Posts Tagged ‘Security’


The first portion of INE’s new CCIE Security Advanced Technologies Class for the 3.0 blueprint is now available in both streaming and download formats.  Subscribers to the All Access Pass already have access to this new course, and can upgrade to the download version for $159.  Non-subscribers can purchase the standalone download for $299, or subscribe to the AAP for just $159 per month.  Customers who have access to previous versions of the CCIE Security ATC will get access to the new streaming version at no extra charge.

The current release of the class contains the first 18 hours of videos.  New videos will be posted incrementally over the next few weeks, to bring the final runtime somewhere between 40 and 60 hours.  Specifically the following topics are covered in this first portion of the release:



Today’s challenge is drawn from the exciting area of CCNA Security. Enjoy. As always, you can find the answer in the comments area a day or two after the date of this post.

IINS-1: The CIA Triad defines the three primary purposes of network security: securing an organization’s data confidentiality, integrity, and availability. Define integrity as it is used in the CIA Triad. For bonus credit, give the term that some texts use for the A in CIA instead of Availability.

Answer: ______________________________________________________________________________

Bonus: _______________________



In this series of blog posts, we will examine WLAN security mechanisms in even greater detail than in our popular 5-Day CCNA Wireless course. We will begin with one that is now considered legacy due to major weaknesses that were quickly discovered in its implementation.

We Don't Need No Stinken' Wires!

This security mechanism receives the least coverage in the CCNA Wireless materials and exam because, as we stated, it is indeed considered legacy. The official title for this technology is Preshared Key Authentication with Wired Equivalent Privacy. This name tells us a lot. We are not really authenticating someone with this approach; we are only verifying that they possess a piece of information, the preshared key (password). Notice that the Wired Equivalent Privacy portion of the name tells us the creators of the technology were really trying to sell it to WLAN designers and implementers!




A big shout out to all the students in the Raleigh Security CCIE bootcamp last week. I had a blast! Thank you for all your hard work, as well as the after hours discussions about the unknown, and why people feel they know it. :)

I promised a few blog posts related to security over the next few weeks, and this one is regarding Certificate-based ACLs.

This blog may also serve as a review on how to configure the CA clients so that their certificates contain various fields and values, such as subject-name.

Let’s use this diagram for the backdrop of our discussion:

[Diagram: three routers in a row, R1, R2 and R3]

R2 will be the NTP and CA server, with R1 and R3 as IPSec VPN peers. (Remember, with certificates we really do need time to be on “our side”.) :)

R1’s configuration for the trustpoint is as follows:

crypto pki trustpoint R2
enrollment url
subject-name cn=R1,ou=ccsp,o=ine,st=NV,c=US
revocation-check none




I just returned from an awesome Security bootcamp in Raleigh, and am looking forward to more there in the future. Core knowledge is still alive and well in the Security LAB exam, as well as troubleshooting, which is integrated as part of the configuration section.

Oftentimes, what seem like complex network troubleshooting scenarios are caused by overlooking simple, fundamental components of the technology. Join me on Tuesday, June 8th as we discuss developing the Tier 1 knowledge you need for the CCIE Security LAB, as well as a strategy you can use to continually build your base of knowledge as you prepare for your CCIE certification.

This v-Seminar is open to the public, and will be held online at

(U.S.A. – Pacific) Tuesday, June 8, 2010 at 11:00 AM PDT (UTC-7)
(UTC) Tuesday, June 8, 2010 at 18:00

To sign up for v-Seminars, click here, and select the link for Free v-Seminars.

To join the meeting listed above, click here now.

See you soon!



In a recent post here on the INE blog, we received some follow-up questions similar to the following:

“Why do IPSec peers end up using tunnel mode, even though we had explicitly configured transport mode in the IPSec transform-set?”

It is an excellent question, and here is the answer. In a site-to-site IPSec tunnel, the “mode transport” setting is only honored when the traffic to be protected (traffic matching the crypto ACLs) has the same IP addresses as the IPSec peers and excludes all other IP addresses. When the crypto ACLs include IP addresses beyond the two peer endpoints, the “mode transport” setting is ignored and tunnel mode is negotiated, because addresses other than those of the two peers are part of the crypto ACL. There is also an option to add the keyword “require” after “mode transport”, which prevents the peers from negotiating tunnel mode; in that case, if the IP addresses in the crypto ACLs fall outside the peers’ own IP addresses, IKE phase 2 will not complete successfully.

