|
0:00:13
|
Welcome everybody to Internetworking Experts CCIE Security Advanced Technologies Class
|
|
0:00:19
|
I am Brian McGahan and I would your instructor for these sessions
|
|
0:00:24
|
Now little bit about myself. I am a CCIE in Routing and Switching Service Provider in security.
|
|
0:00:30
|
When I took the Security exam in a couple of years back it was for the version 2 blue print.
|
|
0:00:36
|
so its one Blue Print previous to what most of you are going see today when you going to see exam
|
|
0:00:42
|
And if you have any questions during class or after class, now please feel free to send me an email
|
|
0:00:48
|
You can see my contact information that is bmcgahan@ine.com
|
|
0:00:55
|
Now of couple of offline resources that you can use after class
|
|
0:00:58
|
We have a discussions forum at ieoc for ine’s online community
|
|
0:01:04
|
And you will see a lot discussions there of the
|
|
0:01:06
|
different security products like Volume 1 or Volume 2 ccie security work box
|
|
0:01:12
|
So you if have very particular question that is related individual lab task
|
|
0:01:17
|
usually ieoc is the best place to search first
|
|
0:01:22
|
Then we also have our blog at ine.com
|
|
0:01:27
|
You will see a lot of different technologies write-ups
|
|
0:01:29
|
that are related to the security topics
|
|
0:01:31
|
and then also lot of technologies that are in the networking world.
|
|
0:01:38
|
Now the overall goal for this class
|
|
0:01:41
|
is to learn a structured approach not only for configuring
|
|
0:01:46
|
the technologies that are within the scope of this CCIE Security exam
|
|
0:01:49
|
but two additional points – the verification and the troubleshooting
|
|
0:01:55
|
which we will see is very very key for lot of the technologies that are within the scope of this blueprint
|
|
0:02:01
|
specially things like IPSec LAN-to-LAN VPN or the remote access VPN’s
|
|
0:02:07
|
The configuration of this topics since there are so many different lines of code that we need to do
|
|
0:02:14
|
in order to implement a particular design , if you miss one minor feature
|
|
0:02:18
|
or just one line of configuration
|
|
0:02:21
|
it can break your entire design
|
|
0:02:23
|
And if you don’t know how to actually figure out if this configuration working,
|
|
0:02:27
|
and if it is not , what type of show commands that you are going to use, what kind of debug commands you are going to use,
|
|
0:02:32
|
in order to actually troubleshoot this,
|
|
0:02:35
|
then its easy to get lost when you are implementing these kind of technologies.
|
|
0:02:40
|
So the structure of this class is that I am going to be talking about the theory behind the topics,
|
|
0:02:45
|
So things like what is the ASA? what are the diffent featues that it sports?
|
|
0:02:50
|
But then the best majority of time
|
|
0:02:52
|
I need to be doing lot of live demonstrations on the command line
|
|
0:02:55
|
going through the different configurations
|
|
0:02:57
|
either through
|
|
0:02:58
|
the console interface, the command line interface of the platforms
|
|
0:00:00
|
depending on which particular security topic we are talking about. We will also spend a lot of time going over the different show commands
|
|
0:03:17
|
anywhere externally in Cisco’s Website that really tells how to search through or how to read the debug outputs,
|
|
0:03:26
|
unless you ready know where to look for
|
|
0:03:29
|
it is going to be fairly difficult, to search through those in order to find what's going on
|
|
0:03:36
|
now in order to implement this type of structured approach
|
|
0:03:39
|
for doing the configuration
|
|
0:03:41
|
for verifying the topics that are actually working
|
|
0:03:45
|
and then troubleshooting any problem that we run into
|
|
0:03:48
|
we would like to use what we call our four stepped structured approach
|
|
0:03:54
|
now this approach you can basically use it for any type of learning of preparation you are doing in your career
|
|
0:04:00
|
and the thing is, unless you find some sort of ordered fashion
|
|
0:04:06
|
you typically end up with holes in your knowledgebase or not really understanding
|
|
0:04:12
|
100% what is going with a particular topic or a particular or configuration
|
|
0:04:16
|
so we are going to build this in a structured and modular fashion.
|
|
0:04:20
|
With the first step of this approach is that we first want to get just a basic understanding
|
|
0:04:24
|
of what the particular technology is,
|
|
0:04:27
|
what are the technology goals, what is the problem that this is trying to solve.
