Tuesday, June 22, 2010

Passed CCNA Security 640-553

I just passed the CCNA Security 640-553.

Obviously I can't go into the specifics - but it's worth mentioning some highlights.

Lots on Zone Based Firewalls (being able to interpret zone-pairs -> policies -> class maps)

Layer 2 port security

Intimate understanding of how Phase 1 / 2 works in IPSEC. You should be able to teach this to a layman.

I had a couple questions on SSL VPNs (not sure if they were 'future' questions).

I used the Sybex study guide along with Jeremy's CBT videos.

Good Luck

Sunday, June 13, 2010

Subnetting - Memory Dump Cheat Sheet

There are times when a subnet calculator may not be available: during the apocalypse, and during your CCNA exam.

So if, during an apocalypse, you decide that you need to be able to subnet, you only need to remember how to create this cheat sheet. Using this table you can ultimately solve all subnetting problems.
Bits (borrowed)   2^n (hosts/networks)   Interval   Mask
      1                    2               128       128
      2                    4                64       192
      3                    8                32       224
      4                   16                16       240
      5                   32                 8       248
      6                   64                 4       252
      7                  128                 2       254
      8                  256                 1       255


Remembering how to create this table is not as hard as it looks. First you must remember the columns: Bits (borrowed), 2^n (hosts/networks), Interval, and Mask.



Then you must fill in the Bits column, starting from 1 to 8 bits (per octet).

Then you can fill in the 2^n (hosts/networks) column by simply doing the math: 2 raised to the power given in the Bits (borrowed) column of that row.

The next part is a little tricky. You simply rewrite the 2^n (hosts/networks) column into the Interval column in reverse order, but skip 256, because an interval of 256 would mean the whole octet. Think about what you're doing: is an interval of 256 valid inside one octet? No, so skip it.

Lastly, for the mask column - sum the intervals up as you go.

Now why do all this?

If you know what the mask is you can determine what the interval is. For example: 10.11.12.13 255.255.248.0

We can match 248 to the interval 8 in the third octet. Using this interval we can find the IP range. The nearest lower multiple of 8 in the third octet from 12 is 8, so the network address is 10.11.8.0. The next network address is one interval of 8 later in the third octet, so the next network address is 10.11.16.0. The broadcast address is then 1 less, 10.11.15.255. Knowing both the network and broadcast address we can determine the IP range as 10.11.8.1 - 10.11.15.254.

If we were to use CIDR notation, 10.11.12.13/21, we can determine how many bits have been borrowed: 8 (first octet) + 8 (second octet) + 5 (third octet). Using the table we match 5 bits borrowed to the interval 8 and continue as we did before.

Lastly, we can solve problems like how many hosts or how many networks we have. 150.160.170.180/20 is a class B address. On top of the 16 bits associated with class B we have borrowed an additional 4 bits. The formula for networks is 2^n, so we find 4 in the Bits (borrowed) column and read 16 from the 2^n column: we can have 16 subnets. We have 12 of the 32 bits left for hosts. To determine our hosts we use the formula 2^n - 2, but our table is not big enough. We simply extend it by doubling until it is big enough.

Bits (borrowed)   2^n (hosts/networks)   Interval   Mask
      1                    2               128       128
      2                    4                64       192
      3                    8                32       224
      4                   16                16       240
      5                   32                 8       248
      6                   64                 4       252
      7                  128                 2       254
      8                  256                 1       255
      9                  512
     10                 1024
     11                 2048
     12                 4096

And now we know that we can support 4094 hosts in each subnet.

This is a tool that you can easily use during the CCNA as you can write it down on the provided paper as soon as you start your test.

Hopefully you find this helpful - let me know if you have any questions.

Saturday, May 1, 2010

Webpage Mirage

Imagine that you have a domain (some_domain.com) and want another domain (some_other_domain.com) to point to the same files. There are a number of ways to do this if you are running your own servers, but if you are using a hosting provider most options are not available to you, or only at an extra cost.

A few months back I came across a rather unusual solution. I asked my hosting provider to implement this for me, and what they did is the following.

<html>
<frameset border="0">
<frame src="http://some_domain.com">
</frameset>
</html>



The result of this is when you go to some_other_domain.com, you will get the above html file, which contains a full screen frame that is actually some_domain.com. In most cases, the important thing here is the address bar. The address bar will reflect some_other_domain.com.

Essentially there is a mirage that you are on one domain, when the content is really coming from another domain.

I recently came across another use for this workaround. I have several files and links that are helpful in pursuing a CCNA. Directory browsing works great for the files. If I delete a file or add a new file, the change will be reflected to the user when they next browse the directory. The problem, then, is links. A Windows shortcut will not work directly from directory browsing; the user would have to download it to their computer and then open it as a Windows shortcut, which also limits it to the Windows platform. So I came up with what I thought was a clever little solution.

I created a very simple html file that simply redirected you to the desired destination - the user would never even realize it happened.


<html xmlns="http://www.w3.org/1999/xhtml">
<head>

<title></title>
</head>
<body>
Redirecting to <a href="http://www.securecottage.com/demo/rsa2.html">http://www.securecottage.com/demo/rsa2.html</a>
</body>
<script type="text/javascript">
window.location = 'http://www.securecottage.com/demo/rsa2.html';
</script>
</html>



This worked great until one of my peers told me that the back button didn't work. Moments later it clicked: of course back doesn't work, back brings you back to this page, which then redirects you to the originally-desired page. Ever had to fight with the back button? This is usually why!

While I know I could write some JavaScript that would solve this problem, I decided to use the mirage approach. So the above is now:


<html>
<FRAMESET border='0'>
<FRAME SRC='http://www.securecottage.com/demo/rsa2.html'>
</FRAMESET>
</html>


There is a drawback here though: now it appears that my domain is hosting the above page when it really isn't (judging by the address bar alone). But given that I am just looking for a simple solution for a link, this does it, solves the back button problem, and even has fewer lines of HTML.

Sunday, March 14, 2010

Server 2003 FTP to SSH

I recently found myself needing to set up an FTP server on my MS Server 2003 back home. No big deal, right?

I knew FTP required 2 ports, 21 and 20. I am using RRAS (Routing and Remote Access Server[Service]), and had opened up ports before, no big deal.

So I opened the ports and was able to open a connection. SUCCESS! Then I entered ls to list out the contents of the directory, and FAILURE! After too long (way too long) on Google, I learned that there are two modes, passive and active. In active, the server tries to open the data connection with the client (http://slacksite.com/other/ftp.html). Of course NAT is going to frown on that, so passive dominates. In passive the client chooses a server port >1023 and initiates with the server. This got me really confused, because I thought it was going to be port 20. I really don't want to open up a big range of ports (>1023) for FTP.
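As an added example (not code from the post), the Python below decodes the two messages that carry the FTP data port: the client's PORT command in active mode and the server's 227 PASV reply in passive mode. It shows which side picks the data port, why a server-side firewall has to allow the passive port inbound, and flags the common NAT problem where a server advertises a private address in its PASV reply. The sample messages and addresses are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 is the encoding used by both the PORT command and the 227 reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def _decode(fields):
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2      # port is p1*256 + p2

def parse_pasv(reply):
    """Passive mode: the server answers PASV with the address and port it listens on."""
    m = _HOSTPORT.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("malformed PASV reply: " + reply.strip())
    return _decode(m.groups())

def parse_port(command):
    """Active mode: the client sends PORT with the address and port it listens on."""
    m = _HOSTPORT.search(command)
    if not command.upper().startswith("PORT") or not m:
        raise ValueError("malformed PORT command: " + command.strip())
    return _decode(m.groups())

def data_connection(mode, server_public_ip, message):
    """Who opens the data connection, and what the server-side firewall must allow."""
    if mode not in ("active", "passive"):
        raise ValueError("mode must be 'active' or 'passive'")
    if mode == "active":
        host, port = parse_port(message)
        # the server connects *out* from tcp/20 to the client; NAT in front of the
        # client blocks that unsolicited inbound connection, so active mode fails there
        return {"initiator": "server", "server_port": 20, "remote": (host, port),
                "server_inbound_rule": None, "address_mismatch": False}
    host, port = parse_pasv(message)
    # the client connects *in* to the server-chosen high port, so that port must be
    # open inbound; a server behind NAT often advertises its private address here,
    # which the client cannot reach, so compare it with the server's public address
    return {"initiator": "client", "server_port": port, "remote": None,
            "server_inbound_rule": f"tcp/{port}",
            "address_mismatch": host != server_public_ip}
```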

In the end, I decided FTP's model of 2 ports doesn't work for me and went with SSH, minutes later I was up and running.

So I installed http://www.freesshd.com/ on my server. Using the GUI I was able to start the service, add a user, and choose my directory. In RRAS I closed my ftp ports and opened 22 for SSH. And voila!

For a client I was using FileZilla for FTP and "knew" it wouldn't work with SSH, but tried it anyway. It worked!

Curious, I even found a web shell, http://www.anyclient.com, which will allow me to SSH into my files without having to install a client (Java based). Keep in mind that using a web shell like this defeats the security part of SSH. Your password is transmitted to anyclient.com in clear text before it even touches SSH.

In the end, I am very disappointed with FTP and very impressed with SSH. I was even more impressed by the FTP clients that allow me to use SSH as if it were FTP.

I hope that this helps someone.