
LAB equipment for CCNA security

pujan96 Member Posts: 121 ■■■□□□□□□□
Hi Guys,

Could anyone suggest lab equipment for studying for the CCNA Security?

I currently have 2 Catalyst switches and 3 routers. I assume I need an ASA firewall; can anyone suggest one? Budget is not an issue, but ideally something I can get second hand that's good value for money.

Thanks
Pujan
[X] CCNA R&S

[X] CCNP Route 300-101
[  ] CCNP Switch 300-115
[  ] CCNP T-Shoot 300-135

[  ]  NPDESI 300-550

[  ] CCIE R&S Written
[  ] CCIE R&S LAB

Comments

  • clarson Member Posts: 903 ■■■■□□□□□□
    You can probably get by with an asa5505. It would be best for the exam to have a software version of 9.1 for asa and 7.3 for asdm or better.
    Older asa5505's came with only 256mb of ram. These versions of the software require 512mb of ram.
    Upgrading the ram is no big deal as the ram is pretty standard and quite old so quite cheap to get.
    Upgrading the software is easy also. That is, if you have it. And be sure to get the power adapter also.

    An asa5510 will also work. A few dollars more expensive.

    An asa5506 would be nice to get, but that will be a few hundred dollars more.
  • Iristheangel Mod Posts: 4,133 Mod
    @clarson - Actually, you can get an ASA 5506 for about $300 on Amazon or eBay. Load that bad boy up with a Firepower 45 day eval license that you can get on Cisco.com and you're ready to rock and roll.

    I would NOT suggest getting the 5505 or 5510. Go ASAv if you had to instead of buying hardware that can't use current code at all.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255 Banned Posts: 1,178
    I'd personally recommend (for the sake of knowledge) working with both Cisco 5505 running IOS code 8.2, and, like Iris suggested, a 5506 and throw Firepower on it when you're ready to hit that subject.

    I am seeing 8.2 slowly go away, but some of our SMB customers at my MSP have 5520's running code 8.2, and you just have to know the differences with NAT operations in my opinion.

    For exam purposes the latest and greatest is always the best option, but for real world purposes, I might load 8.2(x) on a 5506 then once configured make use of the upgrade wizard to migrate to 8.3+ images to practice migrating customers off 8.2 code - this I think would be the optimal situation if you're new to ASAs.
  • Iristheangel Mod Posts: 4,133 Mod
    Makes me sad when people are running 8.2 or bragging about the *years* of uptime on their firewall. Makes me shake my head and wonder how many 5+ year old exploits they are vulnerable to because they didn't want to update or because they like high uptime.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • ande0255 Banned Posts: 1,178
    Yes, a lot of "if it's not broken don't fix it" kind of thinking, gotta love it.
  • Iristheangel Mod Posts: 4,133 Mod
    I can understand that for switches and routers to some degree. It's not like Windows where you want to patch it regularly but your edge security? Yikes!
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • jorglct Member Posts: 11 ■□□□□□□□□□
    User GNS is a great tool to implementation.
  • ande0255 Banned Posts: 1,178
    Iristheangel wrote: "I can understand that for switches and routers to some degree. It's not like Windows where you want to patch it regularly but your edge security? Yikes!"


    Edge security for SMB customers at my MSP, some places are stubborn about replacing their Sonicwall TZ-200 series firewalls and ASA 5505's at the cost of newer and more secure technologies, my job is just to support them the best I can (and make recommendations for upgrades where I see them).

    I think a new wave of edge security hardening is upon us though, over the last year or so the ransomware I see out in the wild encrypting customer servers is growing exponentially to customers on older edge device security platforms, costing them thousands of dollars to pay the ransom and unlock their files, than it would have to upgrade to Next-Gen firewall with Firepower and a good user policy.

    I suppose there is always that one user who will click on the "You have won a million dollars" link in emails, but unless non-IT people have just gotten dumber over the years to these tricks (which wouldn't surprise me), I don't think security should stop at the edge of a network.
  • Iristheangel Mod Posts: 4,133 Mod
    Completely agree. I more point out the edge because it's what's getting slammed most of the time. I've set up NetFlow on the edge and it's always fun to see every weird country that's scanning you.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • Legacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□
    It comes down to the IT guy and/or the company if security is a priority. I found a lot of SMB don't care to spend more if it is already working and they have not got any attacks, then it's hard to push upgrades. Checking the log viewer on the ASA to see how many denies for telnet or other common port numbers from different IPs or port scanning from different IPs, it's just all types of scary.