|
|
0:04:33
|
So once we know what is the topic
|
|
0:04:35
|
then we are going to look at some basic hands-on examples
|
|
0:04:39
|
to figure out how to we implement just the most basic design of this type of configuration
|
|
0:04:45
|
So for example with IPSec we are going to look at
|
|
0:04:48
|
Lan – to –Lan configuration between two IOS Routers
|
|
0:04:51
|
|
|
0:04:52
|
or two ASA firewalls
|
|
0:04:54
|
with just doint basic options
|
|
0:04:56
|
Things like pre-share keys,
|
|
0:04:58
|
static address assignments, not real advanced design configuration
|
|
0:05:04
|
So, once we know how the Basic implementations work,
|
|
0:05:08
|
what are some of the basic verifications, what are come of the basic troubleshooting commands,
|
|
0:05:12
|
then we can go into some of the more advanced understanding,
|
|
0:05:16
|
what we like call expert level of understanding of the particular topic
|
|
0:05:20
|
to figure out what are the corner-case design,
|
|
0:05:24
|
what are the more advanced applications,
|
|
0:05:26
|
may be things like of remote access VPNs that are using certificate authority and using AAA for downloadable ACLs
|
|
0:05:35
|
because we don’t wnet to go and implement
|
|
0:05:37
|
that very most complicated example of the design
|
|
0:05:41
|
before we really understand behind that
|
|
0:05:44
|
what are the fundamentals that make up this technology.
|
|
0:05:49
|
So once we have a expert level of understanding then we can finally go to our expert level of the application
|
|
0:05:54
|
with the expert level hand-on experience.
|
|
0:05:58
|
Now the reason I like to mention is
|
|
0:06:01
|
for any of these CCIE level classes before we get into the technologies
|
|
0:06:05
|
is that we are also going to spend some time talking about the general CCIE preparation strategy,
|
|
0:06:11
|
and what is good method to preparation for the lab exam
|
|
0:06:14
|
and what have we have seen as an unsuccessful method for preparation strategy for the lab exam
|
|
0:06:19
|
Over the different years we have been doing this.
|
|
0:06:21
|
Now me personally,
|
|
0:06:24
|
my CCIE is going to be the 10th Anniversary next January
|
|
0:06:29
|
and I have been doing this type of teaching for probably about may about 11 years or 12 6.34 years or so now.
|
|
0:06:35
|
We are … One one of the other instructors Biran Denesis
|
|
0:06:38
|
coming up on his 50th Anniversary for CCIE
|
|
0:06:41
|
so we have this , seen lot of different candidates
|
|
0:06:44
|
and we know basically what is a successful approach
|
|
0:06:47
|
to the certification and what is an unsuccessful approach.
|
|
0:06:51
|
Now the first one, what we like to call the learning by lab approach
|
|
0:06:57
|
is really what you do not want to when you are preparing for this expert level technologies.
|
|
0:07:03
|
And the problem is that instead of working through that structured approach
|
|
0:07:08
|
of getting the basic understanding,
|
|
0:07:09
|
the basic hands-on, advanced understanding, advanced application,
|
|
0:07:13
|
a lot of people just want to jump to the end
|
|
0:07:16
|
and start at the most complex implementations,
|
|
0:07:20
|
and try to work backward from there and figure out the basic syntax, what is really going on with the technology.
|
|
0:07:27
|
The problem though, when you start at the most advanced example and try to work backwards
|
|
0:07:33
|
is that you typically end up t\with gaps in your knowledgebase
|
|
0:07:36
|
or what some people refer to this what as, quote unquote, Gotchas of the technologies
|
|
0:07:41
|
Wherein reality there is not any gotchaor any tricks that go along any of these topics.
|
|
0:07:48
|
A gotchas is simply something that you really don’t understand
|
|
0:07:51
|
how it works at the fundamental level
|
|
0:07:54
|
and based on that lack of understanding
|
|
0:07:56
|
it might like to you like there is some sort of
|
|
0:07:59
|
magic going on behind it or you need to know
|
|
0:08:02
|
these various specific tricks and tips in order to get this implemented.
|
|
0:08:08
|
Now typically the people that use this approach
|
|
0:08:12
|
approach are the once threat you see taking the lab exams 6, 7, 8 or more time s before passing,
|
|
0:08:18
|
because they are essentially just trying to figure out the commands that they need to implement in order to do this
|
|
0:08:23
|
in order to do this or try to memorize the different types of lab scenarios.
|
|
0:08:29
|
So lot of the time they end up do passing the exam
|
|
0:08:32
|
but its going to take you a lot more time
|
|
0:08:35
|
than had you actually done it correctly in the first place.
|
|
0:08:39
|
This unfortunately this is the path that too many people use
|
|
0:08:44
|
and this one of the things that we are trying to get people not do
|
|
0:08:48
|
and figure out whats’s the correct approach
|
|
0:08:51
|
towards the lab exam
|
|
0:08:53
|
and what is the successful method that we have seen people use over the years.
|
|
0:08:57
|
Now you can see this kind of inverted pyramid that I have here
|
|
0:09:01
|
where when people are learning by lab approach
|
|
0:09:05
|
they are focusing too much on these tips and tricks and not really on what’s going on behind the scenes,
|
|
0:09:11
|
the fundamental knowledge or the foundation knowledge.
