YFZblu's CCNA: Security journey (640 554)


Comments

  • YFZblu Member Posts: 1,462
    Completed re-reading chapter 7, configuring AAA using IOS CLI, CCP, and ACS. In total I only have about seven ACS note cards; there really isn't much required for the CCNA Sec apparently.

    Tonight before I go to sleep I'll watch CBT Nuggets on Layer 2 security.
  • spiderjericho Registered Users, Member Posts: 896
    Doesn't Server 2008 have NPS, which uses RADIUS? If you enabled it, it would probably be better.

    And ISE seems to be Cisco's new identity management/network access solution and it uses RADIUS.
  • sthompson86 Member Posts: 370
    YFZ - How did you digest Chp. 6? That is where I am at. I do not like chapters like this where they throw all these commands at you without really explaining what the heck is going on. It's like trying to teach someone how to drive without letting them drive lol

    I guess what I am asking is - did you lab Ch. 6? I can enter in all these commands, but I really do not know what the heck I am doing.
    Currently Reading: Again to Carthage - CCNA/Security
  • spiderjericho Registered Users, Member Posts: 896
    That's why it helps to have supplemental material like CBT Nuggets. Or maybe just take a break, retread the chapter and lab again.
  • YFZblu Member Posts: 1,462
    spiderjericho wrote: »
    Doesn't Server 2008 have NPS, which uses RADIUS? If you enabled it, it would probably be better.

    And ISE seems to be Cisco's new identity management/network access solution and it uses RADIUS.

    Great suggestion, I didn't know NPS used RADIUS. I'll try that out tomorrow and report back
  • YFZblu Member Posts: 1,462
    sthompson86 wrote: »
    YFZ - How did you digest Chp. 6? That is where I am at. I do not like chapters like this where they throw all these commands at you without really explaining what the heck is going on. It's like trying to teach someone how to drive without letting them drive lol

    I guess what I am asking is - did you lab Ch. 6? I can enter in all these commands, but I really do not know what the heck I am doing.

    +1 to what spiderjericho suggested - IMO, the 'problem' with the Cisco Press book for CCNA Sec is there are certain "glue" statements that must be clearly conveyed in order to fit all of this information together. Some of these 'glue' statements as I call them are barely glossed over in the book, so much that one might miss it completely, rendering the rest of the topics confusing. CBT Nuggets does help with a little of this, especially watching a video a couple of times prior to reading the corresponding chapter in the book.

    Can you post exactly what you're confused on, or try to verbalize it here? Maybe I can help, I feel like I have a decent understanding of the topics for AAA.
  • sthompson86 Member Posts: 370
    spiderjericho wrote: »
    That's why it helps to have supplemental material like CBT Nuggets. Or maybe just take a break, retread the chapter and lab again.

    Yeap, going to have to. I am not totally lost, just a bit dazed lol
    Currently Reading: Again to Carthage - CCNA/Security
  • YFZblu Member Posts: 1,462
    So the CBT Nuggets for Layer 2 security is pretty awesome. Keith Barker explains several different types of attacks: Gratuitous ARP, CAM overflow, VLAN hopping, different types of spoofing such as gateway spoofing or DHCP spoofing, etc. He also gets into manipulating DTP for malicious use and using STP to take control of the network data flow or capture packets. He then proceeds to use Backtrack to perform a couple of these attacks and then uses 'show' commands on the switch to see the infrastructure react in real time. Maybe my favorite CBT Nuggets video ever!

    So for today I will read the corresponding chapter to that video, securing layer 2
  • Roguetadhg Member Posts: 2,489
    You might be interested in the CCNP: Security Firewall exam. The last video has information about using ASA with GNS3. I haven't watched it, I'm going through the NA videos first. I'll try to swing that video in at the end.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • spiderjericho Registered Users, Member Posts: 896
    YFZblu wrote: »
    Great suggestion, I didn't know NPS used RADIUS. I'll try that out tomorrow and report back

    Cisco RADIUS Setup : layer2edu

    Use RADIUS to manage Cisco devices : layer2edu

    Check out the above links on how to set up NPS. Maybe a combo of real hardware with a VM or Virtualbox and GNS3 to lab the concept.
  • YFZblu Member Posts: 1,462
    Awesome links, thanks for the great resource
  • YFZblu Member Posts: 1,462
    Roguetadhg wrote: »
    You might be interested in the CCNP: Security Firewall exam. The last video has information about using ASA with GNS3. I haven't watched it, I'm going through the NA videos first. I'll try to swing that video in at the end.

    Good point!
  • YFZblu Member Posts: 1,462
    Re-read the layer 2 security chapter - Nearly halfway through with the 2nd read-through, looking forward to putting all of this together.
  • sthompson86 Member Posts: 370
    YFZblu wrote: »

    Can you post exactly what you're confused on, or try to verbalize it here? Maybe I can help, I feel like I have a decent understanding of the topics for AAA.

    I think I understand it, but this is what has me wondering.

    Lets take the command -

    R1(config)# aaa authentication login MY-LIST-1 group tacacs+ local enable

    The "My-List-1" had/has me a bit confused. My guess is that its pretty much like an ACL, and that I can have as many as I want, and I can place them on which ever Interface or Line. The last few statements such as, " Group tacacs local enable" declare where "My-List-1" is supposed to check for credentials along with the sequence.

    I think I understand?
    Currently Reading: Again to Carthage - CCNA/Security
  • spiderjericho Registered Users, Member Posts: 896
    The list is instructing the line on how to authenticate, authorize and account.

    Mylist1 group tacacs+ local none

    This list, if applied to your line vty, will cause the router and switch to authenticate first with the ACS, then the local user, then fail authentication.

    It's just a behavior.
  • YFZblu Member Posts: 1,462
    sthompson86 wrote: »
    I think I understand it, but this is what has me wondering.

    Lets take the command -

    R1(config)# aaa authentication login MY-LIST-1 group tacacs+ local enable

    The "My-List-1" had/has me a bit confused. My guess is that its pretty much like an ACL, and that I can have as many as I want, and I can place them on which ever Interface or Line. The last few statements such as, " Group tacacs local enable" declare where "My-List-1" is supposed to check for credentials along with the sequence.

    I think I understand?

    You've got it. You'd use the 'default' keyword if you wanted every management point to use the corresponding method list without having to apply it anywhere. But if you want to manually assign a method list to logical interfaces, such as VTY lines only, you would create a custom method list (in your case named MY-LIST-1) and you would have to manually apply that custom method list to every management point on the router.

    First the router will attempt to authenticate to a TACACS+ server. If that server is deemed unreachable, the next step is to fail over to the local database, which is a user account created on the router itself. If for whatever reason that fails, the router will finally prompt for the enable password before, as spiderjericho said, failing authentication.
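    The pieces the two replies above describe, put together as one IOS configuration. This is an added illustration, not a config posted in the thread: the server name ACS1, the address 192.0.2.10, the username netadmin and every secret are constructed placeholders, and the server-group syntax is the IOS 15 form.

```cisco
! Added example (not from the thread). Addresses, names and secrets are placeholders.
aaa new-model
!
! TACACS+ server that every method list below tries first.
tacacs server ACS1
 address ipv4 192.0.2.10
 key 0 SHARED-SECRET-PLACEHOLDER
!
! Local fallback account and enable secret, used only when the server cannot be reached.
username netadmin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
enable secret ENABLE-PASSWORD-PLACEHOLDER
!
! The 'default' list applies by itself to every line (console, aux, vty)
! that has no custom list assigned: TACACS+ first, then the local database.
aaa authentication login default group tacacs+ local
!
! The custom (named) list from the question, in the spelling IOS accepts:
! TACACS+ -> local user database -> enable secret -> if all three fail, login fails.
aaa authentication login MY-LIST-1 group tacacs+ local enable
!
! A named list is inert until it is applied to a line, so apply it to the VTYs.
line vty 0 4
 login authentication MY-LIST-1
 transport input ssh
!
! The console stays on the default list (TACACS+ -> local).
line con 0
 login authentication default
```

    Two caveats worth pinning to a notecard. IOS only moves to the next method when the current one cannot be reached (the server times out or the group has no reachable server); a password the server rejects ends the attempt rather than falling through to `local`. And `enable` as the last method is not the same as `none`, the keyword in spiderjericho's list: `none` means the login succeeds with no credentials at all once the earlier methods are unavailable, so it is only defensible on a physically secured console line, never on VTYs. `show aaa method-lists authentication` prints the lists the router currently holds so you can confirm the order before applying one to a line.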
  • YFZblu Member Posts: 1,462
    Finished watching the CBT Nuggets video for tools to secure the management plane: CCP, SNMPv3, Secure boot, Parser views, Security audit, etc. This video seemed a little out of place considering we had already moved past the management plane several videos ago.
  • YFZblu Member Posts: 1,462
    Read chapter 9, securing the IPv6 data plane - I enjoyed this chapter, and as I said before it was a little deeper than the CCNA explanation. Tonight I will review my notecards and move to chapter 10 and 11 tomorrow.
  • Roguetadhg Member Posts: 2,489
    Have you gotten that feeling of "Oh, I see how things fit together" yet? :D I had that feeling after going through the first 5/6 chapters again. So good. I'm going to try to schedule my test sometime soon. It'll be a stretch with all the bills... but the CCNA:Voice book is calling out to me like a naughty wall-flower.

    I wrote notes this time, since I scribbled in my book the first time around... instead of coloring this time. I was able to connect the information that was important without a hitch.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • YFZblu Member Posts: 1,462
    Did you already read it twice?? I think I should be close to taking the exam after I finish up in the next couple of weeks; I've been studying my notecards, so the little things shouldn't escape me.
  • Roguetadhg Member Posts: 2,489
    My first time was the slowest. Read sentence by sentence, paragraph by paragraph to try to figure out the "points". Scribbled it on the left side with arrows that went to the paragraph(s) that the point covered, so I wouldn't need to read it again as intensely.

    Second time I grazed along the main points of what the paragraphs said from the left-margins. I covered 4-5 chapters easily trusting that I didn't get lazy :P

    Now I'm taking notes with those points.

    I'll tell you though, the first time... Talk about a snail's pace!
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • YFZblu Member Posts: 1,462
    Oh ok, I'm reading it sentence-by-sentence both times. Anyway, I still hate you for pulling ahead of me :)

    When do you plan on challenging the exam? Any idea?
  • Roguetadhg Member Posts: 2,489
    No idea. Bills, and all... Trying to kill off some debt, to free up some cash. I've been throwing much more money at my loans so I'd rather have that cleared up before progressing with certifications. Less stress I think overall.

    Still, I need to fix my work computer - I'll need to rebuild it, as everything was shot after troubleshooting!

    Honestly, I don't foresee myself taking the exam until late November - if that. For now, I'm studying for the knowledge. Unfortunately, I haven't really been able to lab anything. I'm not entirely sure how to lab CCNA:Security with GNS3. I have the ASA loaded, working. But setting up VPNs... Come to think of it, I should be able to set up two VPNs within GNS3 and do it that way instead of trying to find an ISR router IOS.

    The cheapest ISR router is the 1800, and it's not listed under GNS3. I haven't done any research on if it's possible to use the 1800, though.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • YFZblu Member Posts: 1,462
    Completed chapter 10: Planning a Threat Control Strategy. Next up is the ACL chapter, and this is where the technical rubber really meets the road. ACLs, ASA Firewall, Zone based Firewall, PKI, VPN, etc. are going to wrap up the last 10 chapters or so, so this is where my lab'ing will hopefully pick up!

    I'll be traveling 16 days out of the next 30, so I'm hoping to get my ASA device hooked up to my home network, and I'll throw my lab in the DMZ for remote access. That way I can continue to lab from my hotel room; perhaps even lab on the airplane, just because that would be awesome :p

    A network engineer I know at work hooked me up with his ASA config from home, so I'll modify and hopefully put it in place in the next couple of days.
  • YFZblu Member Posts: 1,462
    Moved forward with the CBT Nuggets on IPv4 and IPv6 ACLs via CLI and CCP. I also read the chapter. My CLI note cards are starting to stack high, same goes for my CCP note cards!

    Tomorrow begins the firewall work, which I look forward to now that I have my ASA.
  • Roguetadhg Member Posts: 2,489
    I'm going to keep an eye out on the thread, just to make sure you keep truckin'. I'm going to go off to Voice for a read-through, or two. I'll come back later.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • YFZblu Member Posts: 1,462
    Definitely share your experience - Voice may be in the cards down the road for me as well.
  • Rens- Member Posts: 8
    Hi YFZblu!

    Do you already have clear notes on the whole course?
  • YFZblu Member Posts: 1,462
    The only notes I have taken down are on notecards
  • mtjikuzu Member Posts: 23
    This is a really great thread. I started my studies a couple of weeks ago and I am reading the OCG plus CBT Nuggets.
    I've managed to set up the lab that Keith Barker has in the video on GNS3 with VirtualBox and ASA.
    Going for my second pass through the OCG more slowly. Will definitely keep this thread posted on progress.