Security

Base Config: ASA IPSec Remote Access VPN Template

With the iPad making its debut, I've had a couple of clients wanting an IPSec Remote Access VPN so they can access the corporate network remotely from their iPad. Here's the starting template I use:

CCDA

Cisco has an entry level design certification called the Cisco Certified Design Associate, or CCDA. This is similar to the CCNA in that it is a foundational certification that goes a mile wide and an inch or two deep. If you have passed your CCNA and you are looking for the next challenge, take some time to consider the available options...

  1. Specialize in an area of networking with Cisco's Voice, Security, or Wireless CCNA Certifications.
  2. Take your CCNA level knowledge to the next level and focus on the CCNP
  3. Focus on the design track, starting with the CCDA.

If you are interested in pursuing the CCDA, there are some great resources to get started. First, check out the Tekcert articles section for writeups on the CCDA or on specific topics that align with exam topics. Also, check out the Exam Topics (CCO login required).

Cisco Revises CCNP Certification Track

Cisco recently revised their CCNP track to make it align with actual job requirements (such as troubleshooting problems on networks full of Cisco equipment). What do these changes mean for current Cisco Certified Network Professionals? Well, not much other than you still get to take a 642-level exam to renew it. However, for all you non-CCNPers out there, tighten your belts and sharpen your pencils because you are in for a bit of a change.

Base Config: ASA Site-to-Site VPN

It doesn't matter how many times I've done this, I always forget one piece. Here's a template for the future:

Cisco Test Forensics Explained

A few months ago, I posted on the new VUE Cisco test requirements that would be coming in 2008 to combat certification fraud. These included:

- Thumbprint scanning
- Digital signatures
- Test forensics

The first two are obvious ways to prevent impostors from taking certification exams for you. However, this is nowhere NEAR as big of a problem as brain dumps / illegal "practice exams". This is the aim of the test forensics...but what does THAT mean? How can a certification exam tell if you're cheating?

Last month, Network World magazine posted a great article on the subject...and I quote:

CCNA Specialties - $250.00/exam? Is This a Typo?!?

I just went to register to take the CCNA Security exam...it looks like all the CCNA specialty exams are $250.00! I just took the CCNA Voice a couple months ago and it was $150.00... I'm hoping this is a mistake...

UPDATE: Called and spoke with both VUE and Cisco Certification support folks...it's not a typo - the CCNA Specialty Exams are all $250.00/attempt. Ouch. Apparently, the CCNA Voice exam I took earlier was a "pre-release" version & price.

Cisco Updates CCSP

It's official - the CCSP is updated. I'm really digging the "core exams + electives" option. Allows you to become a CCSP who specializes in some security technology (ASA, MARS, NAC) without requiring you to know everything to get a CCSP certification. Wish they'd do the same for the CCVP program...I'm sure they will...

Book Review: Voice over IP Security

I've always been interested in VoIP security...it seems many networks running VoIP are now considering their security options (years after initial deployment). When I first looked through this book, I was unimpressed. It seems like the book spends A LOT of time talking through foundations of H.323, MGCP, SIP, encryption, authentication, etc... (just general security topics and voice concepts).

Automatic Err-Disable Recovery

Someone showed me a great feature today. One of the constant pains in the network is when you get a port err-disabled on the switch. Regardless of how many times I see it, it always seems to be the last thing I check. There's a little-known feature in the IOS called "err-disable recovery" which automatically turns an err-disabled switchport back on after 5 minutes (by default). The good news is that this command allows you to choose specific reasons for which you'd like to re-enable the port, such as re-enabling ports disabled because of a port-flap instance but keeping MAC-address security violations error-disabled. Here's the syntax to make it happen:

New CCNA Certifications: The Cat is Out of the Bag!

Finally, on Tuesday afternoon, Cisco announced the new CCNA-level certifications...and they are (drum roll please):
CCNA Security
CCNA Voice
CCNA Wireless

I'm actually creating the CCNA Voice Official Exam Certification Guide for Cisco Press as we speak. I've got to tell you - this certification is awesome. It completely fills a much needed gap of knowledge that's needed before you get into the CCVP program. I can't speak for the Security & Wireless certs, but in the CCNA Voice, you'll be learning:
VoIP & Legacy System Integration
CallManager Express setup
Unity Express setup
Basic QoS, Dial-Peers, and other technical nuances
Having this foundation before someone gets into a CCVP will be awesome. Yesterday afternoon, Cisco Press conducted a "podcast video interview" with me about the cert. I'll post the link as soon as it's available. I was actually interviewed by none other than Jeff Doyle (the TCP/IP routing genius) - I'm honored!

My New Favorite IOS Command

I know I mentioned this command in passing a few posts ago, but this command has become so valuable to me, it needs its own post. It's the show run | section command. This allows you to define any "major heading" from the IOS configuration and it will filter the running configuration down to just those sections. This is very similar to how the ASA "show run" command works.
For example, I'm working on a book focused around CallManager Express (CME) right now. In CME, you create "ephones" which represent the IP Phones on your network.

Want to take a Cisco Exam? Smile!!!

Interesting new information from Cisco on their updated certification security. Certification exam takers will now be required to take a digital photograph and give a digital signature at VUE exam centers:
Cisco and Pearson VUE Improve Security Innovations in Global Test Delivery
...
Cisco is now requiring that all VUE test centers delivering Cisco certification exams collect digital photos and digital signatures during the admissions process, in addition to the current identification requirements. This new layer of identity authentication will help to ensure candidate identity and result in increased assurance that individuals are presenting accurate certification records in the marketplace. The new authentication technology will be implemented in phases around the globe over the next year.
I'm curious if this will really help in securing the exam information itself.

Network Security and Netflow


A couple things I'd like to mention in this post...First off, I just finished looking through End-to-End Network Security from Cisco Press...Very nice. If you've ever wanted to get into network security, this is a great starting point. It talks about major areas of network security to address and the tools you can use to do it.
So that brings me to my second thought...Someone talk to me about Netflow. Netflow is one of the tools this book mentions that you can use to analyze your network traffic. In its basic form, Netflow tracks all the "flows" (aka traffic) going through your router. You can categorize it per-application and even get down to a per-user level (so you can finally figure out who is killing the Internet connection with their peer-to-peer traffic).

CCNA Update

Well, it looks as though Cisco has finally done a MAJOR update to their famous CCNA program. This update will indeed make it more difficult to attain a CCNA...and for good reason! Many people are just getting their CCNA certification and stopping (not moving on to the CCNP, CCSP, or whatever). So...Cisco decided, if that's all you're going to do, then we'll make it so you really have an idea of what you're doing!
I've been contracted to write the new CCNA Exam Cram / Exam Prep series and to record the new CBTNuggets CCNA series, so I've been researching what is new for quite some time...Here's the scoop:

The Coolest Cisco Links of All

Okay, here's my thought. I've got some links that I have found very handy in the Cisco world over the years...links that I typically forget about, but then someone shows me the same link months later and I get all excited about them again. Rather than continuing the cycle, I was hoping to enlist your help to create a post that has all sorts of great links. Eventually, we can compile a list and put them in some permanent place on the website. These links include cool resources, utilities (cheap or free), and "tips". Please don't include blogs in this list (not that they're not valuable...just a different category). So, here's what I've got so far:
