GCIA purchased today

Paul Boz

Just got to wrap up the GCFW gold paper and self-study the GCIA for a minute and bam, GSE candidate

Find more posts tagged with

Comments

Bl8ckr0uter

Paul Boz wrote: »

Just got to wrap up the GCFW gold paper and self-study the GCIA for a minute and bam, GSE candidate

Awesome. Do you have a link to the paper? Has it been placed in the reading room yet?

Good luck on the GCIA. Let us know how it goes*

*especially those of us who are going to challenge the exam later this year

ipchain

That's great news! Not that you'll need it, but best of luck on your GSE attempt. I haven't made much progress on my GCIA studies as school + work are taking a lot of my time at the moment.

With a bit of luck I will be able to find some motivation along the way to continue studying for it.

Paul Boz

The paper isn't near done because I'm juggling at least ten massive projects at the moment. When work prevails study suffers.

veritas_libertas

Is Dynamik still in the race?

Edit: Oh, and of course congratulations! Quite an accomplishment just to make it thus far!

Paul Boz

Yeah he's still in the hunt. We now work for different employers (we've both moved on from our shared place of work) so both exceptionally busy. I believe he has a paper and two certs or just two certs or some similar breakdown but he's a machine and we push each other very hard so expect the same from him.

By the way, SANS was massively on-point with getting me course access today. I made the purchase and had access to the MP3s and self-study content within an hour. I haven't had a chance to crack the material yet but I may watch the opening slides tonight to "get in the mood."

Bl8ckr0uter

Have you thought about GCED? It looks like a really cool test to do.

docrice

Okay, it's time for me to sucker up and join the rest of you guys. I'm ordering the GCIA next week before the SANS OnDemand discount code runs cold. I've already requested time off for the rest of the week afterward so I can attempt to go through the OnDemand part of the course for six days straight. I'm fully expecting this one to whip my rear end since I have no practical IDS experience, and who knows ... I might have to spend the entire allotted four months to prepare for the exam.

I just hope my tax return comes through like I expect it to...

Bl8ckr0uter

Man you must be loaded. Good luck!!!!

docrice

Loaded, or broke. Same thing over here. The key to being "loaded" is to compromise on life's luxuries. You know, like eating this thing called food. If I skip three meals a day, I just might be able to do it.

Actually, I forgo a lot of things people take granted for. Cable TV, having a TV, vacations, alcohol... Or to put it another way, the GCIA would be "vacation." Nothing like sitting on a beach (home office chair), enjoying the sun (overhead lighting), watching the sea (OnDemand), while sipping on a cold one (tap water).

Bl8ckr0uter

docrice wrote: »

Loaded, or broke. Same thing over here. The key to being "loaded" is to compromise on life's luxuries. You know, like eating this thing called food. If I skip three meals a day, I just might be able to do it.

Actually, I forgo a lot of things people take granted for. Cable TV, having a TV, vacations, alcohol... Or to put it another way, the GCIA would be "vacation." Nothing like sitting on a beach (home office chair), enjoying the sun (overhead lighting), watching the sea (OnDemand), while sipping on a cold one (tap water).

Lol my TV doesn't even support high dev so when football is on, I have to google the scores or wait until an announcer says 'em cause I can't see them

Cable TV year right, I still haven't even gone on a honeymoon lol.

Beer, forget about it lol

I feel your hustle though

You must spread rep around before giving some to this user....

dynamik

I'm still alive and kicking, barely. I've been all over the place this year. I've become obsessed with FreeBSD. I'm currently configuring a VPS with several jails for various servers, and I just got a pretty sweet ZFS file server with encryption setup at home. Absolute FreeBSD 2nd Edition is a phenomenal book. I've also been playing around with a lot of Ruby and Python. March will be dedicated to assembly. I should probably challenge a couple of those exams and write a paper at some point too. Hm...

veritas_libertas

dynamik wrote: »

I'm still alive and kicking, barely. I've been all over the place this year. I've become obsessed with FreeBSD. I'm currently configuring a VPS with several jails for various servers, and I just got a pretty sweet ZFS file server with encryption setup at home. Absolute FreeBSD 2nd Edition is a phenomenal book. I've also been playing around with a lot of Ruby and Python. March will be dedicated to assembly. I should probably challenge a couple of those exams and write a paper at some point too. Hm...

What kind of security work are you doing these days? I know you got a new gig recently.

