TacAck – My security journey!

Hello Hello!

I’ve been busy for the last couple of days doing some ccie-sec stuff and also getting some work done. I did INE lab 5 first and i found it REALLY REALLY hard! I don’t think there’s anyway the real exam is going be this hard.

After that, i did INE Lab 7 and i found it pretty fair. Some sections were tough, but most sections were doable. I found some confidence after doing them and i think i need to work a little bit more on my speed.

Later tonight, i’ll be posting a video about how i actually start the lab. This will include how i draw the diagram, how i take down notes ,etc. If you feel i should do anything differently, please feel free to let me know!

Yesterday, i did  a lot of Doc-CD study. I studied/did-some labs on IOS NAT, went through the great free whitepapers available on the INE website! I also did some VPN configurations but i just couldn’t get EZVPN to work. :/ I wanted to debug this but couldn’t find the time yesterday.

In about 30 mins time, my rack-rental session starts and i intend to do INE Lab 8 today. Hopefully, it’ll be fun!

P.S : I’m sorry if my blogs don’t have much techy stuff these days, it’s just because there’s so much going on and i’m finding it a little hard to collect it all and blog it. But i promise, after my 1st attempt, i will start blogging in depth about the technologies ( and a little less about my feelings )

Cheers and have fun!

TacACK

Hell All,

To sum it up in one sentence, INE vol 2 Lab 4 was HELL( http://en.wikipedia.org/wiki/Hell ) ! The configuration sections were just too long and very very tough. I had a 5.5 hour time period in which i had to finish the lab, but i only managed to finish 4 sections , and half of one other section.

The sections i finished were :

• ASA
  • Very long
  • I wouldn’t call this tough , but it wasn’t easy either. Required a lot of thinking
• IOS F/w
  • This section was relatively easy, but it took a long time ( considering that there were only 2 tasks  ).
  • The ZBPF section was a little tricky, because i had to keep revisiting this, because a lot of the later configs had to be accounted for when doing the configuration.
• VPN
  • There was an IPSec HA section. To be honest, i’d like to think i’m good with IPSec HA ( because i’ve practiced it many times ) , but i just didn’t understand the question.
  • I don’t know if  my understanding was flawed or if the question was worded badly. Either way, i couldn’t configure it.
  • There was a troubleshooting question here , which was pretty simple. Again, this got a little more complicated because, the router which had the issue was also running ZBPF. So , had to account for that. ( More time spent )
• ID MGMT
  • They had 2 , i repeat 2 NAC sections. Since i didn’t know NAC , i just skipped these and moved on
  • Even the command authorization section was tough.
• CONTROL PLANE SECURITY
  • 2/3 tasks were easy.
  • One task was tough. ( required a lot of thinking , digging up the doc-cd ). However i’m still not convinced about the answer. I must ask some folks on OSL.
• IPS
  • The only section which was simple.
  • The penultimate task threw me off slightly, but i somehow figured out what to do. (Took some time)
• ADVANCED SECURITY
  • Again, not very difficult configurations, but they were very detailed and i took a lot of time configuring and testing them. I’d like to think they’re correct, but i’ll only know once i tally them with the answers.
  • I skipped the last task because i felt i was running out of time.
• NETWORK ATTACKS
  • Didn’t have time to do this.

As you can see, i couldn’t finish the lab in the 5.5 hours. So i managed to save the configs and i’m going to try it again sometime soon ( maybe tomorrow ).

I’d love to hear from you about how your studies are going! Please feel free to buzz me on twitter ( @tacack ) , or by e-mail ( tacack at tacack dot com ) , or by just commenting to this post.

Cheers and Happy studying!

TacACK

Hello All!

I had an interesting day yesterday! I didn’t have any rack-rentals scheduled as i was scheduled to be spending most of my day doing some work-related stuff. I did that till about 3 PM and then i fired up good ‘ol GNS3 and started doing some small labs. I had forgotten how much FUN this was! Here are a couple of things that i labbed yesterday :

