YFZblu's CCNA: Security journey (640 554)


Comments

  • Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
    Good deal!
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • zrockstar Member Posts: 378
    It just sucks that we can't actually do it. If the ACS demo was more available or there was at least a sim for it, that would be sweet. I'm sure it really isn't that big of a deal though; it's just when I see new toys I want to play with them.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 8

    Chapter 7 - Implementing AAA Using IOS and the ACS Server

    This chapter basically took what we learned in chapter six and applied it to configuration. Topics included:

    -Why use Cisco ACS?
    -Differences between RADIUS and TACACS+
    -Preparing routers to communicate with an AAA server - This can be done via CLI or CCP
    -Details of Cisco ACS - Network device groups, network devices, identity groups, user accounts, and authorization profiles
    -Creation of the above components in Cisco ACS
    -Verification and troubleshooting of the communication between network devices and Cisco ACS

    This chapter had me nervous because of the ACS configuration; however, something I noticed in the text is there were no "Key Topic" bubbles near ANY of the ACS configuration. In fact a "Key Topic" bubble didn't appear in ACS until the troubleshooting portion. This is good news because ACS troubleshooting happens at the command line for the most part. So rejoice! ACS isn't bad at all, even for us noobs with no access to it.

    Anyway, I really enjoyed the last two chapters. They have cleared up a ton of questions that the CCNA left me with.
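The router side of what chapter 7 describes, as an added example that is not from the book or from anyone in this thread: an IOS configuration that hands login, exec and command authorization to a TACACS+ ACS server, keeps a local account as a fallback if the server is unreachable, and the command-line checks the post says the chapter's Key Topic is about. The server address (192.0.2.10, from the documentation range), the group name ACS-SERVERS, the key and the username are all constructed placeholders.

```cisco
! --- Added example: router-to-ACS (TACACS+) AAA setup; all addresses, names and keys are placeholders ---
aaa new-model
!
! Define the ACS server once, then refer to it from a server group
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server tacacs+ ACS-SERVERS
 server name ACS-PRIMARY
!
! Source TACACS+ traffic from a stable address so ACS can match the device entry
ip tacacs source-interface Loopback0
!
! Method lists: try ACS first, fall back to the local database if no server answers.
! The "local" fallback is what keeps you from being locked out when ACS is down.
aaa authentication login default group ACS-SERVERS local
aaa authorization exec default group ACS-SERVERS local
aaa authorization commands 15 default group ACS-SERVERS local
aaa accounting exec default start-stop group ACS-SERVERS
aaa accounting commands 15 default start-stop group ACS-SERVERS
!
! Local fallback account (placeholder credentials); privilege 15 so recovery is possible without ACS
username netadmin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 transport input ssh
!
! --- Verification from the CLI (the part the chapter marks as a Key Topic) ---
! show tacacs                     : server reachability, socket state and request/reply counters
! test aaa group ACS-SERVERS netadmin REPLACE-WITH-PASSWORD new-code
!                                 : sends a real authentication request to the group and reports the result
! debug tacacs / debug aaa authentication
!                                 : watch the exchange when a login fails (wrong key shows up as server rejects)
```

Keep the `local` keyword at the end of every method list while you are labbing: with only the server group listed, a typo in the shared key or a wrong ACS network-device entry will lock you out of the VTY lines as soon as you log off.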
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 9:

    Chapter 8 - Securing Layer 2 Technologies

    Considering I just passed the CCNA last week, I took the liberty of skipping the sections that review STP, switch logic, VLANs, and trunking. So there were only a few pages of layer 2 security to get through. This chapter discussed port security, BPDU Guard and Root Guard as well as the configurations that went along with it. This wasn't new material as all of these technologies and their configurations were covered by the CCNA exam.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    I'm going to enjoy following this. Once I'm finished with the CCNA I intend to start on the CCNA:Security. As I understand it, you need to have an ASA to really be ready for the exam?
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    ^ Yeah, it looks like Chapter 14 really gets heavy with ASA configuration both in CCP, ASDM, and the ASA device; however it is my understanding that it is possible to lab the ASA device in GNS3.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    YFZblu wrote: »
    ^ Yeah, it looks like Chapter 14 really gets heavy with ASA configuration both in CCP, ASDM, and the ASA device; however it is my understanding that it is possible to lab the ASA device in GNS3.

    I saw that, but it looks a little more complicated than I'm interested in. I'll probably just pick one up myself.
  • BroadcastStorm Member Posts: 496
    I thought you only need a router and switch for CCNA Security? A router has two interfaces; get a WIC card with a FastEthernet port and then you have inside/outside/DMZ.

    Am I wrong about this? What topic in CCNA Security needs an ASA firewall? If you're getting a firewall you might as well get something with a Security Plus license, otherwise you'll outgrow it.

    Licensed features for this platform:
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 20 DMZ Unrestricted
    Dual ISPs : Enabled perpetual
    VLAN Trunk Ports : 8 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Active/Standby perpetual
    VPN-DES : Enabled perpetual
    VPN-3DES-AES : Enabled perpetual
    AnyConnect Premium Peers : 2 perpetual
    AnyConnect Essentials : Disabled perpetual
    Other VPN Peers : 25 perpetual
    Total VPN Peers : 25 perpetual
    Shared License : Disabled perpetual
    AnyConnect for Mobile : Disabled perpetual
    AnyConnect for Cisco VPN Phone : Disabled perpetual
    Advanced Endpoint Assessment : Disabled perpetual
    UC Phone Proxy Sessions : 2 perpetual
    Total UC Proxy Sessions : 2 perpetual
    Botnet Traffic Filter : Disabled perpetual
    Intercompany Media Engine : Disabled perpetual
    This platform has an ASA 5505 Security Plus license.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    The new CCNA Sec covers ASA device configuration - Previously only CCNP Sec did.
  • BroadcastStorm Member Posts: 496
    Cisco just wants to make more money from the students, so there's more demand for the ASA 5505.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 9

    Chapter 9: Securing the Data Plane in IPv6

    I had a little extra time today, so I decided to hit this chapter as well. The chapter started off with some nice IPv6 review which I decided to read - It just talked about address structure in comparison to v4 mostly, as well as the different types of addresses: Link local, global unicast, anycast, and loopback. The chapter also discussed the multicasting that goes on with IPv6 and the associated addresses. What I especially liked is that this chapter went a little deeper than CCNA R&S did regarding configuration - Or maybe I just wasn't paying attention during CCNA R&S IPv6 configuration :p

    The chapter closed with the types of threats that occur on both v4 and v6 networks, and only on v6 networks - Issues related to tunneling, link local multicasting, ICMPv6 issues, and just general issues that can arise when implementing a new software package.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 10

    Chapter 10: Planning a Threat Control Strategy

    This chapter kicked off part III of the book and was mostly dedicated to discussing the process of mitigating and reacting to threats on the network, and the policies in place. The chapter reviewed a few tools available at layer two (port security, dynamic ARP inspection, BPDU Guard, Root Guard) and layer three (ACLs, VPN, IPS, AAA, etc.). No config in this chapter as most of these features have their own dedicated sections throughout the book.
  • Mike-Mike Member Posts: 1,860
    Good thread. I'm going for the CCNA Security too, but I need to review my CCNA stuff first.
    Currently Working On

    CWTS, then WireShark
  • sthompson86 Member Posts: 370
    I got started this week - Finishing up with chapter 1 and supplementing CBT videos. I am going slower through the material, and taking lots of notes as I go. No rush here.
    Currently Reading: Again to Carthage - CCNA/Security
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Nice!! Do we have any word on when CBTnuggets or Trainsignal will release 554 content?
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 11

    Chapter 11: Using Access Control Lists for Threat Mitigation

    This chapter was mostly R&S review as well, but the mindset of the chapter was to think about ACLs as more than packet filtering just to keep UserA from reaching HostB - It explained that ACLs can be used to prevent IP address spoofing, which isn't something I had considered before. This chapter also introduced the concept of the Object Group, which seems like a great tool for making things easier on the ACL administrator. The chapter closed with IPv6 packet filtering with ACLs, which is different from v4 ACLs.

    A little bit of new material, I'm looking forward to labbing this later - Especially the Object Groups and IPv6 filtering.
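The three things the post picks out of chapter 11 (anti-spoofing, object groups, IPv6 ACLs) in one IOS configuration, as an added example that is not from the book or from anyone in this thread. The inside prefixes (192.0.2.0/24 and 2001:DB8:1::/48, both documentation ranges), the object-group and ACL names and the interface numbers are constructed; the idea is that an ACL applied inbound on the Internet-facing interface should never accept a packet claiming an inside or private source, and the ACL inbound on the inside interface should only accept packets that actually come from inside.

```cisco
! --- Added example: anti-spoofing ACLs with object groups and an IPv6 ACL; all prefixes and names are placeholders ---
!
! Object groups let one ACL entry cover every inside prefix; add a line here instead of editing the ACLs
object-group network INSIDE-NETS
 description Prefixes that live behind the inside interface (placeholder)
 192.0.2.0 255.255.255.0
!
object-group network PRIVATE-NETS
 description RFC 1918 and loopback space that should never arrive from the Internet
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0
 127.0.0.0 255.0.0.0
!
! Inbound on the OUTSIDE interface: a packet from the Internet with an inside or private
! source address is spoofed, so drop and log it. Everything else goes on to the real policy.
ip access-list extended ANTISPOOF-OUTSIDE-IN
 remark Drop packets from the Internet that claim an inside or private source
 deny ip object-group INSIDE-NETS any log
 deny ip object-group PRIVATE-NETS any log
 permit ip any any
!
! Inbound on the INSIDE interface: only inside sources may leave, which stops hosts on the LAN
! from spoofing other networks outward (egress filtering).
ip access-list extended ANTISPOOF-INSIDE-IN
 remark Only allow packets whose source really belongs to the inside network
 permit ip object-group INSIDE-NETS any
 deny ip any any log
!
! IPv6 uses its own ACL type and is applied with "ipv6 traffic-filter" rather than "ip access-group".
! Named IPv6 ACLs implicitly permit neighbor discovery before the implicit deny, which is why
! the entries below deny only the spoofed source ranges.
ipv6 access-list ANTISPOOF6-OUTSIDE-IN
 remark Drop IPv6 packets from the Internet that claim an inside or unique-local source
 deny ipv6 2001:DB8:1::/48 any log
 deny ipv6 FC00::/7 any log
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description Outside (ISP-facing) link
 ip access-group ANTISPOOF-OUTSIDE-IN in
 ipv6 traffic-filter ANTISPOOF6-OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description Inside LAN
 ip access-group ANTISPOOF-INSIDE-IN in
!
! Verification: "show ip access-lists ANTISPOOF-OUTSIDE-IN" and "show ipv6 access-list" show per-entry
! hit counts, so a rising counter on a deny line is your first signal that spoofed traffic is arriving.
```

The `log` keyword is deliberate on the deny entries and absent from the permits: logging the matches you expect to be rare gives a useful signal without flooding the router's CPU on normal traffic.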
  • sthompson86 Member Posts: 370
    @YFZblu - Can you say whether or not the CCNA Sec 554 requires one to own an ASA for labs? I have done some reading, but really have not found a definite black or white answer.

    Thanks in adv.
    Currently Reading: Again to Carthage - CCNA/Security
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 12 - No progress made
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 13

    Chapter 12: Understanding Firewall Fundamentals

    Another very interesting chapter that covers the basics of firewalls; types, functionality, implementation, and policy. This chapter also covered NAT terminology and deployment.
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    sthompson86 wrote: »
    @YFZblu - Can you say whether or not the CCNA Sec 554 requires one to own an ASA for labs? I have done some reading, but really have not found a definite black or white answer.

    Thanks in adv.

    From what I've seen, one does not need to own an ASA appliance; however, access to an ASA operating system via GNS3 is probably a good idea.
  • sthompson86 Member Posts: 370
    YFZblu wrote: »
    From what I've seen, one does not need to own an ASA appliance; however, access to an ASA operating system via GNS3 is probably a good idea.

    Thanks - GNS3 will be the way I go if needed. Have a good rest of the weekend.
    Currently Reading: Again to Carthage - CCNA/Security
  • MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
    This is an excellent thread. +1 rep. I'm currently reading through all my ICND2 notes and will be taking it within the next few weeks. After I pass the ICND2 I'm going into either security or voice. The story changes every day for myself, but my work has the final say and they're paying for the exams. I'd like to go into Security, but it looks like they're going to push for the voice part. Though, I can't argue if they're going to pay :)
    2017 Certification Goals:
    CCNP R/S
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Thanks!

    Update: Now that my wife works for a Cisco reseller, I may be able to get an ASA device at a pretty significant discount. We shall see!
  • MAC_Addy Member Posts: 1,740 ■■■■□□□□□□
    YFZblu wrote: »
    Chapter 7 looks like it has some ACS topics involved (13 pages, I counted!). Unfortunately I won't be able to lab ACS as it requires a commercial relationship with Cisco...Hopefully it won't be too terrible! It's still early in the day and I could move to chapter 7, but I think I'll review my notes from 1-6.
    Did you feel as though the book covered this topic enough to where you didn't need to lab this?
    2017 Certification Goals:
    CCNP R/S
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Yeah, it wasn't bad. Once you understand the ACS framework I think you'd be able to stumble through it on an exam. Just remember:

    Network Device Groups: Groups of network devices with similar functions, managed by the same admins.
    Network Devices: Individual network devices that make up network device groups.
    Identity Groups: Admins with similar job roles
    User Accounts: Make up the identity groups
    Authorization Profiles: These profiles control what rights are permitted. The profile is associated with a network device group and an identity group.

    This is all from chapter 7. Good luck!
  • Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
    YFZblu wrote: »
    Thanks!

    Update: Now that my wife works for a Cisco reseller, I may be able to get an ASA device at a pretty significant discount. We shall see!

    Perhaps provide discounts to all of the TE members - for educational use, obviously. ;)
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 14

    Chapter 13: Zone-Based Firewalls

    Wow - I felt like I was drinking from a fire hose for two hours. Zone-based firewalls are definitely an interesting and new concept. Thankfully at this point Cisco has trained my brain to accept and absorb new concepts much more easily than before I started studying Cisco. The text says we should focus on using CCP for ZBF, which is good because the syntax can get pretty hairy in the CLI. Not that you shouldn't know the CLI, of course.
  • sthompson86 Member Posts: 370
    I am at Chapter 4, but I see that Chapter 5 starts the intro to CCP. I know this will involve some configuring etc. I am going to the Smoky Mountains for 2 weeks, so I am going to put my studies on hold; trying to do configs etc. on a netbook, especially when I am doing stuff for the first time (CCP), is not the way I want to go.

    I will be carrying my flash cards though that I make after each chapter.
    Currently Reading: Again to Carthage - CCNA/Security
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    Day 15

    I didn't do any reading, but I did set up my ASA device in GNS3. Looking forward to chapter 14 today!
  • YFZblu Member Posts: 1,462 ■■■■■■■■□□
    sthompson86 wrote: »
    I will be carrying my flash cards though that I make after each chapter.

    Good idea :)