  1. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #1


    My Journey for Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    I PASSED!!!!!!!

    Boom shaka-laka!

    See update here:
    My Journey for Implementing Cisco IOS Network Security (640-553 IINS) [CCNA:Security]

    -----------------------------
    Initial Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    008.33% - Overall Preparation
    =============================
    050.00% - Reading
    000.00% - Carding
    000.00% - Labbing
    000.00% - Studying
    000.00% - Practicing
    000.00% - Confidence

    Today's Update:
    Reading - I'm on chapter 8, approximately halfway through the study guide. I also went to cisco.com to look over the exam objectives, to see if they'd changed. According to the site, they were last updated in December 2009 ... just making sure, don't want to get blindsided.
    Carding - N/A
    Labbing - N/A
    Studying - N/A
    Practicing - N/A
    Confidence - I feel that if I took this exam today, I would undoubtedly fail it, as there is so much SDM in the objectives, and when I look at SDM, I think back to the PDM that I hated so much back in the day. I remember being overjoyed to discover that the Pix firewall indeed had a CLI -- which turned into over-disappointment when I realized that I had to use different commands than regular IOS.


    ===========================================================================================
    Header Explanations (this will only be done for this initial posting)
    ===========================================================================================

    <insertword> Update:
    Which update I'm on. I like to use first, second, third, etc. Hopefully, I clear the exam before the thirtieth update!

    Certification: <title>
    Title of certification I'm working on

    Overall Preparation:
    1. Basically, a mathematical average of the numbers in 1-6.
    2. If it's anything like my past updates in my CCNA post, expect me to get a few of these wrong, and have to recalculate after the fact.

    Reading (of preparation text):
    1. CCNA Security Study Guide, by Tim Boyles, 2010, ISBN: 978-0-470-52767-2
    2. Cisco Systems, Inc (I want to go here for any clarifications)
    3. Welcome to The TCP/IP Guide! (Great free resource, plan to use this, as required)

    Carding (Making the flash cards):
    1. Will use Cuecard software, and/or index cards, depends on how tired I am of looking at computer screens that day.
    2. Want to focus on exam objectives, not making a card for every other sentence just about, like I was on the CCNA.

    Labbing (Doing the labs)
    1. Labs in the text above.
    2. No other labs.
    3. Focusing on exam objectives, not on doing a million different configurations.
    4. Goal is to do at least four or five sweeps through the labs (hope this doesn't bore me too much, and I learn something from it).
    5. Lab EQ: SDM/GNS3.
    6. Most of the objectives can be completed on a single SDM-supporting router
    7. You could do "half" the VPN configuration, but that would be kind of defeating the purpose of the learning exercise.

    Studying (Studying the flash cards and reviewing labs)
    1. Review the flash cards
    2. Review labs

    Practice (Taking Practice Tests in the text):
    1. Taking practice tests in the text, review questions, etc.
    2. Want to wait until I'm near 80% level on confidence before I go at these.
    3. After taking one, I want to reassess my weak points, then study/lab up on those, before attempting the next practice test.
    4. This gives me the greatest chance of mimicking the results of an actual exam, where I only get to see it once, though I doubt it will be as good as the Cisco exam.


    Confidence (How confident I am in being able to pass this exam, if I took it today.)
    1. CCNA:Security (640-553) has 31 objectives
    2. CCNA (640-802) has 76 objectives
    3. Just by counting the objectives, I can breathe a little easier, LOL.
    4. Anecdotal notes from others -- on this forum: "Easier than Security+", "easier than CCNA", or a coworker: "Not very technical" -- help to increase my confidence level a little bit.
    5. I was able to pass 640-802, so that gives me some measure of confidence.
    Last edited by instant000; 07-23-2011 at 10:20 PM. Reason: PASSED!
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)

    #2
    Second Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    021.67% - Overall Preparation
    =============================
    100.00% - Reading
    000.00% - Carding
    005.00% - Labbing
    000.00% - Studying
    000.00% - Practicing
    025.00% - Confidence
    ============================
    ============================
    Today's Update:

    Reading - Completed the text today. Note: I have not attempted any of the written labs, or the review questions. I just wanted to enjoy the book. When I go back through and make the flash cards, I expect to dig through the text a bit more, as I basically have to read the entire thing again, to pick out what I want to use to work against the objectives. The appendix material wasn't on the objectives, but I read them anyway. I even glanced over the glossary. Thankfully, the terms were mostly recognizable, so I guess I did get something out of the book. I did not glance over the index that much, but figure it might be useful, once I go back to making cards.

    Carding - Made No Cards today.

    Labbing - I did look over the labs while reading through the text, so I give myself a little credit for that, LOL. I noticed that there are even a few exercises in Appendix D, towards the end of the book; want to make sure to go over those, too. The author of the book called it a case study, and it is six exercises about setting up secure management, AAA, IPS, IOS Firewall, Layer 2 Security, and he even threw one in on site-to-site VPN ... I think he was trying to cover all of the bases, LOL. They're all geared towards exam objectives, so it can't hurt to do those labs, also.

    Studying - I'm not counting reading the book as studying. I tried to enjoy the book, reading it for its merit, and ignored going over the questions, so it would be a more fun exercise for me.

    Practicing - Ignored the questions for now. Was trying to just read the book for enjoyment.

    Confidence - After seeing several chapters in the text were re-hashes of Security+ level material, it was quite a relief. Confidence level rose!

    ============================
    ============================
    Just to update, this is the current plan (may change)
    01. Read
    02. Cards
    03. Lab
    04. Revise Cards
    05. Study Cards to Mastery Level
    06. Review Questions and Written Labs
    07. Revise Cards
    08. Lab to Mastery Level
    09. Revise Cards
    10. Study Cards to Mastery Level (* time to schedule exam)
    11. Bonus Exam 1 from CD (reschedule, if score to Bonus Exam 1 is disappointing)
    12. Revise Cards
    13. Study Cards to Mastery Level
    14. Bonus Exam 2 from CD (this will be a good indicator of how well I do on the actual exam)
    15. Pass 640-553
    16. Make pass post on techexams.net

    ============================
    ============================

    With regards to reading cisco.com or other sites ...

    If a topic beats me up, the idea is to then try to find the corresponding documentation for it on cisco.com or elsewhere, so I can see the topic from a different perspective, and maybe catch onto it better. Kind of how I was at work last week, and I had to set up a VPN between two netscreens, using policy-based, and with tunnel-based VPN. The job gave me some documentation, and I tried to follow it, but it just didn't make sense to me.

    I went to juniper.net, and used their documentation (which had excellent images to go along with their configurations) and I could instantly understand what I should be doing. I'd not configured on ScreenOS before, so the get and set thing was all foreign to me.

    Even with that, I was able to configure site-to-site, using both tunnel-based, and policy-based VPN, just from using the documentation on their site, but I was totally confused with the home-brewed documentation. So, I guess it shows that sometimes I learn better with a different take on the same story. Also, the Juniper documentation was really good (DISCLAIMER: At least, the Juniper documentation I read was very good.)
    Last edited by instant000; 07-03-2011 at 12:47 PM. Reason: spelling

    #3
    Third Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    023.75% - Overall Preparation
    =============================
    100.00% - Reading
    012.50% - Carding
    005.00% - Labbing
    000.00% - Studying
    000.00% - Practicing
    025.00% - Confidence
    ============================
    ============================
    Today's Update:

    Reading - Did a little re-reading today, as I was going through, making flash cards.

    Carding - Made flash cards for chapters 1 and 2 of the text. 196 total so far. At this rate, I'll probably be sitting on a big mound of cards again, just like I was with the CCNA.

    Code:
    Ch - Card - Topic
    01 - 0092 - Introduction to Network Security
    02 - 0104 - Creating the Secure Network
    03 - 0000 - Securing Administrative Access
    04 - 0000 - Configuring AAA Services
    05 - 0000 - Securing Your Router
    06 - 0000 - Layer 2 Security
    07 - 0000 - Implementing Cisco IOS Firewall
    08 - 0000 - Implementing Cisco IOS Intrusion Prevention
    09 - 0000 - Understanding Cryptographic Solutions
    10 - 0000 - Using Digital Signatures
    11 - 0000 - Using Asymmetric Encryption and PKI
    12 - 0000 - Implementing Site-to-Site IPSEC VPN Solutions
    GG - 0000 - Glossary
    CC - 0000 - Configure
    VV - 0000 - Verify
            
    TT - 0196 - TOTAL
    Code:
    Legend:
    Ch = Chapter
    Card = Number of cards
    Topic = chapter titles or whatever subject it is
    1-12 = chapter numbers
    GG = Glossary
    CC = Configure cards (to line up with configuration items in the syllabus)
    VV = Verify cards (to line up with verification items in the syllabus)
    TT = Total Number of cards made

    Labbing - No labbing today, chapters 1 and 2 are theory only.

    Studying - N/A

    Practicing - N/A

    Confidence - N/A

    #4
    Fourth Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    037.92% - Overall Preparation
    =============================
    100.00% - Reading
    087.50% - Carding
    010.00% - Labbing
    000.00% - Studying
    000.00% - Practicing
    030.00% - Confidence
    ============================
    ============================
    Today's Update:

    Reading - Had to read, to make more flash cards. Had to read techexams.net, as well as gns3.net, as I was having SDM issues, with regards to java. I'm also having to read documentation from juniper.net at work, as I have to support netscreens also. It kinda just adds to the overall knowledge piece.

    Carding - Made more flash cards. This is probably the most grueling part of the preparation ... and it is also probably the most essential part for my preparation. I'm now stuck at making the configure and verification cards, which basically has me to start on the labbing stage, so I can make those cards properly.

    Some of the longer configurations ... i.e. site-to-site VPN really can't fit on the flash cards in the size I like to make them.

    I'm suspecting I might have to make those in a word processor or something, specifically because I want to use pictures/configs/etc. to study off. So, I need a workaround. How else can you verify pertinent parts of a configuration, without the snippets? As I printed out my flash cards last time, I'll probably do it again this time.

    I restricted myself from coming on this site, and it really helped my carding progress ... caught myself on here too much.

    Code:
    Ch - Card - Topic
    01 - 0092 - Introduction to Network Security
    02 - 0104 - Creating the Secure Network
    03 - 0097 - Securing Administrative Access
    04 - 0099 - Configuring AAA Services
    05 - 0060 - Securing Your Router
    06 - 0079 - Layer 2 Security
    07 - 0100 - Implementing Cisco IOS Firewall
    08 - 0081 - Implementing Cisco IOS Intrusion Prevention
    09 - 0073 - Understanding Cryptographic Solutions
    10 - 0081 - Using Digital Signatures
    11 - 0169 - Using Asymmetric Encryption and PKI
    12 - 0083 - Implementing Site-to-Site IPSEC VPN Solutions
    GG - 0073 - Glossary
    CD - 0101 - CD Flash Cards 
    CC - 0000 - Configure
    VV - 0000 - Verify
           
    TT - 1191 - TOTAL
    Code:
    Legend:
    Ch = Chapter
    Card = Number of cards
    Topic = chapter titles or whatever subject it is
    1-12 = chapter numbers
    GG = Glossary
    CD = CD Flash Cards (those on the CD, that comes with the book.  I was able to drag and drop from the .xml file, to quickly create flash cards ... there's only 101 of them ... now I see why they didn't note how many there were on the book. ... they don't look that special, either.)
    CC = Configure cards (to line up with configuration items in the syllabus)
    VV = Verify cards (to line up with verification items in the syllabus)
    TT = Total Number of cards made

    Labbing - Set up GNS3 lab with two 3600 series routers. Put clouds off them, with one going to a DSL host running in VMware Player, and the other going to my PC. Realized there is a problem with my Java as I was trying to test the syllabus item of "Security Audit"; saw another post here saying that it's Java related (and tons of other posts on the net that corroborate that, so there is probably a reboot ahead of me this late Friday evening).

    Studying - N/A

    Practicing - N/A

    Confidence - The flash cards from the author looked remarkably easy. I was hunting for the Cisco material. Everything looked so "Security+" it was a bit ridiculous. So far, I really can't say any topic of this exam 'scares' me. I've done everything the exam asks for before (except for the SDM stuff), so we'll just see how that turns out.

    OK, ending the post ... trying to avoid too much time on the forums; they can become a black hole of time, if you let them.
    Last edited by instant000; 07-09-2011 at 04:59 AM.

    #5
    Fifth Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    047.92% - Overall Preparation
    =============================
    100.00% - Reading
    087.50% - Carding
    050.00% - Labbing
    000.00% - Studying
    000.00% - Practicing
    050.00% - Confidence
    ============================
    ============================
    Today's Update:

    1. Reading - cisco.com, cisco.com, cisco.com. Found myself continually going there, as I was working through my first pass at the "Labbing" section of the text.

    2. Carding - N/A. Did not make any cards today, decided I'd be able to make cards for configure/verify, after looking through the labs, and getting a "feel" for it.

    3. Labbing -- I put labbing at 50%, because there are about half of these labs I won't even repeat, they're kind of basic if you have too much experience. A few, I just want to repeat to build up the memorization level, not because I don't have the concept. I have a good bit to say about the labs, look below ...

    4. Studying - N/A - All of what I'm doing is technically considered "study" but I haven't yet started grilling myself on my flash cards, so I can't assume anything yet.

    5. Practicing - N/A

    6. Confidence - Labs were easy, even the one I messed up.

    ===================
    ===================
    ===================

    Hands-On Lab Review:

    =====================
    WARNING: to minimize damage to your network, I advise performing any downloads or testing on test equipment that is not connected to your production network.

    Note: There are not labs for every single chapter in the text. I have reviewed all the labs included in the text, though, during my first run-through.

    The links to helpful reading resources might help you, or not. They add to the experience for me.
    ========================
    Number: 3.1
    Topic: Configuring passwords
    What to do:
    1. Configure password on console
    2. Configure password on vty
    3. Configure password on aux

    Issues noted:
    1. The lab asks you to configure passwords on console, vty, and aux, but does not ask you to use the "login" command to make those passwords active. This seems counter-intuitive for a "security" course.
    2. The lab asks you to configure a password of "guessthis?" Of course, when you enter the "?" character, the router thinks you're asking it what to do next, not that it is part of the password. I tried searching for an escape character sequence to make it valid, but couldn't find it after thirty seconds of searching. What a bother. (Yes, I gave up this fast; my reasoning was that the "?", of all characters, should be a reserved character, but I didn't find a doc for that.)
    3. Cisco resource:
    Telnet, Console and AUX Port Passwords on Cisco Routers Configuration Example - Cisco Systems
    ========================
    Number: 4.1
    Topic: Configuring AAA Authentication with a local database
    What to do:
    1. create local username and password database
    2. turn on AAA services
    3. set AAA to use local database

    Issues noted:
    1. The lab does not warn you of the danger of configuring "aaa new-model" and not finishing your configuration to set up your "aaa authentication".
    2. Cisco Resource:
    Cisco IOS Security Configuration Guide, Release 12.2 - Configuring Authentication - Cisco Systems
    ========================
    Number: 4.2
    Topic: Configuring TACACS+ Authentication, Authorization, and Accounting
    What to do:
    1. turn on AAA services
    2. set tacacs-server IP
    3. configure authentication via TACACS+ "ONLY"
    4. configure authorization via TACACS+
    5. configure accounting via TACACS+

    Issues noted:
    1. The lab does not warn you of the danger of configuring "aaa new-model" and not finishing your configuration to set up your "aaa authentication"
    2. The lab does not warn you that if you enter the commands as given, and your TACACS+ server is unavailable, you can lock yourself out of your router. The lab should have had you also at least enter in the "fallback" authentication to "local" user, just one more word on the command, and could save frustration of someone less critical of what the lab is asking you to do. Seriously, the lab even tells you to use a TACACS+ server that wasn't configured yet?!
    3. Cisco resource:
    Cisco IOS Security Configuration Guide, Release 12.2 - Configuring TACACS+ - Cisco Systems
    ========================
    Number: 5.1
    Topic: Configuring a Router for SSH administrative access
    What to do:
    1. set domain name
    2. zeroize keys
    3. generate keys
    4. set ssh timeout
    5. set vty line to use ssh


    Issues noted:
    1. It's actually an SDM issue, but pertinent here. It is possible to get an error with connecting to SDM on initial setup, if you don't set up your SSH access properly. Furthermore, it is possible to get issues that tell you something is wrong with your keys (if you run the console session while attempting to connect to SDM, you can see some key errors). The best thing here is to zeroize, and regen the keys.
    2. Quirk: I looked at Cisco documentation (and I have looked at some of my own work devices), and timeout for SSH is spelled "timeout", but on my home lab router, I had to spell it "time-out" ... no big deal, but a just-in-case sort of thing. "?" can save you some grief, if you happen to catch this issue.
    3. The lab doesn't tell you to set up AAA authentication (my SSH did not work without this, and the Cisco documentation I found on this topic didn't mention it.)
    EDIT: ^^^^ I see what I was doing wrong, you can get past this, using "login local" under your vty lines. The Cisco documentation that I found actually does address this. Helps to read things carefully, LOL.
    4. Cisco resource:
    http://www.cisco.com/en/US/tech/tk58...800949e2.shtml
    Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4 - Secure Shell Version 2 Support [Cisco IOS Software Releases 12.4 Mainline] - Cisco Systems

    ========================
    Number: 6.1
    Topic: Configuring Protection against a Spanning Tree Attack
    What to do:
    1. configure root guard
    2. configure BPDU guard

    Issues noted:
    1. I cannot do this lab at this time, as I do not own a device that supports these commands. When I get back to the office, I can try this out on our lab EQ.
    2. The lab did not request that you introduce another switch into the environment, to see the effects the rootguard/bpduguard commands actually have.
    3. Cisco resource:
    Spanning Tree Protocol Root Guard Enhancement - Cisco Systems
    Spanning Tree PortFast BPDU Guard Enhancement - Cisco Systems
    Spanning Tree Protocol Problems and Related Design Considerations - Cisco Systems
    ========================
    Number: 6.2
    Topic: Configuring SPAN on a Cisco Switch to Do Troubleshooting
    What to do:
    1. set source interface
    2. set destination interface
    3. capture traffic using the spanned interface

    Issues Noted:
    1. Was able to perform this lab using GNS3. I used a DSL-Linux host as the traffic generator (I had it ping a router connected to the etherswitch module). I used a windows machine as the traffic monitor. Once you realize you have to use manual connections to the switch modules (it will actually tell you so), just plugging in the clouds is easy.
    2. Cisco resource:
    Catalyst Switched Port Analyzer (SPAN) Configuration Example - Cisco Systems
    ========================
    Number: 6.3
    Topic: Configuring Port Security on a Cisco Switch
    What to do:
    1. Configure access port
    2. turn on port security
    3. Configure maximum number of MACs
    4. configure sticky MACs
    5. configure static MAC

    Issues Noted:
    1. I was unable to perform this lab. I could configure either access or trunk, and that was about it. Port security was not available.
    2. Cisco resource:
    Catalyst 6500 Release 12.2SX Software Configuration Guide - Port Security [Cisco Catalyst 6500 Series Switches] - Cisco Systems
    ========================
    Number: 7.1
    Topic: Configuring an access list
    What to do:
    1. create extended access list
    2. apply it to an interface

    Issues Noted:
    1. Very straightforward lab. I would have liked to have seen standard and named ACL also (considering they were seen in CCNA).
    2. Cisco resource:
    Configuring IP Access Lists - Cisco Systems
    ========================
    Number: 8.1
    Topic: Configuring an IPS Policy Using Cisco SDM
    What to do:
    1. Configure
    2. Intrusion Prevention
    3. Launch IPS Rule Wizard

    Issues Noted:
    1. I couldn't connect to my router via SDM at first. Root cause? It wasn't turned on?!
    2. The author references "create IPS Policy Wizard" but I never saw this in my SDM. If you check the screenshots in the text, they also say "Launch IPS Rule Wizard"
    3. Cisco resource:
    Getting Started with IOS IPS - A Step-by-Step Guide [Cisco IOS Intrusion Prevention System (IPS)] - Cisco Systems
    Router and Security Device Manager in Cisco IOS Intrusion Prevention System Configuration Example [Cisco IOS Intrusion Prevention System (IPS)] - Cisco Systems
    ========================
    Number: 9.1
    Topic: Creating a Substitution Cipher
    What to do:
    1. Create a four-position substitution cipher
    2. Encode a given phrase
    3. Compare to book-generated output

    Issues Noted:
    1. Not a particularly thrilling lab. Seems like a lab for boy scouts.
    2. I'm not doing this one again, LOL.
    3. Cisco Resource:
    http://www.cisco.com/web/offer/emea/...ginsRSmith.ppt
    ^^^ It is a PowerPoint slide, but if you don't have PowerPoint, and can't get a viewer, OpenOffice is free, and can open it using the "Impress" program. I enjoyed this slide, and you might, too. It covered a bit more than substitution ciphers, though. It was the type of document you could bring to a meeting and brief to non-technical people.
    ========================
    Number: 10.1
    Topic: Generate a Hash Value from a File
    What to do:
    1. generate a text file
    2. generate a hash of the file
    3. record the hash values
    4. modify the file
    5. record the new hash values

    Issues noted:
    1. Made an assumption that students already had a hash calculating program installed.
    2. Cisco Resource:
    http://www.cisco.com/en/US/docs/ios/...e_Chapter.html
    Cisco IOS Image Verification - Cisco Systems
    ========================
    Number: 11.1
    Topic: View the Content of Root CA Certificates
    What to do:
    1. Open a web browser
    2. View certificates

    Issues noted:
    1. Might come in handy for some to do this lab. I had to do this regularly at a past job, while troubleshooting PKI issues. Truth be told, unless a server was down in some way, all the issues usually boiled down to user configuration and setup. There were a couple gotchas where you could get misleading information, but you get past the caveats with experience.
    2. Cisco resource:
    Public Key Infrastructure: Deployment Benefits and Features [Identity Based Networking Services] - Cisco Systems
    http://www.cisco.com/en/US/prod/coll...cd80313df7.pdf
    http://www.cisco.com/en/US/prod/coll...cd80313df4.pdf
    ========================
    Number: 12.1
    Topic: Configuring a Site-to-Site VPN
    What to do:
    1. create isakmp policy
    2. create ipsec transform set
    3. create isakmp pre-shared key and peer address
    4. define interesting traffic using ACL
    5. create crypto map that ties it all together
    6. bind the crypto map to an interface


    Issues Noted:
    1. Nice, I screwed up my VPN, and it didn't work. "sh run" to the rescue! Oh well, this was one of the better labs in the text.
    2. the lab never asked you to configure both sides of the connection (if you've ever dealt with VPN troubleshooting, you know that the worst ones are when you can't configure both sides yourself, especially when you're going across vendors, and you have to deal with the "gotchas")
    3. the lab never asked you to generate traffic or test the tunnel
    4. Cisco resources:
    Cisco Blog Blog Archive Great Cipher, But Where Did You Get That Key?
    Cisco IOS VPN Configuration Guide - Site-to-Site and Extranet VPN Business Scenarios [Cisco 7200 Series Routers] - Cisco Systems
    Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions - Cisco Systems

    Here is the lab I fubared; see if you can find out what I did wrong.
    Code:
    router r1:
    inside interface: f0/0 - 192.168.32.110/24
    outside interface: f1/0 - 10.0.0.2/30
    
    
    Configuration done on R1:
    crypto isakmp policy 1
    encryption 3des
    authentication pre-share
    group 2
    
    crypto isakmp key techexams address 10.0.0.1
    
    crypto ipsec transform-set instant000TS esp-3des esh-sha-hmac
    
    access-list 110 permit ip 192.168.32.0 0.0.0.255 172.16.10.0 0.0.0.255
    
    crypto map instant000CM 1 ipsec-isakmp
    set peer 10.0.0.1
    set transform-set instant000TS
    match address 110
    
    int f0/0
    crypto map instant000CM
    ===========================
    router r2:
    inside interface: f2/0 - 172.16.10.1/24
    outside interface:  f0/0 - 10.0.0.1/30
    
    configuration on r2:
    crypto isakmp policy 1
    encryption 3des
    authentication pre-share
    group 2
    
    crypto isakmp key techexams address 10.0.0.2
    
    crypto ipsec transform-set CCNATS esp-3des esh-sha-hmac
    
    access-list 100 permit ip 172.16.10.0 0.0.0.255 192.168.32.0 0.0.0.255
    
    crypto map CCNACM 1 ipsec-isakmp
    set peer 10.0.0.2
    set transform-set CCNATS
    match address 100
    
    int f0/0
    crypto map CCNACM
    ^^
    hints:
    1. Check interfaces
    2. check routing
    3. check if stuff is turned on, that should be
    4. check if stuff is applied, where it should be


    ========================
    ========================
    Number: D-1
    Topic: Layer 2 Exercise
    What to do:
    1. configure access port
    2. configure bpduguard
    3. configure dhcp snooping
    4. enable port-security
    5. configure MAC sticky
    6. configure maximum MACs
    7. configure port-security protect

    Issues Noted:
    1. unable to do port security, not supported in what I have
    2. unable to do dhcp snooping, not supported in what I have
    3. Cisco resources:
    Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.1(13)EW - Understanding and Configuring DHCP Snooping [Cisco Catalyst 4500 Series Switches] - Cisco Systems
    Catalyst 4500 Series Switch Cisco IOS Software Configuration Guide, 12.1(13)EW - Configuring Port Security [Cisco Catalyst 4500 Series Switches] - Cisco Systems
    ========================
    Number: D-2
    Topic: IOS Firewall Exercise
    What to do:
    1. Launch SDM
    2. Configure > Firewall and ACL
    3. Basic Firewall Wizard

    Issues Noted:
    1. Not sure they ever prompt you, through the entire book, to enable the feature that lets you preview commands before they are delivered to the router. If they did, then sorry. This would make it a much richer learning experience, to preview the commands that get delivered to the router.
    2. Cisco resources:
    http://www.cisco.com/en/US/docs/rout...s/FPLCY-an.pdf
    Cisco Guide to Harden Cisco IOS Devices - Cisco Systems
    ========================
    Number: D-3
    Topic: Securing Management Access Exercise
    What to do:
    1. auto secure

    Issues Noted:
    1. Pretty straightforward, basic lab.
    2. Cisco resources:
    Cisco Guide to Harden Cisco IOS Devices - Cisco Systems
    Cisco Router and Security Device Manager Q&A [Cisco Router and Security Device Manager] - Cisco Systems
    ========================
    Number: D-4
    Topic: Cisco IPS Exercise
    What to do:
    Ummm, whatever you did in the 8.1 IPS lab earlier, I can find no differences.

    Issues Noted:
    1. I can't tell that this lab is any different than the 8.1 IPS lab earlier in the text.
    2. Cisco Resources:
    Review the resources I posted for the 8.1 IPS lab earlier.
    ========================
    Number: D-5
    Topic: AAA Exercise
    What to do:
    1. Review configuration changes made during "D-3" exercise
    2. Make a TACACS+ setup, like you did in 4.2 earlier.

    Issues noted:
    1. This is just a rehash almost, except for making you look over configuration changes that auto secure made (of course, this would have been easier, if you had used "command preview" feature of SDM.)
    2. If you did lab 4.2 earlier, you might not gain much by this one.
    3. Cisco Resources:
    Review the resources I posted for the 4.2 lab earlier.
    ========================
    Number: D-6
    Topic: Site-to-Site VPN Exercise
    What to do:
    1. whatever you did in Lab 12.1 earlier, it's the same thing almost

    Issues noted:
    1. They used AES, instead of 3DES. Otherwise, it's the same exact lab as 12.1 earlier.
    2. Cisco Resources:
    Review the resources I posted for the 12.1 lab earlier
    ========================
    ========================
    OVERALL LAB REVIEW:

    The labs do not seem that "hands-on" except for maybe aaa, enabling ssh, and configuring site-to-site VPN. I think the site-to-site VPN is the best overall one in the book, and was thinking there would be more "configuration-heavy" topics like that to deal with.

    I think it would do one well to be really familiar with the labs in Appendix D. ... there has to be some reason this guy brought them out for a second look. The section is called "Capstone Exercise".
    ========================
    After going through the labs one time, there are several that I feel no need to repeat, but there is at least one that I will revisit ... no matter how many different ways you configure VPN, it's good to get sharp on the vendor's method prior to sitting their test, LOL.
    ========================
    Last edited by instant000; 07-10-2011 at 07:30 PM. Reason: Broken Hyperlinks, Researched SSH issue, "login local", added hints to broken config I had from lab 12.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)

  7. Senior Member
    #6
    Sixth Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    047.92% - Overall Preparation
    =============================
    100.00% - Reading
    087.50% - Carding
    050.00% - Labbing
    000.00% - Studying
    000.00% - Practicing
    050.00% - Confidence
    Today's Update:

    Reading - Just was reading some more stuff last night and this morning.

    So, I'll just plop down the links I was looking over. If you'll note, a lot of what you'll see in these documents is listed on the exam blueprint, so the material is a bit more useful than you (or I) might give it credit for. This might help you out, in your preparation. I just like to read in general, so this may be less useful to you, than it is to me.

    http://www.nsa.gov/ia/_files/switche...ersion1_01.pdf
    Cisco Router Guides - NSA/CSS
    http://www.nsa.gov/ia/_files/ipv6/I733-041R-2007.pdf

    Also, I like to read on these forums, such a great resource!
    Clarity on DHCP
    Circumventing network security via SSH Tunneling
    http://www.techexams.net/forums/ccsp...sa-5510-a.html

    Carding - N/A

    Labbing - Please read the update above, if you have any doubts about labbing study materials for the text I'm preparing with. (You have to understand the lab, if you're going to do it right.) Anyway, on the topic of site-to-site VPN, this topic just fits in so perfectly:
    Site to site vpn config - rap song - music to study by

    Studying - N/A

    Practicing - N/A

    Confidence - N/A

  8. Senior Member
    #7
    Seventh Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    055.83% - Overall Preparation
    =============================
    100.00% - Reading
    100.00% - Carding
    060.00% - Labbing
    010.00% - Studying
    000.00% - Practicing
    065.00% - Confidence

    Today's Update

    Reading - Been reading more and more. Have not posted to forum as often lately, due to desiring to study more.

    Carding - Finished making cards for now, the posted information below will serve as the "skeleton" of my Configure/Verify Cards. Please see at the end of this post, for the additional information for Configuration/Verify.

    Labbing - Done more labbing, but not as much as I would like. Would want to review the labs two or three more times before feeling "ready". I just want to do it often enough that I can easily spot the mis-configurations.

    Studying - Finally started going over my massive collection of flash cards. After comparing my cards to the actual exam objectives, I feel that I did a bit of overkill on the cards. Regardless, I prefer "over-preparation." I saw that Cisco had three free sets of questions for this exam on their site. I just incorporated these with my notes, for additional studying.

    Practicing - N/A. Note that I consider practicing to be taking the actual practice exams.

    Confidence - Confidence is up, as I'm finally to the formal "studying" section (more or less) but I'm still doing a good bit of reading around, whenever I get to something that catches me off guard, which means that I need to review the material, to get the complete understanding. Also, there is plenty of bleed-over of this material with Security+ type of material.

    ==============================
    ==============================

    Note: This is just an attempt to map the exam objectives for "Configuration" type of tasks, to Cisco documentation. Similar (if not the same) links to the documentation I used can be found in the Lab Review or other posts above, so if you want more links, then refer back to my prior posts in this topic, for studying, when repeating steps/re-reading documentation. I don't have the exact word-for-word steps for some of these down here, so I apologize if you're looking for a "complete guide" type of post. This is just a smattering of notes that I'm using to go over things.

    I apologize for the formatting, if it doesn't look that good, LOL. I edited it a couple times, hope it doesn't look too shabby.

    ==============================
    ********************
    ********************
    ********************
    ********************

    Before you look at the rest of this post, a few essential items:

    1. Download Software - Cisco Systems

    2. Cisco Router and Security Device Manager 2.5 User Guide [Cisco Router and Security Device Manager] - Cisco Systems

    3. Cisco IOS Security Configuration Guide, Release 12.4 [Support] - Cisco Systems

    ********************
    ********************
    ********************
    ********************
    =================================================================
    ** Objective: Secure Cisco routers using the SDM Security Audit feature

    Cisco Router and Security Device Manager 2.5 User Guide - Security Audit [Cisco Router and Security Device Manager] - Cisco Systems

    Configure > Security Audit > Perform security audit

    =======================
    ** Objective: Use the One-Step Lockdown feature in SDM to secure a Cisco router

    Cisco Router and Security Device Manager 2.5 User Guide - Security Audit [Cisco Router and Security Device Manager] - Cisco Systems

    Configure > Security Audit > One Step Lockdown

    ===============================================
    ** Objective: Secure administrative access to Cisco routers by setting strong encrypted passwords, exec timeout, login failure rate and using IOS login enhancements

    Cisco IOS Login Enhancements (Login Block) [Cisco IOS and NX-OS Software] - Cisco Systems
    No Service Password-Recovery [Cisco IOS and NX-OS Software] - Cisco Systems
    Insult to injury: San Francisco wins $1.5M from Terry Childs | Data Center - InfoWorld
    Judge Orders Former San Francisco Admin Terry Childs To Pay $1.5M - Slashdot

    enable secret = strong encrypted password, MD5 encryption

    exec-timeout <minutes> <seconds>

    login block-for <seconds> attempts <tries> within <seconds>
    default: 1 second

    login delay <seconds>
    default: 1 second

    show login
    ^^ displays login parameters

    login quiet-mode access-class <aclname or number>
    ^^^
    default: denied
    lets you in when the router is in quiet mode (blocking logins)

    System Logging Messages

    The following logging message is generated after the router switches to quiet mode:

    00:04:07:%SEC_LOGIN-1-QUIET_MODE_ON:Still timeleft for watching failures is 158 seconds,
    [user:sfd] [Source:10.4.2.11] [localport:23] [Reason:Invalid login], [ACL:22] at 16:17:23
    UTC Wed Feb 26 2003

    The following logging message is generated after the router switches from quiet mode back to normal mode:

    00:09:07:%SEC_LOGIN-5-QUIET_MODE_OFF:Quiet Mode is OFF, because block period timed out at
    16:22:23 UTC Wed Feb 26 2003

    =================================
    ** Objective: Secure administrative access to Cisco routers by configuring multiple privilege levels

    Configuring Security with Passwords, Privilege Levels, and Login Usernames for CLI Sessions on Networking Devices [Cisco IOS and NX-OS Software] - Cisco Systems

    privilege level 1 = non-privileged
    privilege level 15 = privileged
    privilege level 0 = (access to disable, enable, exit, help, and logout)

    show privilege = tells you what privilege level you are in

    privilege configure level 7 router eigrp = level 7 (and above) can use eigrp from configure mode

    privilege exec level 4 ping = level 4 (and above) can ping from exec mode

    ===============================================
    ** Objective: Secure administrative access to Cisco routers by configuring role based CLI

    Role-Based CLI Access [Cisco IOS and NX-OS Software] - Cisco Systems

    Code:
    enable view
    configure terminal
    parser view <view-name>
    secret 5 <encrypted-password>
    commands {exec/configure} {include | include-exclusive | exclude} [all] [interface <interface-name> | command]
    exit
    exit
    enable <privilege-level> view <view-name>
    show parser view [all]
    After you have successfully created a view, a system message such as the following will be displayed:

    %PARSER-6-VIEW_CREATED: view `first' successfully created.

    After you have successfully deleted a view, a system message such as the following will be displayed:

    %PARSER-6-VIEW_DELETED: view `first' successfully deleted.

    You must associate a password with a view. If you do not associate a password, and you attempt to add commands to the view via the commands command, a system message such as the following will be displayed:

    %Password not set for view <viewname>.

    ===============================================
    ** Objective: Secure the Cisco IOS image and configuration file

    Cisco IOS Resilient Configuration [Cisco IOS and NX-OS Software] - Cisco Systems

    Code:
    1. enable
    2. configure terminal
    3. secure boot-image       (enable Cisco IOS image resilience)
    4. secure boot-config         (stores a secure copy of the primary bootset in persistent storage)
    5. end
    6. show secure bootset         ((Optional) Displays the status of configuration resilience and the primary bootset filename. )
    The following example displays sample output from the show secure bootset command:
    Code:
    Router# show secure bootset
    IOS resilience router id JMX0704L5GH
    
    IOS image resilience version 12.3 activated at 08:16:51 UTC Sun Jun 16 2002
    Secure archive slot0:c3745-js2-mz type is image (elf) []
      file size is 25469248 bytes, run size is 25634900 bytes
      Runnable image, entry point 0x80008000, run from ram
    IOS configuration resilience version 12.3 activated at 08:17:02 UTC Sun Jun 16 2002
    Secure archive slot0:.runcfg-20020616-081702.ar type is config
    configuration archive size 1059 bytes
    ===============================================
    ** Objective: Configure AAA authentication

    Configuring Authentication [Cisco IOS and NX-OS Software] - Cisco Systems

    local login Authentication:
    config t
    aaa new-model
    aaa authentication login default local
    line vty 0 4
    login authentication default

    tacacs+ login authentication, with local fall-back:
    config t
    aaa new-model
    aaa authentication login default group tacacs+ local
    line vty 0 4
    login authentication default

    create a named login list, with tacacs+, and local fall-back:
    config t
    aaa new-model
    aaa authentication login instantlist group tacacs+ local
    line vty 0 4
    login authentication instantlist

    ===============================
    ** Objective: Configure AAA authorization

    Cisco IOS Security Configuration Guide, Release 12.2 - Configuring Authorization [Cisco IOS Software Releases 12.2 Mainline] - Cisco Systems
    ^^^ sorry, the 12.4 doc for this was a broken link, and I could not easily locate the correct one.

    The following example shows how to configure a Cisco AS5300 (enabled for AAA and communication with a RADIUS security server) for AAA services to be provided by the RADIUS server. If the RADIUS server fails to respond, then the local database will be queried for authentication and authorization information, and accounting services will be handled by a TACACS+ server.

    Code:
    aaa new-model
    aaa authentication login admins local
    aaa authentication ppp dialins group radius local
    aaa authorization network scoobee group radius local
    aaa accounting network charley start-stop group radius
    
    username root password ALongPassword
    
    radius-server host alcatraz
    radius-server key myRaDiUSpassWoRd
    
    interface group-async 1
     group-range 1 16
     encapsulation ppp
     ppp authentication chap dialins
     ppp authorization scoobee
     ppp accounting charley
    
    line 1 16
     autoselect ppp
     autoselect during-login
     login authentication admins
     modem dialin
    The following examples show how to use a TACACS+ server to authorize the use of network services, including PPP and ARA. If the TACACS+ server is not available or an error occurs during the authorization process, the fallback method (none) is to grant all authorization requests:

    aaa authorization network default group tacacs+ none

    The following example shows how to allow network authorization using TACACS+:

    aaa authorization network default group tacacs+

    The following example shows how to provide the same authorization, but it also creates address pools called "mci" and "att":

    Code:
    aaa authorization network default group tacacs+
    ip address-pool local
    ip local-pool mci 172.16.0.1 172.16.0.255
    ip local-pool att 172.17.0.1 172.17.0.255
    The following example shows how to configure the router to authorize using RADIUS:

    aaa new-model
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default group radius
    radius-server host 192.168.1.2
    radius-server key t3chxams

    The following examples show how to cause the network access server to request authorization information from a TACACS+ security server before allowing a user to establish a reverse Telnet session:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization reverse-access default group tacacs+
    !

    tacacs-server host 172.31.255.0
    tacacs-server timeout 90
    tacacs-server key goaway

    The following example shows how to cause the network access server to request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session:

    aaa new-model
    aaa authentication login default group radius
    aaa authorization reverse-access default group radius
    !
    radius-server host 172.31.255.0 auth-port 1645 acct-port 1646
    radius-server key goaway

    ====================================
    ** Objective: Configure AAA accounting

    Configuring Accounting [Cisco IOS and NX-OS Software] - Cisco Systems

    The following example shows how to configure a Cisco AS5200 (enabled for AAA and communication with a RADIUS security server) in order for AAA services to be provided by the RADIUS server. If the RADIUS server fails to respond, then the local database will be queried for authentication and authorization information, and accounting services will be handled by a TACACS+ server.

    Code:
    aaa new-model
    aaa authentication login admins local
    aaa authentication ppp dialins group radius local
    aaa authorization network scoobee group radius local
    aaa accounting network charley start-stop group radius group tacacs+
    
    username root password ALongPassword
    tacacs-server host 172.31.255.0
    tacacs-server key goaway
    radius-server host 172.16.2.7
    radius-server key myRaDiUSpassWoRd
    
    interface group-async 1
     group-range 1 16
     encapsulation ppp
     ppp authentication chap dialins
     ppp authorization scoobee
     ppp accounting charley
    
    line 1 16
     autoselect ppp
     autoselect during-login
     login authentication admins
     modem dialin
    The show accounting command yields the following output for the preceding configuration:
    Code:
    Active Accounted actions on tty1, User rubble Priv 1
     Task ID 5, Network Accounting record, 00:00:52 Elapsed
     task_id=5 service=ppp protocol=ip address=10.0.0.98
    Configuring AAA Resource Accounting

    The following example shows how to configure the resource failure stop accounting and resource accounting for start-stop records functions:

    aaa new-model
    aaa authentication login AOL group radius local
    aaa authentication ppp default group radius local

    aaa authorization exec AOL group radius if-authenticated
    aaa authorization network default group radius if-authenticated

    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting resource default stop-failure group radius
    aaa accounting resource default start-stop group radius

    =============================
    ** Objective: Configure and verify IP ACLs to mitigate given threats (filter IP traffic destined for Telnet, SNMP, and DDoS attacks) in a network using CLI

    IP Access List Overview [Cisco IOS and NX-OS Software] - Cisco Systems
    Configuring Commonly Used IP ACLs - Cisco Systems
    Configuring TCP Intercept and Preventing Denial-of-Service Attacks [Cisco IOS and NX-OS Software] - Cisco Systems

    telnet
    access-list 100 permit tcp host 192.168.100.1 host 192.168.100.2 eq telnet

    SNMP
    access-list 100 permit udp host 192.168.100.1 host 192.168.100.2 eq 161
    access-list 100 permit udp host 192.168.100.1 host 192.168.100.2 eq 162

    DDoS
    access-list 100 permit tcp any host 192.168.100.2
    ip tcp intercept list 100

    ====================
    ** Objective: Configure IP ACLs to prevent IP address spoofing using CLI

    Protecting Your Core: Infrastructure Protection Access Control Lists [IP Addressing Services] - Cisco Systems

    access-list 110 deny ip host 0.0.0.0 any
    access-list 110 deny ip 127.0.0.0 0.255.255.255 any
    access-list 110 deny ip 192.0.2.0 0.0.0.255 any
    access-list 110 deny ip 224.0.0.0 31.255.255.255 any

    access-list 110 deny ip 10.0.0.0 0.255.255.255 any
    access-list 110 deny ip 172.16.0.0 0.15.255.255 any
    access-list 110 deny ip 192.168.0.0 0.0.255.255 any

    access-list 110 deny ip YOUR_CIDR_BLOCK any
    access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
    access-list 110 permit ip any any

    ================================
    ** Objective: Use CLI and SDM to configure SSH on Cisco routers to enable secured management access

    Cisco Router and Security Device Manager 2.5 User Guide - Security Audit [Cisco Router and Security Device Manager] - Cisco Systems
    Secure Shell (SSH) FAQ - Cisco Systems
    Configuring Secure Shell on Routers and Switches Running Cisco IOS - Cisco Systems
    Configuring Secure Shell [Cisco IOS and NX-OS Software] - Cisco Systems

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# ip http server
    Router(config)# ip http secure-server
    Router(config)# ip http authentication local
    Router(config)# ip http timeout-policy idle 600 life 86400 requests 10000

    Router(config)# username tomato privilege 15 secret 0 vegetable

    Router(config)# line vty 0 4
    Router(config-line)# privilege level 15
    Router(config-line)# login local
    Router(config-line)# transport input telnet ssh
    Router(config-line)# exit
    Router(config)# end
    Router#

    =====================================================
    ** Objective: Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server

    Cisco Router and Security Device Manager 2.5 User Guide - Router Properties [Cisco Router and Security Device Manager] - Cisco Systems
    Resource Manager Essentials and Syslog Analysis: How-To - Cisco Systems
    Cisco Guide to Harden Cisco IOS Devices - Cisco Systems
    Identifying Incidents Using Firewall and Cisco IOS Router Syslog Events - Cisco Systems


    Configure > Additional Tasks > Router Properties > Logging

    ==========================
    ** Objective: Describe how to prevent layer 2 attacks by configuring basic Catalyst switch security features
    http://www.cisco.com/warp/public/cc/...r/sfblu_wp.pdf
    Spanning Tree Protocol Root Guard Enhancement - Cisco Systems
    Spanning Tree PortFast BPDU Guard Enhancement - Cisco Systems
    Layer 2 Security Features on Cisco Catalyst Layer 3 Fixed Configuration Switches Configuration Example - Cisco Systems
    Configuring Spanning Tree PortFast, BPDU Guard, BPDU Filter, UplinkFast, [Support] - Cisco Systems
    http://www.cisco.com/web/CA/events/p...camp-final.pdf
    http://www.cisco.com/warp/public/cc/...t/vlnwp_wp.pdf
    http://www.sans.org/security-resources/idfaq/vlan.php
    ^^^ really good vlan hopping study here
    http://mark-heick.blogspot.com/2011/...rom-8021q.html
    ^^^ really good article, with pictures!
    http://www.cisco.com/en/US/docs/swit...e/swtrafc.html
    http://www.cisco.com/en/US/docs/swit.../swdynarp.html


    root guard
    bpduguard
    port security
    DHCP Snooping
    Dynamic ARP Inspection
    IP Source Guard
    CAM overflow
    VLAN hopping
    storm control

    ========================================
    ** Objective: Implement Zone Based Firewall using SDM

    Configuring Zone Policy Firewalls [Support] - Cisco Systems
    Zone-Based Firewall Troubleshooting [Cisco IOS Firewall] - Cisco Systems

    The following task order can be followed to configure a Zone-Based Policy Firewall:

    1. Define zones.
    2. Define zone-pairs.
    3. Define class-maps that describe traffic that must have policy applied as it crosses a zone-pair.
    4. Define policy-maps to apply action to your class-map's traffic.
    5. Apply policy-maps to zone-pairs.
    6. Assign interfaces to zones.

    The sequence of tasks is not important, but some events must be completed in order. For instance, you must configure a class-map before you assign a class-map to a policy-map. Similarly, you cannot assign a policy-map to a zone-pair until you have configured the policy. If you try to complete a task that relies on another portion of the configuration that you have not configured, SDM does not allow you to do so.

    ==============================
    ** Objective: Enable and verify Cisco IOS IPS operations using SDM

    Note: The CCP guide is quite similar to the actual SDM tasks
    Cisco Router and Security Device Manager 2.5 User Guide - Intrusion Prevention System [Cisco Router and Security Device Manager] - Cisco Systems
    Cisco IOS Intrusion Prevention System Deployment Guide [Cisco IOS Intrusion Prevention System (IPS)] - Cisco Systems
    Getting Started with IOS IPS - A Step-by-Step Guide [Cisco IOS Intrusion Prevention System (IPS)] - Cisco Systems
    How to Use CCP to Configure IOS IPS [Cisco IOS Intrusion Prevention System (IPS)] - Cisco Systems

    Configure > Intrusion Prevention > Create IPS
    Configure > Intrusion Prevention > EDIT IPS > (IPS Policies/Global Settings/Signatures)
    Configure > Intrusion Prevention > Security Dashboard

    ======================================
    ** Objective: Configure and verify an IPSec site-to-site VPN with pre-shared key authentication using SDM

    SDM: Site-to-Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example - Cisco Systems
    Cisco Router and Security Device Manager 2.5 User Guide - Site-to-Site VPN [Cisco Router and Security Device Manager] - Cisco Systems

    Configure > VPN > Site-to-Site VPN

    ===========================
    ===========================
    ===========================
    ===========================

    Hope this helps!

    ===========================
    ===========================
    ===========================
    Last edited by instant000; 07-20-2011 at 03:12 AM. Reason: Added more links
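The ACL objectives in the post above (the Telnet/SNMP/TCP Intercept list and the anti-spoofing list) are easy to get wrong on wildcard masks and rule order. This added example (mine, not instant000's or Cisco's) evaluates those exact access-lists the way IOS does: first match wins, implicit deny at the end, and a wildcard bit of 1 means "don't care". The post's YOUR_CIDR_BLOCK and INTERNAL_INFRASTRUCTURE_ADDRESSES placeholders are filled with constructed documentation ranges (203.0.113.0/24 and 198.51.100.0/24).

```python
"""Evaluate IOS numbered ACLs: first match wins, implicit deny at the end,
wildcard bits set to 1 are "don't care".

Added example; not from the thread or from Cisco. Handles the forms used in
the post: access-list N {permit|deny} {ip|tcp|udp} SRC DST [eq PORT],
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "snmp": 161, "snmptrap": 162}

# Anti-spoofing ACL from the post. The two placeholders (YOUR_CIDR_BLOCK and
# INTERNAL_INFRASTRUCTURE_ADDRESSES) are replaced with constructed
# documentation ranges purely for this example.
ANTI_SPOOF_ACL = """
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 203.0.113.0 0.0.0.255 any
access-list 110 deny ip any 198.51.100.0 0.0.0.255
access-list 110 permit ip any any
"""

# Management ACL from the post (Telnet, SNMP, and the TCP Intercept list).
MGMT_ACL = """
access-list 100 permit tcp host 192.168.100.1 host 192.168.100.2 eq telnet
access-list 100 permit udp host 192.168.100.1 host 192.168.100.2 eq 161
access-list 100 permit udp host 192.168.100.1 host 192.168.100.2 eq 162
access-list 100 permit tcp any host 192.168.100.2
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec from tokens; return (network, wildcard) as ints."""
    kw = tokens.pop(0)
    if kw == "any":
        return 0, 0xFFFFFFFF          # every bit is "don't care"
    if kw == "host":
        return _ip(tokens.pop(0)), 0  # every bit must match
    return _ip(kw), _ip(tokens.pop(0))


def parse_acl(text):
    """Parse access-list lines into an ordered list of rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append({"action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules


def _matches(addr, spec):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF     # wildcard 0 bits are the ones compared
    return (_ip(addr) & care) == (net & care)


def evaluate(rules, src, dst, proto="ip", dport=None):
    """Return (action, index of matching rule), or ('deny', None) for the implicit deny."""
    for i, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if _matches(src, r["src"]) and _matches(dst, r["dst"]):
            return r["action"], i
    return "deny", None


if __name__ == "__main__":
    spoof = parse_acl(ANTI_SPOOF_ACL)
    # 239.255.255.250 is caught by "224.0.0.0 31.255.255.255" (the whole multicast /3).
    print(evaluate(spoof, "239.255.255.250", "198.51.100.7"))  # ('deny', 3)
    print(evaluate(spoof, "8.8.8.8", "203.0.113.9"))           # ('permit', 9)
```

Note that an SNMP packet from any host other than 192.168.100.1 falls through to the implicit deny, while any TCP packet to 192.168.100.2 is permitted by the TCP Intercept line regardless of port.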
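Several of the objectives above (strong encrypted passwords, exec-timeout, login block-for, resilient configuration, syslog, SSH-only management) are things the SDM Security Audit checks for you. This added example, which is my own and not the thread's or Cisco's code, does a small version of that audit over a running-config as text. The sample config is constructed for the example and includes the SSH/HTTP snippet from the post; the hash values are placeholders.

```python
"""Audit an IOS running-config for hardening items listed in this post's objectives.

Added example, not the thread's own code and not Cisco's Security Audit feature.
Input is running-config text; output is a list of findings (empty = all checks pass).
"""
import re

# Constructed sample config: the SSH/HTTP snippet from the post plus a few
# extra lines. The type 5 hashes are obvious placeholders, not real hashes.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname R1
!
enable secret 5 $1$PLHDR$placeholderhashxxxxxxxxxxx
aaa new-model
aaa authentication login default local
username tomato privilege 15 secret 5 $1$PLHDR$placeholderhashxxxxxxxxxxx
!
ip http server
ip http secure-server
ip http authentication local
!
logging host 192.0.2.50
!
line con 0
 exec-timeout 5 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
end
"""


def parse_line_blocks(config):
    """Return {'line vty 0 4': [sub-commands, ...]} for every 'line ...' stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or a new global command ends the stanza
    return blocks


def audit(config):
    """Check the global and per-line items; return a list of human-readable findings."""
    findings = []
    global_lines = {l.strip() for l in config.splitlines() if not l.startswith(" ")}

    def has(pattern):
        return any(re.match(pattern, l) for l in global_lines)

    # Strong encrypted password: enable secret (MD5, type 5) rather than enable password.
    if not has(r"enable secret "):
        findings.append("no 'enable secret' configured")
    if has(r"enable password "):
        findings.append("'enable password' present (reversible type 7 or cleartext)")
    if not has(r"service password-encryption$"):
        findings.append("'service password-encryption' not set")
    if not has(r"aaa new-model$"):
        findings.append("AAA not enabled ('aaa new-model' missing)")
    # IOS login enhancements: quiet mode after repeated failures.
    if not has(r"login block-for \d+ attempts \d+ within \d+"):
        findings.append("'login block-for' not configured")
    if not has(r"logging host "):
        findings.append("no syslog server ('logging host') configured")
    # Cisco IOS Resilient Configuration.
    if not has(r"secure boot-image$"):
        findings.append("'secure boot-image' not enabled")
    if not has(r"secure boot-config$"):
        findings.append("'secure boot-config' not enabled")
    # Per-line checks. IOS hides the default exec-timeout (10 minutes), so a
    # missing line means the default applies; 'exec-timeout 0 0' disables it.
    for name, cmds in parse_line_blocks(config).items():
        timeouts = [c for c in cmds if c.startswith("exec-timeout ")]
        if not timeouts:
            findings.append(f"{name}: no explicit exec-timeout (IOS default of 10 minutes applies)")
        elif timeouts[0] == "exec-timeout 0 0":
            findings.append(f"{name}: exec-timeout disabled (0 0 never times out)")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if not transport or transport[0] != "transport input ssh":
                findings.append(f"{name}: transport input is not restricted to ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample, the post's `transport input telnet ssh` line is reported because Telnet is still accepted alongside SSH; the fix is `transport input ssh`.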

  9. Senior Member onesaint
    Join Date
    May 2011
    Location
    Los Angeles
    Posts
    781

    Certifications
    CCNA, RHCSA
    #8
    Instant000, I'm enjoying keeping up with your posts. This will be a good road map when I pursue the cert.

    Let me ask you, how much time are you spending nightly and on weekends to keep up this pace?

  10. Senior Member
    #9
    Quote Originally Posted by onesaint View Post
    Instant000, I'm enjoying keeping up with your posts. This will be a good road map when I pursue the cert.

    Let me ask you, how much time are you spending nightly and on weekends to keep up this pace?
    I'm not sure this is a "spectacular" pace.

    I try to get in four hours a day on weekdays, but some days, it'll be only one hour or less, depending on personal things. I try to get in 4-8 hours per day on the weekends.

    I'll confess that the most difficult part for me is the studying. I hardly ever studied when attending school. Flash cards work pretty well for me, so I put a lot of time into making those, just because it'll be worth it, to have the stronger retention once the test time arrives.

    If I would give myself a stricter "deadline" then yeah, I could probably do this cert from A to Z in two weeks, just cram it all in there, take the test, and pass it. However, in my case, I want the knowledge, so I'm just going to take my time and make sure that I understand everything.

    I guess I have the luxury of taking it slow, because I know that unless I certify to the IE level, I'm not going to make any more money just from gaining the certification.

    I feel sorry for this one guy I work with, who's only doing it for the "certification" and not for the actual knowledge. He already has CCNA: Security, but doesn't even know what a stateful firewall is. This same guy is going to take the Firewall test for CCNP:Security this weekend. I don't want that to be me.

    I know that the CCNA:Security is not that major a test. It has half the objectives of CCNA. Many of the concepts it goes over are covered in the Security+. I feel like I'm studying twice as hard for this one as I would really have to, maybe because I feel like so much of what is in this course will be useful to me later on. I feel that it is a terrific foundational course, if you take it seriously, and do side research into really understanding everything.

    If you get a solid foundation here, it'll be a lot easier to take the next level certifications.

    ... And there goes my "alarm" that tells me it's time to study! Laters!

  11. Senior Member
    #10
    I updated the "seventh update" post above. I added links for storm control and dynamic ARP inspection, under layer 2 security.

    I realized I didn't have links for it, once I began studying my flash cards, so I made a point to find an article about configuring storm control.

    Here are the links I added:
    Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEE - Configuring Port-Based Traffic Control [Cisco Catalyst 3550 Series Switches] - Cisco Systems
    Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEE - Configuring Dynamic ARP Inspection [Cisco Catalyst 3550 Series Switches] - Cisco Systems

  12. Senior Member
    #11
    Eighth Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    087.50% - Overall Preparation
    =============================
    100.00% - Reading
    100.00% - Carding
    100.00% - Labbing
    100.00% - Studying
    050.00% - Practicing
    099.99% - Confidence
    ====================
    Today's Update

    Reading - Other than my notes? N/A
    Carding - N/A
    Labbing - Finished labbing yesterday
    Studying - Studied my flash cards until I became tired of them.
    Practicing - Took one of the two practice exams available with my book. Scored VERY well on it, think I missed a few, but not worried in the least at this point.
    Confidence - Extremely confident at this point.

    After I completed the practice exam, I pulled the notes that are posted in this thread:
    CCNA Security Study Notes .... but have not reviewed them yet. These notes have had great "last mile of preparation" reviews. I'll see how they look in the morning.

    Right now, I have tomorrow off (since I worked last Saturday), but at this moment, am undecided on if I will schedule the test for tomorrow using same-day, or if I will try to get it Saturday, or even next weekend. At this point, I look at my flash cards, and already know the answer without thinking about it, so I just want to keep my mind freshened up until I get to the testing center.

    Hopefully, my next update will be about passing the exam.

    Right now, I'm so pumped about taking this exam in the near future, but I need to settle down from the caffeine-induced high, and try to get some sleep, and see how I feel in the morning. If I still feel "smart" tomorrow, then it's time for the exam. If I don't feel so bright, then I'll just push it back another week.

    I know that I've done tons of note-taking, reading, and researching (and that's just for this thread alone), so it should hopefully pay off on the exam ... one of these days.

    Good night!
    Currently Working: CCIE R&S

  13. Senior Member onesaint's Avatar
    Join Date
    May 2011
    Location
    Los Angeles
    Posts
    781

    Certifications
    CCNA, RHCSA
    #12
    Quote Originally Posted by instant000 View Post
    I'm not sure this is a "spectacular" pace.

    I try to get in four hours a day on weekdays, but some days, it'll be only one hour or less, depending on personal things. I try to get in 4-8 hours per day on the weekends.

    I'll confess that the most difficult part for me is the studying. I hardly ever studied when attending school. Flash cards work pretty well for me, so I put a lot of time into making those, just because it'll be worth it, to have the stronger retention once the test time arrives.

    If I would give myself a stricter "deadline" then yeah, I could probably do this cert from A to Z in two weeks, just cram it all in there, take the test, and pass it. However, in my case, I want the knowledge, so I'm just going to take my time and make sure that I understand everything.

    I guess I have the luxury of taking it slow, because I know that unless I certify to the IE level, I'm not going to make any more money just from gaining the certification.
    I'd say 4 hours on weekdays and 4-8 on weekend is great. Heck, I get 3-3.5 a night, do labs at lunch and if I'm lucky can put in 4-6 on the weekends. *insert sarcasm about family life here.

    I do flash cards on my iPhone whenever I have down time. I think I might do some for the finer details and CLI stuff as I get closer to taking the CCNA. Take it slow, you're going at it the right way from what all the threads I have read say. A strong foundation leads to better overall skill.

    Good luck on the exam.
    Last edited by onesaint; 07-23-2011 at 08:01 AM. Reason: formatting

  14. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #13
    Ninth Update:
    Certification: Implementing Cisco IOS Network Security (640-553 IINS) [note: required for CCNA:Security]
    100.00% - Overall Preparation
    =============================
    100.00% - Reading
    100.00% - Carding
    100.00% - Labbing
    100.00% - Studying
    100.00% - Practicing
    100.00% - Confidence
    ====================
    Today's Update:

    Reading - Since my last update, I read those TechExams CCNA Security notes that were posted at this link:
    CCNA Security Study Notes
    These notes are indeed as good as advertised. Feel free to read them at least twice (I know that I did).

    Carding - N/A

    Labbing - Though I said that I was finished "labbing" in update 8, I went back over the SDM stuff again before sitting the exam. I had to make sure that everything was "fresh" in my head.

    Studying - I went over the mikem2te notes that I pulled from the link earlier. They are very good to look at in your last couple of days before the test. By the time you get to reading these, they should be like a review.

    Practicing - Since my last update, I tried that other practice exam, and did very well on that one, also. At this point, there isn't much else to do other than review the notes, just to keep everything fresh.

    Confidence - I was 100% confident that I would pass the exam.

    =========================================

    What I learned from my study preparation, versus what I ended up seeing on the test:

    Positives: (without these, I would have SURELY failed)
    - Time management
    - Memorizing configurations
    - Memorizing terms
    - Memorizing commands
    - Memorizing show outputs
    - Memorizing debug outputs
    - Using command preview in SDM
    - Configuring things using SDM
    - Verifying things using SDM

    Negatives: (I got by like this, but I know better for my next exam)
    - Not practicing the switching labs fully (see my labbing posts above), which was reflected in the grading that I received on the test
    - Familiarity level with SDM was lower than it should have been (everything at work is command line, so other than the labs for this exam, I'm not a big SDM user)
    - I went cold turkey on video games while preparing for this exam, which I didn't do while preparing for CCNA. I think it actually made me a bit too "uptight". If you read Ahriakin's thread, CCIE Sec Lab Diary - or how to make Ahriakin's brain implode, you can see that he blew off some steam from time to time playing something, and if you read jason_lunde's thread, Ccie# 29431, he made a point to spend time with family, so there is nothing wrong with downtime. I really feel that this uptightness hurt my overall score, as I did WORSE on this exam than I did on the CCNA.
    - Also, as part of my uptightness, I wasn't running every morning as I was before, which kinda sapped my overall energy, too, and I gained five pounds!
    - I have to drive an hour and a half, as it is the closest test center that does weekend testing on a regular basis, and/or same-day testing on short notice.

    After taking it, how difficult is this test compared to the CCNA?
    I would say that the CCNA is four times as hard as this exam, simply due to the following:
    1. You're likely to be taking the CCNA as your first Cisco exam
    2. CCNA has WAAY more objectives
    3. You're more familiar with the equipment, by the time you're going for a CCNA Specialization
    4. Even with that said, take your time to know the material. This may be more or less time, depending on your experience level and familiarity.
    ====================================

    What materials did I use to prepare?

    - CCNA Security Study Guide, by Tim Boyles, from Sybex
    - Cisco Systems, Inc (for exact links, see earlier posts in this thread)
    - Welcome to The TCP/IP Guide!
    - mikem2te's excellent CCNA Security Study Guide: CCNA Security Study Notes
    - Flash Cards - 1,191 of them
    - GNS3
    - Practice Exams included with my text above
    - This thread itself, as I found myself coming back and reviewing the links I posted here.
    - I posted a pic of my study materials for CCNA, but not this time around. Suffice it to say, it's just a textbook and several 3-ring binders, not very spectacular to look at.

    =====================================

    What's next for me?

    - Short term: submit CPE for my security certs.
    - Medium term: I start my Master's @ WGU on 1 August, so my priority is more than likely going to revolve around the work required for that. I have to work with Juniper on a daily basis at work, so I may end up getting a basic cert for that one, too.
    Currently Working: CCIE R&S

  15. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #14
    Quote Originally Posted by onesaint View Post
    I'd say 4 hours on weekdays and 4-8 on weekend is great. Heck, I get 3-3.5 a night, do labs at lunch and if I'm lucky can put in 4-6 on the weekends. *insert sarcasm about family life here.

    I do flash cards on my iPhone whenever I have down time. I think I might do some for the finer details and CLI stuff as I get closer to taking the CCNA. Take it slow, you're going at it the right way from what all the threads I have read say. A strong foundation leads to better overall skill.

    Good luck on the exam.
    Yeah, just remember that I said that sometimes, that's only 1 hour.

    I passed today, so I guess I studied enough for that. Very hard to hit that exact minimum number to only pass, so the only recourse is to over-prepare.
    Currently Working: CCIE R&S

  16. Senior Member onesaint's Avatar
    Join Date
    May 2011
    Location
    Los Angeles
    Posts
    781

    Certifications
    CCNA, RHCSA
    #15
    Quote Originally Posted by instant000 View Post
    Yeah, just remember that I said that sometimes, that's only 1 hour.

    I passed today, so I guess I studied enough for that. Very hard to hit that exact minimum number to only pass, so the only recourse is to over-prepare.
    Fantastic!
    Over-preparedness is the way to go. It's a big fear of mine to be in situations where I am under-prepared. Sometimes the magic works and sometimes it doesn't.

    Agreed about the time. All one can do is their best.

    I'm curious to know what your binders contain and how you do your flash cards (i.e., just a normal phrase/question on the front, answer on the back?). Congrats again and thanks for the great thread.

  17. Senior Member
    Join Date
    Dec 2007
    Location
    Grand Rapids, Michigan
    Posts
    1,835

    Certifications
    Network+ : A+ : Security+ : eJPT : Life+
    #16
    That's great!! Congratulations on the pass!!!

    The first thing I said when the page loaded was "woah" in response to the big red letters lol.
    Booya!!
    ------------------------------------------------------------------------------------------
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****

  18. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #17
    Quote Originally Posted by onesaint View Post
    Fantastic!

    I'm curious to know what your binders contain and how you do your flash cards (i.e., just a normal phrase/question on the front, answer on the back?). Congrats again and thanks for the great thread.
    Thanks

    With regards to the flash cards ...

    I do this.

    1. Use CueCard to make the cards. This is freeware, and it hasn't crashed my computer ... yet.
    2. Print them to PDF, one-sided, 8.5 x 11, 4 cards per sheet.
    3. Print the PDF to the printer (have the printer set to duplex).

    ^^^ The logic behind choosing "one-sided" inside CueCard is that I like my question and answer on the same side of the paper, and this is how I got it to work for me. (I figure I can just cover up the answers with a sheet of paper, and just slide straight down the sheet to study.) If I want to study at the computer, I can just use the application. I prefer to read paper to study, so this works out for me.

    I used index cards a lot with CCNA, but here, I just made them electronic (due to the ability to copy/paste from the PDF).

    Of course, this brings up a whole 'nother issue, which I might as well cover here:

    1. The PDF included with my text was locked, and I was unable to copy/paste from it, so I unlocked it, so that I could make my flash cards. It saved me about five to ten seconds per flash card, I estimate (if not more).
    2. Also, there are flash cards on the CD included with my text, and in order to find the text for those flash cards, there was a .xml file on the CD that contained the flash card contents ... I was able to copy/paste from the XML file to make flash cards from those, too.

    Note: I'll just show this one chapter's set of flash cards, and that's it. I won't show any of the others, for this reason: I used material from the book to make my flash cards. If you look at my flash cards and the questions included with the text (or even the book text itself), they'd be VERY similar. So, my best advice is to make your own.
    Currently Working: CCIE R&S

  19. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #18
    Quote Originally Posted by jamesleecoleman View Post
    That's great!! Congratulations on the pass!!!

    The first thing I said when the page loaded was "woah" in response to the big red letters lol.
    Thanks.
    Currently Working: CCIE R&S

  20. Senior Member SteveO86's Avatar
    Join Date
    Oct 2010
    Location
    FL
    Posts
    1,405

    Certifications
    CCNP, CCIP, CCDP, CCNP: Security/Data Center, CCNA Wireless, CWNA, WCNA
    #19
    Congrats man!

  21. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #20
    Quote Originally Posted by SteveO86 View Post
    Congrats man!
    Thanks
    Currently Working: CCIE R&S

  22. Senior Member alan2308's Avatar
    Join Date
    Apr 2010
    Location
    Ann Arbor, MI
    Posts
    1,807

    Certifications
    CCNA, CCNA Sec, MCSA 2008, MCSA 2012, CISSP
    #21
    Congrats!

  23. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #22
    Quote Originally Posted by alan2308 View Post
    Congrats!
    Thanks!
    Currently Working: CCIE R&S

  24. All Inclusive IT Joshuab009's Avatar
    Join Date
    Jul 2011
    Location
    Georgia
    Posts
    64

    Certifications
    Network +, Security +, CASP, CCNA R/S, ITIL Foundation
    #23
    Instant000, Thank you so much. Your notes are awesome and your flash cards are already helping me prepare for this exam.

  25. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #24
    Quote Originally Posted by Joshuab009 View Post
    Instant000, Thank you so much. Your notes are awesome and your flash cards are already helping me prepare for this exam.
    Those flash cards were just for one chapter of the book. I hope you are supplementing those with some of your own. Also, there are some typos in there, be careful! I don't have a full-time editing staff!

    And another thing: mikem2te (or however you spell it) has an excellent thread of CCNA Security notes, here:

    CCNA Security Study Notes
    Currently Working: CCIE R&S

  26. Senior Member worldmac1's Avatar
    Join Date
    May 2006
    Location
    NC
    Posts
    112

    Certifications
    CCNA:Sec, CCNA, MCTS, MCP, Security+, Server+, A+
    #25
    Instant000, this is a totally awesome document! This is much, much more than a post, it's an Event! You have inspired me to do the same as far as logging and tracking my study habits. Creating a log for myself will keep me more focused and attentive to the books than being distracted by TV and other things that normally talk me out of studying. I think I will try this same approach and blog about it as well. Blogging about it will definitely keep me honest and on track ... I hope. Currently I'm on chapter 2 of the Cisco Press Cert Guide, but will definitely try my hand at the Sybex book you mentioned once I'm done.

    Thank you again and good luck on your future certs!

    I appreciate the advice, help, and the well documented road to becoming CCNA:Security certified.
    Certs in Progress:
    CCNP:Routing 300-101 15%
    OIIIIIIIO