CompTIA Security+: Fresh look at the Test

Early last week I mentioned that I would be sitting the CompTIA Security+ exam soon. Well, soon has passed and so did I. While I feel I could have done a little better, I’m more than satisfied with my score, but we’ll break down why I feel that way in a moment.

First, disclaimer! This article does not intend to teach any course, nor do my opinions of the exam comprehensively address the topics or format of the CompTIA SY0-401 exam. Further, my only experience with this exam is the SY0-401 version as it stood on the day I sat it. CompTIA’s website states that (paraphrasing) they reserve the right to change the exam at any time, and do so even between major revisions, to best keep the exam current.

Glad that’s over, both the exam and the disclaimer.

So, my plan was to go over my final review of annoying tidbits of deprecated protocols yesterday evening, get to bed around 10, have a good night’s rest, and then go rock the test. Didn’t quite happen that way. My seven-month-old daughter got her six-month vaccines a few days ago, so the little febrile ball of adorable decided we were staying up until half past midnight. I have to give credit to my wife for addressing the baby’s fussiness for the rest of the night; she tried really hard to let me rest before the test, but I was still woken up by cries every half hour until 4:30 a.m., at which point I gave up. I plodded into my office and began to study, which turned into drooling over the HomeSeer home automation system for the next four hours. Trudged my way through the morning, and to the testing center we go!

Nothing new to see here. Same place I went to take ICND1, same setup, so let’s get into the meat of it.

I have to hand it to CompTIA because that was one of the more difficult tests I’ve had the pleasure of taking. Yes, pleasure. The exam began with what would be the hardest 3 questions I can remember on any exam. These 3 consecutive lab-like scenarios easily covered two-thirds (objectives 1-4) of the information in my books. They were a very serious brain drain and time burner. No preparation, other than understanding the material, could get you through those. You may find more, less, or none of these questions when you sit, but seriously, do not underestimate the lab questions. I would say that real-world experience with packet analyzers, signing, network design and config, PKI, 802.1x, and Linux command line saved my butt on these. These three alone took a little more than 10 minutes.

After the brain-burners, the rest of the exam was all multiple choice and multiple answer. Let’s break down what I did and didn’t see.

Let me say again that your experience would likely be very different from mine. This was my experience with the questions the engine generated for me. This isn’t a study guide.

Topics Encountered and Expected

  • Secure Network Design and Config (VLANs and Firewall/IPS/IDS placement)
  • Preventing Physical Breach, Mitigating Damage. These had really cool backstories to the questions. I’m deliberately obfuscating: “Hackers drove a bulldozer through your data center to defeat the K12-rated fence you implemented in response to a recent breach in which a Greenpeace member drove a Prius through the wall of your power-hungry data center. Which technique would you implement to stop this in the future?” Anti-tank mines or high-explosive mines. Anti-tank, which use shaped charges resulting in a less powerful shockwave while still disabling locomotion; important because no one will authorize new hard drives and the HE mines may exceed the G rating of the bubblegum holding together your 20 gig disks, resulting in an outage.* In all seriousness, I actually would recommend knowing your physical controls in just a tad more detail than your study guide addresses.
  • Management Controls (literally addressed each control that shows up in my books)
  • AAA systems and their appropriate use case. I think I saw LDAP, AD, multiple 802.1X strategies, RADIUS vs. TACACS/TACACS+ vs. Microsoft domain controller stuff, and a few questions about which wireless encryption best protects ____ authentication scenario.
  • A surprisingly high number of scenarios addressing wireless encryption and wireless MITM attacks.
  • Mobile Device Risks, in nearly all aspects, especially asset loss management and data leakage/theft management.
  • PKI/certs. A ton of PKI fundamentals, controls, architectures, on-wire identification. (If XXXXX data was captured, where are the hash, key, data, etc.?)

Topics Not Encountered, but Expected

  • Well-Known Ports. There may have been 1, but I wouldn’t bet anything on that. I really think there may not have been a single port question on the test. That’s disappointing, as the previously mentioned deprecated protocols were the ports I was reviewing the night before.
  • Input Validation Techniques. I expected to see a question or two addressing secure PHP forms or the like. Nope.
  • Data Sharing Relationships. A few years ago I would have told you I hate the corporate jargon and goings-on of conducting business relations. On the contrary, I discovered that I’m so interested in the security side of this stuff, I was honestly looking forward to these questions.
  • Hardening…anything. Beyond “hey, do you care if I put this heavy DMZ just anywhere?”, which I wouldn’t quite call hardening anyway, and a roundabout mention of port security, nothing.
  • BYOD.

Topics Encountered and Unexpected

  • Is it foggy or is that just CLOUDS! From reviewing my score sheet, this is the only area I struggled with, and I knew it when it happened. I used a plethora of different study techniques, guides, and self-study courses. I still did not know enough about cloud security methods. This bugs me so bad, I’ve already looked through 3 books, CompTIA CertMaster and Professor Messer’s videos. None, repeat none, make any mention of the slew of acronyms I’d never seen before. I’ll have to dig into the Cloud+ and CCNA Cloud materials in my Safari Books Online to try and see where my deficiency is.
  • Fire Suppression Methods. Don’t know why but I didn’t expect to see it. Studied it, but honestly didn’t think it would make the exam.

Topics Not Encountered and Unexpected

Wait, what?

The Test in General

Overall, the test was actually quite well rounded. While not every buzzword and definition appeared as a choice, most of my materials either framed a question, fuzzed the question, or appeared as an answer. I get the feeling CompTIA fuzzed these questions quite a lot to both create confusion in those who spent a bit less time preparing and also just to try to get everything in the exam. I think the average question was 4-6 sentences with only one or two sentences of useful information.

Process of elimination would have also been hit or miss. Many potential answers were similarly worded, the correct acronym was often mixed into alphabetically alike groups, or there would be two or three very correct answers. With wordplay, I tend to do best going with my gut. On the other hand, when more than one answer is correct, often a small clue stood out on the fourth read-through, or the correct answers would all make up items in the more correct group. Some questions were very subjective, but I tried to imagine what the best practice would be if I were the IEEE and this critical production system could wait 10 years for RFCs to address the issue. I’m not joking. I tried to think “what would a room full of more experienced engineers likely do if no one was yelling at them.”

Other than what I mentioned above, the test and questions were well structured. I got the impression that the test became less difficult as I went on. It honestly seems to follow objectives 1-6 in order, but that’s probably all in my head. The questions managed to both camouflage the details while also somehow being very succinct and reasonable to comprehend. Challenging, but not hard as long as you understand the material. I am more than satisfied with my score, but I was very unsure when I ended the test. I feel like a test capable of vouching for skills should shake up the test-taker even if you score a perfect 900. That’s the hallmark of a test capable of conveying your skills to an employer.

That’s all I remember right now. As with A+ and CCENT, I used many study tools. The ones I recommend are at the bottom of this post, though I will go ahead and say to try finding the most recent references possible, assuming a reputable source, as I imagine my cloud deficiency has something to do with my 2-year-old books. I cannot stress enough the importance of exposing yourself to security chatter, especially if you’re a more junior engineer, like myself, with limited exposure to the material. There are a ton of security news sites, relays, and blogs like Krebs on Security, Daily Dave, CSO Online, etc., but my favorite way to stay current is by listening to podcasts. Details also below. I will likely annotate this post after looking back through some materials, so give yourself a reminder to check back in a couple weeks, or you can always subscribe to my blog. I would be quite humbled, and I could use a good humbling.

*Don’t use mines. Bad form.

My Favorite Study Aids

I’m subjectively scoring them on how well they prepare you for the test including material, costs, and how closely the medium addresses/simulates the exam.

  • (7/10) Web – CompTIA CertMaster for Security+ SY0-401
  • (8/10) Web – Examcompass.com Security+ Practice Quizzes
  • (9/10) Android App – CompTIA Security+ SY0-401 Prep by Darril Gibson and Konnect L.L.C.
  • (8/10) CompTIA Security+ Certification Guide SY0-401, 2nd Edition by Glen E. Clarke
  • (6/10) Mike Meyers’ CompTIA Security+ Certification Guide. Newer, but it put me to sleep. Better cloud coverage and slightly more real-world relevance, but more detail than tested.
  • (infinite/10) Three podcasts: Risky Business, TWiT’s Security Now, and Defensive Security. A great way to turn your commute into general background on the goings-on of IT security.

Supporting my Path

My desk bookshelf looks awesome. A+, Sec+, Network+, Linux+, CWTS, CEH, command line guides for Cisco and HP, Python and HTML guides, a stack of LinuxUser magazines, MCSA 2012, O’Reilly, Cisco Press, ExamCram, Odom, Lammle, Tracy, a few printed comical RFCs, and that’s without getting into the mess that is my Safari Books Online queue. Am I going to get certified in each topic? No, likely not, but I really hope to use something from each.

I have my CCENT, next week I test for Security+, then after I will finish the second half of CCNA R&S. I have optimistic plans of getting both CCIE R&S and Sec as well as CASP in the next 8 years. I am very interested in ISP or Big Data network security right now, though I reserve the right to change my interest. Specifically I like learning about the configuration of those, distinctly different, networks and their threats. So, what’s with the rest of the alphabet soup plaguing my shelves?

The majority of my book collection is non-networking and non-security. My last full-time job was as a network/sysadmin, with a large portion of my time on the support and systems side. So why am I, as a driven and focused IT dude, wasting so much time on everything else? Simply: Understanding.

When I first moved into the Cisco world, I optimistically planned to have a CCNA in under 3 months. I was set back a bit by medical issues in my family, but the biggest barrier has been my lack of knowledge around supporting systems. There’s no point in having a network without packets to move. With that in mind, each book focuses on a personally novel skill-set in my overall understanding of how the layer 1-4 network provides services to the layer 4-7 computing infrastructure. For example, my A+ books taught me far more about how all computers, from switches all the way to mainframes, actually work. Server+ and MCSA helped me with domain administration in my last job, which gave me the footing to stand up a FreeRADIUS server in my home lab, expanding my understanding of AAA, on an Ubuntu 14.04 server I learned how to use from Linux+ books. That job also allowed me to build skills in desktop virtualization, including VMware Player and Oracle VirtualBox; skills I would need to troubleshoot images in GNS3.

Now, I know what you’re thinking: “You can Google much of how to do this.” That’s true, very true, but on listening to Ethan, Greg, and Drew of the Packet Pushers Podcast, as well as Steve Gibson of TWiT’s Security Now, I’ve decided to try my best to be a well-rounded “Full-Stack” engineer. Yes, I’m tooting my own horn a bit, but I also think this is a requirement for the IT pros of the future, especially for small and medium sized companies. Will a company want to consult an expensive net engineer for each vMotion? No, they will want their virtualization team to have the skills needed to complete the job. Do you as the IPS pro want to break something each time you tweak a rule? Of course not, so you have an understanding of the application traffic on your network and how that application interacts with supporting services both on your network and in the cloud. Best of all, what beautiful world would we live in if most Java or (god forbid) Flash devs had an in-depth understanding of application attacks, defensive code, and defense in depth? Imagine a corporate application designed to cooperate with NIPS, HIPS, host firewall/AV, the expensive black box, and everything in between. Told you it’s a beautiful image!

I want to be the network engineer who can sit at the table with the dev folks, systems guys, database team, and management and work together with an understanding of how my piece of the puzzle best fits together with not just the adjacent pieces, but the overarching picture. I’m young and naive, but I think my assortment of books supports that goal and it’s who I’m striving to be.

Charter acquires Time Warner Cable: The Modern David and Goliath


You really can’t keep track of everything in the tech world; there’s just too much to possibly see, hear, and read it all. This one, however… how did I miss this?

I was helping a friend shut down a local office and he asked if I would mind calling Charter on his behalf. So I call them up, go through the security questionnaire, place the cancellation order, and then the Charter rep does the normal scripted “Please don’t leave! Why are you leaving? I can be better! Are you moving this office to another location to which we can move the service?” “No, the office was combined with another office and they already have a Time Warner contract at that location.” “Oh, well that’s good to hear, since we recently acquired Time Warner.” Suddenly my heart’s skipping beats, I break out in a cold sweat, and I can’t catch my breath as I utter “oh, ok…” and try to get off the phone quickly.

I used to work in ISP tech support, so I know the acquisition rumor-wheel well enough; I cling to the hope that it’s all a sick joke. Nope. Reuters, LA Times, Business Weekly, etc. They all say the same thing. Charter has acquired Time Warner Cable, and many smaller ISPs as well. Oh yeah, and this all happened in the last two months while I was blissfully ignorant.

I’m shocked and scared. Charter has disappointed me with fragile infrastructure, terribly inconsistent line tech and premises tech resolutions for the same issue (5 different guys, 5 different problems?), and the fact that after I punch in an account number on their IVR the support person still asks me for the number again. It’s like five hundred digits long! Yes, this is anecdotal, I know.

Time Warner, on the other hand, oh my dear sweet Time Warner. Okay, so I’ve actually only worked with them 3 times, so grain-of-salt warning. Two were run-of-the-mill: one IP address issue and one truck roll with the line tech arriving within a half hour of my call (yeah, I know he was probably just around the corner). Now, what really impressed me: I had a business issue that required collaboration with Time Warner engineering, and an engineer called me within five minutes of placing the request, spent half an hour on the line without ever sounding frustrated or annoyed, and seriously had the knowledge base of a CCNP/CCIE.

But Charter has gobbled them up, positioning themselves as the second largest digital cable/data provider by subscriber count. What does this even mean? My personal experiences aside, let’s break this down.

In this corner, the heavyweight champion, Comcast Xfinity!

Comcast is huge and expensive, even more so than Donald Trump’s hands. Comcast pioneered the aggressive tactics that allowed it to eat up so many cute little small/medium sized ISPs. This put them in the position to collaborate with AT&T to form a lobbying Goliath who could stomp out any attempt to form WISPs or municipal ISPs. The strategy of legislatively emaciating competition while buying up the little guys has lent Comcast the opportunity to slowly deprecate their lower-bandwidth packages without lowering prices. AT&T picks up the scraps with data packages typically in the 12Mbps range over a single, unbonded DSL pair, and Comcast gets to keep raising the cost.

But, you’re paying for more bits, so you should pay more, right? Sort of. We are conditioned to think that getting more of something means paying more for it, but the issue is more complex than that. ISP-level networking infrastructure has stayed roughly comparable in price over the last 15 years. The big boxes process more bandwidth with less latency, but their overall cost is typically about the same, just because that’s how computing evolves over time: more data processed with less power, materials, and expense. So over time, the actual cost to move a bit of data (ha) drops like a rock, courtesy of Moore’s Law and the wave of “efficiency” that is Software-Defined Networking, while Comcast raises package prices. The other ISPs see the ridiculous profit margin and follow suit. Comcast has sat atop the golden throne that is high bandwidth for too long. Enter David.

And the Contender, Charter Spectrum!

I don’t like Charter, but as a man of science, I reserve the right to change my mind based on breaking or better quality information. Charter is putting itself in a position to do just that.

Worst case scenario first. Should Charter team up with the lobbying supergiants, we end up with a situation in which Goliath pummels congress and consumer with right fist Comcast and left fist AT&T, all the while Charter, our David, slings lobbyist after lobbyist into the mayhem from atop Goliath’s shoulders. Should things go that way, it’s gonna get ugly.

But, I don’t think it will. Charter has already agreed to play nice with consumers and content providers alike in exchange for antitrust approval from the DOJ. “Charter would not be permitted to charge usage-based prices or impose data caps and would be prohibited from charging interconnection fees, including to online video providers…” Upon further research, it turns out capping doesn’t seem to carry much weight in Charter’s strategy. This agreement, however, addresses a Time Warner strategy reminiscent of cellular data plans. Further clarification from Ars Technica: “…Charter doesn’t impose data caps and overage fees on its Internet customers, TWC offers optional plans with limits of 5GB or 30GB a month. The plans ostensibly provide discounts of $5 to $8 a month, but customers who go over the limits can be charged another $25 per month. Charter said it would get rid of these overage fees, pledging that the merged Charter/TWC would not impose any data caps.”

Charter plays ball with the Dept. of Justice and becomes a giant of its own.

What does this mean for us?

Bandwidth is stupid expensive. Comcast is setting the bar for rates, and they have no real competition. Had. Charter doesn’t even need to slash prices. I think they should just hold off on price hikes for a few years. Now that Charter and Comcast share many large cities, they are going to have to duke it out. I imagine Comcast will attempt to use legislation and community investment to throw the heavy right hook while Charter pummels the giant with a storm of low prices. Who will win in the end? Hopefully us. I would be perfectly happy with one dollar per Mbps and that’s still like a 50% profit margin. Businesses and consumers alike would be able to redirect those savings into, well, stuff. Buying stuff is good for the economy. Therefore, Charter’s acquisition of Time Warner is good for the economy*.

*I’m not an economist and yes I am aware of the composition logical fallacy. I’m trying to be an optimist. Don’t take this from me.

Why I DON’T support Fiber in the Data-Center

Sales Reps, plug your ears.

It’s Fast!

It’s Long Range!

But, It’s Expensive!

That’s why I don’t recommend fiber in small to medium sized data centers. Sorry for the title shock, but we are excluding big data, where I wouldn’t use an ounce of copper.

GBICs have come WAY down in price. You can get a Cisco-compatible SFP+ for around $60, which is awesome, but fiber is so expensive! Two meter patch cables in SMF/MMF run anywhere from $25 to $120 depending on the environment and connector. That’s ridiculous. A gigabit-quality two meter CAT5e costs…nothing. Admit it, you have this lying around just about everywhere; there’s plenty to cannibalize.

But but…my Cisco rep says blah blah fiber ten gig. A two meter CAT6a cable, good for 10GBASE-T out to the full 100 m, is a whopping four bucks.

But vMotion and DDoS and containers and other buzzwords! Cat 7A and Cat 8 may not be floating around your IT closet yet, but they are picking up use, they’re far cheaper than fiber, and Cat 8 is specified (IEEE 802.3bq) for 25GBASE-T and 40GBASE-T. The caveat is reach: those speeds are only rated to 30 m, which still covers most in-rack and end-of-row runs but not a long building backbone.

But Steve, if that’s true, my sales rep lied to me.

No they didn’t, they just didn’t tell you everything. Cisco, Juniper, HPE, etc., they all need to make a buck if we want them to stay in business…and we do. Unfortunately, IT departments all over the world are seen as the disgusting back office in which money flows the wrong way. This is even more apparent at small scale. Our parts are expensive and that hurts the small-medium business owners.

So, what can you do to save business owner tears? Help them filter the sales rep noise. Just because you have 500 employees and you know who Oracle is doesn’t mean you need a fiber switch or SMF between each piece of metal. Get some bubble gum, a metal coat hanger, an RJ-45 plug (preferably one with the clip still attached), and make your own gigabit Ethernet cable.

^Don’t actually do that, you’ll need 4-8 hangers for a successful pinout.

Here’s what inspired this mini-rant. http://www.cablinginstall.com/articles/2016/05/ethernet-alliance-base-t-applications.html


Way to go Time Warner!

Semi-pleasant surprise today. We had a modem connected up for a client and strange things started happening. Applications were failing, a few users were complaining, and the internet was downright wonky.

So I remote in to one of the client’s computers and start poking around. Everything is normal till I run an ipconfig. Are those IPv6 addresses on the Ethernet interface? It’s not a MAC address…it’s not fe80 link-local…

Okay, open google, whatsmyip.com

Your IPv6 Address Is: redacted
Your IP Details:
ISP: Time Warner Cable
Services: None Detected
City: redacted
Region: redacted
Country: United States

Holy frickin crap the modem pulled IPv6

The PCs pulled IPv6

THIS IS AWESOME

Well sort of. We still have services to migrate to v6. The client isn’t v6 ready, which caused all the wonkiness in the network. So unfortunately we had to request switching to IPv4 only service at this site, but I’m still ridiculously excited.

I may be overdoing it a bit, but I don’t get to see this often. I primarily deal with Charter-Spectrum and Comcast. Both companies do their job well; however, I have yet to see a native IPv6 pull from either one. Both claim to have a large v6 footprint. I’ve talked to both companies too many times in reference to public facing modem IPs when helping people set up web servers or remote services, and it’s always public v4 or a private 10 dot for ISP/Carrier-grade NAT. So, all three companies say they have rolled out v6, but, in my experience, I’ve only seen v6 from Time Warner.
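The triage above was done by eye on ipconfig output: a fe80:: address alone is link-local and proves nothing, a 2000::/3 address means the ISP actually delivered native global IPv6. Here is that same check as an added Python example (not from the original post): it pulls the interface addresses out of ipconfig text, labels each one by scope, and reports whether a global IPv6 address is present. It also separates RFC 1918 space from the 100.64.0.0/10 shared address space that RFC 6598 reserves for carrier-grade NAT, since a “private 10 dot” and a CGN address mean different things when you are trying to host a public service. The ipconfig text is constructed for the example and uses the 2001:db8::/32 documentation prefix in place of a real ISP prefix.

```python
import ipaddress
import re

# Scopes checked explicitly rather than via ipaddress.is_private / is_global,
# whose membership lists differ between Python versions.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared space, carrier-grade NAT
V6_LINK_LOCAL = ipaddress.ip_network("fe80::/10")
V6_ULA = ipaddress.ip_network("fc00::/7")              # RFC 4193 unique local
V6_GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Matches the value after "... Address . . . :" on ipconfig lines and stops at a
# zone index (%12) or "(Preferred)" suffix. "Default Gateway" lines do not match.
ADDR_RE = re.compile(r"Address[ .]*:\s*([0-9A-Fa-f:.]+)")


def classify(addr_str):
    """Return a coarse scope label for one IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr_str)
    if ip.version == 4:
        if ip.is_loopback:
            return "v4 loopback"
        if any(ip in net for net in RFC1918):
            return "v4 rfc1918 private"
        if ip in CGNAT_SHARED:
            return "v4 cgnat shared"
        if ip.is_global:
            return "v4 public"
        return "v4 other/special"
    if ip.is_loopback:
        return "v6 loopback"
    if ip in V6_LINK_LOCAL:
        return "v6 link-local"
    if ip in V6_ULA:
        return "v6 ula"
    if ip in V6_GLOBAL_UNICAST:
        return "v6 global"
    return "v6 other/special"


def extract_addresses(ipconfig_text):
    """Pull every interface address (not gateways or masks) out of ipconfig output."""
    return [m.group(1) for m in ADDR_RE.finditer(ipconfig_text)]


def summarize(ipconfig_text):
    """Map each address found to its scope label."""
    return {addr: classify(addr) for addr in extract_addresses(ipconfig_text)}


def has_native_v6(ipconfig_text):
    """True only if some interface holds a global-unicast IPv6 address.
    Link-local fe80:: alone means no usable IPv6 service was delivered."""
    return any(label == "v6 global" for label in summarize(ipconfig_text).values())


# Constructed ipconfig output (not a real capture); 2001:db8::/32 is the
# documentation prefix standing in for an ISP-assigned global prefix.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.invalid
   IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:abcd:ef01:2345:6789
   Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:1a2b:3c4d:5e6f:7a8b
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1
"""

if __name__ == "__main__":
    for addr, label in summarize(SAMPLE_IPCONFIG).items():
        print(f"{addr:45} {label}")
    print("native IPv6 delivered:", has_native_v6(SAMPLE_IPCONFIG))
```

A host that reports “v6 global” here but whose applications misbehave is the situation described in this post: dual-stack clients prefer the IPv6 path, so a v6 prefix handed to a network whose servers, DNS and filtering are v4-only produces exactly that kind of wonkiness until either the internal services are made v6-ready or the ISP is asked for v4-only service.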

We need this. We’re out, straight up out, of IPv4 under ARIN. Business is not propelling v6 migration, but we know why. Everyone has said it and I’m going to say it again: there’s no return on investment for IPv6. Developers don’t want v6; it’s extra work. Standards aren’t doing it; instead, the IETF has spent all its time trying to fix old problems instead of pushing innovation. Someone has to drive this.

I want the ISPs to be the bigger people and force it.

I’m not saying do it overnight. I want to see ISPs quietly phase in dual-stack, then set reasonable end-of-service dates for IPv4. I know that puts a financial burden on the ISP, but it’s the ISPs who seem set to profit the most from the resale of IPv4 blocks anyway. I don’t see ISPs doing that at the moment, but tripping over a native public v6 address today has restored my hope.

Time Warner, thank you for giving me an awesome Friday and inspiring me to continue to be an IPv6 Evangelist.

Untangle NG Firewall

Jeez, I’ve been teasing this post for a long time.

I think this is the coolest solution since sliced bread, but that’s only because it’s true. Per untangle.com “Untangle’s NG Firewall enables you to quickly and easily create the network policies that deliver the perfect balance between security and productivity.”

We have all heard it before for super-object-x-v127.6, right? Hey, it may be true, but the price-tag is in the millions or you’re going to have to hire an overpaid consultant to run the thing or at best it’s terribly unstable.

Well, this isn’t the case for the Untangle Firewall.

That’s because it’s not just a firewall. Untangle is a beautifully written software suite which capitalizes on taking a whole mess of security functions and putting them in one place. Seriously, this thing is a *deep breath* Firewall, IPS, Phish Blocker, Virus Blocker, Ad Blocker, Application Controller, Web Filter, SSL Inspector, Bandwidth Controller, Load Balancer, Fail-over Controller, Web Cache, Captive Portal Controller, and IPsec and OpenVPN node. <== Do you see that? It’s ridiculous. Best of all, I turned every single feature on in an economy hardware build, and the tower just yawns at the challenge. That’s right, Untangle Firewall can do all that stuff without breaking a sweat.

And it even looks nice! All the applications are lined up in a graphical rack. Yep, a rack, a server rack. You move apps in and out of the rack based on the features you want. A power button turns the feature on and off and each app has a myriad of different settings and tweaks.

But does it work?

The firewall was easiest to test. Now, keep in mind, if you are NATing at the Untangle device, the firewall shouldn’t need a whole lot of tuning: the stateful, inbound-default-deny behavior that comes along with NAT stops most sad attempts to hop through onto your LAN. (The address translation itself isn’t the security control; the state table and the implicit deny on unsolicited inbound traffic are, so don’t mistake “it’s behind NAT” for “it’s filtered.”) So I put mine in bridge mode, retuned my network, and gave the firewall real rules. It did its job fine. Now, this isn’t a hard job. My 20-year-old PIX can do that part. My PIX was also thousands of dollars when Cisco pushed it onto the market. Untangle is FREE. Well, FREEMIUM.

Web Filter is solid. Pick the categories you want to include, whitelist or blacklist any exceptions, and go have a beer. You deserve it. What’s really nice is the low rate of false positives. I’ve fixed 2 false positives. Both times it thought it found porn and both times I imagine interesting cookies were involved. I don’t blame the Untangle in either case.

Virus Filter is awesome. I don’t have any viruses lying around, but I pulled a few defanged baddies through, compiled them, and tried to push them around. It caught all the (old) viruses, but it did let through the anti-virus test files I’ve collected. I don’t know if that’s cause for alarm on the AV vendors’ part or for the Untangle box. Probably the AV vendors…as I believe Symantec and McAfee are 99% unicorn tears anyway. I can tell you that the UT boxes I monitor in major deployments have a steadily ticking viruses-blocked counter, occasionally corroborated by the users who complain they can’t get into their poker tournament site.

Email security is harder to test. I’m a huge proponent of keeping email on the web and in a browser, so I really don’t have a good way to test these.

IPS is pretty standard. I haven’t set it up yet, and likely won’t until I finish building my packet capture box (I smell a future post). There are a crap ton of rules in there. The default comes with your standard “stuff people shouldn’t be doing” turned on, but there are an awesome number of nerd-knobs to tweak in this app.

OpenVPN and IPsec VPN just work. IPsec takes a bit more config, but it takes literally like 5 clicks to stand up a VPN tunnel. Best of all, I’ve never seen one drop since they revised their VPN app in version 9.

Functions/use-case

This is an incredibly versatile box. I work with 8 different Untangle Firewalls ranging from version 9 to (finally) 12. Each deployment has a different use case. Some are WAN links, others provide server security to a range of different servers, yet others are doing basic routing tasks and every single one of them is also carrying the Firewall, IPS, Spam/Phish, and Web Filter.

This device fits excellently on a school network or in a small-medium sized business with need for a reliable and cheap WAN solution. I’ve played with both the IPsec VPN and the OpenVPN. With over 6 years collective run time, I haven’t seen a single VPN link drop or decrypt the streams. And if you need a public face for management or whatever tickles your fancy, the Dynamic DNS has its own configuration page in the admin console.

I even have this thing doing sec in my own home. I’m quite comfortable with it. In bridge mode, it’s super easy to use. I even have it doing ad hoc parental controls.

But, Untangle Firewall has its limits.

This device isn’t a router. If you spend $100 on a half-decent Wi-Fi router there’s a very good chance you will get support for RIP, but not here; this isn’t a router. While the Untangle device can do basic static routing, that feature is designed to help the firewall better fit into a network. The firewall also seems quite vulnerable to DoS attacks. If you turn on all those features, you start to see an extra millisecond or two of latency past 150Mbps on an interface. All my builds are gigabit, so I imagine this is where we pay the price for doing in software what is done on ASICs in the big brands. I don’t have the hardware to DDoS it myself, but I imagine VoIP quality will begin to suffer around 500Mbps.

Oh wait, I forgot about the QoS. The QoS engine in this thing is rock solid too. I remember training for tech support, “VoIP is the least tolerant of loss and jitter,” but if you tell Untangle to do VoIP QoS, you will notice internet issues way before your phone problems. It’s a good box.

Now it is a single point of failure; we’re used to that, though. Security has been the aggregation of all streams for quite some time. While there are solutions to this vulnerability, you’re going to drop serious dough on them. I’m okay with a single point on the Untangle. I put the hardware together, I configured it, I ran the backup. I know this thing in and out. If it dies, I’ll unplug the Ethernet from one Untangle and plug it in to an identically prepared twin. Worst case, I slide a gigabit NIC into a PC collecting dust and slap together the install in an hour. Load in the backup, and voila! Even the VPN tunnels stand back up on their own.

The other issue I have with Untangle is the lack of a sync function. I manage quite a few of these bad boys; it would be awesome if they synced app changes between themselves. Untangle told me they are not ruling it out, but it’s not in the works right now. Dear Untangle, add this feature and prepare to rake in the dough!

Let’s talk Dollars

Nine-tenths of the features I listed earlier are free, or have a very strong lite version. Untangle doesn’t play with their lite apps. I have just as much trouble cracking through the lite versions as I do the full version. The full versions, however, have way more tuning knobs to get it just right.

Even with the cost of the full-featured apps, the Untangle is really cheap to run. The starting full package is $50 a month for up to 25 hosts, $300 for 250, $750 for 1000, $1,200 for Unlimited, and plenty of packages in between. You also have the option of purchasing only the features you want. But you don’t have to spend a cent! You can cobble together a PC with two GigE ports for about $200 and install Untangle Firewall. All the best features and updates come free! I dare you to go to Cisco and try to get a firewall for $200. Even if they sold you a dying ASA, which they won’t, you would need a special administrator to run it.

Untangle also sells a variety of hardware solutions for those who don’t want to chance having issues with a build-your-own scenario. Details, here! http://www.untangle.com/untangle-ng-firewall/appliances/

 

Untangle 12 OS

That was the easiest version upgrade ever. I clicked upgrade and a while later I had a new, but familiar, interface. On previous releases an upgrade was an entire OS reinstall: Untangle released a new version, you burned the image to a disc, popped it in the tray, and walked through a familiar Debian-style install. Further, there were some issues with OpenVPN changes which slightly raised the difficulty of migrating from UT v9 to UT v10. Upgrading from v11 to v12 was nothing like the others. We pre-prepped a twin UT box by exporting a backup and restoring the twin from the file. Next we pressed the upgrade button on the twin to initiate the upgrade to v12. An hour later, it was ready. It took about an hour to make sure no settings were lost, and then we swapped it out. Didn’t use change management, didn’t give advance notice, just “Hey, we’re going to take down the network at 6, looks like about half an hour.” Bull. We were down for 3 minutes. Three frickin’ minutes. Users told me it was the shortest maintenance we’ve ever had. Okay, onto the big new v12 feature.

Holy Awesome Batman, this Dashboard is sweet! I would include lots of pretty images, but I don’t feel like scrubbing all my IPs off the pictures, so you can find them here. This is so intuitive. I can now choose which reports I want graphed data on and over what period, and it just compiles it into beautiful graphs. It’s not quite the depth of information you get from SNMP or NetFlow, but that’s not the niche I tend to find UT boxes in. It is, however, highly configurable. Go into the reports tab, which they have conveniently moved from the rack to the sidebar, and build a report for whatever info you want to crunch. Want to watch in real time as Facebook traffic goes up? Build a report for it, collect your data, and take that info to management. What just happened? You, champ, just found Return on Investment in a Firewall!

I hate to end on a cliff, but I have no way to end this post without doing Untangle an injustice. Go, Go now! Get one! Or Fifteen!

https://www.untangle.com/

Download NG Firewall https://www.untangle.com/get-untangle/

How well do you really know the controls?

Okay, okay! I’m sorry! I know I’ve been teasing an Untangle deep dive for weeks, but this isn’t it. I hope to publish that soon, but I wanted to include the recently released Untangle 12 OS. The good, hell, great, news is we pushed our test box to UT12 OS and I will get to move traffic through it tomorrow! Hopefully I’ll be able to include a chunk of UT12 details in the deep dive. Moving on then!

My Windows mojo got kicked in the teeth recently. Now, I’m not specifically a Windows admin, more of a power user than anything else. So, this week we had an issue with Cradlepoint’s recently acquired VPN service, Pertino. We’ve had Pertino for a while, but the merger is pretty new. Cradlepoint, like every other company acquiring a software suite, decided to push out an annoying lot of updates. We hadn’t had a single issue with Pertino before Cradlepoint; it’s been a solid P2P VPN service. Basically, after a massive number of unsolicited Pertino updates collided with vetted Windows Server updates, the P2P VPN tunnels broke. We went through the whole networking 101 troubleshooting list, and… it couldn’t have looked more perfect. The only weird bit was that we kept getting bad DNS queries from our applications. So after double and triple checks, we called Cradlepoint tech support. Okay, okay, here’s the fun part: did you know there are more adapter settings in the Windows “Network Connections” window, hiding under your [alt] key? Look for yourself!

 

advanced

If you click “Advanced Settings” you get a little prompt that lets you control the order in which adapters apply their configurations. Guess what: the order was out of whack, so all of our P2P hosts were trying to pull DNS that didn’t resolve to our systems. Fixed the order on each remote device and voilà! Solved.

This one made me feel really dumb. I spent years in ISP-level tech support, from phone jockey up to a NOC internship. I (thought I) had poked around every inch of host settings in Windows, Apple, and a few Linux distros. This utterly confounded me. I mean seriously, there are always [alt] functions for folders in Explorer, so why did I assume there weren’t any in Network Connections?

Ready For Takeoff

During a recent trip to Sacramento to check on my Grandma I found myself with 12 hours total time in a plane. This is an IT blog, so what did I do with my time to inspire blog-worthiness? I worked on my IT skills. Well, most of the time.

ATL to PHX: 4 Hours 36 Minutes
This is the perfect amount of time to get into a lab simulator. A long flight helps you learn to focus on a lab the way you would have to for a tough midnight maintenance or for the long labs in higher-level certifications. Cherry on top: the constant whine of engine noise sounds just like the hum of your server room! I opened up Packet Tracer, set up 6 routers, 12 switches (3 multilayer), and a Packet Tracer server. Now, this wasn’t flying blind (haha… bad pun). I wrote out the bullet points of my topology and setup before leaving Atlanta; no notes, just what I planned to accomplish. Per my “work order” I stood up single-area OSPF, served DHCP and DNS, and all the run-of-the-mill stuff with VLANs, CDP, VTP, etc. For added difficulty, the trip added turbulence, two glasses of wine, and a Jack and Coke. I didn’t get on the Wi-Fi, so I was stuck with my memory and the [?] key. I did forget a key step of VTP setup that is WAY too embarrassing to mention, but I don’t plan on setting up VTP from anywhere I can’t at least use a rudimentary smoke-signal connection. Bits per minute, anyone?

So what is the plan here? Plan, that’s the plan!

  • Write out everything you want to accomplish. If you feel like you need tips and notes, write those in too.
  • Sketch out a rough topo of the network. Sales here, HQ there, productions over there.
  • If this is a greenfield sim, get an idea of where you want your VLANs and how you want the topology to balance them. Draw out your OSPF areas. Decide on your VTP server.
  • In general, make the best of your time in the air by making as few in-flight decisions as possible.

Layover 20 Minutes: Well, 5 minutes… and they already gave me a replacement ticket. Oh well, guess I better wait two hours for the next flight… or walk over to the plane I was supposed to get on. What’s to lose? So I run from the last gate in terminal D to the last gate on the other side of terminal D and… the plane is still here! I excuse my shortness of breath from running, check in, and head on board. I actually passed the ground crew on their way to lock up the plane. Seriously, only made it by thirty seconds.

PHX to SAC: 1 Hour 30 Minutes
Reading! A short flight is the perfect amount of time to read something technical without ending up so bored that you would rather try out the parachutes than turn another page. I reread a few chapters of “31 Days till CCENT…”. Good use of time. I’ve said it before and I’ll say it again: I highly recommend this book. Bring something that doesn’t weigh five pounds and bulk up your carry-on. I have 3 “…Days Till…” books, all of which are under an inch thick. Dummies has quite a few thin books focusing on hot IT topics as well. Don’t forget about eBooks either. You sacrifice no space using a phone, laptop, or tablet that you would have carried anyway. Open a PDF copy, whitepaper, Kindle ebook, or pull something out of your Safaribooksonline.com queue. Just make sure you have your reading material downloaded before you get on the plane, or you may be paying 6 bucks for half an hour of Wi-Fi.

I spent a few days with grandma, who has now moved to Georgia with my parents and is doing better, and headed back to SAC. Just for the record, Sacramento has a really nice airport. I only passed through twice, but it was easy to navigate, uncrowded, and I managed to buy a charging cable for under 20 bucks. Flight time!

SAC to PHX: 1 Hour 20 Minutes
This is just enough time to confound me. I’m trying to alter enough lines of another programmer’s JavaScript to make his pseudo-ping bounce off my servers, switches, and firewalls. Bad news is I don’t know script well enough to make it work very well. I was only able to get it to bounce off the server, which I could watch in Wireshark, but it still wouldn’t flip the result I want: a very un-simple if-then trigger on the page to show “SUCCESS.” I have since been pointed to an interesting bit of the Angular library, so here’s to hoping!

By the way, if you know some crafty way to do this, Please Tell Me! I’m trying to get a ping-like function out of a webpage while keeping the code as light as possible.
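One way to get a SUCCESS/FAIL reachability check out of a plain webpage, as an added example that is neither the other programmer’s script nor anything from the original post: a browser cannot send ICMP, so this measures HTTP-level reachability with fetch() and a timeout instead. The probed hosts and the element id “ping” are constructed placeholders, and the request uses mode: "no-cors" so a host that sets no CORS headers still counts as reachable (the response is opaque, but a refused or timed-out connection rejects the promise). The fetchImpl parameter is an assumption added so the function can be exercised with a stub outside a browser.

```javascript
// Added example, not from the original post: a lightweight browser-side
// "ping" built on fetch() with a timeout. It records how long a request to a
// host takes and returns SUCCESS/FAIL for the page to render.
//
// Assumptions (not from the original): hosts are probed with mode "no-cors",
// so the promise resolves (opaque response, status 0) whenever the HTTP
// exchange completed, and rejects on a network error or on the abort timer.

function probeHost(url, { timeoutMs = 2000, fetchImpl = globalThis.fetch } = {}) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  const started = Date.now();
  return fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: controller.signal })
    .then(() => ({ url, status: "SUCCESS", rttMs: Date.now() - started }))
    .catch((err) => ({
      url,
      status: "FAIL",
      rttMs: Date.now() - started,
      // "TypeError" for a refused/unreachable host, "AbortError" for a timeout
      reason: err && err.name ? err.name : String(err),
    }))
    .finally(() => clearTimeout(timer));
}

// Probe several hosts in parallel; resolves to an array of result objects.
function probeAll(urls, options) {
  return Promise.all(urls.map((u) => probeHost(u, options)));
}

// The "if-then trigger" on the page: render one line per host. textContent is
// used instead of innerHTML so a host name can never inject markup.
function renderResults(results, container) {
  container.textContent = "";
  for (const r of results) {
    const line = document.createElement("div");
    line.textContent = `${r.url}: ${r.status} (${r.rttMs} ms${r.reason ? ", " + r.reason : ""})`;
    container.appendChild(line);
  }
}

// Usage in a browser (constructed sample hosts from the documentation range):
//   probeAll(["https://192.0.2.10/", "https://192.0.2.20/"])
//     .then((r) => renderResults(r, document.getElementById("ping")));
```

In no-cors mode a 404 or 500 still resolves, because the server answered; the check therefore proves that the host is up and speaking HTTP, not that the page is healthy. Watching it in Wireshark, you will see the TCP handshake and TLS exchange for each probe, which is the same thing the original Wireshark observation showed for the one host that worked.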

PHX to ATL: too long
I tried to work and study, I really did. But I didn’t want to. I’m in the air and feeling quite uninspired. I’ve spent each evening of the trip labbing (is that even a word?) to get ready for ICND1; I don’t want to see another command line! Best of all, I’m in the window seat and the middle seat is empty. I cannot resist the urge to relax. So I read. I tore through half of the 2nd book of The Expanse, “Caliban’s War.” Good read. Flights may be some of the best times to study or work without coworkers and broken whatchamacallits distracting you, but everyone needs a little down time.

What are your ideas for how to build IT skills while you travel? Leave a comment below!

*Edited because I didn’t spell check…like a scrub.

ICND1: Fresh Look at the Test

After an unending series of delays, I finally took ICND1 this last Thursday. I passed. I have my CCENT.

Grain of Salt Warning: Everyone has a different experience. Do not base your preparations on my test experience.*

TLDR: The test was far more expansive, in many ways, than I ascertained from forums. I passed by the skin of my teeth. My test also totally skipped many key topics.

I arrived half an hour early to the local community college Vue site. There were a lot of signatures and even a mug shot. I received my allotted dry-erase board (which was marked “Pearson VUE” and comfortably large). There was no login or input of any kind on my part; the proctor fully prompted the test. A 15-minute how-to guide explained the GUI; I skipped through most of it. My test consisted of about 45 numbered questions, with about 5 main questions consisting of 4 sub-questions each. So all in all, about 60 total. Of course, you’re allotted 90 minutes; I finished in about 35. No gloating, I seriously barely walked out with my CCENT intact… by like 3 questions. I’ve just always been an “I know it or I don’t” test-taker; I fail them just as fast as I pass them.

Test Breakdown:

I would say half of the test was multiple choice, and of those, heavily saturated with multiple-answer selection (pick 2/3/all that apply). The worst part of the multiple choice questions was trying to understand what the question was asking. Some of the questions really twisted my brain into “would this really happen this way in this exact scenario?” It’s cliché, but true: an exam testing your ability to take the exam.

The Simlet questions were overall very easy to interact with. Scenarios and Simlets often started in the same user-mode as the answer to the question or the requested configuration changes, which saved time moving around. Some Simlets, however, started completely logged out (no login credentials used in the simlets).

There were a couple matching/drag-to questions. They were more creative than “Match protocols to OSI model” or “match these well-known-ports to the associated protocol.” More like “In _______ scenario, what would you expect ____ to move through while moving through the _____.” Actually, these were fun.

Topics I remember:

  • Inter VLAN solutions
  • HOLY SUBNETTING BATMAN
  • RIPv1 (In all its classfulness)
  • OSPF
  • OSI Model, TCP/IP Model, some other networking model I’ve never seen and can’t remember.
  • NAT/PAT
  • Route Summary
  • Topology Interpretation

What I had a hard time with:

  • Frame Relay/DLCI: I really thought it wasn’t on ICND1…it’s not in my ICND1 cert guide and everyone said “it’s not until ICND2!” I’m sure I got those wrong. I had no idea what I was seeing.
  • Class B Subnetting: Based on forums, I only memorized to /24, but in reality the numbers got huge very quickly.
  • Network Device Security: Dunno how I messed that up, but I did. Full disclosure, by far my worst section at 63%. Need more lab time.
  • A LOT of legacy equipment: 10Base-2? Really? I wasn’t alive in the Eighties!

What I didn’t see, but expected: (not that you won’t see these)

  • IPv6: I spent the last 3 weeks on hurricane-electric making sure I could rock this, and it didn’t even show.
  • ACLs for security: The only ACLs I saw were related to NAT config. Meh
  • Anything physical: No pinouts, no “if ___ and the light is flashing amber,” no speed/cable-quality/connection-type.
  • Well-Known-Ports: None
  • WAN tech: Aside from the FR/DLCI bit above, nothing.
  • Packet analysis
  • Anything about Initial Config

 

I have mixed feelings about this testing experience. I felt challenged by each question, but I also feel like I would have averaged better if the questions were a more general mix of the official cert guide. The topics actually on the test were very deep, but my test version totally skipped many fundamentals. I’m not going to lie; I definitely need to spend more book and lab time with some ICND1 topics before studying ICND2 any more than I already have.

If you feel I missed something, if your experience was different, or if you want to just say “Hi!” (because it’s nice to my self-esteem :-P), please feel free to leave a comment. I check the blog twice a day; I’ll be happy to expand or clarify something I wrote.**

By the way, if someone is trolling you about how you shouldn’t have to memorize subnetting charts, try sending that salt-shaker some positive vibes. There was a crap-ton of subnetting. I would have taken much longer if I had to do magic numbers and powers-of-two on every other freakin’ question.
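The magic-number method the post refers to, worked in code as an added example (not from the original post, and nothing the exam hands you) so the whole subnetting chart can be generated and checked for any prefix length, class B included, instead of memorized to /24. The sample addresses are constructed.

```javascript
// Added example, not from the original post: the "magic number" subnetting
// method from the ICND1 study guides, implemented for any prefix length.
// Sample addresses in the comments and tests are constructed.

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  // >>> 0 forces an unsigned 32-bit result (JS bitwise ops are signed)
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function intToIp(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Compute subnet facts for "a.b.c.d/len", e.g. "172.16.45.200/20".
function subnet(cidr) {
  const [ip, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`bad prefix length: ${lenStr}`);
  // A 32-bit shift wraps in JS, so /0 is handled explicitly.
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  const addr = ipToInt(ip);
  const network = (addr & mask) >>> 0;
  const broadcast = (network | (~mask >>> 0)) >>> 0;

  // Magic-number view: the "interesting" octet is the one where the mask is
  // neither 0 nor 255 (or the last 255 on an octet boundary); the magic number
  // is 256 minus that octet, i.e. the block size of subnets in that octet.
  const interesting = len === 0 ? 0 : Math.ceil(len / 8) - 1; // 0-based octet index
  const maskOctet = intToIp(mask).split(".").map(Number)[interesting];
  const magic = 256 - maskOctet;

  const hostBits = 32 - len;
  // /31 and /32 have no classic usable range (network + broadcast eat everything)
  const usable = hostBits >= 2 ? 2 ** hostBits - 2 : 0;

  return {
    cidr,
    mask: intToIp(mask),
    network: intToIp(network),
    broadcast: intToIp(broadcast),
    firstHost: usable ? intToIp(network + 1) : null,
    lastHost: usable ? intToIp(broadcast - 1) : null,
    usableHosts: usable,
    interestingOctet: interesting + 1, // 1-based, as the study guides count it
    magicNumber: magic,
  };
}

// Worked example: 172.16.45.200/20 -> mask 255.255.240.0, interesting octet 3,
// magic number 16, so the third octet rounds down to 32 and the subnet is
// 172.16.32.0 with broadcast 172.16.47.255 (4094 usable hosts).
```

The arithmetic is exactly what the chart encodes: in the interesting octet, the subnet ID is the address octet rounded down to a multiple of the magic number, and the broadcast is the next multiple minus one, with all lower octets 0 and 255 respectively. Running a handful of class B prefixes through it shows why the numbers "get huge very quickly": a /20 already carries 4094 hosts per subnet and a /17 over 32,000.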

 

  • *Edited for grain of salt disclaimer.
  • **Edited for Feedback Request

 

One Week to Test Day (CCENT)

So the big test is in a week. Well, by “week” I mean a week and a few days, and by “big test” I mean ICND1, so a grain of salt is recommended. Before I move into my “Week Out” plan, I wanted to take some time, collect my thoughts, and talk about my preparations and process.

First and foremost, let’s get the timeline out of the way. I did not have a normal start to my CCNA timeline. I originally planned to take CCNA a week before Thanksgiving ’15. In reality, I found myself jobless, then working temp jobs from factory to factory early last Fall. I was exhausted after work each day, so I let myself take more time by planning instead to go for CCENT with a Thanksgiving timeline. In late October the sky opened up and handed me interviews, 3 of which led to offers. A few days into November I started my new and current job… and training to do that job well. In embracing my learning curve, I decided it was time to push back the cert timeline again. Aiming for the week after Christmas, I knew I was gambling against my child’s due date. I gambled wrong: the week of Christmas my newest daughter was born, and pushing the date back again took no consideration. I am now approaching my latest deadline and I am determined not to push it back again. I’ve taken that morning off, and the date is close enough to my birthday that I can guilt people into helping with whatever may arise. Most importantly, this has become so drawn out that I need to get it over with before my expectations get the better of me.

As for expectations, the internet pushed me all over the place. At this point, all I can believe is that plenty of subnetting will be involved. Watching everyone boast and argue about which sections are most prominent, which turns out to be each and every section, I’ve taken the lesson as “just eat the Odom book.” I started in ISP/telecom, so fortunately I do have a few mentors to guide me in the right direction. I also listen to the Packet Pushers podcasts in the car on the way to work each morning, and those guys have addressed the testing process multiple times. I’ve called the school, so I know how the actual testing process will go. No worries there. So what channels did I use to get ready for CCENT/CCNA?

Books

The first tools I purchased were the CCNA textbooks “CCENT/CCNA ICND1 and ICND2 CCNA R&S” by Wendell Odom. These have honestly been the best combination of in-depth and ease of reading that I’ve found in a textbook-style guide. Since I’m taking ICND1, I haven’t jumped far into the second book, but I use it at work almost daily. It’s a great couple of books. I’m hoping his CCNP stuff is just as good.

http://www.amazon.com/gp/product/1587143852/ref=pd_lpo_sbs_dp_ss_1?pf_rd_p=1944687742&pf_rd_s=lpo-top-stripe-1&pf_rd_t=201&pf_rd_i=1587143879&pf_rd_m=ATVPDKIKX0DER&pf_rd_r=1G045DS4W1D6GYD6WFG8

http://www.amazon.com/Routing-Switching-200-120-Official-Library/dp/1587143879

 

The only other book I purchased was a copy of “31 Days Before Your CCENT Certification Exam:…” by Allan Johnson. This one paired perfectly with Odom’s book. I can pull it out on lunch or before I go to sleep and just refresh for a few minutes. I am following the 31 day guide in the book all the way down to day 0.

http://www.amazon.com/Days-Before-Your-CCENT-Certification/dp/1587204533/ref=sr_1_1?s=books&ie=UTF8&qid=1452500505&sr=1-1&keywords=31+days+ccent

Videos/Audiobooks

I found a few decent lectures on Udemy and I’ll put out links and reviews for those after I take the test. I don’t feel like I can evaluate those yet on this side of the test, so we will revisit those in a few weeks.

 

CBT Nuggets is Awesome! I cannot recommend the collective Nuggets more. These videos are just easy to watch. I can sit down and watch CBT nuggets for five hours straight, and I have a very short attention span. I will go ahead and recommend CBTN, but I’ll once again save specifics for later.

 

Audible.com led me to “Mastering the CCNA Audiobook: Complete Audio Guide” by Christopher Parker. The information is a tad out of date, but the review of CCNA topics seems pretty good. For under $10, would recommend.

 

Programs/Sims

Packet Tracer was a huge asset. I used http://cisco.edu.mn/Download/ for a lot of labs. I also built a lab for most chapters of the Odom book as well. Packet tracer is a touchy topic, as Cisco is being very stingy with PT right now. In my opinion, the best thing Cisco could do to turn PT into revenue is put out a $13 a month subscription for the full program. My copy is legacy from the free PT days. I don’t want to know how you get yours, but it’s almost a necessity. I don’t need a physical lab because I have PT.

 

I’ve used GNS3 a little bit, but it’s too powerful for CCENT. We will talk more about GNS3 closer to taking ICND2.

 

When I heard the Packet Pushers talking about Wireshark I knew it was going to be awesome. I use the heck out of this program. I turned on Wireshark while in Mumble to watch UDP packets. At work I can watch different protocols send broadcasts and updates. I’ve even used it to address a cert problem on my personal PC. It’s an awesome tool for creating a sense of what really is going on in a network. Download Wireshark and play around. I promise you will learn something awesome.

 

Pearson’s Cisco Network Simulator ICND1. This dude had a serious price tag, but was absolutely worth it. These labs walk the student not only through the how, but supplement the why as well. Each section culminates in a (semi)unguided “now fix it” to test your new skills. You cannot configure topologies from scratch as you can in GNS3 or Packet Tracer, but Pearson’s Network Simulator fills a niche neither of the other two can. Worth the $80.

http://www.pearsonitcertification.com/store/ccent-icnd1-100-101-network-simulator-download-version-9780133432770

 

Cisco Mind Share Learning Game. This one is… different. It’s definitely not for everyone, but I liked it. Is it worth almost $45? Absolutely not. I got it for ½ off, and I recommend you watch for the same. And you don’t have to just jump in; there’s a free demo.

https://learningnetworkstore.cisco.com/games/cisco-mind-share-learning-game-msg-ccentint-1-0

 

Practice Tests

If you don’t take advantage of the free practice tests at techexams.com, you’re doing it wrong. ‘Nuff said.

I didn’t get any book practice tests, but I did buy Pearson’s CCENT practice test. I can’t find a link to this one, but a free trial comes with Odom’s ICND1 book.

 

All in All

In total, I’ve spent about $500 including my test fee. I don’t feel, at this point, like I’ve wasted any money or time. Each tool is valuable to me. I’m signing off until after the test, so next time I update, it will hopefully be with good news and a plan for ICND2. Wish me luck!