|
|
0:09:14
|
Now , really for the successful approach
|
|
0:09:18
|
this should be a normal looking pyramid
|
|
0:09:21
|
where the vast majority of our preparation is built on those fundamental
|
|
0:09:25
|
and may be there some minor caveats, minor tips and tricks that we need to know
|
|
0:09:30
|
but really that’s not going to be the vast majority of the focus of preparation.
|
|
0:09:34
|
Here the key is that if you learn really how the technologies work
|
|
0:09:39
|
then you are going to pass the exam just as a byproduct to this.
|
|
0:09:43
|
When you get there it doesn’t matters what questions they ask you,
|
|
0:09:46
|
what are the different variations of the configuration,
|
|
0:09:49
|
what are the different design problems,
|
|
0:09:51
|
because of you really understand how IPSec works
|
|
0:09:54
|
or how stateful firewalls works, or how intrusions prevention works
|
|
0:09:58
|
then really doesn’t matters what the questions are,
|
|
0:10:01
|
ideally you should be able to reason through this
|
|
0:10:05
|
and use the different resources that are available to you in order to solve the particular questions
|
|
0:10:09
|
in a manner that they are exactly looking for.
|
|
0:10:12
|
Now, ultimately if you do pass the exam this way
|
|
0:10:16
|
that where you really end up with the result of being a true expert or a true Internetwork expert.
|
|
0:10:22
|
And reason that I stress this so much
|
|
0:10:25
|
is that even if you do pass the lab exam using the previous approach,
|
|
0:10:29
|
the kind of memorizing how your configurations work
|
|
0:10:32
|
or just doing the lab scenarios over and over and over,
|
|
0:10:35
|
when you get to actually apply this stuff in the real world,
|
|
0:10:39
|
you don’t know whats going on behind the scenes,
|
|
0:10:42
|
then you are really not going to be useful when some one give you a technical interview
|
|
0:10:46
|
or where you are actually under a pressure situation in a production network
|
|
0:10:51
|
where you have network down emergency and it is up to you to fix it.
|
|
0:10:56
|
So if you are still in the early stages of your preparations,
|
|
0:11:01
|
its going to give you sometime kind of map out
|
|
0:11:04
|
what you long time goals are
|
|
0:11:06
|
and you make sure that you do go there this fundamental knowledge approach
|
|
0:11:10
|
if you have touched the later stage of your preparation
|
|
0:11:13
|
and you feel that you do have these gaps in your knowledgebase
|
|
0:11:16
|
this class is definitely going to help to fill that stuff in
|
|
0:11:19
|
and make sure that we can just take a couple of steps back
|
|
0:11:21
|
to figure out whats really going behind the scene
|
|
0:11:25
|
that ultimately results in this particular type of implementation.
|
|
0:11:32
|
Now, there is a question we have in a blog post, Peter outlined
|
|
0:11:37
|
doing routing and switching labs in various volumes and writing down the topics that you have problems with
|
|
0:11:42
|
and doing the volume 1 lab associated with them.
|
|
0:11:45
|
Is this approach okay? I find
|
|
0:11:47
|
during volume 1 labs linearly difficult with to recall.
|
|
0:11:53
|
Hey definitely can be one of the problems in preparation
|
|
0:11:56
|
because the scope of the blueprint is so large to begin with
|
|
0:12:00
|
sometimes you run into the fact where you may know something now,
|
|
0:12:04
|
and then 3 months later while you still studying
|
|
0:12:07
|
its been so long since you are working on that technology,
|
|
0:12:10
|
you might forget some of the finer details about.
|
|
0:12:12
|
We are going to talk about some ways you can fix this problem during the preparation.
|
|
0:12:18
|
And lot of it has to do with separating
|
|
0:12:21
|
what you need to really understand
|
|
0:12:24
|
and essentially memorize of the top of your head to be able to implement
|
|
0:12:29
|
versus the technology you just need to have a general idea of what they do
|
|
0:12:33
|
and then you can use the documentation as a reference.
|
|
0:12:37
|
So as I am going through these different topics this weekend and we are ging to spend a lot of time
|
|
0:12:42
|
going through the different documentations, examples
|
|
0:12:45
|
both for the syntax and the configuration.
|
|
0:12:48
|
Because we will see a lot of this topics are really really specific syntax-wise,
|
|
0:12:53
|
and ifyou leave out one individual line or one individual option
|
|
0:12:57
|
then its going to break the entire configuration.
|
|
0:13:01
|
So, I will talk about as we go through the topics, how can you make sure to know
|
|
0:13:06
|
whats really the foundation, you need to know of your topic ahead
|
|
0:13:10
|
versus kind of one-off things that you may want to try onoce or twice
|
|
0:13:12
|
may want to try once or twice
|
|
0:13:14
|
but then when get to the actual lab exam
|
|
0:13:17
|
you could just use the documentation as a reference.