Forsaken_GA

dynamik wrote: »

I'm still alive and kicking, barely. I've been all over the place this year. I've become obsessed with FreeBSD.

Noo... come back from the dark side......

Actually, I kid. I like FreeBSD for some things, I've just gotten spoiled with easy linux distros, Debian in particular. Every time I go work on a FreeBSD box, I have to go shift my brain around and remember where everything is. I've been slowly transitioning myself into RHEL/CentOS land, since that's what we use at work.

My little distractions have consisted of building a homebrew SAN and porting all my physical boxes to ESXi guests. As much as I love Debian and it's derivatives, getting LDAP up and running on fedora-ds and integrating CentOS/RHEL hosts is freaking easy compared to any other implementation I've done.

docrice

I helped stimulate the economy today by hitting the Purchase button on the SANS registration site, and my wallet's in pain. It's as if thousands of dollars suddenly cried out in terror and were suddenly silenced.

For those of you going through the GCIA course at the moment, how do you like it so far? Have you picked up a great deal that's practical for your work? Is it pretty fast-paced? Has it improved family life and lowered neighborhood crime rates?

veritas_libertas

docrice wrote: »

I helped stimulate the economy today by hitting the Purchase button on the SANS registration site, and my wallet's in pain. It's as if thousands of dollars suddenly cried out in terror and were suddenly silenced.

For those of you going through the GCIA course at the moment, how do you like it so far? Have you picked up a great deal that's practical for your work? Is it pretty fast-paced? Has it improved family life and lowered neighborhood crime rates?

Nice Star Wars reference...

Good luck with the GCIA

dynamik

veritas_libertas wrote: »

What kind of security work are you doing these days? I know you got a new gig recently.

It's a management position. It pays well, but I'm already missing the hands-on, technical tasks. It's also odd to work at a single location exclusively. I got a random text from Paul the other day, "I need to start traveling again. I still feel like I'm just at a really long on-site." I can totally relate. I think the next step is going to be to start my own company (I'll let Paul be my secretary). The only other option at this point is to really just put my time in and make a VP > CSO/CISO > CIO progression, and that really doesn't appeal to me.

Forsaken_GA wrote: »

Noo... come back from the dark side......

Actually, I kid. I like FreeBSD for some things, I've just gotten spoiled with easy linux distros, Debian in particular. Every time I go work on a FreeBSD box, I have to go shift my brain around and remember where everything is. I've been slowly transitioning myself into RHEL/CentOS land, since that's what we use at work.

My little distractions have consisted of building a homebrew SAN and porting all my physical boxes to ESXi guests. As much as I love Debian and it's derivatives, getting LDAP up and running on fedora-ds and integrating CentOS/RHEL hosts is freaking easy compared to any other implementation I've done.

I'm really becoming a fan of source-based distros. The ports system is tight, and I think I'm going to transition over to Gentoo on the Linux side of things. I agree with you though. If you're looking to be cutting-edge or do things like support interoperability, you may be better off with Linux. I went with FreeBSD at home specifically for ZFS. I'm not too keen on the userland implementation in some Linuxes (licensing issues). I used geli to encrypt each block device then made a raidz pool with each resulting .eli device. *sexy*

docrice wrote: »

I helped stimulate the economy today by hitting the Purchase button on the SANS registration site, and my wallet's in pain. It's as if thousands of dollars suddenly cried out in terror and were suddenly silenced.

For those of you going through the GCIA course at the moment, how do you like it so far? Have you picked up a great deal that's practical for your work? Is it pretty fast-paced? Has it improved family life and lowered neighborhood crime rates?

I saw a package from SANS at Paul's today that was about a cubic foot in size. I'm going to bring a tazer with me next time I go over there, so I wouldn't count on it lowering crime rates, at least in the near future.

I was a bit let-down that my employer (probably) isn't going to get me this course, but I have a ridiculous self-study routine planned out that will probably result in me learning more overall than had I simply taken the course.

The thing I like about self-study is that when you hit a wall or mess up, struggling to figure it out instead of having someone simply provide you with an answer really makes the material stick. I also want to brag about scoring higher on the exam than Paul, who has the material

I probably could finance it myself, but between the GCIH and GCIA challenges, the GSE written, the GSE lab, and travel to the lab, I'm already looking at around $5k out-of-pocket. That's about my threshold for annual out-of-pocket certification expenses. I'm also looking at getting some lab time for the OSCP, and am debating CISM, CISSP-ISSAP, and/or CISSP-ISSMP this year as well. At the moment, I'm just trying to conveniently ignore the fact that price tags are also attached to those items...

docrice

dynamik wrote: »

I think the next step is going to be to start my own company (I'll let Paul be my secretary).

