IT Certification Study Guide share & Training Preparation Ebooks free download
CCSP Training
Cisco Certified Security Professional (CCSP®) validates advanced knowledge and skills required to secure Cisco networks. With a CCSP certification, a network professional demonstrates the skills required to secure and manage network infrastructures to protect productivity, mitigate threats, and reduce costs. The CCSP curriculum emphasizes the security features of Cisco IOS routers (ISR) and Catalyst switches, the Adaptive Security Appliance (ASA), secure VPN connectivity, Intrusion Prevention Systems (IPS), Cisco Security Agent (CSA), security enterprise and device management, and Network Admission Control (NAC), as well as techniques to combine these technologies into a single, integrated network security solution. CCNA Security is a prerequisite for CCSP.
ASA and PIX using http inspection to filter URLs and Hosts in HTTP
Aug 16th
With ASA/PIX OS release 7.2, the inspection engines can use regular expressions (regex and class-map type regex) for application-layer filtering.
The following example filters HTTP by destination host and URI. It resets and logs HTTP requests whose Host header matches 136.3.9.2 and whose URI contains /cd/ or /show/ (in any letter case). Two caveats: the inspection only sees cleartext HTTP, so HTTPS to the same host is unaffected; and in a regular expression an unescaped dot matches any character, so "136.3.9.2" also matches strings such as 136x3y9z2 or 136.3.9.22 unless the dots are escaped as \. and the pattern is anchored. Patterns can be checked on the appliance with the test regex command before the policy is applied.
!-- regex for the "show" URI string (either letter case)
regex SHOW ".*/[Ss][Hh][Oo][Ww]/.*"
!-- regex for the "cd" URI string
regex CD ".*/[Cc][Dd]/.*"
!-- regex for the destination host; can be a domain name as well
!-- (an unescaped "." matches any character, so this pattern is looser
!-- than it looks; escape the dots as \. to match them literally)
regex HOST "136.3.9.2"
!-- the host regex is used in a class map; several regexes can be listed
!-- "match-any" means that one matching regex is sufficient
class-map type regex match-any CM_DOMAINS
 match regex HOST
!-- the URI regexes are combined in a second class map, again "match-any"
class-map type regex match-any CM_FORBIDDENURI
 match regex SHOW
 match regex CD
!-- the host and URI class maps are combined in an HTTP inspect class map
!-- "match-all" means that both conditions must match:
!-- the host AND either one of the two URI regexes
class-map type inspect http match-all CM_H_BADREQUEST
 match request header host regex class CM_DOMAINS
 match request uri regex class CM_FORBIDDENURI
!-- the inspect class map is referenced in an HTTP inspection policy map,
!-- where the action is defined (reset the connection and log)
policy-map type inspect http PM_DENYBADHTTP
 parameters
 class CM_H_BADREQUEST
  reset log
!-- last step: the HTTP policy is attached to the default global policy
!-- by giving it as an additional parameter to the "inspect http" command
policy-map global_policy
 class inspection_default
  inspect http PM_DENYBADHTTP
!
service-policy global_policy global
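A tighter host pattern, with the on-box checks for it, as an added example that is not part of the original post. The regex name HOST_STRICT is my own; CM_DOMAINS and HOST are the post's names. ASA's test regex command reports whether an input string matches a pattern, which is the quickest way to confirm what a class map will catch before the policy goes live.

```cisco
! Added example (not from the original post): a strict HOST pattern and
! test regex checks. HOST_STRICT is an assumed name.
!
! Dots are escaped so they only match a literal ".", and the pattern is
! anchored with ^ and $; an optional :port suffix is allowed because a
! client may send "Host: 136.3.9.2:8080".
regex HOST_STRICT "^136\.3\.9\.2(:[0-9]+)?$"
!
! test regex <input> <pattern> prints whether the input matches.
! The post's unescaped, unanchored pattern is over-broad: both of these match.
test regex 136.3.9.22 "136.3.9.2"
test regex 136x3y9z2 "136.3.9.2"
! The strict pattern matches only the intended host, with or without a port.
test regex 136.3.9.2 "^136\.3\.9\.2(:[0-9]+)?$"
test regex 136.3.9.2:8080 "^136\.3\.9\.2(:[0-9]+)?$"
test regex 136.3.9.22 "^136\.3\.9\.2(:[0-9]+)?$"
!
! Swap the strict pattern into the host class map of the post's policy.
class-map type regex match-any CM_DOMAINS
 no match regex HOST
 match regex HOST_STRICT
!
! Confirm the HTTP inspection policy is applied and is counting matches.
show service-policy inspect http
```

The first two test regex lines succeed and the last one fails, which is the behaviour to look for: a host pattern that matches a neighbouring address silently widens the block list.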
ASA Asymmetric Routing
Aug 16th
If you’re having issues with Cisco ASA and asymmetric routing, this should save you the night.
The feature is called TCP State Bypass and is available from ASA 8.2(1) onward.
- inside network: 10.1.1.0/24
- ASA inside address (default gateway for the LAN): 10.1.1.254
- secondary gateway on the inside interface: 10.1.1.3
- host behind the secondary gateway: 10.0.0.113
Things to do:
- Enable same-security traffic intra-interface (permits traffic to enter and leave through the same interface):
same-security-traffic permit intra-interface
- Define the NO NAT ACL:
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 host 10.0.0.113 log
- Apply the NO NAT ACL (NAT exemption):
nat (inside) 0 access-list nonat
- Add the static route toward the secondary gateway:
route inside 10.0.0.113 255.255.255.255 10.1.1.3 1
- Add the STATE BYPASS ACL:
access-list state_bypass extended permit tcp 10.1.1.0 255.255.255.0 host 10.0.0.113 log
- Create the STATE BYPASS class map:
class-map state_bypass
 match access-list state_bypass
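The excerpt stops at the class map. The configuration that completes it, as an added example and not text from the original post: the policy-map name tcp_bypass_policy is my assumption, while the ACL and class-map names are the post's.

```cisco
! Added example, not from the original post: the steps that complete the
! TCP state bypass configuration on ASA 8.2(1) and later.
! tcp_bypass_policy is an assumed name; state_bypass is the post's class map.
!
! Attach the tcp-state-bypass connection option to the class.
policy-map tcp_bypass_policy
 class state_bypass
  set connection advanced-options tcp-state-bypass
!
! Apply the policy on the interface where the matched traffic arrives
! (inside in this topology). An interface policy takes precedence over
! the global policy for traffic that matches its class.
service-policy tcp_bypass_policy interface inside
!
! Verify: the class should show matches, and bypassed connections carry
! the "b" flag in the connection table.
show service-policy interface inside
show conn detail
```

Flows matched by the bypass class skip TCP normalization, sequence-number randomization and stateful checks, so the appliance will pass a packet it never saw a handshake for. Keep the matching ACL as narrow as the post's (one host, TCP only) rather than widening it to a whole subnet.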
AAA: Attributes for local user database
Aug 16th
Usually, user attributes for AAA, such as IP addresses, callback numbers, routes or ACL names, are set by external AAA servers during authentication and authorization. In the past, the IOS local database did not have many options for providing such attributes to locally configured users.
IOS 12.3(14)T introduced AAA attribute lists. You create such a list and specify the AAA attributes in it. Define an attribute list with
aaa attribute list list-name
and enter attribute type ? inside it to see which attributes can be supplied.
There are several hooks for attribute lists, such as the EZVPN server (crypto aaa attribute list) and PPPoX headends, but attribute lists can also be used to extend AAA for CLI access. The following simple example shows how to deny CLI access to a user completely by returning an invalid privilege level.
Unfortunately, I couldn’t figure out how to revoke permission for the service “shell”; it seems that denying services cannot be done with attribute lists.
Dynamips MPLS/VPN Lab
Aug 16th
The ISCW certification guide has a short chapter on MPLS/VPN, but it doesn’t go into any detail about VRFs or how they are configured. I wanted more than that, so I set out to create a lab in Dynamips.
Lab Topology
Routers and IOS
- 3x 7200 w/ 12.4(18) IOS (c7200-jk9s-mz.124-18.bin) for PE and P routers
- 6x 7200 w/ 12.2(46a) IOS (c7200-jk9s-mz.122-46a.bin) for CE routers (less memory needed)
In the diagram, CE_A1 and CE_A2 use the same IP addressing toward PE1, and CE_B1 and CE_B2 likewise use the same IP addressing toward PE2.
CCIE Security: Certificate-based ACLs
Jul 23rd
A big shout out to all the students in the Raleigh Security CCIE bootcamp last week. I had a blast! Thank you for all your hard work, as well as the after hours discussions about the unknown, and why people feel they know it.
I promised a few blog posts related to security over the next few weeks, and this one covers certificate-based ACLs.
This post may also serve as a review of how to configure the CA clients so that their certificates contain particular fields and values, such as subject-name.
Let’s use this diagram for the backdrop of our discussion:
New QoS Class : Answers and Explanations
Jul 21st
Try these questions on for size! Learn all this and much more in the new QoS class.
CCIE CCSP full notes
Nov 20th
This is a helpful resource for candidates preparing for Cisco’s top-level security certification.
free download link:
http://www.ziddu.com/download/7430422/CCIECCSPfullnotes.pdf.html
642-515 SNAA Exam Topics
Nov 12th
Exam Description
The Securing Networks with ASA Advanced exam is one of the exams associated with the Cisco Certified Security Professional certification. Candidates can prepare for this exam by taking the SNAA course. This exam includes simulations and tests a candidate’s knowledge and ability to describe, configure, verify and manage the Cisco ASA Security Appliance product.
Exam Topics
The following topics are general guidelines for the content likely to be included. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.
642-545 MARS Exam Topics
Nov 12th
Exam Description
The Implementing Cisco Security Monitoring, Analysis and Response System exam is associated with the Cisco Certified Security Professional certification. Candidates can prepare for this exam by taking the Implementing Cisco Security Monitoring, Analysis and Response System course. This exam tests a candidate’s knowledge of the Cisco Security Monitoring, Analysis and Response System.
Exam Topics
The following topics are general guidelines for the content likely to be included. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.
642-591 CANAC Exam Topics
Nov 12th
Exam Description
The 642-591 CANAC Implementing Cisco NAC Appliance exam is associated with both the Cisco Certified Security Professional and the Cisco Network Admission Control Specialist certifications. Candidates can prepare for this exam by taking the Implementing Cisco NAC Appliance course. This exam tests a candidate’s knowledge of the Cisco NAC Appliance solution.
Exam Topics
The following topics are general guidelines for the content likely to be included on the CANAC exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.