|
|
0:13:23
|
Now, specifically for this class,
|
|
0:13:27
|
the pre requisite that I would recommend
|
|
0:13:30
|
is that as long as every one has a basic working knowledge of the
|
|
0:13:34
|
different layer 2 technologies like Ethernet, frame relay
|
|
0:13:38
|
PPP and Bridging
|
|
0:13:40
|
I am not going to spend a lot of time fcusing on layer 2 topics,
|
|
0:13:44
|
nor am I going to spend a lot of time focusing on layer 3 routing topics
|
|
0:13:49
|
because most of these stuff is going to be required for security,
|
|
0:13:53
|
the kind of outside the individual topics we are trying to focus on.
|
|
0:13:59
|
So if you don’t understand how Ethernet VLANs or spanning tree works
|
|
0:14:04
|
then you definitely going to have a hard time to understand that how these security topics work on top of that.
|
|
0:14:10
|
Then we will talk about layer 2 security things
|
|
0:14:13
|
like VLAN Access lists,
|
|
0:14:15
|
port security,
|
|
0:14:17
|
dynamic ARP inspection.
|
|
0:14:19
|
So if you don’t understand at a fundamental level, how layer 2 works?
|
|
0:14:22
|
then you definitely going to have a problem with the
|
|
0:14:25
|
technologies that are related to this.
|
|
0:14:28
|
Same is going to go for routing.
|
|
0:14:31
|
So I am assuming that upto this point everybody has a pretty good understanding that how
|
|
0:14:35
|
the generics of routing protocols work,
|
|
0:14:38
|
how static routing works differently than OSPF, EIGRP and BGP.
|
|
0:14:43
|
Not going to spend a tonn of time talking about the design for those.
|
|
0:14:46
|
if u do have paricular questions on these topics w're going to learn more about them
|
|
0:14:51
|
What I will recommend to do is to look at the routing and switching advance technologies class
|
|
0:14:57
|
that does cover all the layer 2 and layer 3 topics in a great detail.
|
|
0:15:04
|
But really what we are going to be focusing on instead
|
|
0:15:07
|
are the specific security topic, so things like the ASA firewall,
|
|
0:15:11
|
the IOS Firewall,
|
|
0:15:13
|
the different IPSec variations for a LAN-to-LAN and remote access VPNs,
|
|
0:15:18
|
the intrusion prevention system build on this standalone sensor and the IOS,
|
|
0:15:23
|
AAA for things like the radius authentication TACACS command authorization
|
|
0:15:29
|
and the specific implementation of the Cisco ACS server.
|
|
0:15:34
|
and the specific implementation of the Cisco ACS server.
|
|
0:15:39
|
but if you don’t know what a firewall is or you never heard of IPSec
|
|
0:15:43
|
then its going to be kind of hard to fall along with the level of the topics currently covered.
|
|
0:15:48
|
So I will talk about some additional resources that you can use
|
|
0:15:52
|
like recommended readings for printed books or things you can find out on Cisco’s Website
|
|
0:15:58
|
you do see that you are having problems with general technologies here,
|
|
0:16:03
|
you want to make sure that you want to fall back to that foundational knowledge approach
|
|
0:16:07
|
that four steps structured approach,
|
|
0:16:09
|
because if you don’t know the basics about IPSec
|
|
0:16:13
|
ther is now way that you are going to be able to implement the
|
|
0:16:17
|
all the advanced functionalities of the protocol.
|
|
0:16:21
|
Hey there is a question here about the
|
|
0:16:25
|
recent changes to the security exam
|
|
0:16:28
|
effective August 15 2011 Security exam in all global occations will no longer will include the four open ended, core knowledge questions.
|
|
0:16:37
|
The content of the lab exam remains the same as the current exam topics
|
|
0:16:41
|
but the rule of the four now allows questions to utilize the total lab time of 8 hours for configuration and troubleshooting.
|
|
0:16:49
|
If you are going to take the exam today
|
|
0:16:52
|
the CCIE security exam is put into two separate sections.
|
|
0:16:56
|
Hey, the first one is known as the core knowledge or the open ended questions
|
|
0:17:01
|
where there four questions that they will ask you
|
|
0:17:04
|
that are free answer `
|
|
0:17:07
|
its not Multiple Choice questions its not choose the best three out of four
|
|
0:17:11
|
so those who ask you questions you need to type a couple of sentences about what they are asking
|
|
0:17:17
|
but in a couple of weeks the security blueprint is changing so that this is going to be no longer included.
|
|
0:17:22
|
As I said the format of lab exam,
|
|
0:17:25
|
the blueprint itself is not changing
|
|
0:17:27
|
so everything of the version 3 blueprint is remaining intact technology wise,
|
|
0:17:32
|
just they rolling back the core knowledge section,
|
|
0:17:35
|
so its only going to be the configuration.