One notable exception to this is GET VPN, where the group members use whichever mode (tunnel or transport) the KS has configured in its policy, regardless of the IP addresses used in the KS policy ACL.

Below is a site-to-site example. Let’s use the following topology, with R1 and R3 as peers, and a crypto ACL that says to encrypt all ICMP traffic regardless of the IP addresses. This crypto ACL will cause our peers to ignore the mode transport option and negotiate tunnel mode.

[Diagram: three routers in a row, R1, R2 and R3]

Below are the full configs, some debug output, and show commands demonstrating that even with transport mode explicitly configured in the transform sets, if the crypto ACLs do not exclusively cover the endpoints of the VPN tunnel, the two peers negotiate tunnel mode instead of transport mode. Note that the crypto ACL includes all ICMP from any source to any destination.

First, here is R1:



The two engineers, as they grabbed a quick lunch, looked over the following diagram.

[Diagram: three routers in a row with a GRE tunnel between R1 and R3]

The network uses GRE. The routing in place uses the tunnel interfaces to reach the remote networks of and The IPSec policy is to encrypt all GRE traffic between R1 and R3. R1 and R3 peer with each other using loopback 11 and loopback 33 respectively.

The technicians considered the traffic pattern if a host on the network sent a packet to a device on the network.

Then they reviewed the configurations (below) and discussed them. Based on what they saw, they just couldn’t fully agree with each other on the following questions:

1. How many IP headers would be in each packet?
2. What would the source and destination address of each IP header be?
3. What order would the IP headers be in (beginning with the outside header)?
4. Would IPSec be using transport or tunnel mode?
5. Would this be called IPSec over GRE, GRE over IPSec, or something else (like “nightmare”)?

So they called for the expert, YOU, to assist in these questions.

Are you up to the challenge? Answering even one of them will be appreciated, so take a moment now and GO FOR IT!

Post your ideas, and we will put all the people who post ideas into a virtual hat, and draw a winner to receive 100 rack tokens to our preferred lab gear provider, graded labs. Please have your posts in by



We are excited to announce that for the first time INE is traveling to Nigeria! In partnership with New Horizons, INE will be offering two classes in Lagos, Nigeria. We will be offering both our CCIE Routing & Switching Advanced Technologies Class and our CCIE Security Advanced Technologies Class. These classes will be held in New Horizons Training centers.

Both classes will be held from May 3-7, 2010. Both classes will be tentatively held May 24 – 28, 2010.

For additional information on classes held in Nigeria:


Class/Sales Information

Mr. Oluwaseyi Ojo

Class/Information Hotlines:

Seyi: 234-7030160944 or Edward: 234-8073809974

New Horizons Nigeria General:

234-1-7901013 or 234-1-8976386

INE is looking forward to providing training in a new location! For more information on the Advanced Technologies Class please visit our website.

Routing & Switching Advanced Technologies Class

Security Advanced Technologies Class



In a word, “Way to GO” (without the spaces, that would be one word :) ). I am impressed at all the feedback and ideas we received regarding the IKE phase 1 riddle we posed last week. You can read the original post here. Ideas were creative and varied.

As one of our INE Instructors says, “If there are 2 different ways to configure something, as a CCIE candidate, you had better be prepared to know all 3.” If you would like to see “a solution”, read on.



One of our students asked me for a concise example of SNMPv3. James, here you go! This blog has examples and explanations of the features used in SNMPv3.
Older versions of SNMP did not provide all the features of SNMPv3. Version 3 supports a User-based Security Model (USM) for authentication and a View-based Access Control Model (VACM) to control what that user account may access. Of course, the user accounts do not represent end users; they are just configuration elements we define on the SNMP devices, primarily for establishing the connection to or from the SNMP device.

With version 3 we may use the following methods:

  1. noAuthNoPriv: requires username, but no MD5 validation of that user, and no encryption
  2. authNoPriv: requires username, provides MD5 validation, but no encryption
  3. authPriv: You guessed it. Requires a username, uses MD5 validation, and encrypts too.


