Starting to study

November 7th, 2008 Bryan Posted in CCIE Security

So, my project website is basically complete and I have decided to focus on the CCIE Security exam again. I am going to try and schedule it for sometime around mid-September. Since I purchased the IPExpert Blended Learning Solution I am going to start preparing for the first lab which is ACLs and IP filtering. I am going to spend a few days studying online and some books I have scattered around my office focusing only on access control lists, CBAC and IP Spoofing filtering. It looks like this lab doesn’t have any firewalls so I will only be practicing on routers. Also, since moving my exam date guarantees I will be taking the new version of the lab I will only study on those appropriate IOS versions. Hopefully I can dedicate at least two hours a day for studying.

Off I go.


Rescheduling my lab date

November 5th, 2008 Bryan Posted in CCIE Security

Since I have been focusing most of my time the last few weeks on launching my new website I haven’t been able to get any studying accomplished. I’m going to use this as an excuse to push my lab date back a few months from April to September. This will also give me time to adjust my methods to the new lab blueprint.


    and so it begins…

    October 15th, 2008 Bryan Posted in Blended Learning Solution, CCIE Security

    Today is the official start date of my CCIE Security studies. I have taken the last few weeks since my BSCI failure to work on some other projects non-CCIE related. Even though these are not fully completed I feel that 6 months might not be enough time even with a full-time study attitude but I cannot let another day pass without studying. My goal is at least 2 hours a day during the work week and 8 hours a day on the weekends. Obviously due to circumstances related to other business interests this is a lofty goal and I will be struggling to keep my schedule.
    Tonight I will start on the Volume I workbook from IPExpert’s Blended Learning Solution and hopefully tomorrow I will be filling you in on my first impression.

    Bryan

    EDIT: Or so I thought it would begin. I ran into some snags getting the first section working in GNS3. Since I am not so familiar with GNS3 I decided to watch a few of the videos that came with the hard drive. I will have to look at getting some rack time so I don't have to mess with GNS3.


    Building a home lab

    October 4th, 2008 Bryan Posted in CCIE Security, Cisco, GNS3

    Since the arrival of my IPExpert Blended Learning Solution I have been forced to take the CCIE lab studying a little more seriously. Today I decided to start putting together some pieces to help me study. I have a Dell 1435 server that is going to be my home GNS3 machine, so hopefully with its dual processors and 2GB of memory I will be able to run more virtual devices than my regular home machine. At work I will be setting up a GNS3 lab with a Dell 2850 that currently has 8 physical interfaces thanks to some PCI-E cards and an ASA 5520 and Pix 515. Depending on when they announce the changes to the CCIE Security lab I may need to get a VPN Concentrator since my lab is scheduled in April. I also hope to get access to at least a 4215 but hopefully we can get a 4240 for testing.

    With the completion of my home setup I hope to create a few tutorials as I go along in my studying. Hopefully I can make them as good as the ones over at Blindhog. Well, back to the lab build.


    Scheduled Exams

    August 25th, 2008 Bryan Posted in BSCI, CCIE Security, Cisco

    I decided to go ahead and book my lab for April 15, 2009 in San Jose. I figured doing the lab a few days before my birthday would either make it the best or worst birthday I have ever had. I also booked my BSCI exam for September 19th. I plan on starting day 1 of the lab study on the following day of the BSCI exam. I hope to do a better job of tracking my studying subjects and time throughout the lab preparation.


    Written exam results

    August 4th, 2008 Bryan Posted in CCIE Security, Cisco

    Well after about 90 minutes I was able to finish the exam and review it completely. I’m glad I decided to review it because I caught a few answers that were wrong the first time around. I also noticed that if you decide to do a full review and not mark any questions for review while going through the test it will reset the drag and drop questions. All-in-all I thought the exam was easier than I expected it to be, especially it only requiring a 57 to pass. I was lucky enough to surpass this mark and can now move on to studying for the lab. Before I mark off 100% of my study time for the lab I have decided to take the BSCI exam to better understand the routing protocols as I have realized I am a little weak in this department. I figured I might as well take the exam if I am going to learn the materials.


    Exam

    August 1st, 2008 Bryan Posted in CCIE Security, Cisco

    Well, I have studied and read all I could and hopefully it will be enough. Leaving in around 20 minutes for my exam.


    EAP/PEAP, TKIP and TLS

    July 23rd, 2008 Bryan Posted in CCIE Security, Cisco

    TKIP (Temporal Key Integrity Protocol) is an 802.11i standard that enhances WEP by providing key mixing, anti-replay and message integrity.

    EAP (Extensible Authentication Protocol, RFC 3748) is a universal authentication framework that provides increased functionality and communication for an authentication mechanism. It is available for both wired and wireless LANs and the WLAN piece is defined in RFC 4017.

    There are multiple EAP methods used in access control solutions and a few are listed below:

    1. EAP-MD5
    2. EAP-TLS
    3. EAP-TTLS
    4. EAP-FAST
    5. EAP-Cisco LEAP
    6. PEAP

    EAP-MD5 is one of the more common EAP methods due to its ease of deployment. However, it is also one of the least secure EAP methods because of the recent vulnerabilities in the MD5 hash.

    EAP-TLS (RFC 2716) was developed by Microsoft as an extension to PPP to provide authentication within PPP, with TLS (Transport Layer Security) providing integrity for the key exchange. TLS is the successor to SSL. EAP-TLS provides confidentiality and integrity on a per-packet basis and can also provide port-based certificate access control by using the X.509 PKI infrastructure. The deployment of EAP-TLS can become increasingly complex due to the mutual authentication and negotiation requirements.

    PEAP (Protected Extensible Authentication Protocol) was developed by Cisco, Microsoft and RSA. It is the preferred method for wireless authentication due to the increased functionality and security it provides. It uses a TLS tunnel that requires server-side certificates only and allows any EAP method type to be encapsulated inside its TLS tunnel.
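To make the method list above concrete, here is an added example (not part of the original post) that decodes the EAP header from RFC 3748 and reports which methods seen in an exchange do not authenticate over TLS. The type numbers are the IANA-assigned EAP method types; the packets are constructed samples, not a capture.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# IANA EAP type numbers for the methods listed above, plus Identity and Nak.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "EAP-MD5", 13: "EAP-TLS",
             17: "EAP-Cisco LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
TLS_BASED = {13, 21, 25, 43}  # methods that authenticate over TLS

def parse_eap(pkt: bytes) -> dict:
    """Decode the EAP header (RFC 3748): Code, Identifier, Length, then Type."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES or not 4 <= length <= len(pkt):
        raise ValueError("bad EAP code or length")
    out = {"code": EAP_CODES[code], "id": ident, "type": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without Type")
        out["type"], out["data"] = pkt[4], pkt[5:length]
    return out

def untunneled_methods(packets) -> list:
    """Names of auth methods requested or proposed that do not use TLS."""
    seen = []
    for pkt in packets:
        p = parse_eap(pkt)
        if p["type"] is None:
            continue
        # A Response/Nak lists the peer's preferred method types in its data.
        types = list(p["data"]) if p["type"] == 3 else [p["type"]]
        for t in types:
            name = EAP_TYPES.get(t, f"type {t}")
            if t >= 4 and t not in TLS_BASED and name not in seen:
                seen.append(name)
    return seen

# Constructed sample exchange (not a real capture): the server offers PEAP,
# the peer Naks it and asks for EAP-MD5, and the server falls back.
SAMPLE = [
    bytes.fromhex("0101000501"),            # Request/Identity
    bytes.fromhex("0201000801626f62"),      # Response/Identity "bob"
    bytes.fromhex("010200061920"),          # Request/PEAP (start flag)
    bytes.fromhex("020200060304"),          # Response/Nak, wants type 4
    bytes.fromhex("0103001604" + "10" + "00" * 16),  # Request/MD5-Challenge
]

if __name__ == "__main__":
    print(untunneled_methods(SAMPLE))
```
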


    CCIE Security (350-018) Pre-qualification test scheduled

    July 16th, 2008 Bryan Posted in CCIE Security, Cisco

    I went ahead and scheduled my written exam for August 1st. I am about 90% ready so far even though my posts don’t show it. I have almost finished the latest book by Yusuf Bhaiji titled Network Security Technologies and Solutions. I am also going through the CCIE Security Exam Quick Reference Sheets.  I hope to finish the book by Yusuf this week and spend the rest of my time just reviewing some things I am less learned in. I also hope to catch my posts back up to what I have read by the time I take the test.


    My CCIE Security step 2.0 - Security Protocols, Ciphers and Hash Algorithms

    June 30th, 2008 Bryan Posted in CCIE Security, Cisco

    Now that I have returned from Networkers I plan to dedicate a lot more time to passing the written and starting to study for the lab. This will probably be a two part section just because there is a lot to cover between the protocols, ciphers and hash algorithms. Ciphers was the first section covered.

    Basically this is just information to have so let's just list a few definitions.

    • Symmetric Key - The encryption and decryption keys are related or identical, and it is much faster to compute than asymmetric. Commonly referred to as a shared secret.
    • Asymmetric Key - Encryption and decryption require separate keys: a public key and a private key.
    • Block Cipher - A symmetric-key cipher that encrypts a group, or block, of bits. DES and AES are examples of block ciphers.
    • Stream Cipher - A symmetric-key cipher that encrypts one bit at a time. RC4 is an example of a stream cipher.

    Next I moved on to IKE and IPSEC. Being familiar with VPN tunnels this section was just a brief overview. I will highlight some of the things I glossed over.

    • Common ports and protocol numbers in IPSEC: ESP - IP protocol 50, AH - IP protocol 51, IKE - UDP 500, NAT-T - UDP 4500
    • NAT-T is short for NAT Traversal in IKE. This basically enables UDP encapsulation of ESP packets to provide a better flow through firewalls.
    • IPSEC can have two modes, tunnel and transport. Tunnel mode is used to encrypt traffic between two gateways and transport mode is used between two end-stations or between an end-station and a gateway.
    • DH (Diffie-Hellman) is the method of establishing an IKE security association. DH offers three different modes or groups. Group 1 - 768-bit key, Group 2 - 1024-bit key and Group 5 - 1536-bit key.
    • IKE (Internet Key Exchange) is used to securely establish the security associations for the IPSEC protocol. It has two phases. Phase 1 authenticates the IPSEC peers, negotiates the matching policy to protect the IKE exchange, exchanges the keys via DH and establishes the IKE security association. Phase 2 negotiates the IPSEC SA parameters by using the existing IKE security association and periodically renegotiates the IPSEC SA to ensure security.
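The protocol and port numbers in the list above are what a filter or sniffer keys on. As an added example (not from the original post), this classifier labels raw IPv4 packets accordingly; it goes one step beyond the list by using the RFC 3948 rule that separates IKE from UDP-encapsulated ESP on port 4500. The helper functions and sample packets are constructed for illustration.

```python
import struct

def classify(pkt: bytes) -> str:
    """Label a raw IPv4 packet using the protocol and port numbers listed above."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = pkt[9]
    if proto in (50, 51):
        return "ESP" if proto == 50 else "AH"
    if proto != 17 or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    if 500 in (sport, dport):
        return "IKE"
    if 4500 in (sport, dport):
        # RFC 3948: one 0xFF byte is a keepalive; four zero bytes (the
        # non-ESP marker) precede IKE; anything else starts with an ESP SPI.
        if payload == b"\xff":
            return "NAT-T keepalive"
        if len(payload) < 4:
            return "other"
        return "IKE over NAT-T" if payload[:4] == bytes(4) else "ESP in UDP"
    return "other"

# Helpers that build constructed sample packets (checksums left at zero,
# addresses taken from the documentation ranges).
def ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload

def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SAMPLES = {
    "native esp": ipv4(50, bytes.fromhex("00001001") + bytes(12)),
    "ike": ipv4(17, udp(500, 500, bytes(28))),
    "ike natt": ipv4(17, udp(4500, 4500, bytes(4) + bytes(28))),
    "esp natt": ipv4(17, udp(1027, 4500, bytes.fromhex("00001001") + bytes(12))),
    "keepalive": ipv4(17, udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    print({name: classify(pkt) for name, pkt in SAMPLES.items()})
```
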

    If you would like to see a video tutorial on how to set up an IPSEC VPN please click here. Hopefully tomorrow I can get something up on AH and ESP.