|
|
0:17:40
|
So that’s mainly what we are going to be focusing on this week. Its how do you implement these technologies configuration wise
|
|
0:17:46
|
and then what are the different show commands, different debug commands we need to do when we run into problems with that.
|
|
0:17:54
|
Now the blueprint itself for the lab exam is thing to talk about.
|
|
0:17:59
|
What is the hardware and software used?
|
|
0:18:02
|
And then what are the actual topics that are within the scope.
|
|
0:18:06
|
Now in either case you can find this information if you go to
|
|
0:18:12
|
the main cisco website that is go to cisco.com/go/ccie,
|
|
0:18:20
|
then down to security
|
|
0:18:23
|
and you see on the right its ‘Lab Equipment and IOS’
|
|
0:18:28
|
and the lab exam topic.
|
|
0:18:31
|
Now for the lab Equipment
|
|
0:18:33
|
there is number of platforms that are involved in this exam
|
|
0:18:37
|
the first and foremost is going to be Routers
|
|
0:18:40
|
where they are running 12.4T Advance Enterprise Services,
|
|
0:18:44
|
the platform itself doesn’t really matter,
|
|
0:18:47
|
the are generally using a mix of the 1800 and 3800 ISRs
|
|
0:18:51
|
but you could get same effect if you are using 2800s
|
|
0:18:55
|
you can use 3700s, 2600s
|
|
0:18:57
|
as long as you can run 12.4T Advanced Enterprise Services
|
|
0:19:02
|
or atleast 12.4T Advanced Security
|
|
0:19:05
|
then you should be able to cover all the topics that you need for the exam.
|
|
0:19:10
|
Now Advance Enterprise Services is basically the entire IOS image with all possible features
|
|
0:19:16
|
but there is lot stuff in there that is not really in the scope of security.
|
|
0:19:20
|
So things like call manager express or mpls
|
|
0:19:24
|
that stuff is not there in this scope of security.
|
|
0:19:28
|
So you do have some older equipment or a lower level platforms
|
|
0:19:31
|
that cannot use the full 12.4T Advance Enterprise Services Image
|
|
0:19:36
|
its fine as long as you can get to advanced security.
|
|
0:19:41
|
Now, if you want to see specifically what are the exact differences,
|
|
0:19:45
|
if you go to cisco’s website
|
|
0:19:47
|
and go to cisco.com/go/fn
|
|
0:19:52
|
for the feature navigator
|
|
0:19:54
|
you can compare two software images side by side
|
|
0:20:00
|
or look for a specific feature.
|
|
0:20:03
|
So if I want see IOS to IOS, I could pick up this sub options
|
|
0:20:09
|
then look out for, lets say 1841,
|
|
0:20:13
|
whats the difference between Advanced Enterprise Services
|
|
0:20:16
|
versus a 2600 Router that’s running 12.4 Advanced Security.
|
|
0:20:21
|
And you will see that a vast majority of security topics,
|
|
0:20:25
|
they are not going make a difference between the two images.
|
|
0:20:31
|
Now specifically the demos that I am doing this week are going to be on ISRs
|
|
0:20:36
|
that are running 12.4T Advanced Enterprise services
|
|
0:20:39
|
but again as long as you can get at least 12.4T Advanced Security
|
|
0:20:43
|
then you are going to be able to pretty much do any other topics that you need.
|
|
0:20:48
|
Now for layer 2 and layer 3 switching,
|
|
0:20:51
|
we are using the Catalyst 3560 switches running anything that is at least 12.2(44)
|
|
0:20:58
|
So it could be a later release but its going to be at least 12.2(44)
|
|
0:21:02
|
where you can again pretty much use any layer 3 switching platform
|
|
0:21:07
|
as long as you can pair what the particular image between them.
|
|
0:21:13
|
And Now Some of the minor differences that you are to use like a 3550 instead of a 3560,
|
|
0:21:20
|
really only means security difference that 3560 supports private VLANs
|
|
0:21:25
|
where Catalyst 3560 does not
|
|
0:21:28
|
but once you go to exam you will see its not really something that
|
|
0:21:32
|
I would want if you are building your own LAN
|
|
0:21:34
|
to spend 500 extra dollars or more on the platform just to test that one individual feature.
|
|
0:21:42
|
Now the ASAs that’s going to be running 8.0,
|
|
0:21:46
|
some sort of sub variation of 8.0. are they are not running 8.3.
|
|
0:21:52
|
Which we will be getting into some more details about the ASA’s
|
|
0:21:56
|
but there is a key difference between the syntax change between the 8.3 and 8.2 and before
|
|
0:22:04
|
where lot of the syntax for the network address translation has a major change
|
|
0:22:10
|
that’s now what we are going to be focusing on.