Hire me, please? I know a few commands. This "ping" thing comes to mind, and I have a few certs so I apparently must be qualified.

dynamik wrote: »

The thing I like about self-study is that when you hit a wall or mess up, struggling to figure it out instead of having someone simply provide you with an answer really makes the material stick.

I agree with this, and banging your head against the wall will (hopefully) make you figure out alternate ways of getting things to work. However, being spoon-fed the information is convenient and in many ways time-efficient, although in the long run you'd certainly learn much more on the subject matter through your own trial-and-error. These courses are merely for jump-starting into a subject area anyway, or at the very least reinforcement of existing knowledge.

dynamik

docrice wrote: »

Hire me, please?

Heh, the way you're going, you may be the one hiring me in a few years.

docrice wrote: »

I agree with this, and banging your head against the wall will (hopefully) make you figure out alternate ways of getting things to work. However, being spoon-fed the information is convenient and in many ways time-efficient, although in the long run you'd certainly learn much more on the subject matter through your own trial-and-error. These courses are merely for jump-starting into a subject area anyway, or at the very least reinforcement of existing knowledge.

I agree. In this case, it's less about banging my head against the wall than ensuring that I cover all my bases for the exam. I'm planning on going through a half-dozen books or so, but there will probably be some unique content in the courseware. But like I was saying, I'll probably have a more thorough understanding of the items I study simply because I'm going out of my way to learn as much as possible.

Paul Boz

You know why I really miss traveling? Because I could study on the damn airplanes. I had to spend six to ten hours a week on one so I may as well do something productive with that time. Now I work like 80 hours a week then come home and do nothing. I'm maybe 30 pages into book 1 and I bought the course weeks ago. I think there's a fair bit of apathy on my part though... like 50% of this course is straight GCFW material so it is hard to gauge my interest because I've read it all six times over in the past. I'm on vacation the week after next and will completely devour this entire course and probably challenge the test shortly there after. What is 1400+ pages when 50% of it is rehash?

Also, a personal goal is to buy a brand new Porsche 911 GT2 with cash by 30, so hopefully the GSE will help facilitate that to a certain degree. I need to get into investing so that I have the capital to buy my wife her own physical therapy practice. That's when the money comes in by the barge load. Basically you pimp out other PTs that work in your clinic and get a slice of their pie. The fact that I work at one of America's largest healthcare corporations has given me quite a bit of insight into running a medical practice. I don't think I'd need to hire any outside council at all. I digress.

veritas_libertas

dynamik wrote: »

The only other option at this point is to really just put my time in and make a VP > CSO/CISO > CIO progression, and that really doesn't appeal to me.

That does seem rather boring. I prefer to deal with new projects and challenges on a regular basis.

docrice

Paul Boz wrote: »

I'm maybe 30 pages into book 1 and I bought the course weeks ago. I think there's a fair bit of apathy on my part though... like 50% of this course is straight GCFW material so it is hard to gauge my interest because I've read it all six times over in the past. I'm on vacation the week after next and will completely devour this entire course and probably challenge the test shortly there after. What is 1400+ pages when 50% of it is rehash?

Suggestion: skip the first book. As a matter of fact, if you're already familiar with tcpdump, filtering with bitmasking, and header fields, go straight to book 2, page 295. You can always go back to the earlier sections to skim through later.

I'm not sure if I'd say half of SEC-503 is a re-hash of 502. The first book is pretty much all review from the 502 for sure (except maybe the Microsoft protocols section, which is relatively sparse, unfortunately).

Bl8ckr0uter

Do any of you have a good book on Windows Protocols? I have been going through the WCNA book as an intro to some of the GCIA topics. As far as windows protocols, I have a Server 2008 book and this document:

TCP/IP Fundamentals for Microsoft Windows

I am also going to pick up these books:
http://www.amazon.com/TCP-Guide-Comprehensive-Illustrated-Protocols/dp/159327047X/ref=wl_it_dp_o?ie=UTF8&coliid=IZZH5HKQFAF3G&colid=2WIN7NYQ75PLF

http://www.amazon.com/Computer-Networking-Internet-Protocols-Action/dp/0471661864/ref=sr_1_1?s=books&ie=UTF8&qid=1298146920&sr=1-1

docrice

I think I skimmed through that document before. It addresses the core Internet protocols and some of the NetBIOS-related stuff, but doesn't really get into SMB / CIFS or MS-RPC as much as I'd like.

