One question I see often on the Net is “Is it worth my time to earn a CCNA / CCNP / CCIE certification?”
My personal answer to that is a resounding yes. The power of Cisco certifications has allowed me to create a tremendous career, and they can do the same for you.
There has never been a better time to accelerate your IT career, and earning a technical certification is a great way to do just that. I don’t care if you’re looking at earning an MCSE, a Cisco certification, Red Hat, or any other vendor – you are always better off having a technical certification than not having one. Technical certifications are an excellent way to market yourself and stand out from the crowd. Earning certifications shows a potential employer (and your current one) that you are willing to go the extra mile.
Sadly, when you ask this question on most Internet message boards, you’re going to get some very negative people giving you their “unbiased” opinion. Ask yourself this question: Do you want to entrust the direction of your career to someone you don’t know, who has no accountability for what they say, and who has some kind of ax to grind? Do you want someone like that to decide whether you should earn a CCNA or CCNP?
I can speak from experience on this point. When I told a few people that I was going to earn my CCIE, almost 100% of the responses I got were negative. “It’s too hard”, “no one can pass that”, “the CCIE isn’t worth the work”, etc. Every single one of these statements is false, and again I speak from firsthand experience. The same is true for the CCNA, CCNP, and MCSE. All of these certifications can add value to your career and put more money in your pocket. But you have to make the decision to earn them and to “keep your goals away from the trolls”.
Don’t ask anonymous strangers whether it’s “worth the time” to get a CCNA, MCSE, or other computer certification. The only person you should ask that question of is yourself. Whether you want to start an IT career or jumpstart your current one, make the decision to move forward in your career – and then follow through on that decision.
One of the most common questions I get from CCNA and CCNP candidates who are setting up their own home labs is “What cables will I need?”
The answer is “It depends.” As you know from your exam studies, the physical layout of your lab is what determines the cables you’ll need. Let’s take a look at the most common home lab cable types and when you will need them.
Straight-through cables have quite a few uses in a CCNA / CCNP home lab. You’ll need them to connect a switch port to an AUI port on a router (and you’ll need a transceiver for that as well). If you have an ISDN simulator, straight-through cables can be used to connect a router’s BRI port to the simulator.
Crossover cables are used to connect switches and allow them to trunk. If at all possible, get two switches in your home lab. This will allow you to gain valuable experience in manipulating root bridge election, working with STP, and creating EtherChannels.
DTE/DCE cables are used to connect two routers via their serial interfaces. If you are planning on using a frame relay switch in your lab, you’ll need several of these. You can also get some great practice in by directly connecting two routers and bringing the connection up (and making sure it stays up!). This is valuable practice for your CCNA exam.
Octal cables are used to connect an access server to each of the other routers and switches in your lab.
Finally, there’s that precious blue cable, the rollover cable. Rollover cables (sometimes called “rolled cables”) allow you to connect a host device directly to a router or switch’s console port. These cables have a way of disappearing around an IT shop, so make sure to take one home – and leave it there!
The BSD Certification Group (BSDCG) is a non-profit organization established to create and maintain a global certification standard for system administration on BSD-based operating systems. After a year of work, the group behind the BSD Certification project plans to complete the process for the first certification (BSD Associate) in the first half of this year, with the first exam to be available by the second quarter. We interviewed Dru Lavigne, BSD advocate and creator of the initiative.
Q: Why BSD certification?
Dru Lavigne: While the BSD family of operating systems is well-known and respected for its maturity, security, and stability, there currently isn’t a mechanism to quantify the skills of those who use and administer BSD systems. The BSDCG wishes to address this need by first determining and then assessing the skillsets required to successfully administer BSD systems.
Here is a practical example. Let’s say you’re screening employment candidates for a position that requires configuration of Cisco routers. It is quite likely that your job advertisement will indicate that a CCNA certification is preferred (or required), because the CCNA represents a defined body of knowledge and a minimum required skillset. You can go to the Cisco Web site and see for yourself which objectives one needs to master in order to achieve a CCNA certification. Armed with that knowledge, you can sort the resumes into a CCNA pile and then skim through related job experience to make a short list of interview candidates.
Now, let’s say you need to hire a system administrator for your BSD servers. Until the upcoming certification goes live, you don’t have a predefined yardstick that states a prospective employment candidate has met a minimum defined knowledge base or skillset. While you can still use related job experience to make a short list of candidates, you will have to ask more probing questions at the interview to determine how the candidate learned his skills and whether the candidate has any obvious knowledge gaps.
Q: How did the project start?
DL: Interest in creating a standardized BSD examination has been around for quite a few years and there are numerous threads on the subject in the various BSD mailing lists and forums. As an IT instructor myself, I finally got to the point where I was tired of fielding the question, “Why isn’t there a BSD certification exam I can take?”, and my time and income had stabilized, so I could devote most of my time to a volunteer certification project and still manage to keep the bills paid.
Towards the end of December 2004 I emailed everyone I knew who had ever expressed interest in a BSD certification to see if they had the time to finally do something about it. Seventeen people responded favourably and we began to put together the resources we would need to get started: a Web site, a mailing list, an IRC channel, our ground rules, and a mission statement.
Q: Who’s involved?
DL: We’ve grown a lot in the past year and things evolve as we go through the various tasks needed to bring an examination to life. I won’t mention names as there are so many – most are mentioned on the Web site, and I fear I’ll inadvertently forget to mention someone. At the moment, there are:
- 17 members of the BSDCG (the original members minus one who is now on the Advisory Board)
- 5 members on the Advisory Board
- More than 80 translators for more than 20 languages
- 2 mailing lists with more than 1,000 subscribers who discuss the progress of the certification and volunteer to assist as required
We incorporated in the state of New Jersey in October and hope to receive IRS 501(c)(3) non-profit status by the end of January. We’ll be holding elections for the board of directors before the end of Q1 2006.
2006 will see even more changes. So far these announcements are on the horizon:
- A partner for psychometric assessment of the exam questions
- Partners for actual delivery of exams
- Corporate sponsorships
Part of creating the standard will include guidelines for testing and training centers. We would also like to create a plan for incorporating BSD certification into existing post-secondary programs.
Q: Do you plan to create official books and manuals?
DL: This has been the topic of much discussion. We originally thought we would stay away from this and just concentrate on defining the exam itself. One reason was accreditation; many accreditation bodies have rules prohibiting the organization that creates the exam from also creating, or even recommending, study materials. This makes sense from a conflict of interest perspective and is meant to prevent persons with “inside” information from having an advantage over other writers.
Since then, we’ve had a lot of requests and some convincing arguments for official courseware created by the BSDCG. In order to go this route, we would have to sort out two things. The first is a conflict of interest policy that assures the study material focuses on learning and understanding and is not a rehash of hidden exam questions or caters to the mentality of “read this book and pass the exam.”
The second is quite practical: money and time. A book is a huge time commitment and the BSDCG is made up of volunteers with day jobs and bills to pay. Monetary sponsorship, or lack thereof, to allow some BSDCG members to devote the time needed to create an official courseware will probably provide the ultimate answer to this question.
Q: Recently you started a fundraiser to pay the services of a psychometric agency and other startup costs. How is it going?
DL: This is my first fundraiser, so I’m still struggling with a mental image of standing on a street corner holding out a hat and smiling as people pass by. At the same time, I’m impressed at how much has already been accomplished and how generous the community has been.
As the annual report will show when it is published, we were extremely conservative in 2005, with our largest expenditure being the $500 fee for the IRS 501(c)(3) application. Thanks to generous donations of both hardware and bandwidth from FreeBSD Brasil LTDA and NYI, the fact that we only use BSD operating systems and open source applications, and that we administer our own systems on a rotating volunteer basis, our only operational cost has been the domain registration.
We still have some major startup costs to tackle, most notably the psychometric assessment of the exam questions. We spent Q4 2005 interviewing many agencies and have a short list of those with both experience in IT assessments and successful legal defenses. However, we won’t start the actual psychometric review until we have raised at least 85% of the projected $35,000 we need to ensure we’ll have all of the required funds when the bill comes due.
Once we partner with a psychometric agency, we’ll have a better idea of whether there will be any startup costs to deliver the exam itself or if that cost can be entirely incorporated into the exam price.
Q: What type of skills will the project certify?
DL: Our current mandate is to test system administration skills. The results from our Task Analysis Survey [PDF] show a need to test the skills of two separate audiences. The first audience covers those who are currently working as or who would like to find employment as an entry-level BSD systems administrator. The exam objectives [PDF] for the BSDA, the name of the exam intended to certify this audience, show that these testing candidates are expected to prove competency in basic Unix skills. They are also expected to be aware of the features found in the FreeBSD, OpenBSD, NetBSD, and DragonFly BSD operating systems.
The second audience covers those who have more experience administering BSD systems and who want to prove that they really know their stuff. We won’t be releasing the exam objectives for this audience until after the BSDA exam has gone live, but you can expect this to be a much more demanding exam.
There has also been interest expressed in an end-user exam that tests BSD desktop usage skills, as well as an exam for BSD developers. We will take a closer look at those once the first two exams have been released.
Q: Do you plan to include hands-on tests in the certification process?
DL: Exam methodology is a very important topic to the BSDCG as we want to create a certification that accurately assesses the skills, or lack thereof, of the testing candidate. This is one reason why a psychometric assessment is so important, as it maps each exam question to the exam objectives (known as a blueprint), assigns it a weight, and determines the percentage of candidates expected to answer that question correctly (known as a cut-off score). Psychometrics also deals with how the question is worded and presented so that, for example, even a multiple choice question can require the testing candidate to understand a concept rather than just memorize a tidbit of knowledge.
We won’t know the exact design of the questions until after the psychometric review for the exam is complete, though I suspect that the BSDA will be a mix of different types of questions. Once we know the design, we will explain it on the Web site and provide examples of each type of question, so the testing candidate knows what to expect on the actual exam.
Exam methodology also brings up the constraints of existing test delivery software. Once we know the design of the exam, we will have to compare our requirements to the current software offerings. There is a good chance that we will have to create our own customized component if we wish to deliver either some questions or the entire exam as a hands-on component.
Q: You talked about a “standardized BSD examination,” and this sounds like those Linux certifications that just cover one or just a few particular Linux distributions, but call themselves “Linux certification.” Why didn’t you choose to make separate certifications, one for each BSD project? After all, the four BSDs (FreeBSD, NetBSD, OpenBSD, and DragonFly BSD) are complete (and incompatible) operating systems, while Linux is just a kernel used by more than 350 distributions.
DL: Yes, I’ve always found the term “Linux Certification” a bit of an oxymoron as none of the Linux exams I have seen expect you to understand the kernel. I’ve taught dozens of Linux classes and the first question I always ask is “what is Linux?”, and so far only one student has answered that question correctly.
The question of four separate exams versus one integrated exam has been a lively topic within the BSDCG and was posed to the public in the Task Analysis Survey. A legitimate complaint is, “Why should I be forced to learn four separate operating systems when I only plan on using one?” The answer to that became more obvious once we ascertained that there were two different audiences.
As we created the BSDA exam objectives it became obvious that it was more beneficial to have one all-inclusive exam rather than four separate exams. The bulk of the BSDA is demonstrating proficiency in basic Unix and system administration skills, and most of these commands are the same on all four operating systems. Where there are differences, these are listed in the exam objectives and on the Web site in a Rosetta Stone-like chart [PDF]. We feel it is a good thing to know ahead of time that in the real world command A is slightly different on the different BSDs, as it can save some frustration when it doesn’t work as one expects. Also, bear in mind that the BSDA doesn’t expect the candidate to be a guru, and won’t be drilling down on the deep nuances of each operating system — just the basics.
The second exam aimed at the more experienced BSD system administrator will have a different layout. While we have yet to create the exam objectives or determine the testing methodology for this second exam, we will be keeping the audience being assessed in mind. As an example, this audience will be expected to know how to choose the best tool for the job at hand, so we are aiming for a testing methodology that allows the testing candidate to choose his own operating system and applications.
Q: Do you think companies will be able to trust the certifications assigned by the BSDCG more since it is run by BSD experts, and not by a company that does this for money?
DL: Trust has different meanings depending upon one’s context. Those that are already within the BSD community are familiar with the BSDCG members and the talents they bring with them as they help define the BSD certification standard. I’m sure that this segment is more comfortable with a certification created by experts from the BSD arena and would be less likely to trust a certification created by “strangers,” regardless of the prominence of the name of the company sponsoring such a certification.
The world outside of the BSD community operates in a different context wherein the BSDCG, and possibly BSD itself, are the “strangers.” Creating trust outside of the BSD community requires the creation of an infrastructure, and this will take time.
Some of that infrastructure can be created by the BSDCG and some of it needs to be created by the BSD projects and the BSD community itself. Much of the work we did in 2005 helped to define which parts of this infrastructure are already in place and which bits need to be worked on.
While the BSDCG is committed to creating superior examinations that provide an accurate assessment of the testing candidate’s skills, we realize that there is more to creating an exam than just creating the exam. We would eventually like to see an infrastructure that includes elements such as:
- Testimonials from companies that have benefitted from BSD certification
- Guidelines for integrating BSD certification within existing college and university degree programs
- Focus groups with IT departments to help keep the exam objectives in line with real world needs
We have many other ideas on the back burner and always appreciate input and assistance.
When you’re preparing to pass the BSCI exam and earn your CCNP certification, one of the biggest challenges is learning BGP. BGP is totally different from any protocol you learned to earn your CCNA certification, and one of the differences is that BGP uses path attributes to favor one path over another when multiple paths to or from a destination exist.
Notice I said “to or from”. In earlier free BGP tutorials, I discussed the BGP attributes “weight” and “local preference”. These attributes are used to favor one path to a destination over another; for example, if BGP AS 100 has two paths to a destination in AS 200, these two attributes can be set in AS 100 to favor one path over another. But what if AS 100 wants to inform the routers in AS 200 as to which path it should use to reach a given destination in AS 100?
That’s where the BGP attribute “Multi-Exit Discriminator”, or MED, comes in. The MED value can be set in AS 100 to tell AS 200 which path it should use to reach a given network in AS 100.
As with many BGP attributes, the MED can be set with a route-map. What you need to watch is that there is no “set med” value in route maps. To change the MED of a path, you need to change the metric of that path. Let’s say that there are two entry paths for AS 200 to use to reach destinations in AS 100. You want AS 200 to use the 126.96.36.199/24 path over the 188.8.131.52/24 path. First, identify the two paths with two separate ACLs.
R1(config)#access-list 22 permit 184.108.40.206 0.0.0.255
R1(config)#access-list 23 permit 220.127.116.11 0.0.0.255
Next, write a route-map that assigns a lower metric to the more-desirable path.
R1(config)#route-map PREFER_PATH permit 10
R1(config-route-map)#match ip address 22
R1(config-route-map)#set metric 100
R1(config-route-map)#route-map PREFER_PATH permit 20
R1(config-route-map)#match ip address 23
R1(config-route-map)#set metric 250
Finally, apply the route-map to the neighbor or neighbors.
R1(config-route-map)#router bgp 100
R1(config-router)#neighbor 18.104.22.168 route-map PREFER_PATH out
The key point to keep in mind is that while many BGP attributes prefer a higher value, the MED is basically an external metric – and a lower metric is preferred, just as with the protocols you’ve already studied to earn your CCNA certification.
To pass the CCNA exam and earn that coveted certification, you’ve got to know Cisco switches inside and out.
Among the many important details you’ve got to know are the three methods that Cisco switches use to forward frames, and the differences between the three.
The first switching method is Store-and-Forward. The name is the recipe, because that’s just what the switch does – it stores the entire frame before beginning to forward it. This method allows for the greatest amount of error checking, since the Frame Check Sequence (FCS) can be run before the frame is forwarded. As always, there is a tradeoff, since this error checking process makes this the slowest of the three frame forwarding methods.
The quickest method is Cut-Through, where only the destination MAC address of the frame is examined before the forwarding process begins. This means that part of the frame is actually being forwarded while the rest is still being received! The tradeoff here is that the FCS does not run, so there is absolutely no error checking with Cut-Through switching.
The middle ground between these two extremes is Fragment-Free, so named since fragmented frames will not be forwarded. The switch examines only the first 64 bytes of the frame for errors, since that is the part of the frame that will be damaged in case of a collision. There is error checking, but it is not as thorough as Store-and-Forward.
Keeping these three switching schemes straight is vital to your CCNA exam efforts, and it will help you in working with Cisco switches in the real world as well. Keep studying!
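To make the three tradeoffs concrete, here is a small simulation (added here; not part of the original article) that builds Ethernet frames with a CRC-32 FCS, then applies each forwarding method to a good frame, a frame corrupted after its FCS was computed, and a runt collision fragment. Frame contents and MAC addresses are constructed for the example.

```python
"""Simulation of Store-and-Forward, Cut-Through and Fragment-Free forwarding decisions."""
import struct
import zlib

FRAGMENT_FREE_WINDOW = 64   # bytes a Fragment-Free switch waits for (the collision window)
MIN_FRAME = 64              # minimum legal Ethernet frame size, FCS included


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Ethernet II frame: dst(6) + src(6) + EtherType(2) + payload + FCS(4, CRC-32)."""
    body = dst + src + b"\x08\x00" + payload
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def fcs_valid(frame: bytes) -> bool:
    """Recompute the CRC-32 over everything but the trailing FCS and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def store_and_forward(frame: bytes) -> bool:
    """Buffers the whole frame, so the FCS can be checked before forwarding."""
    return len(frame) >= MIN_FRAME and fcs_valid(frame)


def cut_through(frame: bytes) -> bool:
    """Forwards as soon as the 6-byte destination MAC has been read; the FCS is never checked."""
    return len(frame) >= 6


def fragment_free(frame: bytes) -> bool:
    """Waits for the first 64 bytes so collision fragments (runts) are dropped; no FCS check."""
    return len(frame) >= FRAGMENT_FREE_WINDOW


def forwarding_decisions(frame: bytes) -> dict:
    """Which of the three methods would forward this frame?"""
    return {
        "store_and_forward": store_and_forward(frame),
        "cut_through": cut_through(frame),
        "fragment_free": fragment_free(frame),
    }


# Constructed sample frames (MAC addresses and payload are made up for the example).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
GOOD = build_frame(DST, SRC, b"A" * 100)            # 118 bytes, valid FCS

# Flip one payload byte after the FCS was computed: full length, but the FCS no longer matches.
_damaged = bytearray(GOOD)
_damaged[40] ^= 0xFF
CORRUPT = bytes(_damaged)

# A collision fragment: the frame was cut off before the 64-byte window.
RUNT = GOOD[:50]

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("corrupt", CORRUPT), ("runt", RUNT)):
        print(name, forwarding_decisions(frame))
```

Only Store-and-Forward rejects the corrupted frame; Fragment-Free catches the runt but not the bad FCS, and Cut-Through forwards all three.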
BGP is one of the most complex topics you’ll study when pursuing your CCNP, if not the most complex.
I know from personal experience that when I was earning my CCNP, BGP is the topic that gave me the most trouble at first. One thing I keep reminding today’s CCNP candidates about, though, is that no Cisco technology is impossible to understand if you just break it down and understand the basics before you start trying to understand the more complex configurations.
BGP attributes are one such topic. You’ve got well-known mandatory, well-known discretionary, transitive, and non-transitive. Then you’ve got each individual BGP attribute to remember, and the order in which BGP considers attributes, and what attributes even are… and a lot more! As with any other Cisco topic, we have to walk before we can run. Let’s take a look at what attributes are and what they do in BGP.
BGP attributes are much like what metrics are to OSPF, RIP, IGRP, and EIGRP. You won’t see them listed in a routing table, but attributes are what BGP considers when choosing the best path to a destination when multiple valid (loop-free) paths exist.
When BGP has to decide between such paths, there is an order in which BGP considers the path attributes. For success on the CCNP exams, you need to know this order. BGP looks at path attributes in this order:
- Highest weight (Cisco-proprietary BGP value)
- Highest local preference (LOCAL_PREF)
- Prefer locally originated route.
- Shortest AS_PATH is preferred.
- Choose route with lowest origin code. Internal paths are preferred over external paths, and external paths are preferred over paths with an origin of “incomplete”.
- Lowest multi-exit discriminator (MED)
- External BGP routes preferred over Internal BGP routes.
- If no external route, select path with lowest IGP cost to the next-hop router for iBGP.
- Choose most recent route.
- Choose lowest BGP RID (Router ID).
If you don’t know what these values are, or how they’re configured, don’t panic! The next several parts of this BGP tutorial will explain it all. So spend some time studying this order, and in part II of this free BGP tutorial, we’ll look at each of these values in detail. Keep studying!
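The attribute order above, and the MED tutorial earlier on this page, can both be checked against a small model of the selection process. The following is an added example, not code from the original tutorials: it walks the candidate paths through the listed steps (the route-age tie-breaker is left out, since it depends on receive time, so ties fall through to lowest router ID) and shows that the MED set in the route-map example wins only when the earlier attributes are equal. Neighbour labels, AS numbers and router IDs are constructed.

```python
"""BGP best-path selection in the attribute order listed above (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP (internal) < EGP (external) < incomplete


@dataclass
class Path:
    via: str                          # constructed label: which neighbour advertised the path
    weight: int = 0                   # Cisco-proprietary, local to this router
    local_pref: int = 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "i"
    med: int = 0
    ebgp: bool = True                 # learned from an external peer?
    igp_cost: int = 0                 # IGP metric to reach the BGP next hop
    router_id: str = "0.0.0.0"


def _keep_best(paths: List[Path], key: Callable, prefer_high: bool) -> List[Path]:
    """Keep only the paths whose key() is best; ties keep every tied path."""
    best = (max if prefer_high else min)(key(p) for p in paths)
    return [p for p in paths if key(p) == best]


def best_path(paths: List[Path]) -> Path:
    """Apply the decision steps in order until a single path remains."""
    steps: List[Tuple[Callable, bool]] = [
        (lambda p: p.weight, True),                  # 1. highest weight
        (lambda p: p.local_pref, True),              # 2. highest LOCAL_PREF
        (lambda p: p.locally_originated, True),      # 3. locally originated route
        (lambda p: len(p.as_path), False),           # 4. shortest AS_PATH
        (lambda p: ORIGIN_RANK[p.origin], False),    # 5. lowest origin code
        (lambda p: p.med, False),                    # 6. lowest MED (IOS compares MED only
                                                     #    between paths from the same neighbour AS
                                                     #    by default; all sample paths come from one AS)
        (lambda p: p.ebgp, True),                    # 7. eBGP preferred over iBGP
        (lambda p: p.igp_cost, False),               # 8. lowest IGP cost to the next hop
        (lambda p: tuple(int(o) for o in p.router_id.split(".")), False),  # 10. lowest router ID
    ]
    candidates = list(paths)
    for key, prefer_high in steps:
        if len(candidates) == 1:
            break
        candidates = _keep_best(candidates, key, prefer_high)
    return candidates[0]


def med_example() -> str:
    """AS 200 sees two entry points into AS 100 carrying MED 100 and MED 250, as in the route-map."""
    via_r1 = Path(via="R1", as_path=[100], med=100, router_id="1.1.1.1")
    via_r2 = Path(via="R2", as_path=[100], med=250, router_id="2.2.2.2")
    return best_path([via_r1, via_r2]).via           # lower MED wins: "R1"


def as_path_beats_med() -> str:
    """AS_PATH length is considered before MED, so the higher-MED path wins here."""
    via_r1 = Path(via="R1", as_path=[300, 100], med=100, router_id="1.1.1.1")
    via_r2 = Path(via="R2", as_path=[100], med=250, router_id="2.2.2.2")
    return best_path([via_r1, via_r2]).via           # "R2"


def weight_beats_everything() -> str:
    """Weight is the first step, so it overrides a better LOCAL_PREF, AS_PATH and MED."""
    via_r1 = Path(via="R1", weight=0, local_pref=200, as_path=[100], med=100, router_id="1.1.1.1")
    via_r2 = Path(via="R2", weight=500, local_pref=100, as_path=[300, 100], med=250, router_id="2.2.2.2")
    return best_path([via_r1, via_r2]).via           # "R2"


def router_id_tie_break() -> str:
    """Identical attributes all the way down: the lowest router ID wins."""
    via_r1 = Path(via="R1", as_path=[100], router_id="10.0.0.9")
    via_r2 = Path(via="R2", as_path=[100], router_id="10.0.0.10")
    return best_path([via_r1, via_r2]).via           # "R1"
```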
Cisco’s newest version of this exam for aspiring CCSPs requires a foundation of security knowledge with some hands-on experience.
A Cisco Certified Security Professional (CCSP) requires knowledge and hands-on experience with many Cisco network security technologies. Unlike most of the other exams required for CCSP certification, which are focused more on particular areas of security, the SND exam covers these from a high-level identification, implementation and configuration point-of-view. I’ll address some of the main areas to study for this new exam by mapping to the official exam objectives.
Much of the exam tested my general knowledge of how to identify, secure against and mitigate common network attacks, as well as technologies like IPSec, VPN, and authentication, authorization and accounting (AAA). There were, however, a few product-specific questions asking, for example, how to configure a Cisco PIX firewall and how to secure Cisco Layer 2 devices.
For the 90-minute exam period, I was given 62 questions, including two simulation questions. The passing score was 825 on a scale of 300 to 1,000 points. Like all the Cisco exams I’ve ever taken, you can’t move back through the question set or mark or review your answers like you can on most other certification exams. But I find Cisco exams easier overall, with many of the questions in the form of one or two lines with only one correct answer to choose from.
Although this exam does include simulation-based questions, they seem easier than those I’ve had on the new CCSP SNRS and retired CSPFA exams. The simulation questions present a company’s network scenario, topology and usually a partial configuration. You’re required to complete the remaining configuration by navigating the Cisco device command-line environment. The opening screen of the simulation-based exams warns you about spending too much time on any one simulation question; it recommends no more than 10 minutes each. Running short of time on this exam shouldn’t be an issue for most candidates, but you’ll need to pace yourself during the simulators.
Naturally, there are questions that pop up about the simulation problems: Is there partial credit? If you don’t save your configuration, will it be marked incorrect? I approach simulation questions just as I would in the real world: I execute the required commands to configure the router, switch or firewall; show the configuration; save; and verify my work. Many times the question-mark command is available and limited help is there if you need it. The simulation questions are generally more difficult than the more common multiple-choice questions. This exam also includes a number of pick-and-place type questions.
While there’s currently an official Cisco instructor-led SND course available, no exam-specific self-study guides have yet been published. On its Web site, Cisco usually includes a link to Cisco Press with recommended reading for each exam. For the SND exam, I found most everything I needed to learn in the Cisco Press book “Network Security Fundamentals” (ISBN 1578051672). Cisco Press also offers the CCSP Flash Cards and Exam Practice Pack, which can help you prepare for all five of the CCSP exams. I also highly recommend you read the free online chapter from “Cisco Access Control Security: AAA Administration Services.” Generally, for self-study I prefer Cisco Press’ books, but nothing made a better resource for the CCSP exams than the popular Sybex self-study guide written by Todd Lammle. (Note: This guide covers the CCSP’s previous series of exams.)
The main objectives of the SND exam are to identify Cisco security products, implement security, describe and configure IPS and HIPS, and deploy a PIX security appliance. Since a valid Cisco Certified Network Associate (CCNA) is a prerequisite, that’s where you should start to obtain the fundamental knowledge about how to configure and troubleshoot Cisco devices. The CCNA will also introduce you to the wonderful world of LANs, WANs, ACLs and many other fundamentals that are essential to your understanding before taking this exam.
The core topics of the SND exam include:
- Describe the products in the Cisco security portfolio and explain how they mitigate security threats to a network.
- Describe the security features available for a Cisco Layer 2 device in a secure network.
- Implement security on a Cisco IOS Router.
- Describe and configure Cisco IPS and HIPS.
- Configure and verify basic remote access on a Cisco VPN 3000 Concentrator.
- Implement a Cisco PIX security appliance.
Although I didn’t receive any specific questions on my exam regarding configuration and management of the Cisco VPN 3000, I’ll provide a link to information you should know.
Cisco’s Security Products
Cisco routers, switches and firewalls all include many technologies to secure them and today’s networks. Securing a network starts with a security policy — without it, it would be hard to follow the Cisco security wheel of secure, monitor, test and improve. Cisco routers can be used to secure the network to a point. And they also need to be secured.
Packet filtering with access lists, where the more specific entries should be placed at the top, can be used to limit traffic and so protect hosts and networks. The Cisco PIX firewall includes the adaptive security algorithm (ASA), which can inspect network traffic all the way up to Layer 7 (i.e., Application).
Tip: The reload command can be used to restart a Cisco router or firewall.
Ensuring proper time-of-day configuration using network time protocol (NTP) and external logging can be just as important. The commands for configuring logging are logging on and logging host.
Tip: CDP operates at Layer 2 and can be disabled on a device with the command no cdp run.
The PIX also supports Turbo ACLs just as Cisco routers 7200 and 7500 do. Configuring a Cisco router or firewall for SSH is another method of defense and security. The device acts as an SSH server.
Tip: Reflexive ACLs allow packets to be filtered based on upper-layer protocol session information.
Mitigating Security Threats
To identify security issues, threats to a network and how to deal with them, start with identifying targets, attackers and your security policy. Reconnaissance or fingerprinting is the technique of identifying targets through ping and port scans. Once an attacker identifies a target, he can then start such things as dictionary or brute force password attacks. As previously mentioned, securing device passwords is crucial! Securing data as it moves across the network is also important in secure environments. DES, 3DES, AES, MD5 and Diffie-Hellman are all acronyms and technologies you should be familiar with for this exam. The first three are encryption algorithms for message confidentiality; MD5 is a hashing algorithm for message integrity; and Diffie-Hellman is used for IPSec peer authentication.
Tip: DES uses a 56-bit key for encryption.
For more information on IPSec encryption, go here.
Tip: IPSec protects against replay attacks.
Mitigating security threats to a network also includes fighting worms. The primary steps are:
- Containment – limiting the spread of a worm infection to areas of the network that are already affected.
- Inoculation – patching uninfected systems with the appropriate vendor patch for the vulnerability.
- Quarantine – tracking down and identifying infected machines within the contained areas and disconnecting, blocking or removing them.
- Treatment – the process of removing the worm from actively infected systems.
Security Features of Cisco Layer 2 Devices
Layer 2 security is implemented within the network’s switches. Here you can use port filtering and 802.1X authentication to prevent CAM table overflow and MAC address spoofing. You’ll most certainly want to read and study this Cisco SAFE white paper.
Tip: CAM table overflow can be mitigated with the command port security.
VLANs provide a robust method of security at Layer 2. Private virtual local area networks (PVLANs) are defined by two main types of ports:
- Promiscuous – a port that can communicate with all interfaces, including the isolated and community ports within a PVLAN.
- Isolated – a port that has complete Layer 2 separation from the other ports within the same PVLAN but not from the promiscuous ports.
PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
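The following Catalyst IOS configuration is an added example, not taken from the article, showing how the promiscuous and isolated port roles just described are built: one promiscuous uplink and two isolated host ports in a private VLAN. VLAN numbers and interface names are assumed.

```text
! Constructed example: primary VLAN 100 carries isolated secondary VLAN 101.
! VTP versions 1 and 2 do not propagate private VLANs, so the switch is
! put into transparent mode first.
vtp mode transparent
!
vlan 101
 private-vlan isolated
!
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Promiscuous port: may talk to every port in the PVLAN. This is where the
! default gateway or firewall inside interface is attached.
interface GigabitEthernet1/0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Isolated host ports: each reaches only the promiscuous port, never the
! other isolated port, even though both sit in the same IP subnet. A
! compromised server on one port cannot ARP for or attack its neighbour.
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

show vlan private-vlan confirms the primary/secondary association, and show interfaces GigabitEthernet1/0/2 switchport shows the host association on a port.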
A host-based intrusion detection system (HIDS) can detect attacks occurring on a host. It works by intercepting OS and application calls, securing the OS and applications, validating incoming requests and analyzing log files in response to an attack. A network-based intrusion detection system (NIDS) is usually the first to detect an attack occurring at the network level; it then either takes corrective action or notifies a management system from which an administrator can take action. Attacks are discovered by looking for their signatures in the traffic flows on the network.
Tip: A DoS attack can occur at a network device, host or the entire network.
Securing Cisco IOS Routers
Securing Cisco routers can be done by choosing secure passwords and ensuring they are encrypted. The IOS command service password-encryption will make this happen. You can also configure the router for password length with the command security passwords min-length.
Configuring Cisco IPS and HIPS
An intrusion prevention system (IPS) is the latest addition to the Cisco arsenal for detecting and reacting to network- and device-based attacks. Like an IDS, an IPS uses an attack-signature database, but it can send alarms, drop packets or reset the connection when an active attack is detected. For more information on IDS and IPS, study the SAFE document “IDS Deployment, Tuning, and Logging in Depth.”
You may be required to configure a Cisco router for AAA on the exam. Be sure to review the guide “Configuring Basic AAA on an Access Server,” paying particular attention to the commands for TACACS servers.
Tip: The command aaa new-model enables AAA on a Cisco device and erases all previous AAA configuration.
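The following IOS fragment is an added example, not configuration from the article, that combines the password controls from “Securing Cisco IOS Routers” with basic AAA against a TACACS+ server. The server address, shared key, username and secrets are placeholders, and SSH is assumed to be already set up on the router.

```text
! Constructed example; replace every <...> placeholder before use.
! Enforce a minimum length before any new password or secret is configured.
security passwords min-length 10
! Obscure (type 7) any clear-text passwords left in the running config; the
! enable password itself should be an enable secret (MD5 hash), not a type 7.
service password-encryption
enable secret <ENABLE-SECRET>
! Local fallback account, defined BEFORE aaa new-model so a console session
! can still log in if the TACACS+ server is unreachable.
username admin privilege 15 secret <ADMIN-SECRET>
!
! aaa new-model turns on the AAA framework; as the tip above says, it wipes
! any earlier AAA configuration and immediately applies the default login
! method list to every line, so keep an existing console session open.
aaa new-model
tacacs-server host 10.0.0.5 key <TACACS-KEY>
! Authenticate logins against TACACS+, falling back to the local user only
! when the server does not answer (not when it rejects the login).
aaa authentication login default group tacacs+ local
! Let the server decide the exec privilege level, local fallback again.
aaa authorization exec default group tacacs+ local
! Record sessions and every level-15 command for audit.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 transport input ssh
```

Test the new method lists from a second session before closing the one you configured from; test aaa group tacacs+ <user> <password> legacy checks the server exchange directly.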
Cisco VPN 3000 Concentrator
The two basic types of VPN services are access VPNs and site-to-site VPNs. Their three main applications are remote access, intranet and extranet connectivity. The basics of configuring these using the Cisco VPN 3000 concentrator could be covered in your exam. I recommend you read and understand this Getting Started guide.
Firewalls come in a variety of configurations and implementations. Packet-filtering firewalls limit the information transmitted into a network based on static packet-header information (routers with access-control lists). Proxy server firewalls control the connections between a client on the inside network and the Internet. Finally, stateful packet filtering firewalls combine the best of both worlds.
Cisco PIX Firewall
The Cisco PIX provides several command-line modes. Unprivileged mode, also referred to as user mode, is what you get when you first access the PIX through a console or telnet session. After typing enable and the correct password, you enter privileged mode; from here you can issue most write, show and even copy commands. You must enter configuration mode with configure terminal to perform any device configuration.
Tip: The PIX command write memory saves all configurations.
There are six basic commands to configure a PIX:
- ip address
The nameif command is used to assign the names inside, outside, dmz and so on to the physical ports of the PIX. It is also used to assign interface ASA security levels. For example, nameif ethernet2 dmz sec50 assigns the name dmz and security level 50 to the third physical interface of the PIX. Interface numbering starts with E0 (security level 0, the default for the outside interface) and E1 (security level 100, the default for the inside interface).
Tip: Network traffic cannot flow by default from a lower-level security interface to a higher level.
The interface command identifies hardware, sets the speed, and administratively enables an interface. For example, interface e0 100full enables the outside interface and configures it for 100Mbps, full duplex.
The ip address command assigns an address to a specified interface. For example, ip address dmz 172.16.0.1 255.255.255.0.
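To show the three commands above working together, here is an added example of a minimal three-interface PIX 6.x configuration; it is not from the article, it adds the nat, global and route commands needed before any traffic can cross the box, and all addresses are constructed placeholders. The security keyword is written out in full, and the lines beginning with ! are explanatory comments for the reader rather than PIX commands.

```text
! Constructed PIX 6.x example; addresses are placeholders.
! 1. Name the interfaces and set ASA security levels: outside=0 (lowest),
!    inside=100 (highest), dmz in between.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
! 2. Enable the hardware at 100 Mb/s full duplex.
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
! 3. Address each interface by its name, not its hardware identifier.
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 172.16.0.1 255.255.255.0
! 4./5. Hosts on a higher security level may start connections towards a
!    lower one only once a translation exists: nat tags the inside subnet
!    with ID 1 and global supplies the outside pool for that same ID.
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
! 6. Default route towards the ISP router on the outside segment.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! Nothing above lets outside or dmz hosts reach inside: lower-to-higher
! flows stay blocked until a static translation and an access-list permit
! them, which is the default behaviour the tip above describes.
write memory
```

show nameif, show ip address and show xlate verify, in order, the interface naming, addressing and the translations the PIX builds for outbound connections.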
The PIX Firewall Management Console centralizes the management of multiple PIX firewalls. And the PIX can be configured to use both RADIUS and TACACS servers for AAA. Finally, the PIX firewall switching module (FWSM) can be installed in Cisco Catalyst 6500 or 7200 switches for greater throughput.
Well, that’s that. If you’re confident in your knowledge of Cisco’s portfolio of security products and their related technologies, you should be good to go. Next month, I’ll review the new CCSP exam 642-511 Cisco Secure Virtual Private Networks (CSVPN). Good luck!
While the 640-801, 640-811, and 640-821 exams may ask you about one or two of these, you really have to get hands-on experience with these commands to master them. Even better, there are some key combinations that Cisco routers mention, but then don’t tell you what they are! Let’s take a look at a few of the more helpful key combinations, and conclude with the “secret” way to stop a ping or traceroute.
The up arrow on your keyboard is great for repeating the last command you typed. Let´s say you mis-enter an access-list. Instead of typing it from the beginning, just hit your up arrow to repeat it, then fix the problem.
CTRL-A takes the cursor to the beginning of a typed line. If you´ve written an extended ACL, you know that can be a very long command, and one you probably don´t want to retype. If you get a caret indicating there is a problem with the line, use your up arrow to repeat the command. If you see the error is near the beginning, use CTRL-A to move the cursor immediately to the beginning of the line. CTRL-E takes the cursor to the end of a typed line.
To move the cursor through a typed line without erasing characters, you’ve got a couple of options. I personally like to use the left and right arrows, but you can also use CTRL-B to move back and CTRL-F to move forward.
Finally, there’s the combination that Cisco mentions to you when you run ping or traceroute, but they don´t tell you what it is! If you send an extended ping or a traceroute, you could be looking at asterisks for a long time if you don´t know this one. In the following example, a traceroute is obviously failing:
R2#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
  1 * * *
  2 *
The problem is that you’re going to get 30 rows of those asterisks, which is frustrating and time-consuming at the same time. Note the router console message “Type escape sequence to abort”. That’s helpful – but what is it?
Here it is: Just type CTRL-SHIFT-6 twice, once right after the other. You won’t see anything on the router console, but the traceroute will terminate.
R2#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
  1 * * *
  2 * * *
  3
R2#
The traceroute was successfully terminated. This combination works for pings as well, both extended and regular. Of all the keystrokes you can learn, this one is the most valuable!
The value and popularity of IT certifications are tied to supply and demand, said John Challenger, CEO of IT outsourcing and jobs analysis firm Challenger, Gray & Christmas. There is no question that after Microsoft and Cisco certifications, the next most important certs are for Linux, he told LinuxInsider. One thing is clear: although Microsoft Windows and Cisco certifications continue to be the biggest, the importance of Linux certifications is on the rise. Linux occupies prominent positions in CertCities’ “10 Hottest Certifications of 2006” list, for example. For the first time, the list was led by Linux, with the Red Hat Certified Engineer (RHCE) credential on top.
Cisco Systems today announced the addition of the Rich Media Communications Specialist certification to its Career Certifications program. The Rich Media Communications Specialist certification validates the skills and knowledge required to successfully plan, install and manage rich media communications in an IP network.
Read the full article here.