|
|
0:22:12
|
In the version 3 blueprint is using some variation of 8.0.
|
|
0:22:17
|
So as long as you can run 8.0, 8.1,8.2 you are going to be fine.
|
|
0:22:22
|
Now if you are building your own equipment
|
|
0:22:25
|
for the security lab exam
|
|
0:22:27
|
you want to make sure for the ASAs that you need atleast two of them
|
|
0:22:31
|
and they have to be atleast 5510 and they have to be running the security plus image.
|
|
0:22:38
|
The reason why is that the security base image ,
|
|
0:22:41
|
or the ASA 5505s
|
|
0:22:44
|
it doesn’t supports multiple contacts mode
|
|
0:22:48
|
and it does not supports active active failover.
|
|
0:22:51
|
Which we will see, some of the two key features
|
|
0:22:55
|
that you are going to understand how work at ASA
|
|
0:22:58
|
because if you haven’t tested these out and then you do get tested on in the exam
|
|
0:23:03
|
there is lot of different caveats that change
|
|
0:23:06
|
in a ASAs behavior when it is running in a multiple contacts mode
|
|
0:23:10
|
and when it is running active-active failover versus active-standby failover.
|
|
0:23:19
|
Okay, there is question that Is it impossible to use 3550?
|
|
0:23:23
|
– No 3550s are fine.
|
|
0:23:25
|
therefore the vast majority of my demos I am going to use the 3550s.
|
|
0:23:30
|
the only difference that you when you into get the layer 2 security topics
|
|
0:23:35
|
I am going to use the 3560s for some other various specific demonstrations
|
|
0:23:40
|
which again is mainly going to be just the private VLANs.
|
|
0:23:44
|
So the other minor differences is like some Quality of Service differences between the platforms
|
|
0:23:49
|
there is some minor differences in the default options
|
|
0:23:52
|
but 99.9% the platforms are the same.
|
|
0:23:56
|
For the step that is different is not really going to be in the scope of the security lab exam.
|
|
0:24:06
|
And there is another question – Can we emulate the complete set of practice INE workbook volume I atleast ?
|
|
0:24:13
|
Technically you can. I am assuming you are talking about dynamics for GNS 3. Technically all of these platforms, the routers,
|
|
0:24:22
|
not the switches , but all of the other security platforms the ASA,
|
|
0:24:27
|
the IPS and then the AAA server,
|
|
0:24:31
|
you can actually run those virtually,
|
|
0:24:33
|
but the problem is that its pretty time consuming to do this,
|
|
0:24:36
|
there are some very specific hacks that you need to run
|
|
0:24:39
|
on the ASA code and the IPS code in order to get it run
|
|
0:24:44
|
and the virtual licence environment.
|
|
0:24:47
|
So I have seen some students do it before,
|
|
0:24:50
|
personally I have not because it takes a lot of time to figure out how it works
|
|
0:24:54
|
and if you are trying to debate between the two of them,
|
|
0:24:58
|
what you may want to to do is use the virtualisation just for the routing topics.
|
|
0:25:05
|
So for any of the IOS to IOS, firewall, or the LAN-TO-LAN VPNs with the easy VPN server
|
|
0:25:12
|
that’s where it is fine with the IOS.
|
|
0:25:14
|
When you get to the real advanced stuff ,
|
|
0:25:16
|
its probably better just to ?? ??
|
|
0:25:21
|
or if you want to buy the equipment, you can actually do it.
|
|
0:25:26
|
The problem is now , we can look at the ASA,
|
|
0:25:29
|
even if you look it the cheapest version. Lets go to the ebay.com
|
|
0:25:39
|
and I want to say its asa 5510 sec bun k9 I think is the part no.
|
|
0:25:52
|
which is this one, the security plus licence.
|
|
0:25:54
|
So even if you look at the lowest price for this,
|
|
0:26:00
|
its still about $ 1900, this is the cheapest.
|
|
0:26:03
|
Its really, this is the most expensive platforms
|
|
0:26:07
|
that is used in the exams but you cannot get away
|
|
0:26:12
|
by not using two of these and not using the security plus license.
|
|
0:26:16
|
You could get a security 5505 real cheap
|
|
0:26:20
|
and test out some of the basic firewall features.
|
|
0:26:26
|
So here lets see the cheapest one.
|
|
0:26:39
|
So less than a $ 100.
|
|
0:26:42
|
Ah! The thing is that, the thing that you can only be using this for
|
|
0:26:45
|
would be for testing the Statefull firewall features.
|
|
0:26:49
|
Lot of the VPN stuff are not going to be there,
|
|
0:26:52
|
things like the SSL and the web VPN
|
|
0:26:59
|
and then any of the multiple context mode
|
|
0:27:02
|
and the advance failover stuff that you need to handle of this security plus
|
|
0:27:05
|
that has to be at least 5510.
