Congrats to Antonie Henning
ccie-rs July 15th, 2008
Antonie passed his R&S lab. I know about a month ago he was close on his 1st attempt, but it appears he managed to achieve his numbers yesterday. Send him your congrats when you have a chance.
CCIE 19444
There wasn’t any turbulence on the flight, so I started another video.
07/12/2008
Actual Start Time: 3:05PM PST
COD Time: 0:00:00
-Configuring ASA Interfaces
[R2]—–[ASA]—–[R5]
R2 e0/0 — e0/0 (o = outside) [ASA] (i = inside) e0/1 — R5 e0/0
host ASA
 int e0/1.10
  desc DMZ
  nameif DMZ
  vlan 10
 int e0/1.125
  desc INSIDE
  nameif inside
  vlan 125
**No DTP on PIX/ASA**
-PIX/ASA Routing
–Supports routing via and redistribution of
—static
—RIPv1/v2
—OSPF
**RIP routes learned inside will not traverse over to outside; vice versa**
-Configuring PIX Routing
Lo—[R3]—[PIX]—(RIPv2)—[R6]
host PIX
 router rip
  net 150.1.0.0
  ver 2
  no auto
  redist static metric 1
 ip route outside 150.1.3.0 255.255.255.0 150.1.39.3 1
 router ospf 1
  network 150.1.39.9 255.255.255.255 area 0
 show ospf nei
 show ospf int
 sh route
 p 150.1.4.4
 router ospf 1
  redist rip sub
 router rip
  redist ospf 1 metric 1
  no redist static metric 1
host R3
 sh ip route | i 39.9
 O E2, metric 20 (the default OSPF seed metric for redistributed routes; the AD is still 110)
 no ip route 0.0.0.0 0.0.0.0 150.1.39.9
-Configuring ASA Routing
AAA —(RIPv2)— [ASA] —(OSPF0)— [R2]
                 |
             (OSPF100)
                 |
                [R5]
-PIX/ASA Filtering
–State table is created for inspected traffic that goes from H-to-L sec int
–ALL TCP & UDP traffic inspected by default
–ICMP not inspected by default
–Application inspection via MPF
–W/o modifying MPF, filtering exceptions can be configured w/ ACLs
-PIX ACL Example
–Allow R6 and test PC to ping R3 via ICMP
-ACL Object Grouping
–object-grouping used in ACLs to cut down on repetitive manual ACL entries
–group addresses by
—Protocol
—-TCP/UDP/ICMP/ESP/GRE/etc.
—Network
—-IP/Subnet mask
—Service
—-TCP/UDP ports
—ICMP type
—-echo/echo-reply/unreachable/etc.
-Object Grouping Example
–Allow AAA server to
—Ping and send ping replies to R5 & SW2
—Telnet and web browse to R5 & SW2
—Reply to NTP and TFTP requests sent from R5 & SW2
AAA—[ASA]—[R5]—[SW2]
host ASA
 object-gr network R5_AND_SW2
  network-obj host 150.1.5.5
  network-obj host 150.1.8.8
  network-obj 150.1.8.0 255.255.255.0
 object-gr icmp-type ECHO_AND_REPLY
  icmp-obj echo
  icmp-obj echo-reply
 access-l DMZ_IN ext perm icmp host 10.0.0.100 object-gr R5_AND_SW2 object-gr ECHO_AND_REPLY
 access-gr DMZ_IN in int dmz
 object-gr service TCP_SERVICES tcp
  port-obj eq 23
  port-obj eq 80
 object-gr service UDP_SERVICES udp
  port-obj eq 69
  port-obj eq 123
 access-l DMZ_IN ext perm tcp host 10.0.0.100 object-gr R5_AND_SW2 object-gr TCP_SERVICES
 access-l DMZ_IN ext perm udp host 10.0.0.100 object-gr R5_AND_SW2 object-gr UDP_SERVICES
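As an added example (not from the video or the notes above), here is a small Python tool that reads object-group and access-list lines like the ones above, expands them into the flat ACEs the firewall actually evaluates, and checks flows against the result. The config text embedded in it is a constructed copy of the lines above written out in full ASA keyword form; the flow addresses used in the calls are assumptions.

```python
"""Expand ASA object-group ACLs into the flat ACEs they stand for, then test flows.

Added example; the config text below is a constructed copy of the notes'
object-group/ACL lines written in full ASA keyword form.
"""
import ipaddress
from itertools import product

# ICMP type names accepted by 'icmp-object'; numbers are the IANA ICMP types.
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

ASA_CONFIG = """
object-group network R5_AND_SW2
 network-object host 150.1.5.5
 network-object host 150.1.8.8
 network-object 150.1.8.0 255.255.255.0
object-group icmp-type ECHO_AND_REPLY
 icmp-object echo
 icmp-object echo-reply
object-group service TCP_SERVICES tcp
 port-object eq 23
 port-object eq 80
object-group service UDP_SERVICES udp
 port-object eq 69
 port-object eq 123
access-list DMZ_IN extended permit icmp host 10.0.0.100 object-group R5_AND_SW2 object-group ECHO_AND_REPLY
access-list DMZ_IN extended permit tcp host 10.0.0.100 object-group R5_AND_SW2 object-group TCP_SERVICES
access-list DMZ_IN extended permit udp host 10.0.0.100 object-group R5_AND_SW2 object-group UDP_SERVICES
"""


def _addr(tok, i, groups):
    """Parse one address operand starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]][1]), i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2   # 'addr mask' form


def _service(tok, i, groups):
    """Parse the optional port / icmp-type operand; None means 'any'."""
    if i >= len(tok):
        return [None]
    if tok[i] == "object-group":
        return list(groups[tok[i + 1]][1])
    if tok[i] == "eq":
        return [int(tok[i + 1])]
    return [ICMP_TYPES[tok[i]]]            # bare icmp type name, e.g. 'echo'


def parse_asa(config):
    """Return (groups, aces); groups maps name -> (kind, members)."""
    groups, aces, current = {}, [], None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "object-group":
            current = groups[tok[2]] = (tok[1], [])
        elif tok[0] == "network-object":
            net = tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"
            current[1].append(ipaddress.ip_network(net))
        elif tok[0] == "icmp-object":
            current[1].append(ICMP_TYPES[tok[1]])
        elif tok[0] == "port-object":          # only the 'eq N' form is handled here
            current[1].append(int(tok[2]))
        elif tok[0] == "access-list":
            srcs, i = _addr(tok, 5, groups)
            dsts, i = _addr(tok, i, groups)
            aces.append({"acl": tok[1], "action": tok[3], "proto": tok[4],
                         "src": srcs, "dst": dsts, "svc": _service(tok, i, groups)})
    return groups, aces


def expand(aces):
    """Flatten every ACE into (action, proto, src_net, dst_net, port_or_type) tuples."""
    return [(a["action"], a["proto"], s, d, p)
            for a in aces for s, d, p in product(a["src"], a["dst"], a["svc"])]


def lookup(flat, proto, src, dst, svc):
    """First-match evaluation with the implicit deny at the end of every ASA ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, v in flat:
        if p in ("ip", proto) and src in s and dst in d and v in (None, svc):
            return action
    return "deny"


if __name__ == "__main__":
    groups, aces = parse_asa(ASA_CONFIG)
    flat = expand(aces)
    print(f"{len(aces)} ACL lines expand to {len(flat)} ACEs")
    print(lookup(flat, "tcp", "10.0.0.100", "150.1.5.5", 23))   # permit
    print(lookup(flat, "tcp", "10.0.0.100", "150.1.5.5", 22))   # deny
```

The three ACL lines above expand to 18 concrete ACEs (3 destinations x 2 services each), which is exactly the repetition object grouping saves you from typing; the lookup also makes the overlap between the 150.1.8.8 host object and the 150.1.8.0/24 object visible, since any 150.1.8.x destination matches either way.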
Actual End Time: 4:15PM PST
COD Time: 1:09:15
Taking a 5.5 hour flight from LA to NY is a good time for me to hammer through and review a few videos. The CBS re-runs on the screen can’t hold my interest, so lucky for me I have my new APC airline adapter and can obtain juice to power up my laptop and watch these videos.
07/12/2008
Actual Start Time: 1:46PM PST
COD Time: 0:00:00
PIX & ASA
-Overview
–7.x
–PIX features
—Stateful FW
—VPN termination
—Basic IDS/IPS functionality
–ASA features
—Stateful FW
—VPN termination
—Advanced IPS functionality
—Advanced content filtering (virus, spyware, spam, etc.)
–CLI is similar for both PIX & ASA
-PIX/ASA 7.x vs 6.x
–7.x more IOS-like
–NAT is now optional
—’nat-control’ is disabled by default in 7.x, so traffic passes without a NAT rule (6.x required one)
–Transparent FW
—in/out int in same L3 net
–Virtual FWs
—context modes for policy separation
–MPF
—MQC-like syntax (class-map / policy-map / service-policy) replaces the 6.x fixup commands
-PIX/ASA Filtering Logic
–H-to-L sec level is inspected and tracked in state table
—inside to outside
–L-to-H sec level is permitted if an entry in the state table exists already
—outside to inside
—ACLs can be used to configure exceptions
–Traffic between interfaces of same security denied by default
—same-security-traffic permit {inter-interface | intra-interface}
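The filtering rules in this list (and the "PIX/ASA Filtering" notes from the earlier video) as a toy Python model, added here as an example and not Cisco code: the interface names, security levels and addresses are made up, the state table is a plain set, and ACLs are modelled only as the exceptions the notes describe.

```python
"""Toy model of the PIX/ASA 7.x default filtering logic described in the notes.

Added example, not a Cisco implementation: interface names, security levels
and addresses are constructed, and the state table is a plain set.
"""


class Firewall:
    def __init__(self, levels, inspect_icmp=False, inter=False, intra=False):
        self.levels = dict(levels)        # ifname -> security-level (0..100)
        self.inspect_icmp = inspect_icmp  # 'inspect icmp' present in global_policy
        self.inter = inter                # same-security-traffic permit inter-interface
        self.intra = intra                # same-security-traffic permit intra-interface
        self.conns = set()                # state table: (proto, src, sport, dst, dport)
        self.acls = {}                    # ingress ifname -> list of (proto, src, dst) permits

    def permit(self, ingress, proto, src, dst):
        """Add an ACL exception on the ingress interface ('any' wildcards allowed)."""
        self.acls.setdefault(ingress, []).append((proto, src, dst))

    def _acl_permits(self, ingress, proto, src, dst):
        return any(p in ("ip", proto) and s in ("any", src) and d in ("any", dst)
                   for p, s, d in self.acls.get(ingress, []))

    def packet(self, ingress, egress, proto, src, sport, dst, dport):
        """Decide one packet and update the state table; returns (verdict, reason).

        For ICMP pass the echo identifier as both sport and dport so a reply
        matches the request's entry, which is what icmp inspection tracks.
        """
        key = (proto, src, sport, dst, dport)
        reverse = (proto, dst, dport, src, sport)
        if key in self.conns or reverse in self.conns:
            return "permit", "existing conn"
        level_in, level_out = self.levels[ingress], self.levels[egress]
        if level_in == level_out:
            allowed = self.intra if ingress == egress else self.inter
            return ("permit" if allowed else "deny"), "same-security-traffic"
        if level_in > level_out:
            # Higher-to-lower is permitted; TCP/UDP (and ICMP only with
            # 'inspect icmp') get a conn entry that lets the reply back in.
            if proto in ("tcp", "udp") or (proto == "icmp" and self.inspect_icmp):
                self.conns.add(key)
            return "permit", "higher-to-lower"
        if self._acl_permits(ingress, proto, src, dst):
            self.conns.add(key)  # an ACL-permitted inbound flow is tracked too
            return "permit", "acl exception"
        return "deny", "lower-to-higher without conn"


if __name__ == "__main__":
    fw = Firewall({"inside": 100, "outside": 0})
    print(fw.packet("inside", "outside", "icmp", "150.1.5.5", 7, "150.1.2.2", 7))   # permit, goes out
    print(fw.packet("outside", "inside", "icmp", "150.1.2.2", 7, "150.1.5.5", 7))   # deny: no icmp conn
```

The ICMP case is the one to remember for the lab: without "inspect icmp" the echo request leaves but the reply is dropped as unsolicited lower-to-higher traffic, so pings from inside appear to fail. One caveat the model leaves out: on a real ASA, once an access-group is applied inbound on an interface, that ACL (with its implicit deny) decides everything entering that interface, higher-to-lower included; the model keeps the notes' simpler view of ACLs as exceptions to the level rule.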
-PIX/ASA 7.x interfaces
–Interfaces have no name or security level until you configure them; 7.x uses nameif and security-level under each interface (the 6.x global ’nameif … securityN’ lines are gone)
-Configuring PIX Interfaces
[R3]—[PIX]—[R6]
R3 e0/0 — e0 (o = outside) [PIX] (i = inside) e1 — R6 e0/0
host PIX
 policy-map global_policy
  class inspection_default
   inspect icmp
**This allows in-to-out ICMP testing: the echo request builds a conn entry so the reply is let back in**
 logg on
 logg con debug
 access-l OUTSIDE_IN ext deny ip any any
 access-gr OUTSIDE_IN in int outside
 %PIX-4-106023: Deny icmp src outside:x.x.x.x dst inside:x.x.x.x (type 8, code 0) by access-group “OUTSIDE_IN”
 show conn
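Added example, not from the video: a Python parser for %PIX-4-106023 deny messages like the one above, run over a constructed log sample, that flags any source denied to several distinct destination services (the usual first pass over an ACL-deny log once "logging on" is in place). The addresses, ports, ACL name and trailing hash values in the sample lines are assumptions, and the non-106023 line is there only to show it is skipped.

```python
"""Parse PIX/ASA %PIX-4-106023 ACL-deny syslog lines and flag sources probing many services.

Added example, not from the notes. The log lines below are constructed to match the
106023 message format; addresses, ports and the ACL name are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
%PIX-4-106023: Deny icmp src outside:150.1.6.6 dst inside:150.1.3.3 (type 8, code 0) by access-group "OUTSIDE_IN"
%PIX-4-106023: Deny tcp src outside:150.1.6.6/40123 dst inside:150.1.3.3/23 by access-group "OUTSIDE_IN"
%PIX-4-106023: Deny tcp src outside:150.1.6.6/40124 dst inside:150.1.3.3/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%PIX-4-106023: Deny udp src outside:150.1.6.6/5000 dst inside:150.1.3.3/161 by access-group "OUTSIDE_IN"
%PIX-6-302013: Built outbound TCP connection 12 for outside:150.1.6.6/23 (150.1.6.6/23) to inside:150.1.3.3/40000 (150.1.3.3/40000)
%PIX-4-106023: Deny tcp src outside:150.1.7.7/1234 dst inside:150.1.3.3/80 by access-group "OUTSIDE_IN"
"""

# 106023 carries src/dst as ifname:addr[/port]; ICMP has a (type N, code N) suffix instead of ports.
DENY_RE = re.compile(
    r'%(?:PIX|ASA)-4-106023: Deny (?P<proto>\S+)'
    r' src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"')


def parse_deny(line):
    """Return a dict for a 106023 line, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Normalise the service the source was after: L4 destination port, or ICMP type.
    d["service"] = f"{d['proto']}/{d['dport'] or d['type']}"
    return d


def deny_events(log):
    """All 106023 events in a log text, in order."""
    return [e for e in map(parse_deny, log.splitlines()) if e]


def scan_candidates(events, threshold=3):
    """Sources denied to at least `threshold` distinct (dst, service) targets."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add((e["dst"], e["service"]))
    return sorted(src for src, targets in seen.items() if len(targets) >= threshold)


if __name__ == "__main__":
    events = deny_events(SAMPLE_LOG)
    for e in events:
        print(e["src"], "->", e["dst"], e["service"], "denied by", e["acl"])
    print("probing sources:", scan_candidates(events))
```

The threshold is deliberately low for a six-line sample; on a real outside interface the same logic is what you would feed a longer window of 106023 events before deciding whether a source is scanning or just a misconfigured host retrying one port.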
Actual End Time: 3:00PM PST
COD Time: 1:05:00
I’ve patiently waited for this COD material for quite some time. You may or may not recall, but I purchased the IEWB-SC-VOL1 and IEWB-SC-VOL2 workbooks in 2006 to prepare for my lab attempt. I never bothered to obtain the video material back then since I felt I had enough knowledge from the TrinetNT bootcamp I attended earlier that year provided by Khawar.
Now that it has been almost 2 years since my security lab failure, I find myself wanting to sit through another bootcamp but don’t want to fork over the money to do so. The main reason for this is I just need a refresher on a few topics. If I wanted to I could just throw up some banners on my site and ask the vendor to send some material my way, but then I may be limited in what I say when reviewing the vendor’s products. I’d rather not bother with any of the hoopla.
To obtain the COD material I had to search near and far across the Internet. If you look really hard, it shouldn’t be too hard to find. I’ll say this, the material within the videos is outdated, but it serves its purpose of summarizing a few topics that I need to sharpen for my next attempt. Based on my score report for Security Lab v1:
| Section | Section Score |
|---|---|
| 1. Bridging and Switching | 75% |
| 2. IGP Routing | 75% |
| 3. PIX Firewall | 60% |
| 4. BGP | 50% |
| 5. IP/IOS Features | 50% |
| 6. AAA Authentication | 75% |
| 7. VPN | 60% |
| 8. IOS Firewall | 33% |
| 9. Network Attacks | 25% |
| 10. Intrusion Detection System - IDS | 0% |
I wasn’t far off on my attempt. Sections 1, 2, and 4 are no longer in the exam so I’ll have to make up the points elsewhere. Anyways, now I have a few new sections to deal with so here are my notes from the first video.
07/12/2008
Actual Start Time: 1:25PM PST
COD Time: 0:00:00
Introduction
-Lab Equipment & Software
–2600/3600/3700 Series Routers
—IOS 12.2T Ent/IPSec/FW/IPS
–Catalyst 3550
—IOS 12.2SEE
–Pix 500
—Pix OS 7.x
–ASA 5500
—Asa OS 7.x
–VPN3K
—Conc OS 4.7.x
—CLI & GUI
–IPS 4200
—IDS 5.x
—CLI & GUI
–ACS
—Windows 4.x
—Certificate Authority Support
-Lab Exam Blueprint v2.0
–PIX & ASA FW
—Management ACLs, NAT, Filtering, AAA, Virtual FWs, Failover, QoS
–IOS FW
—ACLs, Dynamic, Reflexive, CBAC, Auth Proxy
–VPN
—IPSec, SSL, CA, VPN3K, WEBVPN, EZVPN, vpnclient, GRE, QoS
–IPS
—4200, IOS IPS, PIX, IDS, SPAN, RSPAN
–Identity Mgmt
—AAA, RADIUS, TACACS, ACS, NAC, 802.1x
–Advanced Security
—Mitigation, Marking, RFCs, SP Sec, TCP Intercept, CAR, NBAR, Policing
–Network Attacks
—Recon, Spoof, DoS, MiM, DHCP, DNS, SYN, MAC, Smurf
Actual End Time: 1:45PM PST
COD Time: 1:20:00