RE: security portion of the ccie lab

From: Victor Cappuccio (vcappuccio@desca.com)
Date: Sun Jan 21 2007 - 22:09:27 ART


Hi Sergey, many thanks for the information. Just one question, since
over-configuration is not penalized:

What about over-configuring something like this?

@ R1:

R1#clock set 00:00:00 1 Jan 2000
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ntp master 1
R1(config)#ntp authentication-key 1 md5 CISCO

********** over configuration added ***************
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 CISCO
R1(config)#ntp trusted-key 1

@ R2:

R2#clock set 00:00:00 1 Jan 2000
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ntp authenticate
R2(config)#ntp authentication-key 1 md5 CISCO
R2(config)#ntp trusted-key 1
R2(config)#ntp server 12.0.0.1 key 1

Many thanks for your replies
Victor.-

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sergey Golovanov
Sent: Saturday, January 20, 2007 3:01 AM
To: secondie; Jeffrey Fry
Subject: Re: security portion of the ccie lab

I would disagree with that statement!! I always tell my students, if you
configure something extra, and that configuration wasn't explicitly
prohibited... then you won't lose any points!!!

Example. You are asked to setup BGP between two peers. You setup BGP
peers with MD5 password. They didn't ask you to configure secure BGP
sessions. And they didn't tell you not to configure them. You will not
lose your points.

As long as you achieve the task "correctly", you are ok.

Anyone else have thoughts on this?

--------------------------------------------------------------------
Sergey Golovanov, CCIEx5 (R&S/Security/Voice/Service Provider/Storage)
"Please, don't ask me for my ccie #, there are reasons why I can't
release it"
ieMentor Instructor and Content Developer
sergey.golovanov@iementor.com
http://www.iementor.com

> -------Original Message-------
> From: secondie <secondie@gmail.com>
> Subject: Re: security portion of the ccie lab
> Sent: Jan 19 '07 23:14
>
> Good for troubleshooting but you can lose points if you leave the deny
> there. Unless requirements say log the denied traffic, I would not it.
>
> -Manjeet
>
> Jeffrey Fry wrote:
> > One piece of advice is that the last line in your ACL should be:
> >
> > Access-list x Deny any any log
> >
> > The Log command will allow you to see what is hitting the DENY
> > statement. This way you can make sure that what you want is being
> > denied, and if something is getting through, you will see it.
> >
> > Just my .02 cents.
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Robert Watson
> > Sent: Friday, January 19, 2007 4:11 PM
> > To: 'Michael Zuo'; ccielab@groupstudy.com
> > Subject: RE: security portion of the ccie lab
> >
> > Sometimes it's not a ripple out effect but a reverse ripple, heh is that a
> > new term. Where enabling an acl but forgetting to add in that permit
> > because of a previous requirement, or enabling aaa but forgetting to add
> > the login default or login line portion so that console and telnet access
> > doesn't change. Or port security but forgetting the hsrp mac address.
> > Security and qos to me is one of the holistic approach if I configure
> > this what happens to all the other requirements.
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Michael Zuo
> > Sent: Friday, January 19, 2007 12:41 PM
> > To: ccielab@groupstudy.com
> > Subject: security portion of the ccie lab
> >
> > Hi Group,
> >
> >
> >
> > I need some advice on how to approach the security portion of the lab
> > (tricks, lessons and words of wisdom are also appreciated). I think I
> > have a fairly good understanding of various security features and how
> > they work and ACLs are never a problem when I do practice exams from
> > different vendors. But my exam score is 33% even though I did not
> > encounter any difficulties in that section (I didn't even have to look
> > at the Docs). Also, security section of the exam is not like the core
> > topics where one mistake can ripple throughout the setup, so my problem
> > most likely is not something I missed in one section and affected
> > everything else. I am scratching my head trying to figure out what the
> > problem could be? Because I know covering the same topics in my studies
> > will not give me more points if I don't approach it differently.
> >
> >
> >
> >
> >
> > Any thoughts?
> >
> >
> >
> > Thanks a lot
> >
> >



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART