Monday, December 7, 2009

IPSec Source for the Written/Lab Exam

It is my 3rd time reading the IPSec chapter, and each time I'm learning some new details. One day I'll go through the whole book, although some of the chapters are a bit outdated. The link to the book:

http://www.amazon.com/Security-Principles-Practices-Professional-Development/dp/1587050250

Also, I had the privilege of attending a recorded session from 2008 Networkers named "Advanced Topics in Encryption Standards and Protocols".

Both of them are highly recommended.

Thursday, December 3, 2009

CCIE Security Written Exam, tracking my progress

I'm preparing for this exam, and I've decided to share a spreadsheet in which I'm tracking my progress and noting the source that I'm using for each specific topic.

You can check my spreadsheet here:

http://spreadsheets.google.com/pub?key=tSdRewJTdEco1FVg2EgJznA&output=html

The plan is to take the exam in 30-45 days from now.

Recently I read some good comments on this exam on the IP Expert blog:

http://blog.ipexpert.com/2009/11/30/ccie-security-written-overview/

Wednesday, November 4, 2009

Ethical Hacking interest

I've started to prepare for the Written Exam. I've compared the blueprint with what I've read in the past for the CCSP exams, and it seems like I'll repeat 75% of the material. I'll have another post on it, and I'll share the spreadsheet with all the resources that I've used for all the topics.

But I got lazy 2 weeks ago. I've been interested in ethical hacking for 2 years, and I came across this book: Penetration Testing and Network Defense, by Andrew Whitaker and Daniel P. Newman. Very nice, fast read. (There are many screenshots, so don't be afraid of the size of the book when you first open it.) There are some tools and techniques that I hadn't heard of before. Recommended if you're interested in the "other" side of Security. If you're planning to become an ethical hacker, you need to look into more serious sources. For example, the material for Certified Ethical Hacker will have more than this book.

It took me 2 weeks, spending 2-3 hours per day on it.

CCSP ASA exams

2 months ago I got my CCSP; the last 2 exams were the ASA ones. Materials that I've used:

  1. Cisco Firewall Mentor Video lessons by David Hucaby
  2. Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance, by Jazib Frahim
  3. CCSP SNAF Quick Reference, by Andrew Mason
  4. CCSP SNAA Quick Reference, by Ryan Lindfield
  5. CCIE Professional Development Series Network Security Technologies and Solutions, by Yusuf Bhaiji
  6. Demo Version of ASDM version 6.0.3 - There are several scenarios and different setups. It is a demo, but it helped me to become more familiar with the ASDM. In SNAF there are many ASDM questions.

Good Luck on the exams!

Improve knowledge in Cryptography

I would like to share resources that I used to improve my knowledge in cryptography. There are a bunch of resources out there; below is the list that I used:

  1. Wikipedia - Probably all of us use it today. I've used it to get a high-level overview of the protocols.
  2. Video Lectures from University in Washington - http://www.cs.washington.edu/education/courses/csep590/06wi/ - Those guys are incredible. I wish all of my teachers in the past were like them. I started to do the homework and then stopped on the 2nd lesson. Too tough for me.
  3. The Code Book from Simon Singh, and his website http://www.simonsingh.net - You can download the Crypto CD-ROM for free from there. I consider myself pretty old for that CD, but I spent hours trying to break those codes there.
  4. Cryptography and Network Security Principles and Practices, Fourth Edition, by William Stallings - I loved it. It took me 45-50 days to get through it, but I enjoyed every second spent on it. All those protocols that you'll find in the blueprint are explained in detail here.

It took me 3 months, but now I feel much more comfortable with all those protocols. It was time well spent.

Monday, May 18, 2009

Configuring GRE Tunnels

This looks quite simple. All we need to do is configure a tunnel interface and point a route to the destination network with the tunnel interface as the gateway. We are using the same topology as for the PKI deployment, and the same config-u files to start.

interface Tunnel0
 ip address 172.31.1.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 172.30.6.2

ip route 10.10.3.0 255.255.255.0 Tunnel0

From now on, I'll include simple captures in the zip file.

You can get the files from here:

http://sites.google.com/site/cciesecurityattempt/Home/vpn-gre.zip

Update:

I have made a capture of an HTTP connection between the routers, where you can clearly see GRE in action. The filename is http.cap, and the screenshot is named http-cap.png. Check the source and destination IP addresses before encapsulation and after the GRE encapsulation. I have also played a bit with the tunnel interfaces. I changed the IP address of the tun0 interface of router A to 169.254.254.254/24 and left the same IP address on router D, and the tunnel was still working. If you remove the IP address of the tun0 interface, you'll not be able to bring up the tunnel.

Conclusion: The tunnel interfaces must have an IP address assigned, but they don't have to be in the same subnet in order for the tunnel to be brought up.

Thursday, May 14, 2009

Summary of all PUBLIC IP addresses

Recently we had to allow all public IP addresses through a Cisco FWSM. I was googling for the list, but I wasn't able to find it. It took me approximately 2 hours to compile that list, and I decided to share it. Hopefully someone out there will find it useful. Here is the list. Feel free to copy and paste it.

network-object 1.0.0.0 255.0.0.0
network-object 2.0.0.0 254.0.0.0
network-object 4.0.0.0 252.0.0.0
network-object 8.0.0.0 254.0.0.0
network-object 11.0.0.0 255.0.0.0
network-object 12.0.0.0 252.0.0.0
network-object 16.0.0.0 240.0.0.0
network-object 32.0.0.0 224.0.0.0
network-object 64.0.0.0 192.0.0.0
network-object 128.0.0.0 224.0.0.0
network-object 160.0.0.0 248.0.0.0
network-object 168.0.0.0 252.0.0.0
network-object 172.0.0.0 255.240.0.0
network-object 172.32.0.0 255.224.0.0
network-object 172.64.0.0 255.192.0.0
network-object 172.128.0.0 255.128.0.0
network-object 173.0.0.0 255.0.0.0
network-object 174.0.0.0 254.0.0.0
network-object 176.0.0.0 240.0.0.0
network-object 192.0.0.0 255.128.0.0
network-object 192.128.0.0 255.224.0.0
network-object 192.160.0.0 255.248.0.0
network-object 192.169.0.0 255.255.0.0
network-object 192.170.0.0 255.254.0.0
network-object 192.172.0.0 255.252.0.0
network-object 192.176.0.0 255.240.0.0
network-object 192.192.0.0 255.192.0.0
network-object 193.0.0.0 255.0.0.0
network-object 194.0.0.0 254.0.0.0
network-object 196.0.0.0 252.0.0.0
network-object 200.0.0.0 248.0.0.0
network-object 208.0.0.0 240.0.0.0

Note: The ranges excluded from the list are: 0.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3. If you decide to include 0.0.0.0/8 in the list, you'll save 2 lines by summarizing: 0.0.0.0/5.

Depending on your needs, you may want to consider bogons (http://www.cymru.com/Documents/bogon-bn-agg.txt), but then this list will become much bigger.
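
An added example, not part of the original post: the Python below recomputes the object-group from the excluded ranges in the note, so the list can be regenerated and checked instead of compiled by hand. It also reports which special-use ranges the list still permits; the `SPECIAL_USE` entries and all function names are assumptions chosen for this example.

```python
import ipaddress

# Ranges the post says it left out of the object-group.
EXCLUDED = ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "224.0.0.0/3"]

# Special-use ranges the post does not exclude (loopback, link-local).
# Chosen here for illustration; they are not listed in the post.
SPECIAL_USE = ["127.0.0.0/8", "169.254.0.0/16"]


def complement(excluded):
    """Minimal sorted CIDR list covering all of IPv4 except `excluded`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for cidr in excluded:
        hole = ipaddress.ip_network(cidr)
        kept = []
        for net in remaining:
            if hole.subnet_of(net):
                # Split `net` around the hole (yields nothing if equal).
                kept.extend(net.address_exclude(hole))
            elif not net.subnet_of(hole):
                kept.append(net)  # disjoint from the hole, keep as is
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def network_objects(nets):
    """Render networks as FWSM/ASA object-group lines."""
    return [f"network-object {n.network_address} {n.netmask}" for n in nets]


def still_permitted(candidates, nets):
    """Return the candidate ranges that the permit list still covers."""
    hits = []
    for cidr in candidates:
        c = ipaddress.ip_network(cidr)
        if any(c.subnet_of(n) for n in nets):
            hits.append(cidr)
    return hits


if __name__ == "__main__":
    allowed = complement(EXCLUDED)
    print("\n".join(network_objects(allowed)))
    print("still permitted:", still_permitted(SPECIAL_USE, allowed))
```

Passing `EXCLUDED[1:]` (that is, keeping 0.0.0.0/8 in the list) produces the shorter variant from the note, starting with `network-object 0.0.0.0 248.0.0.0`.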