Archive for June, 2010

Vol 1 – DONE!

Hello All!

Today, for the first time ever, I’m done with the INE and IPX Vol 1 labs. I am pretty damn sure I don’t remember at least 10% of what I have labbed so far, but it’s time to move on. Also, I’ll definitely be revisiting these labs and going through the DSGs in the coming month.

One really COOL thing that I learnt as a result of today’s labbing was this. I didn’t know 2 things about traceroute:

  • There’s a better way to do traceroute. The original algorithm is sort of inefficient for huge networks, so a new solution was proposed that uses the IP option “traceroute”. Here’s the RFC. Please go through it if you have the time. It’s an awesome (and surprisingly short) read.
  • Also, I did not know that we could do TCP traceroutes. I always thought there were only 2 types of traceroute: ICMP (Windows style) and UDP (Unix, Cisco style). There’s also a TCP traceroute, which uses SYN packets sent to port 80. You can find some documentation about that HERE.

I also watched one of my favourite movies of all time – Dazed and Confused :)

So overall it’s been a good day. Have fun guys!

Cheers,

TacACK


This just in.. SIMON BAUMANN is CCIE-26323(security)!

Whoa! This is awesome. A friend of mine, Simon Baumann, just passed his CCIE-sec today! :) He’s from Germany and he’d gone to Dubai to attempt his lab.

Congrats Simon! All the hard work has definitely paid off. Now sit back and relax!

You can wish him HERE!

Cheers,
TacACK


One more to go

Alright, I’m getting excited :) I just have 1 more Vol 1 lab to go (8), and then I move on to the INE Vol 2 labs! :)

I spent about 4 hours yesterday and 3 hours today doing IPX Vol 7A. It’s one of the easier labs in the IPX series and it was a good change to know some of the configs. There were still many topics that I was not comfortable with, and I looked them up on the Doc-CD. Here’s a list:

  • The order of operation of NAT in IOS
    • When using route-maps to specify different NAT rules for different traffic, the order in which they are processed is a little tricky. They are processed in alphabetical order of route-map name. This is what Cisco has to say:
    • NAT processes route map-based mappings in lexicographical order. When static NAT and dynamic NAT are configured with route maps that share the same name, static NAT is given precedence over dynamic NAT. In order to ensure the precedence of static NAT over dynamic NAT, you can either configure the route map associated with static NAT and dynamic NAT to share the same name, or configure the static NAT route map name so that it is lexicographically lower than that of the dynamic NAT route map name.
    • I encountered this issue in one of the configuration tasks where I had to configure a static translation and also a general dynamic translation. Both were using route-maps. I ran into this in the Doc-CD, which helped me out a lot. So what I did was rename the static NAT route-map to a name that was lexicographically lower than the route-map being used for dynamic NAT.
    • Example: suppose I have 2 NAT translation rules, both using route-maps to classify the traffic that is to be NAT’d (if that’s a word):
      • ip nat inside source static x.x.x.x y.y.y.y route-map yusuf
        (and)
      • ip nat inside source route-map vybhav pool Z
      What happens is that if traffic from x.x.x.x goes from the inside to the outside, it will match the 2nd NAT statement (even though it’s dynamic NAT), as “vybhav” is lexicographically lower than “yusuf”.
    • I encourage you to lab this and try it out. Trust me, it’s a complete joy to watch when it works :)
  • There was a task that required packets going out of a Frame Relay interface to be marked. I thought it could be done using the usual packet marking techniques (NBAR, route-maps, etc.), but apparently there’s a better way to do it. HERE’s the Doc-CD reference for that.
  • I knew about flow capture on IOS. It’s a tool used to store information about traffic flows on configured interfaces. We can tweak the flow cache size, export the flow data to a server, etc. But I didn’t know about AGGREGATION CACHES. They’re super cool!
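
A small model of the ordering rule quoted above, added here as an example (it is neither Cisco’s code nor part of the original post): the rules below are a constructed stand-in for the two ip nat inside source statements, with 10.1.1.5 and 192.0.2.5 in place of x.x.x.x and y.y.y.y, and each route-map reduced to the single source prefix its ACL would permit. It shows the dynamic rule grabbing the host while the static route-map is named “yusuf”, and the static rule winning once it is renamed to sort before “vybhav”; the lint function flags any static rule that a lexicographically earlier dynamic rule would shadow.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    kind: str         # "static" or "dynamic"
    route_map: str    # route-map name that classifies the traffic
    match: str        # stand-in for the route-map's ACL: the inside source prefix it permits
    translation: str  # global address (static) or pool name (dynamic)

def select_nat_rule(rules, src_ip):
    """Pick the rule IOS would apply to an inside->outside packet from src_ip,
    following the Doc-CD text: route-map mappings are walked in lexicographical
    order of route-map name; a static rule beats a dynamic one only on a tie."""
    ip = ipaddress.ip_address(src_ip)
    # False sorts before True, so on equal names the static rule comes first.
    ordered = sorted(rules, key=lambda r: (r.route_map, r.kind != "static"))
    for rule in ordered:
        if ip in ipaddress.ip_network(rule.match):
            return rule
    return None

def shadowed_statics(rules):
    """Lint: every static rule whose host a lexicographically earlier dynamic
    rule would grab first. Returns (static_rule, dynamic_rule) pairs."""
    found = []
    for s in (r for r in rules if r.kind == "static"):
        host = ipaddress.ip_network(s.match)
        for d in (r for r in rules if r.kind == "dynamic"):
            if d.route_map < s.route_map and host.subnet_of(ipaddress.ip_network(d.match)):
                found.append((s, d))
    return found

# Constructed addresses standing in for x.x.x.x / y.y.y.y / pool Z from the post.
BROKEN = [
    NatRule("static", "yusuf", "10.1.1.5/32", "192.0.2.5"),  # ip nat inside source static ... route-map yusuf
    NatRule("dynamic", "vybhav", "10.1.1.0/24", "Z"),        # ip nat inside source route-map vybhav pool Z
]
# The fix from the post: give the static route-map a name that sorts before "vybhav".
FIXED = [NatRule("static", "astatic", "10.1.1.5/32", "192.0.2.5"), BROKEN[1]]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        hit = select_nat_rule(rules, "10.1.1.5")
        print(f"{label}: 10.1.1.5 -> {hit.kind} NAT via route-map {hit.route_map} ({hit.translation})")
    print("shadowed static rules:", shadowed_statics(BROKEN))
```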

  • Finally, I remember reading something about this on Packetlife.net a long time back. It’s a technique to uniquely identify which ACL entry was responsible for the logs being generated (assuming you have entered the log keyword at the end of the ACE). There are 2 ways to do this.
    • Manually specify a TAG value after the log keyword. This tag value shows up in the logs and can be used to correlate each log message to the ACE that generated it.
    • Instruct the router to dynamically generate a hash value and use that as the TAG, instead of having to enter the tags manually after each ACE. This was designed because, if you have a large number of ACEs, it becomes a pain to enter unique tags for each one manually.
    • This can be achieved with the global configuration command: ip access-list logging hash-generation
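
As an added example (not from the post or from Packetlife), a correlation script for the tag technique: it reads a constructed ACL whose ACEs use the log <tag> form, parses constructed syslog lines written in the shape of IOS %SEC-6-IPACCESSLOGP messages with the tag in trailing square brackets (the exact placement of the tag in the message is an assumption), and ties each log line back to the ACE that produced it. An ACE that logs without a tag is reported as uncorrelatable, which is exactly the problem the tags solve.

```python
import re

# Constructed ACL config using the log <tag> form described above (not from the post).
ACL_CONFIG = """\
ip access-list extended EDGE-IN
 permit tcp any host 10.1.1.10 eq 22 log SSH-IN
 permit tcp any host 10.1.1.10 eq 80 log
 deny ip any any log DROP-ALL
"""

# Constructed syslog lines shaped like IOS %SEC-6-IPACCESSLOGP messages; the
# "[TAG]" suffix position is an assumption about the router's output format.
LOGS = """\
%SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 192.0.2.9(51234) -> 10.1.1.10(22), 1 packet [SSH-IN]
%SEC-6-IPACCESSLOGP: list EDGE-IN denied udp 198.51.100.7(4444) -> 10.1.1.10(161), 3 packets [DROP-ALL]
%SEC-6-IPACCESSLOGP: list EDGE-IN permitted tcp 192.0.2.9(51300) -> 10.1.1.10(80), 1 packet
""".splitlines()

ACE_RE = re.compile(r"^\s+(permit|deny)\s+(.*?)\s+log(?:\s+(\S+))?\s*$")
LOG_RE = re.compile(r"list (\S+) (permitted|denied) (\S+) (\S+) -> (\S+), (\d+) packets?(?: \[(\S+)\])?")

def parse_aces(config):
    """Map (acl name, tag) -> ACE text. ACEs that log without a tag go in a
    separate list because their log lines cannot be tied back to one ACE."""
    tagged, untagged, acl = {}, [], None
    for line in config.splitlines():
        if line.startswith("ip access-list"):
            acl = line.split()[-1]   # named ACL the following ACEs belong to
            continue
        m = ACE_RE.match(line)
        if not m:
            continue
        action, body, tag = m.groups()
        if tag:
            tagged[(acl, tag)] = f"{action} {body}"
        else:
            untagged.append((acl, f"{action} {body}"))
    return tagged, untagged

def correlate(log_lines, tagged):
    """Return (log line, matching ACE text or None) pairs for every ACL log message."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        acl, _action, _proto, _src, _dst, _count, tag = m.groups()
        out.append((line, tagged.get((acl, tag)) if tag else None))
    return out

if __name__ == "__main__":
    tagged, untagged = parse_aces(ACL_CONFIG)
    for line, ace in correlate(LOGS, tagged):
        print(ace or "NO TAG - cannot correlate", "<=", line)
```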

I have lab 8A remaining and I hope to do that tomorrow. Also, I’m a little apprehensive about the initial VPN sections that I configured, so I’ll spend some time browsing through the DSGs (INE and IPX) tonight or tomorrow.

Cheers and have a GREAT evening!

TacACK


INE Vol 1 – ID Mgmt

Ah, it’s a great feeling to finish a lab :) I did the INE Vol 1 lab yesterday and, apart from the last 2 NAC configurations, everything went smoothly. In fact, I didn’t even attempt the NAC configurations. That’s because I’m yet to study the theory properly and I thought I’d best wait for next weekend (NAC WEEKEND!).

A couple of things that I learned were:

  • When doing cut-through proxy on the ASA to permit telnet connections going across the firewall, authenticated via TACACS+:
    • Just do “aaa authentication include telnet inside 0 0 <NAME>”
    • Don’t include an authorization command. I always end up making this mistake.
  • Also, when doing dot1x, make sure you include the aaa authorization network command. Only after issuing this will the VLAN assignments from the ACS start working.

What am I doing today? Unfortunately not much! I have to go to this bank to do GOD knows what! Then I’m going shopping. Joy!

Hopefully, I’ll at least get some Doc-CD study done today and if I do, I’ll definitely post about it tomorrow.

Cheers and have a great weekend! :)

TacACK


CCIE-sec-candidate interviews : Brian Almond

Hello!

It’s time for another interview! Today we’re going to be talking to Brian Almond, or as we know him, @infosecsamurai.
He’s been an inspiration to me, just because he’s another family man kicking some serious CCIE-sec rear. He’s very knowledgeable and friendly and he’s solved many a doubt on Twitter for me. So I sent him some questions and I for one am very, very excited about this interview. I have learnt a lot from reading it and I hope it’ll motivate you too. Let’s get this show on the road! :)
TacACK: Hello Brian, how are you doing today?
I am doing well, how are you?
TacACK: Where are you from?
I currently live in the Tampa Bay area of Florida.
TacACK: When and how did your journey into Cisco networks start?
I actually started my IT career with the CCNA certification. I was in my second year of college and met one of the Cisco instructors. He convinced me to sign up for the CCNA class. I eventually got my CCNA, then went on to achieve my CCDA, CCSP, CCNP and CCDP. Essentially, my introduction to I.T. was through Cisco training.
TacACK: Why did you opt for CCIE-security?
This was an easy decision for me. I am a Network Security Engineer/Penetration Tester, so it was a very natural fit for me to choose the Security CCIE. I also am of the opinion that since there are fewer people who are certified as a CCIE in security, more jobs will be available once I am certified.
TacACK: What materials do you currently own?
I currently own all of the IPexpert materials.
TacACK: What is your daily study plan?
I don’t have a daily study plan so much as a weekly number of hours I try to put in. I schedule two eight-hour rack sessions per week and I try to spend at least four hours doing theoretical study such as reading, watching videos and doing practice OEQ questions. This puts me right at 20 hours per week. This has worked well for me so far.
TacACK: You’re married and expecting your first kid soon and you still manage to lab so much! What words of advice would you give candidates who are married and are finding it hard to allocate study/lab time?
My advice would be to make sure that your family understands how much is involved in attaining a CCIE before beginning the process. My wife is very understanding and realizes that achieving a CCIE is good for us both. She wants me to succeed and that helps, but I also think you should be at a point in your life where you can allocate those 20 hrs per week and not feel like you will lose your mind. If attaining a CCIE is going to cause you to lose your job or family, you should consider something else.
TacACK: What are your weak points in the blueprint and how do you plan on overcoming those?
I am happy to say that at this point I don’t have what I would consider any really bad weak points. I still hate dealing with NAT on routers as it can get ridiculously over-complex, and I also am not a fan of the NAC framework as it can be very nitpicky to get just right. I will say at this point I am at what I would consider a comfortable level with all of the material. I have done over 400 hrs of study and a bootcamp to get to this point, but I do feel like I can get close if not correct on most topics without the documentation.
TacACK: Do you have any role models?
The only role model I have is my father. He is a mechanical engineer and worked for NASA for many years. He designed and tested systems that are part of the current Space Shuttle fleet. He gave me my first computer when I was 13. It was a Packard Bell 486sx. What’s funny is these computers were known to be complete pieces of crap. (I still don’t know if he did that on purpose.) It would break and my dad would say if you want it to work you have to fix it. So I would fix it. He basically forced me to start learning to fix computers at 13 years old. I attribute most of my success to him pushing me.
TacACK: You’ve already attempted the lab once and I’m sure you just missed the passing score by a point or two. Could you maybe tell us how the lab was? A short description would be excellent!
The lab is a very different experience from your studies. It’s not super hard but not easy either. It will stretch your mind and you probably will be asked to do something you haven’t done before. Make sure you know the Doc website well and don’t take the OEQs for granted, they can be quite hard.
TacACK: On a scale of 1..10, how close is the CCIE material to the actual lab? Does this break the NDA? :) If yes, please feel free to skip this question.
I would say about an 8.
TacACK: 5 tips for any CCIE-sec candidate?
1. Know what you are undertaking and commit to it. There will be times when you want to quit, just keep going.
2. Take your time, read the questions and don’t rush. Make sure you understand every detail of what is being asked.
3. Try to be calm! Nerves are probably why I didn’t pass on my first attempt.
4. Know how to stack technologies. VPN and multicast routing, for example.
5. Read the Doc website and know where to look for subjects you are weaker on.
TacACK: How will you celebrate once you get the CCIE-sec certification?
I think I am going to take a real vacation. I haven’t had a real vacation in over 5 years and I think after this I will deserve one.

Now, wasn’t that a great interview?! Brian was actually in the process of sending me his pic, but I just couldn’t wait. This interview was so awesome, I had to post it up for everyone to see. Once I get a picture, I’ll add it in :)

I am very, very confident that Brian’s going to kill this lab the next time he attempts it. My best wishes to him and to his family :) You can reach Brian on Twitter through his handle (@infosecsamurai).

Hope you enjoyed this as much as I did!

Cheers!

TacACK
