YFZblu's CCNA: Security journey (640 554)

YFZblu Member Posts: 1,462
Hey all--

After achieving my CCNA, I decided to specialize with the CCNA Sec track. I've never done anything like this before, but I'm going to post daily to this thread to keep a running log of my experiences; good and bad. I don't have much to offer now in terms of security, just my security+. So as you'll see in my later posts I'm quite green to IT security besides basic terminology and concepts.

So here is my plan of attack: I'm probably going to read the book the first time without taking many notes or labbing much at all. I strictly want to gain a high-level understanding of the concepts. Hopefully by the time I complete the book the first time (~3 weeks) there will be more resources available for the new exam such as CBT Nuggets and/or Train Signal. Once those video tutorials are released, I will then re-read the book in conjunction with the video tutorials, to gain a more granular understanding of the topics. Hopefully by this time I will also have my ASA 5505 in-hand for some serious lab study.

All in all, I'd like to do this in under three months - For someone with just a CCNA and no practical experience in security and no paid experience in networking, I think this is an aggressive goal. I'm currently going to school full time and working full time + on call, so I can't spend 6 hours a night on this like I want to. After the enormous amount of time I spent on the CCNA, I promised my wife I'd back off a little as well.

I also hope this thread can serve as a hub for others to post their experiences to during their CCNA Sec journey. Good luck to all!

Edit: The book I'm reading is: 640-554 CCNA Security, Official Cert Guide. Authors are Keith Barker and Scott Morris.

Comments

  • sratakhin Member Posts: 818
    Good luck! Do you work with Cisco at your job?
  • YFZblu Member Posts: 1,462
    Yeah, we're a Cisco shop - As of now I only have privileged exec access to our network hardware; so when an issue arises I mostly just take a look around and help diagnose the issue before the network engineers fix it. So I definitely wouldn't say I work with the tech every day.
  • Roguetadhg Member Posts: 2,489
    Why the CCNA:Sec?

    Hmm, you might be a good candidate for CCNP as you work around the equipment and help troubleshoot?
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • YFZblu Member Posts: 1,462
    I decided on CCNA Sec for a couple of reasons. First, I want to move my career in the security direction as soon as possible. Secondly my company employs two types of network guys: Field engineers who handle R&S, and security engineers who deal with ACL's, ASA appliances, and policies. Having both an R&S CCNA as well as the CCNA sec will potentially open either door when it comes time to get hired - When my time comes to join the network folks, I don't really care how I get in as long as I get in.
  • Roguetadhg Member Posts: 2,489
    Roger that. I guess this goes without saying, you already have a lab for CCNA:Sec? If so, what do you have? I'd like to copy someone's lab :)

  • YFZblu Member Posts: 1,462
    As of now I haven't added anything to my CCNA lab which consists of:

    3x 2950 switch
    3x 2600 series routers
    1x 871 router

    I'm still waiting to hear back from a re-seller I know to find out if he has any ASA 5505's laying around.
  • YFZblu Member Posts: 1,462
    We have liftoff - I went ahead and read Chapter 1. Very basic stuff:

    -Discussed Confidentiality, Integrity, Accounting
    -Types of attacks
    -Discussed risk and how to mitigate it, transfer it, or eliminate it
    -Other security terms: Vulnerability, threat, etc.

    It's a short chapter, only 11 pages. It looks like the first few chapters are short and set the stage for the vendor-specific information and configuration to begin.
  • FloOz Member Posts: 1,614
    Good luck in your studies!
  • YFZblu Member Posts: 1,462
    Day 2:

    I read chapters two and three, which were quite short as well. I ended up breaking my 'no note taking' rule for the first read of the book, simply due to the amount of terminology involved in the first few chapters. Chapters two and three covered some nice things:

    -SecureX architecture
    -Defense in depth
    -Concept (and reality) of borderless networks
    -Administrative, logical, and physical threat countermeasures

    A quote I liked from the book: "An ounce of prevention is worth one pound of cure"
  • zrockstar Member Posts: 378
    Hey Blu, I have started the same book, currently on Chapter 7. I am trying to work through some lab issues in GNS3 currently, but let's keep in touch and help each other out through the study.
  • Roguetadhg Member Posts: 2,489
    YFZblu, does the physical book come with a full-book PDF file included on the CD?

  • YFZblu Member Posts: 1,462
    It just comes with a free 45-day Safari subscription, which hosts the book online - But no PDF format unfortunately.
  • YFZblu Member Posts: 1,462
    zrockstar wrote: »
    Hey Blu, I have started the same book, currently on Chapter 7. I am trying to work through some lab issues in GNS3 currently, but let's keep in touch and help each other out through the study.

    Sounds good!
  • Qord Member Posts: 632
    Good luck on your studies!!!
    YFZblu wrote: »
    I'm still waiting to hear back from a re-seller I know to find out if he has any ASA 5505's laying around.

    You might want to check eBay as well. Some good deals on good equipment can be found. Although, I believe you won't need them unless you go on to CCNP/Sec.
  • YFZblu Member Posts: 1,462
    ^ Will do - It looks like I'm going to have to spend about $250 minimum for the ASA device. I'll try to hold out for a better deal, we'll see.
  • YFZblu Member Posts: 1,462
    Day 2.5 - I couldn't sleep, so I thought I'd get another chapter in tonight.

    Chapter 4:

    -Network Foundation Protection (NFP): Securing the Management Plane, Control Plane, and Data Plane
    -Read about some intriguing tools such as Unicast Reverse Path Forwarding, and TCP Intercept

    Yet another short chapter. Chapter five begins some configuration with CCP; I'm looking forward to that!
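As an added example that is not part of the thread or the cert guide, here is how the two data-plane NFP tools named in the post above are enabled on an IOS router. Interface names, addresses, ACL numbers and thresholds are constructed for illustration.

```cisco
! Added example, not from the thread or the cert guide. Interface names,
! addresses, ACL numbers and thresholds are constructed for illustration.
!
! uRPF checks the source address against the CEF table, so CEF must be on.
ip cef
!
! Strict uRPF on the edge: a packet is dropped unless the best route back to
! its source address points out the interface it arrived on. Use this only
! where routing is symmetric, otherwise legitimate traffic gets dropped.
interface FastEthernet0/0
 description OUTSIDE (constructed)
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Loose uRPF where return paths may differ: the source only has to be
! reachable through some interface (a null route still fails the check).
interface FastEthernet0/1
 description DMZ (constructed)
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via any
!
! TCP Intercept: the extended ACL selects the servers to protect from SYN
! floods. In intercept mode the router completes the three-way handshake with
! the client itself and only opens the server-side connection once the
! client has proven it is real.
access-list 120 permit tcp any 192.0.2.0 0.0.0.255
ip tcp intercept list 120
ip tcp intercept mode intercept
! Aggressive mode (faster dropping of half-open connections) starts above the
! high-water mark and stops below the low-water mark (constructed values).
ip tcp intercept max-incomplete high 800
ip tcp intercept max-incomplete low 600
!
! Verification (exec mode):
! show ip interface FastEthernet0/0 | include verify
! show ip traffic | include RPF
! show tcp intercept connections
! show tcp intercept statistics
```

Strict mode is the right choice on a single-homed edge link; on multi-homed routers loose mode avoids the asymmetric-routing false positives while still dropping spoofed sources that are not in the routing table at all.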
  • YFZblu Member Posts: 1,462
    Day 3:

    Family time tonight, no opportunities to read. I went ahead and installed CCP on a Server 2008 box I have at the house, and I'll get to it tomorrow :)
  • sthompson86 Member Posts: 370
    I have my CCNA Sec book in the mail.. CCP never heard of that lol.. Lots to look forward to!
    Currently Reading: Again to Carthage - CCNA/Security
  • YFZblu Member Posts: 1,462
    Day 4: Didn't read, unfortunately. I had a busy day at work and just wanted to relax.

    Day 5:

    Chapter 5: Protecting network infrastructure with CCP. Really good information in this chapter! I went ahead and installed CCP on a server and I was able to use all features with my 871 router. So far CCP seems like a significant upgrade over SDM. CCP is easy to navigate and has some really cool features. This chapter covered:

    -Preparing the router to allow HTTP/S connections and setting up level 15 authentication on the local database
    -Discovering a router or a community of routers
    -Creating user profiles to impose configuration restrictions
    -Configuration templates
    -CCP Security audit
    -CCP One step lockdown

    So far everything seems pretty straightforward, and the writing style of the book has worked out nicely for me. I don't think I'll jump into chapter 6 today; instead I'm going to review the notes I've made from chapters 1-5 and play around with the basic functions of CCP a little bit more.
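The first bullet in the chapter summary above, preparing a router for CCP, is a short CLI procedure. As an added example that is not the thread's or the cert guide's own configuration, this is the preparation for a router like the 871 mentioned in the post; hostname, domain name, user name, passwords and the management host address are constructed.

```cisco
! Added example, not from the thread or the cert guide. Hostname, domain,
! user, passwords and the management host 192.0.2.10 are constructed.
hostname R1
ip domain-name lab.example
!
! Privilege-15 account in the local database. 'secret' stores a hash;
! 'password' would store a reversible type-7 string.
username ccpadmin privilege 15 secret C0nstructed-Passw0rd!
enable secret C0nstructed-Enable!
service password-encryption
!
! The RSA key pair backs both the HTTPS self-signed certificate and SSH.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! HTTPS only, authenticated against the local database; plain HTTP stays off
! so credentials never cross the wire unencrypted.
no ip http server
ip http secure-server
ip http authentication local
!
! Only the management host may reach the web server at all.
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
ip http access-class 10
!
! Idle sessions expire after 10 minutes, which also limits how long a
! hijacked browser session stays usable.
ip http timeout-policy idle 600 life 86400 requests 10000
!
! CCP pushes some configuration over SSH: same local user, SSH only, no
! Telnet, same management ACL.
line vty 0 4
 login local
 privilege level 15
 transport input ssh
 access-class 10 in
 exec-timeout 5 0
!
! Verification (exec mode):
! show ip http server status
! show ip http server secure status
! show run | include username|http
```

With this in place CCP discovers the router by its address, the local user and HTTPS. The ACL and the disabled plain-HTTP server are the two pieces a lab guide usually skips; both matter on a production device because the web interface is a full privilege-15 management path.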
  • YFZblu Member Posts: 1,462
    sthompson86 wrote: »
    I have my CCNA Sec book in the mail.. CCP never heard of that lol.. Lots to look forward to!

    Great! Hopefully we can get a group of CCNA Sec hopefuls on the forums to help each other along the way.
  • zrockstar Member Posts: 378
    YFZblu wrote: »
    Great! Hopefully we can get a group of CCNA Sec hopefuls on the forums to help each other along the way.

    I would be down with this, maybe a Skype or g-chat session once a week?
  • YFZblu Member Posts: 1,462
    That could work. But we can't have you running off to CCDA!
  • zrockstar Member Posts: 378
    YFZblu wrote: »
    That could work. But we can't have you running off to CCDA!

    LOL, the lack of gear is getting me down man!
  • sthompson86 Member Posts: 370
    YFZblu wrote: »
    Great! Hopefully we can get a group of CCNA Sec hopefuls on the forums to help each other along the way.

    I would be interested.
  • YFZblu Member Posts: 1,462
    Day 6/7

    Chapter 6: Securing the Management Plane

    This chapter was kind of a beast for a CCNA Sec noob; I ended up taking two days to digest it. I also searched YouTube long enough to find some CCNP Switch Trainsignal videos that were very helpful, in case anyone needs help in this area. This section was all about using AAA to secure the management plane - VTY lines, Console, and Aux. The chapter covered enabling AAA, configuring AAA for the management plane via command line, and securing IOS images in flash to prevent attackers from modifying them remotely - Really good stuff!

    Chapter 7 looks like it has some ACS topics involved (13 pages, I counted!). Unfortunately I won't be able to lab ACS as it requires a commercial relationship with Cisco... Hopefully it won't be too terrible! It's still early in the day and I could move to chapter 7, but I think I'll review my notes from 1-6.
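The management-plane AAA work described in the post above (VTY, console and aux, AAA via the CLI, and protecting the IOS image in flash) fits in one configuration. This is an added example, not the thread's or the cert guide's own; the ACS address, shared key, local user and password are constructed, and the resilient-configuration commands assume a platform that supports the feature.

```cisco
! Added example, not from the thread or the cert guide. Server address, key,
! user and password are constructed.
aaa new-model
!
! Local account: only consulted when the TACACS+ server cannot be reached.
username localadmin privilege 15 secret C0nstructed-Passw0rd!
!
! ACS as a TACACS+ server (TCP/49; the whole packet body is encrypted,
! whereas RADIUS only obscures the password field).
tacacs-server host 192.0.2.20 key C0nstructed-Tac@cs-Key
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.20
!
! Method lists: ask ACS first, fall back to the local database.
! The console gets its own local-only list so a broken ACS rollout can
! never lock out the serial port.
aaa authentication login default group ACS-GROUP local
aaa authentication login CONSOLE local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP if-authenticated
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP
!
line con 0
 login authentication CONSOLE
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
line vty 0 4
 transport input ssh
 exec-timeout 5 0
!
! Throttle password guessing on the lines: 3 failures within 60 s blocks
! logins for 120 s, and every attempt is logged.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
security passwords min-length 10
!
! IOS Resilient Configuration: keep a hidden copy of the image and config that
! cannot be deleted or overwritten from a remote session. Disabling it
! requires console access, and the feature needs ATA/disk flash (assumed).
secure boot-image
secure boot-config
!
! Verification (exec mode):
! show aaa servers
! show secure bootset
! test aaa group ACS-GROUP localadmin <password> legacy
```

Without the ACS GUI you can still lab everything in the block except the server side: the method lists, the console fallback, the accounting records and the login block behaviour all exercise on the local database, and `show aaa servers` will simply report the constructed server as dead.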
  • Roguetadhg Member Posts: 2,489
    Are you saying that Chapter 7 cannot be labbed for us non-Cisco-aff people?

  • YFZblu Member Posts: 1,462
    Unfortunately you're correct. Not to say that configuring TACACS in the ACS doesn't require preparation via the command line, it does. So there is some labbing you can do on the local router; however it's probably impossible for someone in my position to lab the ACS gui unless I shell out a bunch of money for an in-person bootcamp or something.
  • Roguetadhg Member Posts: 2,489
    https://learningnetwork.cisco.com/thread/10204
    for the CCNA Security, you need to know what ACS is used for and some basics "howto", it's the SDM(Security Device Manager) that you will need to know inside out.

    So it shouldn't be too much of an issue. Thank you for the heads-up!

  • YFZblu Member Posts: 1,462
    Those posts were made back in January - Are we sure they're referring to the 554 exam, and not 553?
  • YFZblu Member Posts: 1,462
    Follow up: This is from the blueprint: Understanding, implementing, and verifying AAA (authentication, authorization, and accounting), including the details of TACACS+ and RADIUS

    I assume we'll have to know a little configuration pertaining to ACS; however probably not much. For example, chapter seven is 30 pages in length, 13 pages of that are dedicated to the ACS gui. Other than that, I didn't really see any other ACS stuff when flipping through the book. So I think we'll be just fine.