How to get ready for CCNA Security exam

First, these are my personal notes about the areas I focused on to understand the CCNA objectives. My notes contain the concepts I learned with the support of CBT Nuggets videos. Finally, master the Packet Tracer activities. If you do not have access to ASDM, then choose another exam, e.g. CCNA Cyber Ops.

Obtain this:
1/ Book CCNA Security Portable Command Guide through Safari Books. Start reading from the first chapter onwards.
2/ CBT Nuggets – Keith Barker CCNA Security 210-260
3/ PDF CCNA Security Lab 2.0 Manual
4/ PDF CCNA Security 1.0 Student Lab Manual

1. Fundamentals

Managing risk
Quantitative risk analysis – a mathematical model
Input – the estimated value of an asset multiplied by the likelihood of a threat being realized
Risk analysis provides an actual cash figure for expected losses, used to estimate an annual cost.
Example:
Datacenter value = $10000 (AV – asset value)
Estimated damage from flooding = 60% (EF – exposure factor)

SLE – single loss expectancy: the organization's potential loss from a single occurrence of a specific threat exploiting a vulnerability
SLE = AV × EF
SLE = 10000 × 60% = $600000

ARO = 1% (1/100) – annual rate of occurrence; the likelihood of a flood occurring is estimated at once in 100 years
ALE = SLE × ARO
ALE = 600000 × 1% = 6000

What does the key length represent?

  • Number of permutations
  • Cipher size

Threat control

  • Regulates network access, isolates infected systems, prevents intrusions and protects business assets.
  • This helps to mitigate malicious traffic before it affects the business.

Cloud security
Threats in cloud:

  • Abuse of cloud computing
  • Account or service hijack
  • Insecure APIs – we in the AMP team work with APIs quite a lot; every single SIEM or CERT analyst uses APIs at work.

2. Network foundation protection

#Management plane Security
– login and password policy
– role-based access control
– authorize actions – restrict actions and views by user, group, service
– record who accessed the device, what occurred, and when
– ACL – limit which IPs are allowed to connect to the network device
– use only secure protocols – SSH/HTTPS, SNMPv3

#Data plane security
– ACL – anti-spoofing – discards traffic that has an invalid source IP
– layer 2 security
– firewall
– IPS – deep packet inspection – checks whether the traffic passing through port 25 looks like what it should (SMTP)
– VPN
– content security – web/email content policy

#Layer 2 Data Plane Protection
– port security – prevents MAC address spoofing and flooding attacks
– DHCP snooping – filters DHCP messages between the DHCP server and the switch ports
– Dynamic ARP inspection – adds security to ARP

#Securing the management plane includes the following
– enforcing a secure password policy
– securing the console, vty and aux lines
– securing and archiving the configuration
– enabling logging to record changes in real time
– using NTP to keep clocks synced, so that the order in which the steps of an attack occurred can be identified
– using appropriate logging levels for each device

—> Lab – configure Cisco routers for Syslog, NTP and SSH operations from CCNA security 2.0 Instructor Packet Tracer manual

#Securing the Data Plane on Catalyst switches + see CBT Nuggets video
If a layer 2 switch is compromised, layers 3-7 are also affected.
Review layer 2 attacks from the CCNA Security Portable Command Guide.

—> LAB – CCNA security 1.0 Student LAB
Chapter 6 lab A Securing Layer 2 Switches – part 3 Secure trunks and Access ports
Use packet tracer 6.3.1.2 Packet Tracer – Layer 2 Security

—> CCNA Security 2.0 Configure extended ACL
—-> Layer 2 security
—-> Layer 2 VLAN security
—-> ASA Basic Settings and firewall using CLI

#Switching data plane
IP DHCP snooping

VLAN hopping – never use VLAN 1
– assign all unused ports to VLAN 999 or shut them down
– do not allow dynamic negotiation (DTP)

A good overview of attacking the switching data plane is the CEH course.
It starts with network mapping tools
– getting an IP address from a rogue DHCP server leads to MITM password attacks and sniffing
– DHCP starvation
– CAM table attack and port security
– DHCP snooping
– Dynamic ARP inspection (DAI)

Finally – the book CCNA Security Portable Command Guide, the "Configuring port security" example and "VLAN hopping attacks – mitigating VLAN attacks".
On non-trunk links, disable trunking: switchport mode access
Assign all unused ports to an unused VLAN, e.g. 999, and disable the port. VLAN 999 is not used for any other traffic.

On the trunk links:
– Enable trunking explicitly
– Disable DTP and prevent DTP frames from being generated
– Switch the native VLAN to a dedicated VLAN.
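The access, unused and trunk port steps above, together with the port security, DHCP snooping and DAI items from the Layer 2 data plane section, as one worked Cisco IOS configuration. This is an added example, not a listing from the command guide or the lab manuals; the interface ranges, the user VLAN 10 and the native VLAN 998 are assumptions, and VLAN 999 is the parking VLAN from the notes.

```cisco
! Added example, not from the page's sources. Interface numbers, VLAN 10
! (users) and VLAN 998 (native) are assumed; VLAN 999 is the parking VLAN.
vlan 10
 name USERS
vlan 998
 name NATIVE-NO-HOSTS
vlan 999
 name PARKING
!
! Access ports: no trunking, no DTP frames, few MACs per port (CAM flooding)
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
!
! Unused ports: parked in VLAN 999 and shut down
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Uplink trunk: explicit trunk, DTP off, native VLAN moved off VLAN 1 to a
! VLAN with no hosts, only needed VLANs allowed; trusted for DHCP and ARP
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,998
 ip dhcp snooping trust
 ip arp inspection trust
!
! DHCP snooping and Dynamic ARP Inspection for the user VLAN; all other
! ports stay untrusted, so rogue DHCP offers and spoofed ARP are dropped
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Verification:
!  show interfaces trunk
!  show port-security interface FastEthernet0/1
!  show ip dhcp snooping binding
!  show ip arp inspection vlan 10
```

The `switchport trunk encapsulation dot1q` line is accepted only on platforms that also support ISL (e.g. 3560); on a 2960 it is omitted.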

The CBT Nuggets course CCNA Security is presented by Keith Barker. The information is consistent and presented in a well-structured, understandable form.

#Securing the infrastructure

1/ Management plane – SSH, Syslog + NTP (the current time is written into the logs), SNMPv3, RBAC: give users the access they need. Do not assign more than they need, otherwise there might be an accident.

2/ Control plane – routing protocol updates, router authentication. Limit the number of sessions and the number of inbound connections. The router can overload its CPU – DoS attack.

3/ Data plane – forwards packets in transit from one end device to another, e.g. DNS.
ACLs for IPv4 and IPv6, port security, firewall, IPS/IDS
– A switch is capable of memorizing at most 64K MAC addresses. If somebody sends a million, the table is full and the switch no longer knows where anybody is. It starts flooding traffic out of all its ports.
– Permit TCP traffic destined to our web server. What is really in the web traffic? IPS – is this packet typical for HTTP traffic?

Hope this helps

David

CCNA Security preparation: signature-based IPS

A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks or a SamSam ransomware variant.
You get just a general understanding, and this part in particular might get you puzzled.

AMP is cloud-based reputation. It acts in real time on suspicious events.
The signature engine uses strings in regular-expression-based patterns to detect intrusions.

See how Talos designed string patterns for threat analysis.

https://www.talosintelligence.com/amp-naming/

CCNA Security IINS v3.0 study plan

Last year I had a great experience in AnyConnect Tier 3 support. This was an excellent experience to see all VPN-related tickets. The company offered me a 2-week internship in Boxborough (Boston), MA. At this moment I am reviewing lessons in CBT Nuggets to get to know IINS v3.0 better.

I have to admit that having access to ASDM and an AnyConnect ASA firewall is the right way to prepare for this exam.

Exam question type: "When does the ASA trigger the NAT process?" No tutorial other than live experience gives you the training.

At this moment, folks, please rather consider CCNA CyberOps. The CCNA Security certificate really makes sense only if you can show and prove: yes, I have worked with the ASA, I know the difference between SSL and IPsec in ASDM.
Next week, I'll keep you informed how this plan for IINS v3.0 goes.

Below is a firefighters' truck in Boston.

Why I do not study for CCNP R&S.

So a year has passed since my CCNA R&S. After 2 years of almost day-to-day study, 1 hour in the morning, building the mind maps for the exam. It was rewarding to me and I enjoyed it. However, today I work at Cisco as a security engineer and gained a lot of experience on the way here.

Please note, getting a certification makes you learn everything, but you cannot be an expert in everything.

Curious? Yes, but do not overwhelm yourself.

A certification exam is designed to break you, to make you fail. It does not test your real knowledge. It's a business and you need re-certification every 3 years.

CCNA is complex and gives you most of the professional orientation. Continuing to CCIE would make you an antisocial "buddy", spending 3000 hours on THE exam without going out, working in the garden or socializing in the pub.
On top of this, CCIE has a 2-year re-certification period.

In our team the skills needed to become a good team mate are:

  • Logic – just basic mathematical principles
  • Communication skills – be able to summarize the customer's problem, explain it to the team and outline an action plan.
  • A support engineer works with frustrated customers. That's why they escalated the ticket to you, weren't they?
  • Criticism – not all problems are meant to be solved. Let the front-end engineers do their job. Otherwise they'll lean on you more and more.
  • Do not reinvent the bicycle – trace down who had this problem before.
  • Relax – even when people push you, do not start the 3rd world war.

Now some practical interlude for money and time management.

  1. Do not pay for study materials out of your pocket. A company should supply you with a yearly subscription to safaribooks, lynda.com or cbtnuggets.com
  2. Balance the time at work with study. Do not accept a process where you finish your work and immediately get twice as much. Managers often call it work balance for the team.
  3. Regardless of the technical support position you've been hired for, the company is well aware of "the longer you stay with us, the better". Every team is frightened of people coming in and leaving. The first year is the time they invest in you; the second year the effort pays them back.
  4. Managers have access to the team budget. That means you are eligible to get training per your interest. Do not accept that studying for CCNA is not related to your job because the company does not work with Cisco products.
  5. Finally, for a long-term and healthy life, stop working once you leave the office.

This way you should always be ready to say yes to a better offer. Be sharp with your attitude and be professional. Loyalty is a nice thing, but companies think this way: "We let you gain experience somewhere else, and then we try to hook you up".

Working in an international company makes you deliver professional support and grow in your personal development. There is nothing in between. Nobody will pay you back for unsuccessful attempts. An enterprise company pays you back once you get certified.

Backup files to an FTP server (Lenovo EMC) from a CentOS 6.7 application server

This project fits perfectly for having a valid backup after a ransomware attack. WannaCry was able to encrypt all mapped drives in Windows, including the local disk, in seconds.

Prerequisites:

  • CentOS 6.7 – application server: Tomcat, Postgres, Java application
  • NAS Lenovo EMC – in the same LAN; by factory defaults it allows only FTP, not SSH
  • yum install curlftpfs
  • CurlFtpFS is a filesystem for accessing FTP hosts. More info about curlftpfs
  • Your source directory is /home/djanulik/Documents/zalohy/keo4/
  • curlftpfs ftp://192.168.123.170/Backups/keo4 /mnt/w -o user=username:password
  • This mounts the FTP share into the local file system under /mnt/w
  • Note that the credentials passed with -o user= are visible to other local users in the process list, and FTP sends them in clear text over the LAN, so keep the NAS on a trusted segment and use a dedicated, least-privileged FTP account for the backups.
  • Please note, if you run rsync directly to the destination directory, you will receive error 95:
    Operation not supported (95)
    The FTP share does not allow creating temp files. Instead you should create those temp files locally. This is done directly with rsync using --temp-dir=/home/djanulik/Documents/temp/rsync
  • mkdir -p /home/djanulik/Documents/temp/rsync
  • rsync -rav --temp-dir=/home/djanulik/Documents/temp/rsync /home/djanulik/Documents/zalohy/keo4/a0-keo4-cosArch-vac_auto_2016-07-13.csv /mnt/w
  • More info about rsync: rsync is a fast and extraordinarily versatile file copying tool
  • Finally you can schedule the regular job with cron
  • Unmount the share when the job finishes (fusermount -u /mnt/w); a permanently mounted backup share is exactly the kind of mapped drive that ransomware encrypts along with the local disk.

Backup project

The task was about choosing and configuring an appropriate backup technology for an SBS 2011 server.
1. Synology NAS DS411 Slim.
2. Cisco switch with 2 gigabit ports; the other ports are Fast Ethernet.
The server is connected to the first gigabit port.
The second gigabit port is for the Synology NAS.

NAS Synology
– it provides the iSCSI service, an alternative to a SAN.
– this solution was chosen for its price/service ratio
– iSCSI provides SCSI across the LAN; TCP/IP encapsulates the SCSI packets.
– The connected disk is accessible as a local disk in Windows Server, without needing to install any drivers.

The Synology NAS consists of 2 hard disks with 450 GB capacity each.
This is a failover solution if one of the disks breaks.
First I created a volume. RAID combines several hard disks into one functional topology; this collection of disks is called a RAID.
We use RAID 1, which mirrors the data stored on each disk.
The content is recorded on both disks by RAID 1. If one disk fails, the copy is immediately ready to use.

Second I had to set up an iSCSI LUN. Storage capacity is assigned only when data is physically written.
This process is controlled by the iSCSI LUN on the Synology NAS.

Finally I configured the DiskStation as the iSCSI target and connected it to the Windows server.
I connected the iSCSI target to the LUN. Windows Server provides an easy-to-use iSCSI initiator.
I looked up the iSCSI portal using the IP address of the Synology and the default port 3260.
This iSCSI target is listed in Disk Management. Initialization is a must before the first use.
At the end I assigned the label F: to this volume and, after formatting, the disk appeared in Windows.

Summary:
The iSCSI LUN assigns space for stored data dynamically. This process is provided by virtualization technology.
Although we use iSCSI for backup, the disk is visible in Windows Server as a local disk.
Keep in mind that RAID 1 protects against a disk failure, not against deletion or encryption of the data, and a volume that appears as a local disk is reachable by any malware running on the server.
It can provide more disk capacity for an existing server, e.g. for storing logs. Windows SBS 2011 Server provides built-in backup technology. Each night the server performs the scheduled backup and stores the data on the NAS.

Installation of MySQL on Windows 10 using PowerShell

You can download the latest MySQL server zip file directly from the web page. There are several steps:

The first part of the script extracts the zip to the destination

$BackUpPath = "D:\WebDevelopment\mysql-noinstall-5.1.50-winx64.zip"
$Destination = "D:\Install\"
Add-Type -AssemblyName "System.IO.Compression.FileSystem"
[IO.Compression.ZipFile]::ExtractToDirectory($BackUpPath, $Destination)

The second part copies my.ini to the MySQL folder, keeping a backup of an existing one

if ([System.IO.File]::Exists("D:\Install\MySQL51\my.ini"))
{
    # keep the previous configuration before overwriting it
    Move-Item D:\Install\MySQL51\my.ini D:\Install\MySQL51\my.ini_bak -Force
    Copy-Item D:\WebDevelopment\my.ini D:\Install\MySQL51 -Force
}
else
{
    Copy-Item D:\WebDevelopment\my.ini D:\Install\MySQL51
}

Finally you install the MySQL service (the call operator & is required to run a quoted path in PowerShell)

& "D:\Install\MySQL51\bin\mysqld" --install MySQL51 --defaults-file="D:\Install\MySQL51\my.ini"

Create an exclusion in the firewall (only needed if clients on other hosts must reach MySQL; for a local development instance leave the port closed)
New-NetFirewallRule -DisplayName "MySQL 3307" -Direction Inbound -LocalPort 3307 -Protocol TCP -Action Allow

This is the old way, which I did without PowerShell.

  • Extract the file into a folder, e.g. D:\MySQL\server
  • Run the command line and type: net user Administrator /active:yes
  • This enables the built-in Administrator account
  • The next step is to run the command line with administrator privileges
  • runas /noprofile /user:David-PC\Administrator cmd
    Enter the password for David-PC\Administrator:
  • type cd %programfiles%
  • We need to look for a MySQL directory, in case it is already located in %programfiles%
  • dir "*MySQL*" /s /a:d
  • The next step is to copy the MySQL server into the %programfiles% directory
  • xcopy D:\MySQL\server\mysql_server_5.1.50_win32 "Program Files\MySQL\" /s /e
  • The last step is to edit my.ini with PSPad and save it in ANSI format
  • Finally install the service
  • install the MySQL service: "C:\Program Files\MySQL51\server\bin\mysqld" --install MySQL51 --defaults-file="C:\Program Files\MySQL51\server\my.ini"
  • Start the service
  • sc start MySQL51
  • Check if the service is running
  • sc qc MySQL51
  • sc query type= service state= running | find /i "MySQL"
  • sc query type= service | find /v "x0" | find /i "MySQL"
  • Disable the built-in Administrator account again
  • net user Administrator /active:no
  • Log in to the MySQL server
  • cd "C:\Program Files\mysql\MySQL Server 5.0\bin"
  • mysql -u root -p