Passed my final CCNP exam and I'm quite pleased about it.
Here are my recommendations to anyone getting on the CCNP-Security track:
1. These exams involve a good deal of GUI usage. Software is more important than hardware on 3 of the 4 tests. You will need the IPS Manager Express and ASDM running in demo mode for the IPS and VPN exams, respectively. You might also like to have the AnyConnect client software for the VPN exam.
2. Hardware? Simple and cheap. Yes, I know an ACS server isn't cheap and an IPS box can be pricey, but you don't really *need* either. IPS is emulated with IME in demo mode and ACS is mentioned in passing on most tests - except SECURE. However, a pair of switches that can do 802.1x, 2 or 3 1841 routers, and an ASA 5505 can give you plenty enough hands-on for the exams. GNS3 can emulate more hardware for you, and you'll want that to go along with your modest home lab.
3. Having your ASA 5505 handle your home internet traffic is a great way to get actual traffic going through your ASA for examination and troubleshooting. Just warn anyone you live with prior to affecting their production flow of Internet.
4. Take Firewall first, then IPS, then VPN. A good measure of the material in the VPN book is redundant, so bear with it and keep your eyes open for minor differences between client types, as those are testable details. Anyway, these tests are quite doable and they can serve as a foundation for the material you need to know for the last test, SECURE.
5. SECURE has the most difficult questions of the four tests and you might want to budget enough money to take it two or three times. Possibly four. This is no joke: it is a rough ride. The book for the test has a number of errors and, even after correcting them, the test itself goes beyond the scope of the many items covered in the book. I personally believe the test is cursed, but that's just my superstition. More to the point, this test illustrates where you need to go "beyond the book" for the CCNP level of certification.
6. Read product guides. Yes, that may mean another 184 pages, but it's worth doing. Feel free to skim here and there, but keep your eyes open and attentive on troubleshooting information. Read the 18-page IPSec troubleshooting manual like it was divine revelation that you can download. Read the IPSec debugging guide, while you're at it. When you debug your own VPNs, compare them to the guides. Break things and see where they go wrong and what messages you get when they do go wrong.
7. Suggestions on things to break: set up a VPN, then unplug one end as you have "interesting traffic" going across the link; set up a VPN, then change the transform-set on an endpoint; set up a VPN, then mess up the ISAKMP policy... then mess up that default policy that always seems to override everything else... be sure to have debugging on when you do these things and then research the error messages.
8. Get the premium edition tests that go with the official Cisco Press cert guides. You'd like to have those and to practice on those... and to research anything that crops up on those tests that surprises you.
I guarantee if you prepare properly, you will learn things that won't even show up on the test. Instead of grumbling about learning something you didn't need on a test, you'll be proud that you had skills to spare.
Best of luck to everyone on this track, and it can be done!