Catalyst switch port security is so often recommended. This is because of a couple of important points: there are many attacks that are simple to carry out at Layer 2; there tends to be a gross lack of security at Layer 2; Port Security can guard against so many different types of attacks, such as MAC flooding, MAC spoofing, and rogue DHCP and APs, just to name a few. I find when it comes to port security, however, many students cannot seem to remember two main points: What in the world is Sticky... Read More
In this series of blog posts, we will examine WLAN security mechanisms in even greater detail than in our popular 5-Day CCNA Wireless course. We will begin with one that is now considered legacy due to major weaknesses that were quickly discovered in its implementation. This security mechanism receives the least coverage in the CCNA Wireless materials and exam, because, as we stated, it is indeed considered legacy. The official title for this technology is Preshared Key Authentication with... Read More
A big shout out to all the students in the Raleigh Security CCIE bootcamp last week.   I had a blast!   Thank you for all your hard work, as well as the after hours discussions about the unknown, and why people feel they know it.  :) I promised a few blog posts related to security over the next few weeks, and this one is regarding Certificate-based ACLs. This blog may also serve as a review on how to configure the CA clients so that their certificates contain various fields and values, such as... Read More
In a recent post here on the INE blog, we received some follow-up questions similar to the following: "Why do IPSec peers end up using tunnel mode, even though we had explicitly configured transport mode in the IPSec transform-set?" It is an excellent question, and here is the answer.   In a site to site IPSec tunnel the "mode transport"  setting is only used when the traffic to be protected (traffic matching the Crypto ACLs) has the same IP addresses as the IPSec peers, and excludes all other... Read More
The two engineers, as they grabbed a quick lunch, looked over the following diagram. The network is GRE.   The routing in place, uses the tunnel interfaces to reach the remote networks of and   The IPSec policy is to encrypt all GRE traffic between R1 and R3.  R1 and R3 are peering with each other using loopback 11 and loopback 33 respectively. The technicians considered the traffic pattern if a host on the network sent a packet to a device on the... Read More
We are excited to announce that for the first time INE is traveling to Nigeria! In partnership with New Horizons, INE will be offering two classes in Lagos, Nigeria. We will be offering both our CCIE Routing & Switching Advanced Technologies Class and our CCIE Security Advanced Technologies Class. These classes will be held in New Horizons Training centers. Read More
In a word, "Way to GO" (without the spaces, that would be one word :) ). I am impressed at all the feedback and ideas we received regarding the IKE phase 1 riddle we posed last week. You can read the original post here. Ideas were creative and varied. As one of our INE Instructors says, "If there are 2 different ways to configure something, as a CCIE candidate, you had better be prepared to know all 3". If you would like to see "a solution", read on. Read More
One of our students asked me for a concise example of SNMPv3. James, here you go!  This blog has examples and explanations of the features used in SNMPv3. Older versions of SNMP didn’t provide all the features of SNMPv3. V3 supports a User-based Security Model (USM) for authentication, and a View-based Access Control Model (VACM) to control what that user account may access.  Of course the user accounts don't represent end users, they are just the configuration elements we configure on the SNMP... Read More
Bob took a moment to reflect back, and realize how far he had come over the past several months. He smiled to himself as he remembered how much he had learned about the technologies of DMVPN, the ASA Firewall and IPSec, including GET VPN. He had also improved his skills in MPLS, Multi-Protocol BGP, IOS IPS, EEM, and many other areas by using the sweet blog articles at INE. (Shameless Plug :) ). One Monday morning, as he was feeling refreshed from a rare weekend of no support calls, he was... Read More
Last week I had the opportunity to spend time with several CCIE security candidates in Texas, and had a blast. One of the questions that came up was regarding ARP inspection on the ASA in transparent mode. This topic comes up a lot, so I wanted to share it with y'all :)  in this blog. Here is the diagram we can work with: ARP inspection on the ASA in transparent mode, is really very simple. The intent is to stop attackers from spoofing the L2 address of another host, such as a default gateway... Read More
