Security, Anyone?

Grey Hat Developer

13 April 2019

You’ve passed the CCNA Routing & Switching exam and if you’re an InfoSec cat like us, you’re still hungry for more. Hence, your desire to obtain the CCNA-Sec certification. I’ve been in your shoes and one of the ironic things I came to realize while I was prepping for the exam was the lack of “free” information available on the web. I even sought out advice and info from various communities on Twitter regarding the exam with such hashtags as #infosec, #ccnasec, etc. To my surprise all I received was birds chirping in response. So in order to help anyone else from being in the grave position that I’d found myself in, I’ve decided to put together a series of blog posts covering the CCNA-Sec exam and what you’ll want to master before taking it. (I realize that there are currently more people in my circle that are aiming for the Routing & Switching exam. I do intend to cover that exam also in the future. However, given the circumstances I feel the CCNA-Sec topic to be of utmost importance).

The topics that I’ll wax on will not be in any specific order. Why not? I’ve chosen not to categorize or order them simply because they are not going to be presented to you in exam mode in any particular order or category. Nor will they be presented to you like this in life. They just happen and you, my friend, are expected to know them. So, let’s get into ’em.

Configuring a static point-to-point virtual tunnel interface (VTI). Before we go there, first let me say this. You will not be expected to dive into configuration mode on a simulated device and tackle this. Go ahead, you can breathe now. But you will be expected to identify the command you’d use to do this and also when you’d use it. What do I mean? Well, as you know, there are five major steps to follow when configuring a Cisco IOS CLI-based site-to-site IPsec VPN, and I’ve put those below in bold. Let’s have a look at them.

Step 1: Ensure that all Access Control Lists in the IPsec VPN network path are compatible.

Step 2: Configure an ISAKMP policy.

Step 3: Define the IPsec transform set.

Step 4: Create a crypto ACL.

Step 5: Create and apply a crypto map.

Given the steps involved in configuring a static PTP VTI, the “when” you’ll need to know is Step 3, even though it’s listed as “define” as opposed to “configure”. The command that you’ll need to be able to identify is this: crypto ipsec transform-set.

Thus, if your senior engineer asked you to configure a static point-to-point VTI using 128-bit encryption, upon first hearing this you may look at him crazy, like what the heck! On the other hand, since you’re a CCNA-Sec certificate holder who actually knows their ish’, you’d drop into configuration mode and issue the following command: crypto ipsec transform-set set1 esp-aes esp-sha-hmac.

Let’s go over this. The syntax of the command is crypto ipsec transform-set transform-name transform1 [transform2] [transform3] [transform4], where up to four transforms can be specified in an IP Security transform set. These four are one Encapsulation Security Payload (ESP) authentication transform, one Authentication Header (AH) transform, one ESP encryption transform, and one IP compression transform. If we break down the above command we get one ESP encryption transform (esp-aes) and one ESP authentication transform (esp-sha-hmac). Furthermore, an AH transform and an IP compression transform could also be specified. There are quite a few keywords that can be used to specify the ESP encryption transform, like so:

  • esp-aes
  • esp-aes 192
  • esp-aes 256
  • esp-des
  • esp-3des
  • esp-seal
  • esp-null

When the esp-aes keyword is issued without additional parameters, the 128-bit Advanced Encryption Standard (AES) encryption algorithm is used. When the esp-aes 192 or esp-aes 256 keyword is issued, 192-bit AES or 256-bit AES is used, respectively.
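To put the transform-set command in context, here is an added IOS configuration walking through the five steps above, ending with the same transform set bound to a static point-to-point VTI. This is my own example, not from the original post; the peer addresses, subnets and pre-shared key are constructed placeholders, and the AH/ACL keywords beyond the post come from standard IOS syntax.

```cisco
! Step 1: interface ACLs in the path must permit IKE (UDP 500/4500) and ESP (IP proto 50)
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
!
! Step 2: ISAKMP (IKE phase 1) policy and pre-shared key for the peer
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.2
!
! Step 3: the command from the post: 128-bit AES for ESP encryption, SHA-1 HMAC for ESP authentication
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
 mode tunnel
!
! Step 4: crypto ACL selecting the traffic that must be protected
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Step 5: crypto map tying peer, transform set and crypto ACL together, applied on the WAN interface
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set set1
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPNMAP
!
! Static point-to-point VTI alternative: the same transform set reaches the tunnel through an
! IPsec profile; routing over Tunnel0 decides what gets encrypted, so no crypto ACL is needed
crypto ipsec profile VTI-PROF
 set transform-set set1
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
```

Verify the result with show crypto isakmp sa and show crypto ipsec sa; a missing entry there usually points back to Step 1 (a blocked IKE or ESP flow) rather than to the transform set.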

In closing, I’d like to point out that I will not be covering all the topics that you’d normally encounter in your typical CCNA-Sec preparation course. One, because this is not your typical course. Two, because my aim is to enlighten you on the topics that, through personal experience, I know you are more than likely to encounter on the exam. That being said, if your goal is to pass the CCNA-Sec exam, I invite you to join me back here for future posts, and by all means share this knowledge with others you know who may have the same plans, because like I said, when I was prepping I couldn’t find anyone on the internet willing to share this knowledge with me. In your case, fortunately, that’s what I’m here for. So, until next time, peace out, and you know the mantra:

Hack on, Ladies and Gentlemen…
