CCNA Security Home Lab

The CCNA Security lab shares most of its hardware with the Routing and Switching (R&S) track. If you already have 3 routers and 3 switches, you need only one more piece of hardware. Here is my input on finding the right hardware. I should note that these recommendations are based on my own experience and outcomes.

Let's start with all the technologies that you must master for the CCNA Security:

Hash algorithms, digital signatures, certificates, Public Key Infrastructure (PKI), AAA, Adaptive Security Appliance (ASA), Virtual Private Networks (VPN), RADIUS, TACACS+, 802.1X, IP security (IPsec), clientless SSL remote access VPN, AnyConnect SSL remote access VPN, IPsec site-to-site VPN on Cisco routers and ASA firewalls, Cisco IOS role-based CLI access, securing routing protocols, control plane policing, DHCP snooping, Dynamic ARP Inspection, L2 port security, BPDU guard, root guard, loop guard, private VLANs, Network Address Translation (NAT), Zone-Based Firewalls (ZBF), Intrusion Prevention System (IPS).

With this info, here are my recommendations:

Switches:

Catalyst 2960

If you got this switch for your CCNA, CCNP SWITCH studies, then you are already set!

I recommend getting 3 of them. The switches are mostly used for practicing AAA concepts, 802.1X authentication, Cisco IOS role-based CLI access, and Layer 2 security. These topics are on the CCNA and CCNP SWITCH exams, so the lab work will mostly be a review.

Routers:

2800 Series-

If you got this router for your CCNA, CCNP ROUTE studies, then you are already set!

I recommend getting 3 of them. The 2800 is end of life, but is still supported by Cisco. It's the best bang for the buck right now. Like the switches, you will work on hash algorithms, digital signatures, certificates, Public Key Infrastructure, role-based access, AAA, RADIUS, and TACACS+. The specific router topics you will master are: IPsec site-to-site VPN, routing protocol security, NAT, and ZBF. Make sure you are running the Advanced Security feature set.

Security Appliance:

Cisco ASA 5505:

The Cisco Adaptive Security Appliance 5505 model is designed for small to medium-sized security deployments. The good news for those building home labs is that this device is going to be sunset by Cisco in a few years, so look for decommissioned enterprise units to become available on the reseller market! I suggest getting 1 ASA with a Security Plus license.

Here are some of the other items you need to get up and running:

Router Modules:

WAN Interface Cards (WIC): these let your routers make serial connections. A WIC-2T gives you enough connections for your router triangle. Get 3 of these.

Cables:

Ethernet (straight through & cross over) cables and a console cable.

Serial cables for the routed links; use cables that fit the WIC-2T (Smart Serial) connectors.

You should also invest in the Cisco lab workbook.

As always, do your research!

Places I buy equipment:

Ebay

Amazon

Cables and kits

My CCNA SECURITY Lab (phase 1)

2 x 2811 ISRs w/ 2 WIC-1T serial cards – enterprise edge routers

1 x 2610XM w/ 2 WIC-1T serial cards – ISP router

3 x 2950 catalyst switches – LAN switches (1 installed)

3 x 2610 (used as end user test devices)

1 x 5505 (currently deployed as a firewall)

Not in use:

1 x 4402 Wireless LAN Controller (for phase 2 and testing)

Posted in Certification, Skill Development

CCNA Security Prep

So after looking at the CCNP SWITCH, I figured I would look at the certification I am studying for: CCNA Security. It is known that this exam is a bit tougher than in the past. Knowing this, I am focusing on doing more lab work for all topics.

Like the SWITCH exam, I reviewed the CCNA Security exam blueprint and the official lab book. This research is to find out what is not covered in the Cisco lab book and to form my plan of attack to create or find other labs to help solidify knowledge on the topic areas in question. Sure enough, there is a gap in the exam objectives covered by the lab book.

Like the SWITCH exam, some topics may not have a lab as the topic may be only testing on your understanding of the topic (highlighted green). Some topics are ones where you need to understand how to configure, test, and troubleshoot (highlighted red). See below:

1.0 Security Concepts 12%
1.1 Common security principles
1.1.a Describe confidentiality, integrity, availability (CIA)
1.1.b Describe SIEM technology
1.1.c Identify common security terms
1.1.d Identify common network security zones
1.4 Describe network topologies
1.4.a Campus area network (CAN)
1.4.b Cloud, wide area network (WAN)
1.4.c Data center
1.4.d Small office/home office (SOHO)
1.4.e Network security for a virtual environment

2.0 Secure Access 14%
2.1 Secure management
2.1.a Compare in-band and out-of band
2.1.b Configure secure network management
2.1.c Configure and verify secure access through SNMP v3 using an ACL
2.1.d Configure and verify security for NTP
2.1.e Use SCP for file transfer
2.2.d Explain the integration of Active Directory with AAA
2.2.e Describe authentication and authorization using ACS and ISE
2.3 802.1X authentication
2.3.a Identify the functions of 802.1X components
2.4 BYOD
2.4.a Describe the BYOD architecture framework
2.4.b Describe the function of mobile device management (MDM)

3.0 VPN 17%
3.1 VPN concepts
3.1.a Describe IPsec protocols and delivery modes (IKE, ESP, AH, tunnel mode, transport mode)
3.1.b Describe hairpinning, split tunneling, always-on, NAT traversal
3.2 Remote access VPN
3.2.e Identify endpoint posture assessment

4.0 Secure Routing and Switching 18%
4.1 Security on Cisco routers
4.1.a Configure multiple privilege levels
4.1.b Configure Cisco IOS role-based CLI access
4.1.c Implement Cisco IOS resilient configuration
4.2 Securing routing protocols
4.2.a Implement routing update authentication on OSPF
4.3 Securing the control plane
4.3.a Explain the function of control plane policing
4.4 Common Layer 2 attacks
4.4.a Describe STP attacks
4.4.b Describe ARP spoofing
4.4.c Describe MAC spoofing
4.4.d Describe CAM table (MAC address table) overflows
4.4.e Describe CDP/LLDP reconnaissance
4.4.f Describe VLAN hopping
4.4.g Describe DHCP spoofing
4.6 VLAN security
4.6.a Describe the security implications of a PVLAN
4.6.b Describe the security implications of a native VLAN

5.0 Cisco Firewall Technologies 18%
5.1 Describe operational strengths and weaknesses of the different firewall technologies
5.1.a Proxy firewalls
5.1.b Application firewall
5.1.c Personal firewall
5.2 Compare stateful vs. stateless firewalls
5.2.a Operations
5.2.b Function of the state table
5.3 Implement NAT on Cisco ASA 9.x
5.3.a Static
5.3.b Dynamic
5.3.c PAT
5.3.d Policy NAT
5.3.e Verify NAT operations
5.4 Implement zone-based firewall
5.4.b Self zone
5.5 Firewall features on the Cisco Adaptive Security Appliance (ASA) 9.x
5.5.g Describe security contexts
5.5.h Describe firewall services

7.0 Content and Endpoint Security 12%
7.1 Describe mitigation technology for email-based threats
7.1.a SPAM filtering, anti-malware filtering, DLP, blacklisting, email encryption
7.2 Describe mitigation technology for web-based threats
7.2.a Local and cloud-based web proxies
7.2.b Blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, TLS/SSL decryption
7.3 Describe mitigation technology for endpoint threats
7.3.a Anti-virus/anti-malware
7.3.b Personal firewall/HIPS
7.3.c Hardware/software encryption of local data
This list is not 100% accurate as I am using the table of contents as a reference. However, seeing a lot of exam objectives that need you to know the commands and output leads me to believe that supplementation is needed.

Posted in Certification

CCNP SWITCH Prep

While preparing for this weekend's CCNP study group session, I reviewed the CCNP SWITCH exam blueprint and the official lab book. I noticed a major gap in the exam objectives covered by the lab book. Having passed the CCNP SWITCH exam, I wanted to share with my study group colleagues what is not covered in the Cisco lab book and what we should do to create or find other labs to help solidify knowledge on the topic areas in question.

Now some topics may not have a lab as the topic may be only testing on your understanding of the topic (highlighted green). Some topics are ones where you need to understand how to configure, test, and troubleshoot (highlighted red). See below:

1.1 Configure and verify switch administration
1.1.a SDM templates
1.1.b Managing MAC address table
1.1.c Troubleshoot Err-disable recovery

1.2 Configure and verify Layer 2 protocols
1.2.a CDP, LLDP
1.2.b UDLD

1.5.d EtherChannel misconfiguration guard

1.6 Configure and verify spanning tree
1.6.c PortFast, BPDUguard, BPDUfilter
1.6.d Loopguard and Rootguard

1.7 Configure and verify other LAN switching technologies
1.7.a SPAN

1.8 Describe chassis virtualization and aggregation technologies
1.8.a Stackwise

2.1 Configure and verify switch security features
2.1.a DHCP snooping
2.1.b IP Source Guard
2.1.c Dynamic ARP inspection
2.1.e Private VLAN
2.1.f Storm control

2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS
2.2.a AAA with TACACS+ and RADIUS
2.2.b Local privilege authorization fallback

This list is not 100% accurate as I am using the table of contents as a reference. However, seeing a lot of exam objectives that need you to know the commands and output leads me to believe that supplementation is needed.

The official lab book also has some topics that are not mentioned in the exam blueprint:

Chapter 5: InterVLAN Routing
Lab 5-1 Inter-VLAN Routing
Lab 5-2 DHCP
Chapter 7: Network Management
Lab 7-1 Synchronizing Campus Network Devices using Network Time Protocol (NTP)
Lab 7-2 Configure Campus Network Devices to Support Simple Network Management Protocol (SNMPv3)
Chapter 8: Switching Features and Technologies
Lab 8-1 IP Service Level Agreements and Remote SPAN in a Campus Environment

Posted in Certification

The ASA is here!

It took some time to find one, but I have a Cisco ASA 5505!

This ASA comes with the Security License. Now I can start working on my CCNA Security firewall labs!

Posted in Certification

The end of an era…

The countdown to the end of the Cisco ASA 5505 has begun. Announced in late February, the baseline security device will be retired in 2022. So if you are studying for the CCNA Security, get your ASA now! I am sure the cost of the ASA will start to go down, making this hardware an easier pickup for home labs.

Cisco ASA 5505 End of Sale Announcement 

Posted in Cisco Rants

NAT/PAT

The planning and configuration of Network Address Translation/Port Address Translation is similar on a security appliance and on a router.

Define the internal IP address space to translate. This will help with choosing the right translation scheme for your application. You will configure an access list to define the IP addresses to be translated.

Define your inside and outside interfaces. Make sure you have configured IP addresses for these interfaces.

Map out your ports! This will be helpful for the firewall policies that will need to be built later.
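As an added example that is not from the original post, here are the three steps above carried out on an IOS router, followed by the equivalent on an ASA 9.x (which uses object NAT rather than an access list); the addresses, interface names and the published server port are constructed for illustration.

```cisco
! ---- IOS router ----
! Step 1: access list selecting the inside address space to translate
! (192.168.10.0/24 and 203.0.113.0/30 are constructed addresses)
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
!
! Step 2: inside and outside interfaces, each with an IP address
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Dynamic PAT: every host matched by the ACL shares the outside address
ip nat inside source list NAT-INSIDE interface Serial0/0/0 overload
!
! Step 3: port map for a published web server (static PAT); only this
! port is exposed, and it is exactly what the later firewall policy
! must permit inbound
ip nat inside source static tcp 192.168.10.50 443 203.0.113.2 443
!
! Verify: active translations and hit counters
! show ip nat translations
! show ip nat statistics
!
! ---- ASA 9.x equivalent (object NAT) ----
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
object network INSIDE-NET
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network WEB-SERVER
 host 192.168.10.50
 nat (inside,outside) static interface service tcp 443 443
!
! Verify: show nat detail / show xlate
```

On the ASA the static PAT still needs an access list applied to the outside interface before TCP/443 is reachable, which is why the port map feeds directly into the firewall policy.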

Posted in Certification, Skill Development, Uncategorized

Hairpinning

I have found myself asking: when and where would this be useful? In what architectures or campus designs would this be implemented?

The idea that traffic can be sent back out the same interface it came in on is similar to the idea of reverse path forwarding (RPF) in routing. The major difference is that hairpinning focuses on routing packets that traverse the same security level in a virtual private network (VPN), while RPF focuses on keeping routing loop-free.
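One concrete place this is used, as an added example not from the original post: on an ASA, remote-access VPN clients whose decrypted traffic has to go back out the outside interface it arrived on (to the Internet, or to another VPN client). The pool addresses and the interface name are assumptions.

```cisco
! Allow traffic to leave through the interface it arrived on;
! without this the ASA drops the hairpinned flow
same-security-traffic permit intra-interface
!
! Address pool handed to remote-access VPN clients (constructed)
object network VPN-POOL
 subnet 10.10.20.0 255.255.255.0
!
! Hairpinned client traffic bound for the Internet is translated to the
! outside address on its way back out of the same interface
nat (outside,outside) source dynamic VPN-POOL interface
!
! Verify: show running-config same-security-traffic / show nat
```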

Posted in Certification, Skill Development, Uncategorized