|
|
0:27:08
|
So figure, if you were to build this topology yourself
|
|
0:27:12
|
even if you want to virtualise the routers
|
|
0:27:14
|
and virtualise the switches,
|
|
0:27:16
|
it still going to cost you atleast, may be 5 or 6 thousand dollars to put it together.
|
|
0:27:21
|
And just for the ASAs and the IPS. If the IPS is running 6.1
|
|
0:27:30
|
which I want to say is supported minimum as 4240
|
|
0:27:36
|
and you can see that 4240 is about the same price as the ASA.
|
|
0:27:40
|
Its edge little bit more, its about 25-26 hundred dollars are the the cheapest.
|
|
0:27:45
|
So the key is that, its really up to you, how you want to spend your time.
|
|
0:27:53
|
You can virtualise this stuff,
|
|
0:27:55
|
but the students I have seen do it before
|
|
0:27:57
|
they have literally stand a month on a project,
|
|
0:28:00
|
getting the virtualization setup to work everything is stable.
|
|
0:28:04
|
Now, me personally I would just spend the extra money and use that for preparatioin versus trying to figure whats the cheapest solution.
|
|
0:28:13
|
Really I could not wasting a lot of time in my preparation schedule.
|
|
0:28:17
|
Because at the end of the day, your time is worth money.
|
|
0:28:20
|
Once you spend that time you never ever going to get it back.
|
|
0:28:25
|
So, I would probably go towards more using the real equipment.
|
|
0:28:30
|
Atleast the ASA and the IPS stuff.
|
|
0:28:33
|
You want to virtualise the routers? That’s fine.
|
|
0:28:35
|
Just because it does takes much effort to do so.
|
|
0:28:40
|
Now for the rest of the platforms
|
|
0:28:43
|
we have the IPS sensor which is running version 6.1.
|
|
0:28:48
|
The Sensor is going to be accessed by both from the command line and from the web interface.
|
|
0:28:54
|
Now we will see where we actually get to this,
|
|
0:28:57
|
there are some problems you can run into with the IPS device manager
|
|
0:29:01
|
and its Java interface.
|
|
0:29:04
|
Where sometimes Java crashes or there is basically just bugs in the code
|
|
0:29:10
|
or you can end up in a case where you can’t actually accomplish the configuration you want through the web interface
|
|
0:29:17
|
and then you are forced to back to the command line in order to implement that.
|
|
0:29:21
|
So for the IPS Sensor, its going to be easier to lot of a changes from the web interface.
|
|
0:29:27
|
That you do want to do make sure that you know how to do both ways.
|
|
0:29:31
|
So, what we are going to do is go through
|
|
0:29:34
|
the basic set from the command line,
|
|
0:29:38
|
like how do we setup a ip address,
|
|
0:29:40
|
how do we setup sensing interface,
|
|
0:29:42
|
whether we are running in the promiscuous mode or inline mode,
|
|
0:29:45
|
once we get the basic functional portion
|
|
0:29:50
|
then we are going to look into the web interface to doing things like signature customization
|
|
0:29:54
|
or anomaly detection customization.
|
|
0:29:57
|
Because when you look at the CLI
|
|
0:29:59
|
its very complicated and there is lot of different syntax you need to piece together in order to accomplish those topics,
|
|
0:30:07
|
what I would recommend to do
|
|
0:30:09
|
is make the configuration changes from the web interface
|
|
0:30:12
|
then look at the result of this on the command line
|
|
0:30:16
|
so as a last ditch effort you will have some idea how you would need to piece the syntax together using the CLI as opposed to the IDN.
|
|
0:30:28
|
Hey, we also have the, this is called ACS Server running on windows
|
|
0:30:33
|
particularly we are using version 4.1.
|
|
0:30:40
|
And then we have the regular Cisco VPN client, which is called the Easy VPN client,
|
|
0:30:46
|
along with the AnyConnect SSL VPN client
|
|
0:30:51
|
that is going to connect us to either the IOS or ASA.
|
|
0:30:56
|
OK, any questions up to this point on the hardware blueprint,
|
|
0:31:03
|
and again you can see this, if you go to the Cisco website, cisco.com/go/ccie,
|
|
0:31:09
|
then go under security
|
|
0:31:12
|
then the lab equipment and IOS.
|
|
0:31:34
|
Hey, again you can see that on the particular hardware blueprint
|
|
0:31:37
|
and what are the software versions.
|
|
0:31:40
|
Then if we go to the Lab Exam Topics,
|
|
0:31:44
|
this is going to be the actual technical blueprint, that is,
|
|
0:31:48
|
the features that are going to be within the scope of the exam.
|
|
0:31:55
|
Now the blueprint itself is going to be broken down into eight major categories.
