Monday, December 15, 2014

Network+ Done

Took and passed network+ with an 865. Woo, missed 4 questions. I think I whiffed a scenario, but I'm not sure. Funny.

Anyhow, regarding the material and test. Sorry, this won't be much help for a lot of folks.

Material: I quick glanced the material from WGU (Testout?). I took 4 notecards of notes. Normally, I take a pile of them (50-150 cards depending). I had to beat into my head the 568A & 568B and 110 blocks. Ended up using WAG, BOW and BLOG for the scheme, A-GW (WAG), B-OW, Bl-O-G. The other cards had stuff on them. Don't even recall what. I took the practice tests, and did the scenarios in about 2/3rds of the sections. The ones testing ping, nslookup, dig, etc., I skipped. I've done these way too often in real life.
ping yourself
ping the gateway
ping your destination...

Took the full practice test, made a 96.

The test vs material: since I only quick-glanced it, I can't say how much it mapped up. I simply used my experience (CWNA, CCNA, CCNA-Sec) to ferret out most of the technical answers. I think the study material gave me 3-4 questions I would have missed or 50/50'd. I still love "choose the BEST" solution questions. Basic things to know:
  • IP networking (subnetting, broadcast, Classes, etc. One of the questions was on a CCNA level I thought. Good question, had to think and know your rules).
  • OSI model and service at each level and device relationships to said model (Physical - cables, hubs; datalink - bridge/switch; etc.)
  • devices to service provided (Firewall vs router vs switch vs packet filter vs content filter)
  • Ports and protocols (FTP, SMTP, SNMP, etc)
  • Cabling standards
  • troubleshooting steps
  • WiFi (a,b,g,n; security options/flavors; radio freqs; antenna basics)
Test itself. 80ish questions, and like most of the CompTIA tests it leads with scenarios. I think I had 6-8 out of the gate. One was a good question, but I'm guessing a lot of people get it wrong. Actually had to use the notepad to do the math. The rest of the non-scenario questions are straightforward. I thought most had the right answer well defined and the other choices weren't really an option, but that might be experience. Felt there were 10 questions where it was down to 2 answers, and it was pick the best. (i.e., asking a layer 2 OSI model question, 2 answers were router and hub, other was switch and bridge -- pick the best).

Anyhow, there is a lot on this one. Experience helped a ton and made it relatively easy for me. Knowing the OSI to services helps a lot for this test. Probably need to know it very well.

Tuesday, December 9, 2014

IINS 640-554 passed (CCNA Sec, WGU Course CNV1)

Passed. Only with a 918 out of a 1000.

Thoughts: This was a test with a high bar to reach. As stated in other notes, make sure you read the documents from the Cisco site beyond the book and the videos from CBTNuggets and Boson's tests. The books and videos will get you close, but the material from the others will get you the rest. I spent a lot of time in the CCP GUI and console the 2 days before the test. I re-reviewed my notes the night before.

GNS3 is almost required. I am using the most current version, 1.2.1. Here is the practice I used (over and over and over).



  • The Win7client was a VirtualBox Machine. It was used to manage all devices, ASDM and CCP. CCP IS dog-ass slow discovering. 
    • One Proc, 2Gigs of RAM, 40G HDD
    • Installed Apps included 
      • ASDM -- for the ASA
      • CCP -- for the routers
      • Notepad++ -- 'cause I can't remember anything two seconds after I see it
      • Chrome (w/adblock) -- my preferred
      • Tftpd64
        • to move asdm image back and forth to the ASA
        • to provide file downloads for the IOS IPS
      • default gateway was the IOS router (NOT THE ASA)
  • Local/Host workstation
    • Quad core Intel, 16gigs of RAM
    • Connected to ISP router with physical connection. Physical connection is the Local Area Connection 2
    • Served as VPN connection to the ASA.
  • Routers
    • 7200 series with IOS 15.0.x
    • All routers had a 1GE Interface
      • WANFU
        • had qty 2 -- 2 port 100FE cards
        • Was a DHCP client on g0/0 to get internet routable IP address. I hate looking at the damn yellow ! network icon on win7client box.
        • did NAT (hey! a test objective) for other networks.
        • Was known to blow up once IOS firewall was turned on (hey, another test objective!)
      • Area4 & Area5 Routers
        • Single 2 port 100fe cards
        • Not shown interface was the interface used for vpn (f1/1 on both)
    • Ran OSPF as the IGP. Redistributed on WANFU for default route.
  • ASA used the known working image within GNS3. It spent most of its life OFF. It WILL eat a single core of your processor when it is on. Plus it is very fickle about keeping configs between reboots. As this is an entry-level course, redoing the interfaces didn't take long, and was good practice.
  • The VMWare cloud hosted the ACS box. I'll figure out how to reconnect it. 
My practice labs I did a lot to get the commands down. Seeing enable secret level 6 0 level6pwd looks weird if you don't know what you are seeing. Test related info in bold. Maybe I'll write out a full step by step or some sort of solutions. Right now, please verify your work as you go. I just used this lab to reinforce what Keith Barker's Nuggets taught. I broke most of this out into sections. They can be done independently of each other AFTER the initialization section. 
  • Initialization: basic connectivity 
    • Give the routers IP addresses. I like loopbacks, so I added some. Mine were 10.0.255.25x/32. Also, make sure to set the g0/0 to DHCP client on WANFU
    • Get IPv4 routing working. I used OSPF, everything in area0. Don't advertise the 192.168.xx.y nets. They are your site-to-site VPN networks. Notice you don't have to advertise them to get VPN working.
    • Enable IPv6. Give the routers IPv6 addresses on all interfaces. 
    • Get some sort of IPV6 routing working.
    • Check your IPV6 interfaces and routing
      • show ipv6 int brief
      • ping 2001:... source 2001:..
    • Configure NTP. Make WANFU master (ha!). Use encryption. Set Area4 to use WANFU. Area5 will be done later.
  • Configure Users and CCP Login
    • Create the users listed at the privilege listed
    • enable secrets at the appropriate level with correct passwords
      • TEST; login; give some rights.
    • give all the boxes a domain-name (ip domain-name gns3.local is the syntax I used)
    • turn on the web server on each router 
      • turn on both insecure and secure methods
      • use local authentication
    • generate your certs for SSH
    • On all but Area5 Router, turn on AAA authentication, authorization. Area5 gets it in the GUI. That sounds wrong.
      • Authorized exec and commands. Again use the user accounts for levels. practice with both default and NAMED method lists. I always set my lists to use local, then 2 or 3 of the other options (group tacacs, enable, local-case, etc). Heck create 2 types, MYTAC and MYLOCAL for authentication.
      • configure vty lines to use the aaa authentication and authorization, using the methods just created
    • On Area5 Router
      • configure login on the vty terminals WITHOUT AAA.
    • Turn on CCP. CCP FUN time. 
      • Create a group of nodes, MYGNS3 is what I called them.
      • I used loopback interfaces. Good practice in RL, but...up to you
      • Discover your nodes! (good time to drink, use the facilities, talk to your family, order dinner). Yeah, it can be slow.
      • Manage Area5 router's AAA in CCP
        • Turn on AAA
        • Configure the exact same method lists as WANFU and Area4
        • Push the config out
      • Manage NTP in CCP for Area5 Router. WANFU is the reference.
    • Back to the consoles. Sad, so sad....
      • Enable views and log in with the root view. You did read what it told you when you turned it on?
      • create more views! Assign some rights. commands exec all show ip; show ipv6; etc. test that bad boy. 
    • Test everything now. Login right and wrong. 
      • Debug AAA authentication/authorization
      • test aaa group (yeah, no server, so what?). It fails, what a shock.
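The user, AAA, vty and view steps above, written out as IOS configuration for WANFU or Area4. This is an added example, not the author's lab config: the usernames, passwords, the command moved to level 6 and the view name are constructed, while MYTAC, MYLOCAL, gns3.local and the level 6 enable secret come from the post.

```cisco
! Constructed example for the "Configure Users and CCP Login" steps.
ip domain-name gns3.local
! Exec-style command entered in config mode; it is not stored in the running config
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local users at different privilege levels (constructed names and passwords)
username admin privilege 15 secret 0 cisco
username helpdesk privilege 6 secret 0 helpdeskpwd
!
! Per-level enable secret as quoted in the post:
! "level 6" is the privilege level, "0" means the password that follows is typed in cleartext
enable secret level 6 0 level6pwd
enable secret 0 cisco123
!
! Give level 6 some rights: move one command down from level 15 (constructed choice)
privilege exec level 6 debug aaa authentication
!
! Web server for CCP: insecure and secure, authenticating against local users
ip http server
ip http secure-server
ip http authentication local
!
aaa new-model
! Default lists apply to any line that does not name a list
aaa authentication login default local
aaa authorization exec default local
!
! Named lists. A later method is tried only when the earlier one returns an
! error or no response, so with no TACACS+ server in the lab MYTAC ends up on local.
aaa authentication login MYTAC group tacacs+ local
aaa authentication login MYLOCAL local-case enable
aaa authorization exec MYTAC group tacacs+ local
aaa authorization commands 15 MYTAC group tacacs+ local
!
line vty 0 4
 login authentication MYTAC
 authorization exec MYTAC
 authorization commands 15 MYTAC
 transport input ssh telnet
!
! Role-based CLI view (constructed name and password).
! Requires aaa new-model and an enable secret; enter the root view first
! from exec with "enable view", then create the view in config mode.
parser view SHOWIP
 secret 0 viewpwd
 commands exec include all show ip
 commands exec include all show ipv6
```

Test a view from exec with `enable view SHOWIP`, and watch `debug aaa authentication` and `debug aaa authorization` while logging in right and wrong to see which method list and method each attempt hits.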
All right, I think we got most of the basics going and tested. CCP should work. AAA should work using local for SSH/Telnet. All routers are accessible. Life is good. NTP might work. I found NTP tended to cause WANFU to suffer an emotional breakdown and have to be deleted and re-added. Saving would be good if all works in a way you like. Let's move on!


  • All right! More fun! Let's go out of order and do VPN! Why? 'Cause the longer before I make WANFU do a whole lot, the better off I was. Back to CCP! If you don't understand the jargon, read the study guide, watch Keith Barker's videos. These are just practice labs to reinforce.
    • Rediscover Area4 and Area5 Routers
    • Create a new site-to-site VPN on Area4 router
      • DO NOT USE Defaults. Be wild, be crazy, just don't DES. Friends don't let friends DES. For your HAGLE, let's pick...AES192, MD5, Pre-shared (ilikevpn), DH group 5. Leave the lifetime alone. Seriously, pick your own options. Copy-cat.
      • For the phase 2 portion, let's pick MD5-HMAC, and AES 256.
      • Your interest traffic will be....????
        • (192.168.40.x going to 192.168.50.x)
        • Your interface will be??? (f1/0)
      • Push that bad boy out. 
      • Ok, go clear the phase 1 that is pushed out by default by CCP. Defaults suck (well, not really, but what fun is letting someone else pick?)
    • And let's go to Area5 router and do the same thing! Fun. Switch nodes in CCP to Area5.
      • Create a new site-to-site VPN. match it up with your others. 
      • your interest traffic might need an adjustment? (the answer is yes)
      • Push out the config. Destroy the default Phase 1 it sends. You are remembering what screen on CCP all this stuff is buried as you do this?
    • To the console. About time. Keep the CCP up tho. You'll want to view both.
      • Generate some interesting traffic. On Area4 Router; ping 192.168.50.1 source 192.168.40.1. If you did it right, the establishment of the tunnel might eat one or two packets, but otherwise work. nomnomnom. If not, well, crud. You get to troubleshoot! Haha! (or reboot the boxes and retry. I won't judge you. Much. You have to suffer through a rediscovery in CCP. Another 5 minutes of your life lost waiting.).
      • Practice your show commands
        • show crypto ipsec ?; show crypto isakmp ?; show crypto map; show run. What does the map do and have in it? What does the sa option show you? Where is everything applied?
        • Go to the GUI. Check the tunnel status. Answer all the questions you had in the console via the GUI.
        • If you are feeling really spicy, turn on your debugs. debug crypto...bring the tunnels up/down etc.
        • Do a show run. See what is in the crypto map. What is in the isakmp part? What is in the ipsec part? What does the ACL do and which one is it?
  • We'll put off the ASA VPNs for a bit. Your host workstation will thank you.
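What CCP should end up pushing for the site-to-site tunnel above, written as CLI for both routers so the two ends can be compared line by line. This is an added example, not the author's config: the f1/0 peer addresses, the /24 masks and the transform-set, ACL and crypto map names are constructed, while the HAGLE choices, the key, the 192.168.40.x/192.168.50.x networks and the f1/0 interface come from the post.

```cisco
! ===== Area4 router =====
! Constructed addressing: Area4 f1/0 = 10.0.4.1, Area5 f1/0 = 10.0.5.1.
! Substitute the f1/0 addresses from your own topology.
!
! IKE phase 1 (HAGLE): Hash MD5, Authentication pre-share, Group 5,
! Lifetime left at the default, Encryption AES-192
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ilikevpn address 10.0.5.1
!
! IKE phase 2: ESP with AES-256 and MD5-HMAC
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
! Interesting traffic, Area4 side (/24 assumed from "192.168.40.x")
ip access-list extended VPN-TO-AREA5
 permit ip 192.168.40.0 0.0.0.255 192.168.50.0 0.0.0.255
!
crypto map S2S 10 ipsec-isakmp
 set peer 10.0.5.1
 set transform-set AES256-MD5
 match address VPN-TO-AREA5
!
interface FastEthernet1/0
 crypto map S2S
!
! ===== Area5 router =====
! Phase 1 and phase 2 must match Area4 exactly; only the peer and the ACL change.
crypto isakmp policy 10
 encryption aes 192
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ilikevpn address 10.0.4.1
!
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
! The "adjustment" to the interesting traffic: source and destination are
! swapped so this ACL mirrors the one on Area4.
ip access-list extended VPN-TO-AREA4
 permit ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
!
crypto map S2S 10 ipsec-isakmp
 set peer 10.0.4.1
 set transform-set AES256-MD5
 match address VPN-TO-AREA4
!
interface FastEthernet1/0
 crypto map S2S
!
! ===== Verify from Area4 exec =====
! ping 192.168.50.1 source 192.168.40.1
! show crypto isakmp sa   -> state QM_IDLE means phase 1 is up
! show crypto ipsec sa    -> encaps/decaps counters rising means phase 2 is passing traffic
! show crypto map         -> peer, transform set, ACL and the interface it is applied to
```

If phase 1 never reaches QM_IDLE, compare the two isakmp policies and keys first; if phase 1 is up but the ipsec counters stay at zero, compare the transform sets and check that the two ACLs are exact mirrors.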
Did your VPN work? If so, save it! We are moving on! Let's do some more security, a security audit.
  • Is CCP up and everything discovered? Yep. Do it. Pull up your favorite 3-5 minute YouTube video while you wait.
  • Let's manage WANFU. Let's do a security audit!
    • OMG! what should you trust and not trust
      • No one trusts their internet. 
      • Although I don't trust the guy configuring the rest of this lab, let's say we do trust the rest for now (f/x interfaces and loopback0)
      • DNS, use google 8.8.8.8, 8.8.4.4
    • Run the security audit! Go ahead and let it do service password-encryption, and some others if you feel it.
    • Push it out if you are feeling lucky
  • Alright! Let's do a one step lock-down. Save your config before you start (and GNS environment)
    • You'll need to see the screens.
    • let it push out one time. I've always had craptacular luck and had to reload the OS at this point.
  • read the screen. see what options you can turn up/down. 
That was fun? easy? simple? Onward. IOS based firewall next on WANFU
  • get CCP going. manage WANFU.
  • go ahead and turn up the down dmz interface, f1/1. 172.31.255.1/24 is good. I like using the boundary addresses to reinforce. everyone puts the lower bounds, practice on the upper. 
  • you'll have to do this one a couple of times
    • do a basic firewall
    • do an advanced firewall
      • This is all virtual, so make up a virtual server for the dmz. if you are really feeling it, go ahead and connect it to the switch in a different vlan and attach some magic box running whatever service you let through
To be continued...


Monday, December 1, 2014

Additional Resources for IINS 640-554 (WGU CNV1)

I am in the process of adding additional resources I used beyond the CBTNuggets and official Cisco book for the test.

This is based off of my actual test experience and Cisco's CCNA Security Exam Topics.


  • Overall information to review and study directly from Cisco itself is here. They have several resources that are beyond the scope of the material from CBT and the books.
  • Chapter 6, For Layer 2 Security/Common Layer 2 attacks, the link doesn't appear to work. I used this resource from Pearson. This is beyond what is in the book. Since it is 25 pages and the reference link is 25 pages, I'm guessing it is the resource link we are to use. Based upon experience, I am confident this is the material. Seriously, read it, take notes.

I'll add more as I get back into this test.


Friday, November 21, 2014

CNV1 -- IINS 640-554 Test -- Failed

I recently took the Cisco CCNA Security 640-554 test and failed with an 888 with an 898 needed. Yeah, big suckage. 5 days for Cisco before retake and I do know now how long for the WGU retake.

Thoughts on the test without hopefully violating the terms.

  • Know the CCP GUI for all the sections and material you are responsible for. The test expects some level of knowledge here.
    • This includes how to do a configuration of the selected tasks.
    • What the path/where to click to access the task or information. (IE, where do you go to configure NTP Servers in CCP).
    • The tasks to know
      • How to view and configure everything related to an access-list
      • How to view and configure everything related to IOS VPN
      • How to view and configure everything related to IOS Firewall
      • How to view and configure everything related to AAA
      • How to view and configure everything related to time
      • The tasks and steps under the security audit tab
  • Know the same topics from the command line too. :)
  • Know your ASA for SSL VPN options and setup
  • The books provide most of the test information you will need. However, some areas that I think the books, practice tests, video (CBT) were short on.
    • IPv6
    • IPv6 access-lists
    • PVlan
    • Layer 2 (books and video especially)
  • Have a better understanding than the books give for the other Cisco products basically outside the scope of the test. Inside the scope would be CCP, ASA, IOS, IOS IPS, & ASDM. The books do cover these other items (SecureScan, IronPort, SCM). You don't need a detailed knowledge of how to configure or use these devices, but know the feature sets they offer.
  • Have a good understanding of layer 2 protocols and protections. Understand Layer 2 from what the Boson practice test quizzes you over. The books and videos aren't enough.
  • Know the Cisco answer to the question. I got a question that there were 3 rights and I had to pick 2. It wasn't one of the, "which of the following is the best..." either. Experience in the real world can be good AND bad.
  • The study material probably covers only 85-90% of what I was tested on.
  • Review the official Cisco Exam topics. Like everything else in life, what you don't prepare for always seems to show up.
Personal thoughts:
  • I think I might have got a pretty crappy roll from the RNG on what I was tested over in certain areas. I'm sure life evens itself out eventually.
  • Never forget Cisco certs are highly sought after so the questions and material will reflect it. Lots of opportunity for "bad" people to dump answers and raise the bar for the rest of us. Cisco has to make it harder somehow so they will do the following:
    • Expect poorly worded questions to distract, confuse or frustrate you.
    • Expect to see some minutiae questions. They will test you over a single sentence from the book.
    • Test outside of the book & video but still within exam objectives (NOT NICE!)
  • Studying for this one isn't fun. You will spend quite a bit of time messing with the environment to get enough hands on practice. You will be reloading OS, configs, scenarios, waiting for CCP, etc...
From the WGU Perspective:
  • There's NO help in the forums for the current version of the test. You are on your own.
  • Again there is a large gap between the test and the material. As a college course you kinda hope to have materials that provide you an environment to simulate the material on the test especially if it is hands on. Access to IOS, ASA, ASDM, IOS IPS, CCP are either memorize the lecture steps (hahahaha), buy equipment to practice, or find emulators to practice.

Monday, November 17, 2014

WGU -- CNV1, IINS 640-554 Studying

Well this has been among the most frustrating courses to study. I have grabbed my voucher and am looking to schedule the test this week. Wish me luck. Onto the study material.

First, the course of study reads like, here's the material, good luck. The forums mention little to worse. So, based on the C.O.S., the CBTNuggets are entertaining and good. The only thing is having to set up a lab or 2 that emulates the commands. Even having 10+ years of experience on Cisco gear, learning zones, zone pairs, CCP, etc. are newish to me. I can't imagine learning this from start. Here is what I did and built.

Host machine: Win 7 box with quad core proc and 16G of RAM with dual monitors. I wish it had 3. One for the lab setup (including putty), one for the CBT at full screen, one for the virtual machines in the labs. It has worked well.

Software (sorry to my Linux/Apple host friends, but you can get pretty close, or better. GNS3 and most of the software works everywhere, and supposedly better in others. Lucky):

  • Oracle's Virtualbox. If you are a WGU student you should have it from your Linux+ stuff. I used this to emulate some win7 and radius boxes. And use your WGU licensing from MS to spin up and clone. Plus, when you clone in the Virtualbox, the sheep makes me laugh every time. I have 3 win 7 clones sitting there. These boxes will need to be attached to GNS3. You don't have to set up the radius boxes, but I'm a nerd.
  • VMWare's VMPlayer -- This is so you can spin up the ACS server to see how tacacs+ works (if you want).
  • Some people will find the need for MS loopback adapter for...
  • GNS3. Godsend. If you want to practice without actually buying the hardware, you NEED this. This software is awesome. I will grab a list of links. Right now, they have just launched 1.0/1.1 version and a lot of the links are for 0.86 etc. Here are some quick notes...
    • First, it lets you spin up Cisco equipment sufficient enough to practice on the command line. You can type en, cisco123, conf t, username admin secret 0 cisco, etc., until you are blue in the face. Plus these same boxes can be managed by your VM win7 box running in the same virtual environment.
    • On the ASA, do not put in options if you use 8.4.2. It simply works. However, it will chew up one of your 4 cores (at least it did mine). My proc runs at 25% all the time when I have an ASA up.
    • Make sure you find a good idle time value. 
    • If your connections are working but you -know- you have it set up right, save your GNS3 config, save your device configs, and restart GNS3.
    • GNS3 lets you attach your VMs to it. 
      • Virtualbox works out of the box directly connected. Find the articles how to do it. I say this is pretty f-ing cool. 
      • VMPlayer has to be attached via a cloud/loopback adapter. I used the Virtualbox adapters here. VMPlayer doesn't have the hooks to directly connect and the ACS boxes require VMWare in their hardware check. (Yes, I am sure you can make it not, but my google-fu was exhausted, and my patience was gone by then. If you have the details, I'll add 'em).
My actual study routine. I read the book first online. I used Safaribooksonline. I like this resource better than the WGU option. Same book, different location. I took notes. I used 5*7 notecards. I take notes on concepts, not word x = definition. For example, my card on IKE Phase 1 has HAGLE, with all the parts of HAGLE broken out with details such as DH supports 1 @ 768, 2 @ 1024, and 5 @ 15xx, H has SHA1 (@ 160), and MD5 (@128). And it is a single bidirectional tunnel.
After reading the books, I watched the CBTNuggets material. Keith is a good lecturer. Most of the lectures take 2 or 3 times the running time of the material for me. I typically pause and rewind him as he does the configuration. I made 2 or 3 instances of setup within my GNS setup. Repetition makes perfect.

Now I am on to the practice tests from Boson. It scares me to read the reviews. Not promising. Old test, missed material. We will see. This is the only test we have score an "A" on and our material and testing have left quite a few out in the cold. Scary. I made right at 80% on my first time through on Boson. I always use the practice method. Question, my answer, grade my answer, review the material. Also had my favorite, questions on material that my material didn't cover. They asked about a concept, PVLANs, that is in the official Cisco curriculum stuff, but I don't recall it in either study material (book or CBT). Some of the details they asked, I didn't recall, but that's why we take practice tests. Honing and focus and repetition.

Anyhow, the frustrations of this course...Once you figure out that GNS3 and VM and Virtualbox can solve some problems.
  • Where do I get software?!? And what do I need to do?
    • Ask your account mgr if you have a contract with Cisco. This will be the #1 most frustrating problem through the course. Plus from my understanding, the internet comes with a search function.
    • You will need IOS router software. I used 7200's with 15.0x running for my labs
    • You will need to get IOS IPS Signatures. 
    • You will need ASA software, 8.4.2 is supported.
    • I used 3 Win7 virtual boxes, one for CCP, one for ASDM, one for AnyConnect.
    • You can spin up the attack box our instructor uses. The product name has been updated. 
  • GNS3 is excellent except for....
    • My ASA won't save its config beyond a GNS restart (save a script, best I got so far)
    • My ASA doesn't do DHCP right (save a script and restart the project)
    • My ASA's chew up my processor. (agreed, shut 'em down when not in use)
    • My cloud doesn't work right ( again saving and reloading my project)
    • My switch doesn't work right (again, saving and reloading project worked for me)
    • My routers cook my CPU (find your idle-timeouts and use a supported IOS).
    • I get strange console errors (meh, I am not doing routing labs, so don't care -- yet).
    • Where are the Cisco switches (not supported).
  • Seriously, where do I get software? Search for GNS3 IOS images. I agree, frustrating, that a university, vendor, can get us time-bombed material so we can practice.
  • The forums are 0 help here WGU students. Sorry. Normally, they serve as a great guide.
  • Pacing guide, read 2 chapters a week. That's not a guide....
I'll post an update how I do this week. Thursday is looking to be test day. Plus, I want to forget over Turkey day.






Saturday, November 1, 2014

CNV1 - Designing Custom Security Solutions -- IINS 640-554 Setup

Wow. This course does not have much pre-test help. The forums were very lacking in information on how to prep. Listen to the CBT nuggets, read the book and do the practice test. That makes getting hands on practice kinda difficult if you don't have gear. Not good.

I decided to use GNS3 and Virtualbox to do the routers and such. It has taken 2 days to get the environment set up. I read the manual after getting lost for an hour or two. I try the click until something good happens at first. Helps me learn where everything is before reading a manual cold. Next, getting IOS images is a challenge. Plus setting the idle time is important. Last, connecting Virtualbox into the system is cool. Yay, practice for tacacs+ and radius. Good thing to save those practice Win7 and Linux machines from earlier courses.


Tuesday, October 28, 2014

CTV1 -- SY0-022/SY0-401 -- Security+ Passed

Yay! Passed another one. This was one of the harder or more intimidating courses to pass. You have to get a 750/900 and that translates to between an 81-83%. That's a bit higher than the 600 or 700/900 on most of the CompTIA courses so far in the curriculum. Anywho, rambling. Back to the course.

Study Material: Again, after checking the forums and reading what other students had done, I went with a 3rd party source for studying, not the official WGU material. I used the book from Darril Gibson (kindle -- $9.99) along with the practice tests ($19.99 or 29.99) on his website. The book is a relatively easy read, and it doesn't get lost in the woods like many of the other resources. It has the level of detail needed for the test, but not too much more.

Practice Test: I used Mr. Gibson's website practice test material for the majority of my practice sessions. I was scoring 98% on his site, but 90% in real life. (If you get the material, you'll understand that statement). I did take the Transcender's material offered with the course, but I thought several of the question banks could use some work. (Look at the sources for the questions when reviewing the answers. Seriously, if it isn't part of the official study guide certified by CompTIA, why is it being tested?). I was making 75% to 82% on the transcender material the day of the test.

Test: 70 questions, 90 minutes. Yikes. Gotta hustle. The test had your standard simulations like most CompTIA courses now. There were 6-8 of those. Rest were multiple guess based on two to three sentence scenarios or pure definition questions. Along the way there were multi-select multiple choice just to spice it up.

The scenarios can chew into your time. I always find the hardest part is getting enough screen real-estate to see the test question, the diagram, and the answer area. I end up having to move windows around all the time. Grrrr. Those took 3 minutes or so each. I am starting to think on the scenarios, don't even read the question. Just open the scenario, quick view the diagram, and then read the question after looking at the diagram(s). The question always hovers so it is readily available to view.

The whole test took me 55 minutes total. Some of the questions are awkwardly worded (as usual). Made an 816 for my troubles.