Since November 17, 2011, the Cisco Certified Security Professional (CCSP) certification has been retired and will not be offered anymore by Cisco. People who are already certified (like myself) as CCSP professionals will keep their certification until it expires within the usual 3-year period that Cisco certifications last.
For example, looking at my certification progress here, I have been certified as CCSP since 7/25/03 and I have been renewing my certification since then. It will expire on 2/25/14 and after that I will lose this certification because Cisco decided out of the blue to just retire CCSP. This really sucks. I remember taking 4 exams to earn CCSP in the first place, and then taking 3 more exams over the years to renew it. And now what? In 2014 I will not have a certification anymore?
Cisco states that if you are still interested in a professional level security certification, you must pursue the new CCNP Security certification. Also, those professionals who are already CCSP certified may be eligible to receive credit towards some of the exams of the new CCNP Security certification. Basically, people who have just recently taken the newest CCSP exams (like 642-617 FIREWALL v1.0, 642-627 IPS 7.0, 642-637 SECURE v1.0, 642-647 VPN v1.0) are given credit towards all the CCNP Security exams and thus they don’t need to take other exams. HOWEVER, people who took older exams (like myself) and got certified, we are in BAD LUCK. Basically from all the exams I have taken, only one can be used towards the new CCNP Security and therefore I have to take 3 more exams to become CCNP Security certified. With a full time job, a family and two kids, it will be a real struggle for me. More info about Retired CCSP here.
The IETF proposed an updated Internet Key Exchange (IKE) protocol, called IKEv2, which simplifies and improves the legacy IKE protocol (IKEv1). Cisco ASA introduced support for IPSEC IKEv2 in software version 8.4(1) and later. In this ASA version, IKEv2 was added to support IPsec IKEv2 connections for AnyConnect and LAN-to-LAN VPN implementations. Of course, legacy IKEv1 is still supported and is widely used in almost all VPN configurations up to now.
In this article I will show the differences between the commands used in ASA versions prior to 8.4(1) and the commands used in versions 8.4(1) and later.
ASA version prior to 8.4(1)
Let’s start with a basic IPSEC Lan-to-Lan VPN configuration for ASA versions prior to 8.4(1). Note that the following are just a part of the commands required for successful Lan-to-Lan VPN. The following are the commands which have some differences with the commands used in version 8.4(1) and later.
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *****
ASA version 8.4(1) and later
Now let’s see how the IPSEC Lan-to-Lan VPN commands are changed in ASA version 8.4(1) and later. The changed commands are the ones that now include the ikev1 keyword:
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 ikev1 pre-shared-key *****
The table below shows a side-by-side comparison of commands for even older ASA versions. The leftmost column shows commands for ASA versions lower than 7.2(1). The middle column shows the commands in versions higher than 7.2(1) and lower than 8.4(1). The right column shows the commands from 8.4(1) and higher.
Table with Cisco ASA versions and command differences regarding Site-to-Site IPSEC VPN commands:
| ASA version < 7.2(1) | 7.2(1) < ASA version < 8.4(1) | ASA version > 8.4(1) |
| --- | --- | --- |
| isakmp policy [policy #] | crypto isakmp policy [policy #] | crypto ikev1 policy [policy #] |
| isakmp enable [interface-name] | crypto isakmp enable [interface-name] | crypto ikev1 enable [interface-name] |
| isakmp identity address | crypto isakmp identity address | crypto isakmp identity address |
| crypto ipsec transform-set | crypto ipsec transform-set | crypto ipsec ikev1 transform-set |
| tunnel-group name ipsec-attributes pre-shared-key xxxxxxx | tunnel-group name ipsec-attributes pre-shared-key xxxxxxx | tunnel-group name ipsec-attributes ikev1 pre-shared-key xxxxxxx |
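
The renames in the table can be applied mechanically when reviewing a configuration written for an older release. The following Python script is an added example, not code from the original article or from Cisco; the function name `migrate` and the sample input are constructed for illustration, and the rules cover only the commands listed in the table.

```python
import re

# Rewrite rules taken from the command comparison table above:
# (pattern matching the legacy syntax, replacement in 8.4(1)+ syntax).
RULES = [
    (re.compile(r"^(\s*)(?:crypto )?isakmp (policy|enable) "), r"\1crypto ikev1 \2 "),
    (re.compile(r"^(\s*)crypto ipsec transform-set "), r"\1crypto ipsec ikev1 transform-set "),
    (re.compile(r"^(\s*crypto map \S+ \d+ set )transform-set "), r"\1ikev1 transform-set "),
]
PSK = re.compile(r"^(\s*)pre-shared-key ")
IPSEC_ATTR = re.compile(r"^tunnel-group \S+ ipsec-attributes\s*$")


def migrate(config: str):
    """Return (new_config, changes); changes is a list of (line_no, old, new)."""
    out, changes, in_ipsec_attr = [], [], False
    for no, line in enumerate(config.splitlines(), 1):
        new = line
        if not line.startswith(" "):
            # A top-level command ends any tunnel-group sub-mode.
            in_ipsec_attr = bool(IPSEC_ATTR.match(line))
        elif in_ipsec_attr:
            # pre-shared-key only gains the ikev1 prefix inside ipsec-attributes.
            new = PSK.sub(r"\1ikev1 pre-shared-key ", line)
        for pattern, repl in RULES:
            new = pattern.sub(repl, new)
        if new != line:
            changes.append((no, line.strip(), new.strip()))
        out.append(new)
    return "\n".join(out), changes


# Constructed sample: part of the pre-8.4(1) configuration shown on this page.
LEGACY = """\
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *****
"""

if __name__ == "__main__":
    converted, changes = migrate(LEGACY)
    for no, old, new in changes:
        print(f"line {no}: {old!r} -> {new!r}")
```

Running `migrate` on its own output reports no changes, so it can also be used to confirm that a configuration already uses the 8.4(1) syntax.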
Of the three most popular CompTIA exams (A+, Network+ and Security+) SY0-301 is in my mind the most difficult of the three.
While I have heard that some people feel that is an unfair position for CompTIA to take, I look at it this way. As a security professional, you have to be right all the time. The bad guys only have to be right once.
CompTIA does not hide that this exam is on a higher bar than the other two. “Recommended experience CompTIA Network+ certification and two years of technical networking experience, with an emphasis on security.”
Certainly, you will need a good training provider before you try to attempt this exam. Also, solid experience in network and information security is a must. In this particular course, even if you are experienced, I would pay particular attention to the cryptology and PKI topics. Questions around these topics in SY0-301 can really make your head hurt.
For some, these chapters really behold the best examples of video training. Let’s face it, PKI stuff can really twist a novice’s head. This way, you get to play it over and over until you get it.
While the courseware in trainsignal is pretty much 12 hours in length, plan on spending more than that in your studies. As I said, it’s a difficult exam. However, with the excellent video work from Lisa Szpunar in conjunction with getting a Transcender exam practice simulator, and some solid study time from you, you’re golden.
Exam Details:
Length of test: 90 minutes
Passing score: 750 (on a scale of 100-900)
Languages: English, Korean
Coming soon: German, Japanese
Of all of CompTIA certifications, Project+ on the surface looks like the odd duck. That is because most of the CompTIA certifications deal with bits and bytes, speeds and feeds in one way or another around computers.
CTT+ (Certified Technical Trainer) and Project+ don’t seem to fit this mold. At least at first glance. And they do. The two certifications are in fact technical in nature.
And they come with acronyms (jargon) that are completely alien to a computer geek. Terms such as Work Breakdown Structure (WBS), Gantt chart, and Stakeholder leave the geek wondering what planet they landed on.
A lot of this terminology comes from the Professional Management Inst. (PMI). PMI certification is quite expensive and takes years to accomplish. This makes CompTIA Project+ a good entry-level certification for those wishing to show their moxie in project management.
While I have not personally met trainsignal.com video host Bill Kulterman, I can say he has done a great job in laying out Project Management, even for those who are not necessarily going to take the CompTIA Project+ certification.
Perhaps it is due to all the relatively alien jargon, and generally speaking, the assessment is that Project+ is a difficult exam. Fortunately, trainsignal.com includes a Transcender exam simulation so you will not find any surprises when you go spend your hard-earned dollars to prove you have some clue about project management.
Video time: (10 Hours, 35 Minutes, 30 Seconds) of CompTIA Project+ Training Videos Jam Packed on 2 DVDs!
Number of questions: 100
Length of test: 90 minutes
Passing score: 710 (on a scale of 100-900)
Languages: English, Japanese, Korean
Recommended experience: One year of managing, directing or participating in small- to medium-scale projects
Exam codes: PK0-003



