Progress Update – 15 August

August 15, 2008

Finally back and blogging! Things have been a little busy lately and I haven’t had much time to post. Since my last post I have totally changed my approach to studying for the CCIE written exam. Instead of spending hours upon hours working on my study notes and covering topics I know well, I’ve decided that I will first work through the OECG quickly, and complete it by the end of August. I will then start working through each chapter in more detail.

The logic behind this is to have a better feel for the overall exam and how far I still have to go. That way I know which technologies I need to really focus on and which I am comfortable with. So far I have read up to the end of Chapter 12, as well as the BGP chapters in OECG 2nd Edition. This weekend I will start with congestion management and avoidance.

I'm looking forward to the rest of QoS, as it's one of my favorite topics and I racked up lots of lab time earlier this year when attempting the QoS exam. Glad I forced myself to get through some of the more tricky configurations such as FRTS back then; hopefully I'll be able to get through the last two QoS chapters fairly quickly. Once I've completed them, I really have Multicast and IPv6 left… Security, MPLS and Frame Relay are topics that I am fairly comfortable with. Additionally, while working through the IGP chapters I brushed up on my Frame Relay knowledge and watched the CBT Nuggets CCIE Frame Relay videos. Don't you guys just love Frame Relay networks?

I have not updated my schedule yet; once I have completed the book at the end of August I will set a new schedule. I truly believe that I will get my written exam completed long before the end of this year. I can really see how studying for my CCNP and CCIP certifications and becoming comfortable with those topics has made my CCIE preparation so much easier. I would really advise that anyone wanting to get their CCIE (R&S) first does their CCIP. The topics covered, mainly BGP, QoS and MPLS, are large topics on the CCIE written and lab exams, and the more experience you can get with them the better.

I'm definitely left feeling more optimistic than ever about my CCIE. I've worked through the first half of the OECG and there have been no real surprises. I'm hoping that Multicast isn't insanely complex and that my CCNP-level knowledge will have at least covered the basics.

A bit random, but I thought that some of you in the SP environment might be interested in a feature I came across earlier this week: hidden deep within the ES20 Configuration Guide you will find the rather interesting technology of EVC.

Just to give you a hint of what is possible with EVC, take a look at the example below, straight from the ES20 configuration guide…

Double Tag VLAN Connect

In this example, an incoming frame with an outer dot1q tag of 10 and inner tag of 20 enters TenGigabitEthernet1/0/1. It is index directed to TenGigabitEthernet1/0/2 and exits with an outer dot1q tag of 11 and inner tag of 21. No MAC learning is involved.

! DSLAM facing port
Router(config)# interface TenGigabitEthernet1/0/1
Router(config-if)# service instance 100 ethernet
Router(config-if-srv)# encapsulation dot1q 10 second-dot1q 20
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! L2 facing port
Router(config)# interface TenGigabitEthernet1/0/2
Router(config-if)# service instance 101 ethernet
Router(config-if-srv)# encapsulation dot1q 11 second-dot1q 21
Router(config-if-srv)# rewrite ingress tag pop 2 symmetric
! connect service
Router# connect EVC1 TenGigabitEthernet1/0/1 100 TenGigabitEthernet1/0/2 101

To learn more please visit http://www.cisco.com/univercd/cc/td/doc/product/core/cis7600/es20lc/baldcfg.htm

Progress Update – 4 August

August 4, 2008

A sprint within a marathon…

This weekend I decided to stop taking notes in my summary guide and just read ahead a bit in the OECG. I wanted to get a feel for the rest of the book, so I read up to the end of Chapter 9 (OSPF). If anything this just highlighted how important my summary guide will be; there are lots of little details and nuances, some of which are not even covered. Thus for the routing portion of the book (Chapters 6-11) I will be using my BSCI books and Cisco BSCI & BGP courseware, along with the OECG. Of all the routing protocols covered, I believe OSPF will be the most challenging. EIGRP is fairly straightforward even in NBMA networks, and I wrote my BGP exam earlier this year, so it shouldn't be hard to cover that quite quickly.

Tonight I'll be working on my Chapter 5 (IP Services) notes, covering topics such as HSRP, GLBP, VRRP, DHCP, NTP and more. So far I'm way ahead of my CCIE written schedule, but I'm sure this will soon change as I spend more lab time on the switching topics, not to mention all of the routing topics that I could lab up.

Cisco takes steps to combat cheating

August 2, 2008

In a recent eight month test period Cisco has discovered that 1 in every 200 exams monitored was taken by a proxy, and not the actual enrollee…

Yesterday Cisco officially launched a number of new security enhancements to its exams, including:

  • Photo on Score Report and Web – On completion of a certification exam at the test center, candidates will receive preliminary score reports imprinted with their photos and unique authentication codes. The authentication code can be used to access a candidate’s official score online at Pearson VUE’s website usually within 72 hours of the examination. The online score report will also display the candidate’s photo. Candidates may share access to their online records with employers or other third parties.
  • Forensic Analysis – Exam results and other testing data will be continuously analyzed by forensic software to detect aberrant testing behavior and to flag suspect exams for further investigation. When problems are identified with the validity of a test result, the candidate’s score will be invalidated. Depending on the exact issue with the flagged exam, further consequences may range from having to retake the exam to the imposition of a one-year or lifetime testing ban.

I must say that I'm really excited about all of these new enhancements; for a long time now I've felt that my certifications were being devalued by the many braindumpers out there. Finally it appears that things are changing and that hard work, experience and integrity will matter again. Personally there are two more enhancements I would like to see though, and they relate to exam content and the style of questioning. I believe that the best way to combat braindumpers, in addition to the new enhancements, would be to make the following changes to the current exams:

  • Large pool of questions – Have a pool of several hundred questions; they don't all have to be totally different, but some of the variables need to be changed. (E.g. "What would ‘ip access-group FILTER-FTP in’ accomplish in a given scenario?" and "What would ACL ‘ip access-group FILTER-FTP out’ accomplish?" are two very different questions and would help prevent individuals from just memorizing questions and answers.)
  • More simulations – Testing a candidate's knowledge of the related theory is definitely important, but more scenario-based questioning (essentially applied theory questions) might prove a better way of testing a candidate's knowledge. (E.g. ‘In the above scenario Switch-A has been selected as the Root Bridge, even though Switch-B has a lower MAC address. How did the network engineer accomplish this?’)

If you would like to read more about these new enhancements and the results of Cisco's recent trials, take a look at this great article from the Boston Globe:

http://www.boston.com/business/articles/2008/07/22/study_confirms_widespread_cheating_on_job_exams/

Is your RAM chained to your servers?

August 1, 2008

Today I came across a rather interesting post regarding plain text passwords and their presence in Linux memory…

Sherri Davidoff over at www.philosecurity.org describes how she was able to recover various passwords from Linux memory; these included the Linux root password, as well as email, IM, SSH and TrueCrypt passwords. After reading this I decided to see if I could achieve similar results. Using nothing but pcat (part of The Coroner's Toolkit), dd and ghex, I was able to recover various passwords, including root, SSH, email and MSN (using the Pidgin MSN client) passwords.

To recover an SSH password, I used the following test procedure…

1) Boot Linux Fedora 9 system

2) SSH into remote system

3) Execute the dd command to dump memory to a file:

[root@plutolin bin]# dd if=/dev/mem of=/home/user1/Desktop/tct/tct-1.18/bin/mem.bin bs=1024

I found that using the exact same technique I was able to recover root passwords that had recently been entered after using the su command. Below is a screenshot of a recovered root password ‘rootpass’.

What makes this alarming is some research that has recently come out of Princeton’s Center for Information Technology Policy, in which it was discovered that data stored on DRAM could actually be accessed after a system has been powered down and the DRAM removed from the motherboard. This research shows that “data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system”.

In fact, if DRAM chips are cooled to -50°C data can be retained on the chips for tens of minutes if not more. When cooled down to -196°C it was observed that chips retained data for hours, without any appreciable data loss.
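The passwords above were recoverable because the programs handling them left the cleartext sitting in RAM. As an added example (not code from the post or from any of the tools it mentions), here is a naive password check that keeps the plaintext in its working buffer next to a hardened version that pins the buffer out of swap and scrubs it before returning; the search function mimics what dd plus a hex editor found. EXPECTED_PASSWORD, the buffer sizes and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define EXPECTED_PASSWORD "rootpass"  /* constructed test value, reusing the post's example */

/* Zeroing through a volatile pointer so the compiler cannot drop it as a dead store. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Mimics the dump search the post did with dd + ghex: 1 if secret occurs anywhere in buf. */
int secret_in_buffer(const unsigned char *buf, size_t len, const char *secret)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Naive: copies the password into a working buffer and never clears it afterwards. */
int authenticate_naive(unsigned char *work, size_t worklen, const char *password)
{
    snprintf((char *)work, worklen, "%s", password);
    return strcmp((char *)work, EXPECTED_PASSWORD) == 0;
}

/* Hardened: mlock keeps the page out of swap (best effort; may fail without privilege)
 * and the buffer is scrubbed before returning. This shortens the exposure window but
 * cannot defeat a cold-boot read taken while the secret is actually in use. */
int authenticate_scrubbed(unsigned char *work, size_t worklen, const char *password)
{
    int locked = (mlock(work, worklen) == 0);
    snprintf((char *)work, worklen, "%s", password);
    int ok = strcmp((char *)work, EXPECTED_PASSWORD) == 0;
    secure_zero(work, worklen);
    if (locked)
        munlock(work, worklen);
    return ok;
}

/* Each runs one path on a static buffer and reports whether the cleartext survived. */
int naive_leaves_secret(void) { static unsigned char w[64]; authenticate_naive(w, sizeof w, EXPECTED_PASSWORD); return secret_in_buffer(w, sizeof w, EXPECTED_PASSWORD); }
int scrubbed_leaves_secret(void) { static unsigned char w[64]; authenticate_scrubbed(w, sizeof w, EXPECTED_PASSWORD); return secret_in_buffer(w, sizeof w, EXPECTED_PASSWORD); }
```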

To read Sherri’s post please visit http://philosecurity.org/research/cleartext-passwords-linux

For more Information on ‘Cold Boot Attacks’ and how data can be recovered from DRAM after power has been removed visit http://citp.princeton.edu/memory/