• DNS rewrite on the ASAs
  • This was a simple topic but i have issues getting this to work 100% of the time, so i decided to spend some time labbing this. Only then did i figure out how complex this actually is. I was referring to the Doc-cd page for “Application inspection” on the ASA and i found some very interesting scenarios(one in particular) which i wanted to share with you.
  • It’s called DNS rewrite with  3 NAT zones
    • We all know how DNS rewrite works. Most of the times, out of habit, we generally configure only 2 NAT zones when we have to test this (ex : inside,outside) . So what happens is , the “A-record” in the DNS response gets translated according to the static nat entry.
    • Now, add another zone. It gets interesting now. What happens if, the user is on the inside, the web-server is on the dmz  and the DNS server is on the outside. How does rewrite actually work. For this i found an awesome section -> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1336066 , which gives us a clear picture on how this happens. I also labbed this up and i was happy to see it working as expected.
  • I also tried the “alias” command and that worked too.
• Local IOS command authorization
  • I was revising IPX Vol 2 – Lab 11 , and i found that i was n0t too confident about the local command authorization section. So , i fired up a small lab and proceeded to do it. I’m now confident about how this works and i’m sure i could work my way through this task , if i face it again.
• AAA Cut-through-proxy on the ASA
  • I had configured regular CTP on the ASA before ( aaa authentication match <ACL> inside <method>) . But i was wondering what the “aaa authentication listener” command did. So i read up on some documentation ( which , i must say , i’m not very impressed with ) and i started configuring this.
  • I learnt that, by entering the “aaa authentication listener” command with the “redirect” , we are redirected to a fancy new page where we have to enter our credentials , instead of the usual pop-up box that we usually get.
  • But, without the redirect keyword, it performs CTP just the usual way . I don’t see any difference in adding the aaa authentication listener command. If someone knows the difference, i’d love to know what it is?!

One thing which i do regularly is to revisit the doc-cd to read about the order of processing of the classes/actions in policy-maps on the ASAs.  I find this VERY helpful http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1083060 as i go about labbing. This can definitely make/break a configuration and i would suggest you are well versed with it.

Today, i have a rack-rental scheduled where i’m going to revisit INE vol2 – lab 4 . I’ll be keeping notes on how it went and i’ll definitely share it with you tomorrow.

Have a great day!

Cheers,

TacACK

Hello All,

It’s been a while since i posted about my study , partly because i’ve been held up doing a lot of miscellaneous jobs. Work ( Coding in ADA ) is really hectic these days and i’m unable to allocate the amount of the time that i would like to allocate to studies and labbing. However i have been studying and labbing whenever i can and here’s a list of things that i’ve done / things i need to do.

DONE

• INE Vol 2 – Lab 1
• INE Vol 2 – Lab 2
• INE Vol 2 – Lab 3
• INE Vol 2 – Lab 10
• IPX Vol 2 – Lab 11
• IPX Vol 2 – Lab 12 ( In progress )

Although, i have done all of these labs, i’m not sure i’ll be able to nail them again because i havent revised the topics that i had difficulties configuring. I must do that sometime this week and ensure that i know the contents of these labs inside out.

Today, i was doing IPX Vol 2 – Lab 12. I always have difficulties with IPX (and some INE) labs. That’s because they’re really hard, elaborate and take a whole lotta time . For me, it’s nearly impossible finishing it in the 8 hour period. I had about 7 hours of quality lab time today, out of which , i  spent an hour re-drawing the diagram and going through the configuration items at the beginning. In the remaining time i could configure 5/8 sections. I have saved the configs and will continue the next time i have a rack-rental. I was a little worried this morning regarding my speed. I thought i was the only one with the slow speed and i was trying to analyze if there was something i was doing/missing, which was causing the slow speed.

But then, later today , i had the good fortune to talk to Kingsley and Toyos about the IPX labs and i found out that both of them were taking a little more time than the allotted 8 hours to finish the lab. This put my mind to ease, because i knew everyone was finding these labs hard and it was not only me.

I hope to get some office work done tomorrow and also study some stuff about NAC , practice some ACS configurations. I also hope to do the first lab in “Yusuf’s workbook” the day-after-tomorrow. Let’s see how that goes. Very excited!

See you tomorrow!

Cheers and Good night!

TacACK

Hello All,

I received some GREAT news yesterday night on twitter. Toyos Yooyen (@tawtoyos , @tyooyen) had just cleared his CCIE-security lab in Tokyo. Congratulations Toyos!

He’s a double CCIE at the age of 24. What a phenomenal acheivement!  He’s been working very hard, knocking out practice lab after practice lab and it’s absolutely inspiring to see such dedication from an individual.Well done Toyos!

I know he’ll do very well in his career , so here’s wishing Toyos the best for his next CCIE!

Cheers,
TacACK