However, Microsoft does have available a few docs which I'd really like to get into when I have the time:

http://msdn.microsoft.com/en-us/library/ee442092%28v=prot.13%29.aspx
http://msdn.microsoft.com/en-us/library/cc246482%28v=prot.13%29.aspx
http://msdn.microsoft.com/en-us/library/cc246231%28v=prot.13%29.aspx

I think MS-RPC is a bit more tightly-guarded as a spec and I don't see a link specific to the it (other than the extensions), so managing firewall rules is relatively difficult given the dynamic nature of the protocol as it negotiates different ports for different RPC service bindings. It's a bit frustrating to examine when doing wire analysis. I heard that even Check Point's SmartDefense was not all that great in getting the filtering right via its protocol inspection engine. ISA 2006, naturally, handles it apparently very well, but I understand it's recommended to put another firewall in front of ISA, so...

Bl8ckr0uter

Awesome. Have you looked at these:

Blogs | The Honeynet Project
Wireshark Network Analysis

docrice

I have not. Those Wireshark book supplements look very interesting, although at this point I'm way too backed up with other reading material and certification ambitions to comb through everything I want. There's just not enough time in the day...

Bl8ckr0uter

I hear that.

My whole list for the GCIA self study has grown yet again:

Snort:
Snort :: Docs

DNS:
http://www.zoneedit.com/ doc/rfc/

IDS/IPS:
Extrusion Detection
TAO Network Monitoring
Intrusion Analysis
Honey Pots - Extra Credit

Wireshark/TCPDump/Analyst
Wireshark book – Owned
TCPDUMP MANPAGE
Slience on the wire

Firewalls:
Linux Firewalls – Owned

IPV6
IPV6
IPV6 SECURITY

TCP/IP + ICMP + FIREWALLS
TCP/IP GUIDE
TCP/IP FUNDAMENTALS
NMAP Guide – OWNED

Other Stuff:
Blogs | The Honeynet Project - Bad Traffic
Top 4 Packet Crafting Tools – Packet Crafting Tools
Wireshark Network Analysis – More pcaps
Tools (Beta) | SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - Stuff

I also plan to study up on perl and python but that's more of an extra credit.

docrice

The SEC-503 class is great and they provide you a VM that has Snort pre-installed on it. However, I'm not going to use that VM at work so I decided I'll install it on the CentOS platform that we've (somewhat) standardized on. Unfortunately, given current documentation from snort.org, it's been a hit-or-miss on various parts of the install since the newest version of Snort (2.9.0.4) doesn't line up exactly with what the documentation recommends.

After spending some quality time frustrating through this, I've posted my CLI install notes which was based on the Snort 2.8.6 / CentOS 5.5 install doc. Maybe some of you who are currently pursuing the GCIA might find it easier to get it up and running...

http://kimiushida.com/bitsandpieces/articles/snort_quickstart_on_centos_5.5/

If you see any errors or I missed something, let me know. It's designed to be a copy / paste experience for the most part.

Bl8ckr0uter

Excellent article +rep.

Noob alert:

What is the "evil" packet? I did google it.....

docrice

In that reference, an "evil packet" simply means any packet that you categorize as suspicious and want your IDS to alert you on. I just made up a very simple example where anything running on TCP port 6767 is suspect. Kind of funny - my Snort setup at home alerts me whenever it sees Yahoo! or AIM instant messaging packets because it apparently considers it a security violation by default (I'd assume perhaps most corporations might want to alert on it out of the box).

Don't get confused with the "evil bit." Sometimes you'll hear about this bit in the IP header. This is just the reserved bit in the IP header flags field at byte offset 6. See RFC 3514 regarding that one.

Bl8ckr0uter

docrice wrote: »

Don't get confused with the "evil bit." Sometimes you'll hear about this bit in the IP header. This is just the reserved bit in the IP header flags field at byte offset 6. See RFC 3514 regarding that one.

I think I was getting them confused. Thanks for the information and the rfc. Looks like I have some reading to do