    Yup, ransomware is definitely becoming more rampant. The cyber ops team at my place keeps flagging users for ransomware and then it becomes a fire drill when multiple teams have to work to shut down services to that machine.
  • Boby Member Posts: 27 ■□□□□□□□□□
    What's wrong with ASAv? Everyone is recommending buying an old ASA but I think that everything can be done in GNS3 except the hardware dependent features.
  • Iristheangel Mod Posts: 4,133 Mod
    @Boby - Nothing at all wrong with it. My recommendation was to get a 5506 for the Firepower features that aren't on the ASAv. The 5505 is just a paperweight at this point :P
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • craigaaron Member Posts: 132
    Iristheangel wrote: "@Boby - Nothing at all wrong with it. My recommendation was to get a 5506 for the Firepower features that aren't on the ASAv. The 5505 is just a paperweight at this point :P"

    I am still getting plenty of knowledge from my asa5505 :P I would love a 5506 though.
    Currently Studying: CCNP Security
    300-206 - Completed 04-Jul-2014
    300-209 - Completed 09-May-2017
    300-208 - TBC
    300-210 - TBC
  • blatini Member Posts: 285
    How much longer will the 5506 be relevant for?
    Bit much to invest in if it is going to be obsolete by next exam.
  • Iristheangel Mod Posts: 4,133 Mod
    @blatini - The 5506 is only about a year and a half old. I don't think you run any risk of it going away anytime soon.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • blatini Member Posts: 285
    Roger - thanks for the info!
  • albinorhino187 Member Posts: 117 ■■■□□□□□□□
    I did all of my labbing through GNS3. I passed by the skin of my teeth, but I didn't have to shell out a bunch of $$ for hardware.
    CCIE RS - Written (Goal: July 2019) [ ] Lab [ ]
  • pogue Member Posts: 213
    Iris,

    Can you clarify what is needed beyond the actual physical 5506? I am not quite clear on how the Firepower licensing works... I would like to run a 5506 as the border security device for my home network, leveraging VPN capabilities + whatever license would be most applicable to CCNP-Security studies. It seems like the full gamut license subscription runs like $170.00 a year? Pretty expensive.... Is there another option that pretty much covers the bases for CCNP Security, but isn't limited to a 45-day trial period?

    Thanks,

    Russ
    Currently working on: CCNA:Security
    Up next: CCNA:Voice
  • doctore Member Posts: 17 ■□□□□□□□□□
    Iristheangel wrote: "Makes me sad when people are running 8.2 or bragging about the *years* of uptime on their firewall. Makes me shake my head and wonder how many 5+ year old exploits they are vulnerable to because they didn't want to update or because they like high uptime."

    Probably just as many as the zero-day exploits the new versions have.

    5505 is perfectly fine for the CCNA Security, after all the test is on the 5505. Considering you can have it for under $100, it's a no-brainer.
  • maelstrom3530 Member Posts: 40 ■■□□□□□□□□
    Like the above poster asked, what else, beyond an ASA 5506, would be required in preparation for the CCNA Security exam?

    Thanks!

    I have some equipment already:

    1x 2600XM
    1x 2801
    1x 2821

    2x 2950's
    1x 2960

    I also have an HP DL380 G6.
    2015 Goals: [X] ICND2 [X]70-680 [X]70-685 [X]70-640
    2016 Goals: [X]70-410 [X]70-411
    2017 Goals: [X]70-412
    2018 Goals: [_]70-697 [_]70-698
  • clarson Member Posts: 903 ■■■■□□□□□□
    Pretty much you do security on a switch, router, and a firewall.

    The model of the switch isn't so important, but the 2960 could run version 15 of the IOS. Get the best IOS you can.

    For the router, you need version 15 of the IOS so you can run CCP, Cisco Configuration Professional. And, of course, the advsecurity or better feature set.

    And the firewall has been talked about already.

    And the G6 can be used to virtualize what you can find.

    Looks like you have everything you need as far as hardware.