Archive for July, 2013

So You Want a CCENT…

Wednesday, July 24th, 2013

OK, so you want a CCENT…

You want Wendell Odom’s book: Cisco CCENT/CCNA ICND1 100-101 Official Cert Guide
You’ll then want the sequel for your CCNA: CCNA Routing and Switching ICND2 200-101 Official Cert Guide
You’ll then want to round things out with: CCNA Routing and Switching 200-120 Flash Cards and Exam Practice Pack

Wendell Odom is a great tech writer and I enjoyed his books for my CCENT/CCNA prep. I took the tests that expire in September. These books are for the new versions of the tests. Read them and do the practice tests until you get 95% or better every time you take a practice test. Repetitive? Yes. That’s how it’s done.

You’ll also want GNS3 and Cisco Packet Tracer to simulate hardware, unless you happen to have some handy in your house. If you do plan on getting your own hardware, check here and we can let you know if it’s a good deal or not… or what you may want to make sure about the product before you buy. I bought my own hardware after reading about people getting burned buying “certification lab bundles”. I’m glad I did, as I got more good hardware for less than what someone was charging for a bundle of gear that was good for the last rev of the cert exam…

Google is your friend. Ask a question, then Google up the answer. If you don’t understand the answer, Google some more or find a discussion forum for networkers and bring them your question. You learn a lot that way and you feel sure about your knowledge.

Segment Your Network

Friday, July 19th, 2013

Properly functioning, networked computers are the most polite things you’ll ever work with.

When one of them makes an announcement, they immediately all pay attention, drop whatever conversation they may have been having, and focus completely on what the speaker is saying. They spend enormous effort in listening to and carefully considering every announcement made in their presence.

Therefore, segment your network so it’s not bogged down by broadcast traffic.

Fibre Channel and iSCSI

Wednesday, July 17th, 2013

In SAN environments, admins can choose between Fibre Channel (FC), FC over Ethernet (FCoE), and iSCSI to get their data from users and servers to the storage system. So what are the differences?

FC is like the guys from Top Gear going down a perfect ribbon of road in three Italian supercars. They can floor it, swing around the corners crossing both lanes, and arrive at their destination in good order while telling us we all need a Ferrari convertible. iSCSI is a dozen Mini Coopers pulling off the Italian Job. They’ll get to their destination, just don’t ask how they got there.

iSCSI is also a good deal cheaper, unless you already have a massive fibre network that you want to justify keeping around. Just be careful to not overload your iSCSI system with nodes: gridlock with Mini Coopers is still gridlock… and the lads in the Ferraris will just laugh at you.

The Importance of Physical Security

Tuesday, July 16th, 2013

No amount of software hardening can overcome lax physical security with your network devices.

Let’s say a bad person, we’ll call him August Derleth, gets physical access to one of your Cisco switches that’s been tucked away in a broom closet. He gets it into ROMMON mode and sets it so it will reboot without challenging him for a password. Now he reboots the switch and then does a copy startup-config running-config command. He now has the original config loaded and full access to it. He can now create an account for himself, copy all the details on that config, and then choose a port on the access switch to open up for his own purposes, be it a rogue switch, server, or router. He could disable DHCP snooping and DAI so he could use a man-in-the-middle attack to capture all the voice traffic on that switch.

None of the software security configurations you have made will give you aid in the event of a physical access compromise.

So put a lock on that door. Now our man August cannot get to that switch because there is a lock on the door… so he can only try to attack it from the outside, which means BPDU Guard and Root Guard and DHCP snooping and DAI keep him frustrated in that respect.

OK, so Mr. Derleth gets a crowbar and breaks the lock and gets in… we are back at the original scenario. We have to face the possibility that an unauthorized person gains physical access to a system. There need to be alarms and cameras on that entrance so that when security is breached, we have a record of it. There needs to be a double entrance with a person on duty in the middle space at all times – a night backup operator, for example. Key cards, combination locks, etc. could all be considered.

Now for the switches themselves: There need to be keepalive monitors on EVERY sensitive device so that reboots and power outages are monitored and documented. Once the physical security has been breached, the main concern is not frustrating the further attacks of the hacker with configurations on the compromised device, but in gathering forensic data so he can be properly apprehended and prosecuted. The compromised device is a lost cause. Mr. Derleth may not care for alarms going off if he’s planning a smash and grab operation: his goal may be to gain access to an information store, copy it or physically transport it, and then get out before the police arrive. The alarms, however, provide a trail of evidence for later use.

So what if Mr. Derleth wants to implant systems to observe traffic and intercept communications? In that event, the alarms allow us to see where the breach began, and logging servers will note when devices’ configs have been altered – or when devices have been logged into. Now we can hopefully check over those other devices and roll their configs back to an earlier saved config kept in a location inaccessible from the network.
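The two paragraphs above make the case for keepalive monitoring and a central logging server, but they leave open what the logging server should actually look for. The following is an added example, not code from the original post, showing the kind of check that server could run over Cisco-style syslog: it flags reloads outside an assumed maintenance window (08:00 to 18:00), any config change made from the console port, any login that carries no network source, and, most usefully, a console config change within minutes of a reboot, which is the footprint of the broom-closet scenario described earlier. The log lines, hostnames, usernames and addresses are constructed for the example and do not come from any real device.

```python
"""Flag reboots, console-driven config changes and local logins in Cisco-style syslog.

Added example for a logging-server check; the sample log below is constructed
and the maintenance window is an assumption, not a Cisco default.
"""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in Cisco IOS message format. Hostnames, users
# and addresses are invented; the message mnemonics are real IOS ones.
SAMPLE_LOG = """\
Jul 16 02:13:40 sw-closet-01 105: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
Jul 16 02:15:02 sw-closet-01 106: %SYS-5-RESTART: System restarted --
Jul 16 02:16:30 sw-closet-01 107: %SYS-5-CONFIG_I: Configured from console by console
Jul 16 02:17:05 sw-closet-01 108: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: derleth] [Source: 0.0.0.0] [localport: 0] at 02:17:05 UTC Tue Jul 16 2013
Jul 16 09:30:11 sw-core-01 2211: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)
Jul 16 22:05:44 sw-core-01 2240: %SYS-5-RESTART: System restarted --
"""

# "<mon> <day> <hh:mm:ss> <host> <seq>: %FACILITY-SEV-MNEMONIC: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \d+: "
    r"%(?P<mnemonic>[A-Z_]+-\d-[A-Z_]+): (?P<msg>.*)$"
)

# Assumed maintenance window (hours of day) in which reloads and config
# changes are expected. Anything outside it is worth a look.
MAINT_START, MAINT_END = 8, 18


def parse(log_text):
    """Return a list of (timestamp, host, mnemonic, message) tuples.

    Lines that do not match the expected format are skipped rather than
    aborting the run, since a real log stream will contain other messages.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; strptime fills in 1900, which is
        # fine for comparing hour-of-day and intervals within one stream.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["host"], m["mnemonic"], m["msg"]))
    return events


def in_maintenance_window(ts):
    """True if the timestamp falls inside the assumed maintenance hours."""
    return MAINT_START <= ts.hour < MAINT_END


def find_alerts(log_text, correlation_window=timedelta(minutes=10)):
    """Return a list of (host, reason, original message) alerts.

    Besides the per-line checks, a reboot followed within correlation_window
    by a console config change on the same host is raised as its own alert,
    because that sequence is what a password-recovery style reload looks like
    from the logging server's point of view.
    """
    alerts = []
    last_reboot = {}  # host -> time of its most recent reload/restart
    for ts, host, mnemonic, msg in parse(log_text):
        if mnemonic in ("SYS-5-RELOAD", "SYS-5-RESTART"):
            last_reboot[host] = ts
            if not in_maintenance_window(ts):
                alerts.append((host, "reboot outside maintenance window", msg))
        elif mnemonic == "SYS-5-CONFIG_I":
            # IOS reports console-port changes as "Configured from console by console";
            # remote changes name the user and the vty line instead.
            if "by console" in msg:
                alerts.append((host, "config change from console port", msg))
                if host in last_reboot and ts - last_reboot[host] <= correlation_window:
                    alerts.append((host, "console config change within minutes of reboot", msg))
            elif not in_maintenance_window(ts):
                alerts.append((host, "config change outside maintenance window", msg))
        elif mnemonic == "SEC_LOGIN-5-LOGIN_SUCCESS" and "Source: 0.0.0.0" in msg:
            # A successful login with no network source came in over a local line.
            alerts.append((host, "login with no network source (local line)", msg))
    return alerts


if __name__ == "__main__":
    for host, reason, msg in find_alerts(SAMPLE_LOG):
        print(f"{host}: {reason}\n    {msg}")
```

Run against the constructed sample, the closet switch produces five alerts (two off-hours reboots, a console config change, that change correlated to the reboot, and a local login), while the core switch produces only one for its late restart; its daytime change by a named admin over a vty passes. The maintenance window and the ten-minute correlation window are the knobs to tune for a real site.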

Get your physical security house in order: locks, monitoring, and logging are all part of a complete physical security strategy.

What’s the Best Way to Learn? Teach.

Saturday, July 13th, 2013

If you’re pursuing any IT certification worth having, you’re going to have to learn lots of stuff. The higher the level of certification, the more information you’re going to have to have crammed into your tiny little human being brain. The best way to get that information into your head is to teach it.

Even if all you’re doing is to keep a diary of your learning progress, the act of composing your thoughts to communicate them to another person will force you to both understand and remember the particulars of what you communicate. Copying and pasting what another person wrote won’t cut it: you need to rephrase it in your own words.

Yes, this takes on the risk of being wrong. That goes with being a human, so quit whining and hurry up and make your mistakes so you can get on with learning from them. If you come out and say something wrong, ask someone to correct you, check the suggested correction, and go forward from there.

But above all, if you actually put down something that’s accurate – and if you do all you can in order to *be* accurate – then you’ll learn that topic in the best way possible.