Sunday, October 30, 2016

First SENSS Attempt - Part II

So I went down to the testing center yesterday and made my first attempt at the SENSS exam.  And I failed miserably, scoring nearly 200 points below the passing mark.  I have been studying for this exam off and on now for about 2 years.  More off than on with work, school, family, and everything else constantly taking my focus away, but during that time I did get a lot of quality study time in.  The disappointing part is not so much the questions that I wasn't sure of the answer to; it's the questions asking about things where I was like wow, I don't recall reading about this at all.  Quite a humbling experience, as this is the first Cisco exam that I've failed.

I don't think this was a case of the exam objectives being extremely vague, as most certification objectives are.  These objectives were quite fair, in my opinion.  Instead, this time it's more a case of there being no study guide.  If you look at the list of suggested study materials, you'll find no fewer than 10 Cisco Press titles in addition to a laundry list of PDFs ranging from short configuration guides to the SAFE Reference Guide.  That's a ton to take in.  Do I need everything in 7896 pages of books?

Well, I have to get this done before November 12, the day that my other Cisco certifications expire, so back to it!  As always, save your questions about what questions I saw, how many questions I got, what the passing score was, etc.  I'm not going to violate the NDA, even in my deflated mood.

Wednesday, October 26, 2016

First SENSS Attempt

This week there will be no regularly scheduled Wednesday post because I am putting the final touches on my first (and hopefully only) attempt at the SENSS exam.  My exam is scheduled for 12:00pm on Saturday.  In nervousness, I've rescheduled it a couple times leading up to this point, but I can't keep doing that as all my other Cisco certifications are due to expire on November 12.  I'm feeling well over 95% confidence in all the topics except for SNMP.  Unfortunately, my confidence level on that topic is not too much higher than it was coming into preparation for this exam.  I have no idea why this one thing just won't sink in.  I'll see it again and again down the road, so I'll get it sooner or later.

Once this exam is over with, I'll be shifting my focus primarily towards the CISSP, which is the capstone for my Master's degree.  I'm doing the last two classes for this degree, so the capstone is all I'll have left after this semester.  My Bachelor's and Master's degree coursework both focused on CISSP material, and I've done a lot of reading on things covered in it outside of the classroom as well, so I'm not starting from zero.   I will be doing the MCSA 2016 upgrade exam in the near future (not sure exactly when yet), but I expect to get back on Cisco and start on the SISAS once the CISSP is in hand.  So a lot of ISE and Active Directory in the future.
Not that anyone really cares, but I'll post back here on how the SENSS went, and if I have any thoughts on the exam that I am willing to share.  Wish me luck!

Saturday, October 22, 2016

COPPA Compliance Extortion

This morning, one of my children brought me their tablet.  It's a Nabi 2s, which we bought 3 of a while back at Toys R Us during a sale.  The tablet was in "Nabi Mode," which is a locked-down account for children.  Unfortunately, there is only a small selection of games available in Nabi Mode.  The most important app on the tablet, YouTube, is also not available.  So we just leave it in "Mommy Mode," a separate user account without any of the child lock-down, because I'm not dealing with managing an allowed applications list on 3 different tablets, if such a feature is even available.

So the problem today is Nabi's strange enforcement of COPPA compliance.  For those who don't know, COPPA, or The Children's Online Privacy Protection Act, is a 2008 regulation to protect children online.  The act requires proof of parental consent for a child to use any service online.   According to the verbiage of a 2012 amendment, verifiable parental consent can be, but is not limited to: "electronic scans of signed parental consent forms; video-conferencing; use of government-issued identification; and alternative payment systems, such as debit cards and electronic payment systems, provided they meet certain criteria."

When I attempted to put the tablet back into "Mommy Mode" today, I was greeted by this scare tactic.  Still half asleep, it was a bit concerning.  If this doesn't look like ransomware, I don't know what does.



In order to get out of Nabi Mode, I have to engage in their choice of verifiable parental consent, immediately.  50 cents isn't a lot, even across all three tablets we have, but what are they doing with the money?  Microsoft donates it to the National Center for Missing and Exploited Children.  Nabi doesn't have the information easily available.  I don't care to spend any more time looking, so I don't know.  And why today?

The quick solution for today was to just reboot the tablet, and it came back up in "Mommy Mode."   I get why they're doing it, but the way they chose to do this, on a completely random Sunday morning months after I bought the tablet left a really bad taste in my mouth.  So I'm choosing to not participate.  If Nabi's insistence becomes a problem, I'll just root the tablet.

Wednesday, October 19, 2016

Network Time Protocol (NTP)

A very important but sometimes overlooked technology in networking is NTP.  NTP is used for clock synchronization between hosts on a packet-switched network such as the Internet. It was first designed by Dr. David L. Mills of the University of Delaware in 1985.  The current protocol is NTPv4, which is described in RFC 5905.  Version 4 is backwards compatible with version 3, described in RFC 1305.  I've written about NTP before, in a post on setting up an NTP server on the NetBSD operating system.

Based on Marzullo's Algorithm, NTP is able to synchronize time to within tens of milliseconds across the Internet and to within 1 millisecond under ideal LAN conditions. The protocol typically utilizes UDP port 123 to send and receive timestamps; however, the specification also allows for broadcast and multicast communication between hosts.  The protocol calls for a warning of any impending leap second adjustments, but does not take into account any local time zone or daylight savings time information.

In addition to the standard NTP protocol, there is a smaller and less complex protocol, SNTP, which drops the storage of state over extended periods of time.  This is useful in smaller or embedded devices where highly accurate time is not required, but it is still desirable to have a reasonably accurate time.


NTP utilizes a hierarchical configuration of NTP Servers.  Each layer is called a stratum and assigned a number starting with zero. Stratum 0 hosts are highly precise devices such as atomic clocks or GPS Satellites.  Stratum zero devices are also referred to as reference clocks.  Devices that are synchronized to Stratum 0 devices are called Stratum 1, or primary time servers.  Note that the connection between Stratum 0 and Stratum 1 devices is typically a dedicated link and therefore NTP is not actually used in those synchronizations.  Devices that are synchronized to Stratum 1 devices are called Stratum 2 devices and so on. The specification of NTP has an upper limit of Stratum 15, with Stratum 16 indicating that the device's clock is unsynchronized.  The plural of stratum is strata.
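To make the stratum and timestamp discussion concrete, here is an added example (not code from the original post, and not the reference implementation) that builds an NTPv4 client request, parses a server reply using the 48-byte header layout from RFC 5905, classifies the reply by stratum and leap indicator, and computes the clock offset and round-trip delay from the four timestamps. All packets are constructed in memory, so it runs offline; the addresses, reference IDs and clock values are made up for the demonstration.

```python
"""NTPv4 on the wire: build a client request, parse a server reply, and
compute clock offset and round-trip delay from the four timestamps.

Added example, not code from the original post. All packets here are
constructed in memory, so it runs offline; the field layout follows the
48-byte header described in RFC 5905.
"""
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
# flags, stratum, poll, precision, root delay, root dispersion, reference id,
# then the reference / origin / receive / transmit timestamps (64-bit each)
HEADER = "!BBBbII4sQQQQ"
HEADER_LEN = struct.calcsize(HEADER)  # 48 bytes


def to_ntp(unix_seconds: float) -> int:
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | (frac & 0xFFFFFFFF)


def from_ntp(ts: int):
    """64-bit NTP timestamp -> Unix float seconds; 0 means 'unset' per RFC 5905."""
    if ts == 0:
        return None
    return (ts >> 32) - NTP_UNIX_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(t1_unix: float) -> bytes:
    """Mode 3 (client) packet: only LI/VN/mode and the transmit timestamp matter."""
    flags = (0 << 6) | (4 << 3) | 3  # LI=0, VN=4, mode=3
    return struct.pack(HEADER, flags, 0, 0, 0, 0, 0, b"\x00" * 4, 0, 0, 0, to_ntp(t1_unix))


def build_server_reply(request: bytes, stratum: int, refid: bytes,
                       t2_unix: float, t3_unix: float, li: int = 0) -> bytes:
    """Mode 4 (server) reply that echoes the client's transmit time as the origin."""
    origin_ts = struct.unpack(HEADER, request[:HEADER_LEN])[10]
    flags = (li << 6) | (4 << 3) | 4
    return struct.pack(HEADER, flags, stratum, 6, -20, 0, 0, refid.ljust(4, b"\x00")[:4],
                       to_ntp(t2_unix), origin_ts, to_ntp(t2_unix), to_ntp(t3_unix))


def parse_packet(data: bytes) -> dict:
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    f = struct.unpack(HEADER, data[:HEADER_LEN])
    stratum, refid_raw = f[1], f[6]
    # Reference ID is ASCII for stratum 0 (kiss-o'-death code) and stratum 1
    # (clock type such as GPS); for stratum 2..15 it is the upstream IPv4 address.
    if stratum <= 1:
        refid = refid_raw.rstrip(b"\x00").decode("ascii", "replace")
    else:
        refid = ".".join(str(b) for b in refid_raw)
    return {
        "li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": stratum, "poll": f[2], "precision": f[3], "refid": refid,
        "reference": from_ntp(f[7]), "origin": from_ntp(f[8]),
        "receive": from_ntp(f[9]), "transmit": from_ntp(f[10]),
    }


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire calculation: theta (offset) and delta (round-trip delay)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def evaluate_reply(reply: bytes, t1_unix: float, t4_unix: float) -> dict:
    """Classify a reply the way a client must before trusting it."""
    p = parse_packet(reply)
    if p["mode"] != 4:
        status = "ignored: not a server reply (mode %d)" % p["mode"]
    elif p["origin"] is None or abs(p["origin"] - t1_unix) > 1e-3:
        status = "ignored: origin timestamp does not match our request"  # bogus or replayed
    elif p["li"] == 3 or p["stratum"] == 0:
        # An unsynchronized server answers with LI=3 and stratum 0; a stratum-0
        # reply carries a kiss-o'-death code (e.g. RATE) in the reference id.
        status = "unusable: server unsynchronized or kiss-o'-death code %r" % p["refid"]
    elif p["stratum"] > 15:
        status = "unusable: invalid stratum %d" % p["stratum"]
    else:
        status = "usable: stratum %d, reference %s" % (p["stratum"], p["refid"])
    offset = delay = None
    if p["receive"] is not None and p["transmit"] is not None:
        offset, delay = clock_offset_and_delay(t1_unix, p["receive"], p["transmit"], t4_unix)
    return {"status": status, "offset": offset, "delay": delay, "stratum": p["stratum"]}


if __name__ == "__main__":
    t1 = 1476900000.0  # constructed: client clock when the request left
    req = build_client_request(t1)
    # constructed: server clock runs 0.5 s ahead of the client, one-way delay 0.1 s
    reply = build_server_reply(req, 2, bytes([192, 168, 10, 254]), t1 + 0.6, t1 + 0.7)
    print(evaluate_reply(reply, t1, t1 + 0.3))
```

The origin-timestamp check is the detail most hand-rolled clients forget: a reply whose origin field does not echo the request's transmit time was not an answer to that request and must be discarded, which is what stops a stale or replayed packet from steering the clock.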

The Official Reference Implementation of NTP is available at ntp.org, where it has been since its inception.  The current release is ntp-4.2.8p8 and was released on June 2, 2016.  The well-being of ntp.org has been written about recently, as it appears a single developer is/was primarily holding down the fort.  Is there any update to this story?

In addition to the Official Reference Implementation, ntp.org also hosts the NTP Pool Project, where publicly available NTP servers are listed for use.  Official information about this project is at www.pool.ntp.org.  To use this pool, you simply point your devices at region-specific FQDNs for pools of NTP servers. Changes to the list of available servers happen in the background, so you're never more than a DNS timeout away from getting a valid IP address for an NTP server.  For example, in the US, you can use one or more of the following 4 FQDNs as your NTP servers.

  •  0.us.pool.ntp.org
  •  1.us.pool.ntp.org
  •  2.us.pool.ntp.org
  •  3.us.pool.ntp.org

Another implementation of NTP is the OpenNTPD project, which is developed by the OpenBSD team. As with all projects under the OpenBSD umbrella, OpenNTPD is designed to be secure, easy to configure, and accurate.  The stated intent is to "[r]each a reasonable accuracy" without sacrificing "secure design for getting that last nanosecond or obscure edge case."  It is portable, and able to be used in systems that are not OpenBSD based as well.  It does not maintain the level of accuracy of the Reference Implementation, but not every clock needs to be accurate to that level.

One more common NTP implementation is the Windows Time Service, specifically that on Active Directory domain controllers.  The W32Time service was originally implemented for the purpose of keeping time accurate enough for Kerberos authentication, hence its shortcomings.  Windows XP and earlier only implement SNTP, while Server 2003 and later (which I would assume includes XP 64-bit, as it is based on the same kernel revision as Server 2003) use a fully compliant NTP protocol. However, even with Server 2003 and up, w32time cannot keep time better than a 1 to 2 second accuracy. If you require better, Microsoft says to use a different NTP implementation.

So why is accurate time so important on networks?  There are a few notable reasons.  I have 3 right now and I'm sure you can come up with a few more if you give it some thought.

1. Log synchronization across multiple devices. Consolidated syslog servers collect log messages from multiple devices. If a security professional is tracking the progression of an event on the network, it will be completely impossible to gain the complete picture if the clocks of all involved devices are not accurate. Whatever that security professional discovers may also not be admissible in court if inaccurate time raises enough doubt as to the validity of their claims.  This applies to all the devices whose logs are being sent to the central syslog server, not just "most devices are accurate."  If you care about a device enough to keep its logs, you should care enough to have accurate timestamps so those logs are usable.

2. Single Sign-on Authentication.  Active Directory users should know that the clock on your host workstation must be within 5 minutes of the clock on the domain controller that the workstation is utilizing for authentication.  This is because accurate time is one of the security checks done by the Kerberos protocol, which is at the heart of Active Directory authentication.  Kerberos is an open protocol, and is used for authentication in a number of other systems.

3. Certificate validation.  A certificate is considered valid only if the current time falls within the range specified within the certificate. A while back a coworker sent me a text showing how every website he attempted to reach gave an invalid certificate error.  The first thing I thought of was the system clock, and that ended up being the problem.  While annoying, this is still manageable on a PC where you can tell the browser to accept the seemingly invalid certificate.  But automated processes on network devices do not have such luxury and those processes will simply fail.
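The three reasons above, shown in one added example (not code from the original post): constructed syslog lines from three devices, one of which was never pointed at an NTP server, are ordered first by their raw timestamps and then after applying a measured per-device clock offset, which changes the sequence of events an analyst would reconstruct. Two small checks model the Kerberos skew tolerance and the certificate validity window. The device names, messages and offsets are all made up.

```python
"""Why device clocks matter to a security team: correlating logs from
devices with skewed clocks, and the time checks Kerberos and X.509 apply.

Added example, not code from the original post. The syslog lines, device
names and clock offsets below are constructed to illustrate the point.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (.+)$")

# constructed: "<device> <device's own timestamp> <message>"
RAW_LOGS = [
    "fw01 2016-10-19T14:02:05 deny tcp 10.1.1.7:51522 -> 203.0.113.9:445",
    "sw01 2016-10-19T14:00:10 Gi0/7 up, new MAC 0011.2233.4455 on VLAN 10",
    "dc01 2016-10-19T14:01:40 Kerberos pre-auth failed for jdoe (clock skew)",
    "fw01 2016-10-19T14:02:20 permit tcp 10.1.1.7:51523 -> 198.51.100.4:443",
]

# constructed: measured offset of each device clock from true time, in seconds
# (device clock minus reference). sw01 was never configured for NTP and runs
# two minutes slow; the other two are synchronized.
CLOCK_OFFSET = {"fw01": 0, "sw01": -120, "dc01": 0}


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def parse_line(line: str):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable log line: %r" % line)
    device, stamp, msg = m.groups()
    return device, parse_ts(stamp), msg


def build_timeline(lines, offsets=None):
    """Sort events by time. Without offsets you get the raw order, which is
    only meaningful if every clock is accurate; with offsets, each device's
    timestamp is corrected to reference time first (true = device - offset)."""
    events = []
    for line in lines:
        device, ts, msg = parse_line(line)
        if offsets is not None:
            ts -= timedelta(seconds=offsets.get(device, 0))
        events.append((ts, device, msg))
    return sorted(events)


def kerberos_skew_ok(client_time: datetime, kdc_time: datetime, max_skew_seconds: int = 300) -> bool:
    """Kerberos rejects requests whose timestamp differs from the KDC clock
    by more than the configured skew (5 minutes by default), in either direction."""
    return abs(client_time - kdc_time) <= timedelta(seconds=max_skew_seconds)


def certificate_time_valid(now: datetime, not_before: datetime, not_after: datetime) -> bool:
    """A certificate is valid only inside its [notBefore, notAfter] window,
    so a wrong local clock makes every certificate look invalid."""
    return not_before <= now <= not_after


if __name__ == "__main__":
    print("raw order (trusting each device's clock):")
    for ts, dev, msg in build_timeline(RAW_LOGS):
        print("  %s %-5s %s" % (ts, dev, msg))
    print("corrected order (after applying measured offsets):")
    for ts, dev, msg in build_timeline(RAW_LOGS, CLOCK_OFFSET):
        print("  %s %-5s %s" % (ts, dev, msg))
```

In the raw view the switch port appears to come up two minutes before the firewall denies anything; once the switch's slow clock is corrected, the port actually came up after the first deny, which is a different story for an analyst. In practice you rarely have a measured offset for an unsynchronized device, which is why the fix is NTP on every device rather than post-hoc correction.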

Configuring NTP on Cisco IOS devices

Configuring NTP on an IOS device is a straightforward operation, consisting of three steps.  First, configure the time zone.  Next, configure NTP authentication (optional, but recommended).  And finally, configure the NTP server(s), referencing the authentication keys.  In this example, we'll configure NTP to synchronize to a local NTP server.

!
! Set the time zone, and optionally the daylight savings time settings
!
clock timezone EST -5
clock summer-time EDT recurring
!
! Configure authentication settings. Multiple keys may be used as
! necessary. A key only authenticates a server if it is also marked
! trusted, so every key referenced by an ntp server line needs a
! matching ntp trusted-key line.
!
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp authentication-key 2 md5 cisco456
ntp trusted-key 1
ntp trusted-key 2
!
! Specify the ntp server(s) to use, which key each one uses, and which
! one is preferred. Give each server its complete set of options on a
! single line rather than splitting them across two entries.
!
ntp server 192.168.10.254 key 1 prefer
ntp server 192.168.10.253 key 2


Configuring NTP on Cisco ASA devices

Like many features, the configuration of NTP on Cisco ASA devices is very similar to that of Cisco IOS devices. But like many features, there are a few slight differences.

!
! Set the time zone, and optionally the daylight savings time settings
!
clock timezone EST -5
clock summer-time EDT recurring
!
! Specify the ntp server(s) to use and authentication details
!
ntp server 192.168.10.254 key 1 source inside prefer
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp trusted-key 1

Verifying NTP on Cisco IOS and ASA devices

Now we'll use a couple of simple commands to verify the operation of NTP:

show ntp associations [detail]
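When you have more than a handful of devices, eyeballing that output gets old. The following added example (not code from the original post, and not a Cisco tool) parses a constructed "show ntp associations" capture in the IOS column layout and flags the conditions that mean a device is not actually synchronized: no system peer selected, a peer stuck at stratum 16, a reach register that is not 377, or a peer marked as a falseticker. The addresses and values in SAMPLE_OUTPUT are made up; the column regex is an assumption about the layout and may need adjusting for other platforms.

```python
"""Check "show ntp associations" output for the conditions that mean a
device is not really synchronized.

Added example, not code from the original post. SAMPLE_OUTPUT is a
constructed capture in the IOS column layout; PEER_RE assumes that
layout and may need adjusting for other platforms.
"""
import re

SAMPLE_OUTPUT = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.254  .GPS.            1     12     64   377  0.312   -0.102   0.456
 ~192.168.10.253  192.168.10.254   2     45     64   177  0.401    0.233   0.678
 ~192.168.10.252  .INIT.          16      -     64     0  0.000    0.000  16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Leading flag characters, then the peer address and the fixed columns.
PEER_RE = re.compile(
    r"^(?P<flags>[*#+\-x~ ]*)(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<refclock>\S+)\s+(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]+)\s+(?P<delay>\S+)\s+(?P<offset>\S+)\s+(?P<disp>\S+)\s*$"
)


def parse_associations(text: str):
    """Return one dict per peer line; header and legend lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        peers.append({
            "address": m.group("address"),
            "refclock": m.group("refclock"),
            "stratum": int(m.group("st")),
            # reach is an octal shift register: one bit per poll, 377 = last 8 all answered
            "reach": int(m.group("reach"), 8),
            "delay_ms": float(m.group("delay")),
            "offset_ms": float(m.group("offset")),
            "configured": "~" in flags,
            "sys_peer": "*" in flags,
            "candidate": "+" in flags,
            "falseticker": "x" in flags,
        })
    return peers


def assess(peers, max_offset_ms: float = 100.0):
    """Return a list of findings; an empty list means NTP looks healthy."""
    findings = []
    if not any(p["sys_peer"] for p in peers):
        findings.append("no system peer selected: the local clock is free-running")
    for p in peers:
        if p["stratum"] >= 16:
            findings.append("%s: stratum 16, peer is unsynchronized" % p["address"])
        if p["reach"] != 0o377:
            missed = 8 - bin(p["reach"]).count("1")
            findings.append("%s: reach %s, %d of the last 8 polls got no reply"
                            % (p["address"], oct(p["reach"])[2:].rjust(3, "0"), missed))
        if p["falseticker"]:
            findings.append("%s: marked falseticker, its time disagrees with the majority"
                            % p["address"])
        if p["sys_peer"] and abs(p["offset_ms"]) > max_offset_ms:
            findings.append("%s: offset %.1f ms exceeds %.0f ms"
                            % (p["address"], p["offset_ms"], max_offset_ms))
    return findings


if __name__ == "__main__":
    found = assess(parse_associations(SAMPLE_OUTPUT))
    print("\n".join(found) if found else "NTP healthy")
```

A reach of 177 means one of the last eight polls went unanswered, which is often the first sign of an ACL or key mismatch on a newly configured server; a reach of 0 with stratum 16 and a .INIT. reference clock means the device has never heard from that server at all.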
And finally, for the few of you that require greater accuracy than NTP can provide, there is the Precision Time Protocol (PTP).  PTP offers accuracy in the sub-microsecond range, which makes it suitable for measurement and control systems. It was originally described in IEEE 1588-2002 and updated to version 2 in IEEE 1588-2008. According to the specs, "IEEE 1588 is designed to fill a niche not well served by either of the two dominant protocols, NTP and GPS. IEEE 1588 is designed for local systems requiring accuracies beyond those attainable using NTP. It is also designed for applications that cannot bear the cost of a GPS receiver at each node, or for which GPS signals are inaccessible."  PTP is available in higher-end Nexus switches and ASR routers, but not in the more common ISR and ISR2 series routers. Other PTP implementations can be found here.

Saturday, October 15, 2016

CCNA Exam Objectives Breakdown

A recent post in the CCNA Facebook Group was a quiz hosted at TechTarget titled "Cisco CCNA Exam: Are You Ready?"  The quiz was written by Chris Partsenidis, the founder and senior editor of the great Firewall.cx website.  I took the quiz and did well, as I expected to, and was actually surprised by the quality of the questions, although I shouldn't have been considering the author.  Articles like this usually ask simple things like "1. What port does DNS operate on?"

Saturday, October 8, 2016

CCNA Question of the Week 4

This week, we had an open-ended question that covers a lot of areas.  This is a take on a question that was asked during the phone screening for my first I.T. job.  As with all questions in this series, do not make assumptions, and do not answer a question that was not asked. Just answer the question as completely as your knowledge allows.

Your computer was just started and you just logged in and then loaded your favorite web browser.  No other actions have been taken on this computer and no other programs have been launched.  You type www.yahoo.com into the URL bar of the browser and press Enter.  Between now and when the page finishes loading, describe everything that happens in order for that page to load.


Saturday, October 1, 2016

Filtered DNS

I've talked about DNS security in the past.  This is becoming a bigger deal as time goes on, as more and more malware finds new and creative ways of exploiting DNS to deliver or execute its payload.  Whether it's DNS hijacking to force your browser to visit pages you really don't want to visit, or embedding command and control messages within what appear to be legitimate DNS packets, we need to pay close attention to DNS within our networks.