|
|
0:32:00
|
We have the ASA firewall, the IOS firewall,
|
|
0:32:05
|
VPN, which would be on both the ASA and the IOS,
|
|
0:32:09
|
the Intrusion Prevention System both on the standalone sensor and the IOS,
|
|
0:32:15
|
identity management, which is our AAA services with RADIUS and TACACS,
|
|
0:32:20
|
Control and Management Plane Security,
|
|
0:32:23
|
which would be things like Control Plane Policing
|
|
0:32:26
|
or Routing Protocol authentication. Then the last two, Advanced Security and the Network Attacks,
|
|
0:32:33
|
are going to be pretty close to each other,
|
|
0:32:36
|
where the Advanced Security is kind of like the features and the tools we have access to,
|
|
0:32:41
|
and then the Network Attacks is how we actually apply the tools in order to prevent
|
|
0:32:46
|
security problems from happening in the first place.
|
|
0:32:51
|
Now the blue print that they have on the website,
|
|
0:32:54
|
this one is
|
|
0:32:56
|
pretty generic, it says things like configure CBAC, configure zone-based policy firewall.
|
|
0:33:00
|
There are a lot of sub-topics under these individual topic domains, like IPSec LAN-to-LAN,
|
|
0:33:07
|
so what I would recommend to do
|
|
0:33:10
|
is, under the security exam there is this link for the lab exam checklist,
|
|
0:33:18
|
and this is a really good outline
|
|
0:33:20
|
that they put together that you can use as you are going through your preparation,
|
|
0:33:26
|
just like, as they say, a checklist, so as you are going through the topics, just check them off to make sure that you have covered everything
|
|
0:33:32
|
that’s in this list.
|
|
0:33:33
|
Hey, this is basically how I came up with the outline of the class,
|
|
0:33:38
|
that out of all of the tracks this is probably the most detailed checklist that they have
|
|
0:33:43
|
on the CCIE website
|
|
0:33:45
|
so I would definitely recommend printing this out,
|
|
0:33:48
|
make sure you hit all of those line items,
|
|
0:33:50
|
or at least for some of the obscure stuff,
|
|
0:33:52
|
you know where it is located in the documentation.
|
|
0:33:56
|
So some of the stuff like Application-aware Inspection for the ASA.
|
|
0:34:02
|
We are going to talk about that and I am going to go through some basic demos
|
|
0:34:05
|
but in the lab exam they do expect you to be an expert in topics like this.
|
|
0:34:10
|
Here the same thing, like URL filtering.
|
|
0:34:13
|
So if you are to be tested on this stuff,
|
|
0:34:15
|
most of the answers probably could be found by using the documentation
|
|
0:34:21
|
and then changing some of the examples around, in order to match exactly with what you are looking for,
|
|
0:34:27
|
Then on the flip side, you do need to know
|
|
0:34:30
|
like the zone-based policy firewall using multiple zones.
|
|
0:34:33
|
If you don’t understand the logic of this
|
|
0:34:36
|
then the documentation is not really going to help you.
|
|
0:34:39
|
Or configuring IPSec on IOS or ASA.
|
|
0:34:45
|
Then we will look at some of the more corner-case examples that we can use the documentation for
|
|
0:34:50
|
but you at least want to know the general structure of how these technologies are supposed to fit together.
|
|
0:34:58
|
It's that the majority of the core security topics
|
|
0:35:01
|
you do know how to configure off the top of your head.
|
|
0:35:07
|
So as we get to these individual topic domains,
|
|
0:35:10
|
I will have some more detailed outlines to show exactly what we are going to cover.
|
|
0:35:14
|
Where in today’s class we are mainly going to be focusing on the ASA.
|
|
0:35:20
|
So ideally or the general flow for the class is going to be, we will go through ASA first,
|
|
0:35:26
|
then the IOS firewall, then look at VPN on both the ASA and IOS,
|
|
0:35:33
|
so all the LAN-to-LAN variations, all the remote access variations,
|
|
0:35:37
|
including both Easy VPN and SSL VPN and WebVPN.
|
|
0:35:43
|
Then the Identity Management for local authorization, remote authorization/authentication,
|
|
0:35:51
|
then how this would integrate into the VPN topics,
|
|
0:35:55
|
so for example if we have an Easy VPN client that's connecting,
|
|
0:35:59
|
when it goes to authenticate we can pass it to the RADIUS server,
|
|
0:36:03
|
then if authentication is successful we can give them the split tunneling ACL,
|
|
0:36:08
|
or we can give them the banner message as it comes down from the AAA server.
|
|
0:36:15
|
Then we will finish up with the last three
|
|
0:36:17
|
sections, the control plane, actually IPS is after that, so IPS is after Identity Management,
|
|
0:36:23
|
then the last three topics are finally going to be grouped together
|
|
0:36:27
|
– the control and Management Plane Security then the Advanced Security and the Network Attacks.
|