Wednesday, January 11, 2012

Vulnerabilities

To understand the techniques for securing a computer system, it is important to first understand the various types of "attacks" that can be made against it. These threats can typically be classified into one of the following seven categories:

Exploits

An exploit (from the same word in French, meaning "achievement" or "accomplishment") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a software "bug" or "glitch" in order to cause unintended or unanticipated behavior on computer software, hardware, or something electronic (usually computerized). This frequently includes gaining control of a computer system, escalating privileges, or mounting a denial-of-service attack. Many development methodologies rely on testing to ensure the quality of released code; this process often fails to discover unusual potential exploits. The term "exploit" generally refers to a small program designed to take advantage of a software flaw that has been discovered, whether remotely or locally exploitable. Code from exploit programs is frequently reused in trojan horses and computer viruses. In some cases, a vulnerability lies in a program's processing of a specific file type, such as a non-executable media file. Some security web sites maintain lists of currently known unpatched vulnerabilities in common programs.

Eavesdropping

Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network. Even machines that operate as a closed system (i.e., with no contact with the outside world) can be eavesdropped upon by monitoring the faint electromagnetic emanations generated by the hardware; this is the class of leakage addressed by TEMPEST. The FBI's proposed Carnivore program was intended to act as a system of eavesdropping protocols built into the systems of internet service providers.

Social engineering and human error

A computer system is no more secure than the human systems responsible for its operation. Malicious individuals have regularly penetrated well-designed, secure computer systems by taking advantage of the carelessness of trusted individuals, or by deliberately deceiving them, for example by sending messages claiming to be from the system administrator and asking for passwords. This kind of deception is known as social engineering.

Denial-of-service attack

Unlike other exploits, denial-of-service attacks are not used to gain unauthorized access to or control of a system. They are instead designed to render it unusable. Attackers can deny service to individual victims, for example by deliberately entering a wrong password 3 consecutive times and thus causing the victim's account to be locked, or they may overload the capacity of a machine or network and block all users at once. These types of attack are, in practice, very hard to prevent, because the behavior of whole networks needs to be analyzed, not only the behavior of small pieces of code. Distributed denial-of-service (DDoS) attacks are common: a large number of compromised hosts (commonly referred to as "zombie computers", controlled as part of a botnet through, for example, a worm, trojan horse, or backdoor) are used to flood a target system with network requests, attempting to render it unusable through resource exhaustion. Another technique for exhausting a victim's resources is an attack amplifier, in which the attacker takes advantage of poorly designed protocols on third-party machines, such as FTP or DNS, to make those hosts launch the flood. There are also commonly found vulnerabilities in applications that cannot be used to take control of a computer, but merely make the target application malfunction or crash. This is known as a denial-of-service exploit.

Indirect attacks

An indirect attack is an attack launched from a third party's computer. By using someone else's computer to launch an attack, the attacker makes it far more difficult to track down who is actually responsible. There have also been cases where attackers took advantage of public anonymizing systems, such as the Tor onion router network.

Backdoors

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or it could be a modification to an existing program or hardware device. A specific form of backdoor is the rootkit, which replaces system binaries and/or hooks into the operating system's function calls to hide the presence of other programs, users, services and open ports. It may also fake information about disk and memory usage.

Direct access attacks

Image caption: Common consumer devices that can be used to transfer data surreptitiously.

Someone who has gained physical access to a computer can install any type of device to compromise security, including operating system modifications, software worms, key loggers, and covert listening devices. The attacker can also easily download large quantities of data onto backup media such as CD-R/DVD-R or tape, or onto portable devices such as USB key drives, digital cameras or digital audio players. Another common technique is to boot an operating system from a CD-ROM or other bootable medium and read the data from the hard drive(s) that way. The only way to defeat this is to encrypt the storage media and store the key separately from the system.

Reducing vulnerabilities

Computer code is regarded by some as a form of mathematics. It is theoretically possible to prove the correctness of certain classes of computer programs, though the feasibility of actually achieving this in large-scale practical systems is regarded as small by some with practical experience in the industry (see Bruce Schneier et al.).

It is also possible to protect messages in transit (i.e., communications) by means of cryptography. One method of encryption, the one-time pad, is unbreakable when correctly used. This method was used by the Soviet Union during the Cold War, though flaws in their implementation allowed some cryptanalysis (see the Venona Project). The method uses a matching pair of key pads, securely distributed, which are used once and only once to encode and decode a single message. For computer communications this method is difficult to use properly (securely), and highly inconvenient as well. Other methods of encryption, while breakable in theory, are often virtually impossible to break directly by any means publicly known today. Breaking them requires some non-cryptographic input, such as a stolen key, stolen plaintext (at either end of the transmission), or some other extra cryptanalytic information.
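The following is an added example, not code from the original page, showing why the "once and only once" rule is the whole security of a one-time pad: correct use is a byte-wise XOR with a fresh random pad, and reusing a pad for two messages (the implementation flaw that made Venona possible) lets an observer cancel the key and recover one message from a known fragment of the other. The message texts are constructed samples.

```python
import os


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with the matching pad byte.

    The pad must be at least as long as the message, truly random,
    and never used for a second message.
    """
    if len(key) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return otp_encrypt(ciphertext, key)


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. In a real deployment the pad is
    generated once and distributed securely to both ends in advance."""
    return os.urandom(length)


def xor_of_plaintexts(c1: bytes, c2: bytes) -> bytes:
    """What a passive observer learns when two messages share one pad:
    c1 XOR c2 == (p1 XOR k) XOR (p2 XOR k) == p1 XOR p2, because the
    identical pad bytes cancel. No key material is needed for this."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_with_crib(pxor: bytes, crib: bytes, offset: int) -> bytes:
    """Given p1 XOR p2 and a known fragment (a 'crib') of one plaintext
    at a known offset, the other plaintext's bytes at that offset fall out:
    (p1 XOR p2) XOR p1[offset:] == p2[offset:]."""
    segment = pxor[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))


def main() -> None:
    # Constructed sample messages; any two same-length-ish texts would do.
    p1 = b"MEETING MOVED TO TUESDAY"
    p2 = b"SEND THE REPORT TO BERLIN"

    # Correct use: a separate pad per message, round trip succeeds.
    pad1, pad2 = new_pad(64), new_pad(64)
    c1, c2 = otp_encrypt(p1, pad1), otp_encrypt(p2, pad2)
    assert otp_decrypt(c1, pad1) == p1 and otp_decrypt(c2, pad2) == p2
    # With distinct pads, c1 XOR c2 is just random bytes: a crib yields nothing.
    print("distinct pads, crib attempt:", recover_with_crib(xor_of_plaintexts(c1, c2), p1[:7], 0))

    # The Venona-style flaw: the same pad used twice.
    shared = new_pad(64)
    c1r, c2r = otp_encrypt(p1, shared), otp_encrypt(p2, shared)
    pxor = xor_of_plaintexts(c1r, c2r)
    # An observer who guesses the first word of message 1 reads message 2's start.
    print("shared pad, crib attempt:  ", recover_with_crib(pxor, p1[:7], 0))  # b'SEND TH'


if __name__ == "__main__":
    main()
```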

Social engineering and direct (physical) computer access attacks can only be prevented by non-computer means, which can be difficult to enforce in proportion to the sensitivity of the information. Even in a highly disciplined environment, such as a military organization, social engineering attacks can still be difficult to foresee and prevent.

In practice, only a small fraction of computer program code is mathematically proven, or even goes through comprehensive information technology audits or inexpensive but extremely valuable computer security audits, so it is usually possible for a determined attacker to read, copy, alter or destroy data even in well-secured computers, albeit at the cost of great time and resources. Few attackers would audit applications for vulnerabilities just to attack a single specific system. An attacker's chances can be reduced by keeping systems up to date, using a security scanner and/or hiring competent people responsible for security. The effects of data loss or damage can be reduced by careful backups and insurance.

Tuesday, January 10, 2012

Security

Although there are many aspects to take into consideration when designing a computer system, security can prove to be very important. According to Symantec, in 2010, 94 percent of organizations polled expected to implement security improvements to their computer systems, with 42 percent naming cyber security as their top risk.

At the same time as many organizations are improving security, many types of cyber criminals are finding ways to continue their activities. Almost every type of cyber attack is on the rise. In 2009, respondents to the CSI Computer Crime and Security Survey reported that malware infections, denial-of-service attacks, password sniffing, and web site defacements were significantly higher than in the previous two years.

Reasons

There are many similarities (yet many fundamental differences) between computer and physical security. Just as in real-world security, the motivations for breaches of computer security vary between attackers, sometimes called hackers or crackers. Some are thrill-seekers or vandals (the kind often responsible for defacing web sites); similarly, some web site defacements are done to make political statements. However, some attackers are highly skilled and motivated, with the goal of compromising computers for financial gain or espionage. An example of the latter is Markus Hess (more diligent than skilled), who spied for the KGB and was ultimately caught because of the efforts of Clifford Stoll, who wrote a memoir, The Cuckoo's Egg, about his experiences. For those seeking to prevent security breaches, the first step is usually to try to identify what might motivate an attack on the system, how much the continued operation and information security of the system are worth, and who might be motivated to breach it. The precautions required for a home personal computer are very different from those for a bank's Internet banking systems, and different again for a classified military network. Other computer security writers suggest that, since an attacker using a network need know nothing about you or what you have on your computer, attacker motivation is inherently impossible to determine beyond guessing. If true, blocking all possible attacks is the only plausible action to take.


Sunday, June 14, 2009

CCDE Blue prints written exam

CCDE is a Cisco Systems registered exam; ADVDESIGN is the qualifying exam for the Cisco Certified Design Expert (CCDE) certification. The ADVDESIGN exam tests a candidate's combined knowledge of routing protocols, internetworking theory and design principles. The exam assesses a candidate's understanding of network design in the areas of routing, tunneling, Quality of Service, management, cost, capacity, and security. It combines in-depth technical concepts with network design principles and is intended for a network professional with at least 5 years of experience in network engineering or advanced network design.

120 minutes

The following blueprint provides general guidelines for the content to be included on the ADVDESIGN beta exam.

Topic

  1. IP Routing

    1. Explain route aggregation concepts and techniques.
      1. Purpose of route aggregation
      2. Scalability and fault isolation
      3. How to Aggregate
    2. Explain the theory and application of network topology abstraction and layering.
      1. Layers and their purpose
      2. Core, aggregation, distribution, access
      3. Purpose of Link State Topology Summarization
      4. What is the purpose of LS topology summarization (not how it works)
      5. Use of Link State Topology Summarization
      6. Where and how to build a flooding domain border
    3. Explain the impact of fault isolation and resiliency on network design.
      1. What is the impact of fault isolation on network reliability
      2. Separating rapid and/or massive changes from the remainder of the network, how to create fault isolation
      3. What is fate sharing, and what is its impact
      4. What is the impact of redundancy on convergence times
    4. Explain metric based traffic flow and modification.
      1. How to engineer metrics to modify traffic flow
      2. MPLS vs. IGP Traffic Engineering
        1. Modifying IGP Metrics to Engineer Traffic Flow
          1. Understanding Traffic Flow & Metrics
          2. Third Party Next Hop
          3. Impact on redistribution design
    5. Explain fast convergence techniques and mechanisms.
      1. Layer 2 Down Detection
      2. For all media types
      3. Fast hello timers
      4. OSPF, EIGRP, IS-IS, BGP
      5. Fast SPF Timers
      6. OSPF, IS-IS
      7. Recursion and Convergence
      8. Impact of Third Party Next Hop & BGP recursion
    6. Explain routing protocol operation.
      1. Neighbor Relationships
      2. OSPF, EIGRP, IS-IS, BGP
      3. Determining Loop Free Paths
      4. OSPF, EIGRP, IS-IS, BGP, MPLS Constrained SPF
      5. General Operation
      6. OSPF, EIGRP, IS-IS, BGP; How each protocol operates
      7. Flooding Domains and Stubs
      8. OSPF/IS-IS flooding domains, EIGRP stubs
      9. iBGP Mesh
      10. Next hop mechanisms in BGP, RR's, etc.
    7. Select lower operational costs and complexity.
      1. Route Filters
      2. Simple vs. complex
      3. General
      4. Redistribution
      5. Simple designs, tags, route filters, etc.
    8. Explain transport mechanisms and interaction with routing protocols.
      1. Link Characteristics
      2. Point-to-point, point-to-multipoint, broadcast, etc.
      3. RP Implementation on Various Links
      4. OSPF on each link type
      5. IS-IS on each link type
      6. EIGRP considerations for point-to-multipoint
      7. Topology Characteristics
      8. Full mesh, partial mesh, ring, etc.
      9. RP Implementation on Various Topologies
      10. OSPF/IS-IS flood blocking, etc.
    9. Explain generic routing and addressing concepts.
      1. Policy Based Routing
      2. IPv6 Basics
    10. Explain multicast routing concepts.
      1. General Multicast concepts
  2. Tunneling

    1. Explain how tunneling affects end service applications.
      1. Identify and select tunneling technologies appropriate to meet network design objectives.
      2. Identify where and when tunneling parameters must be tuned to optimize the operation of end user applications.
      3. Knowledge of issues related to Layer 2 tunneling: i.e. packet ordering, MTU, etc.
      4. What technologies support Layer 2 and Layer 3 tunneling: L2TPv3, GRE, ATOM, IPsec, etc.
      5. How to implement tunneling given a specific situation: i.e. tunneling Novell IPX over a Layer 3 service provider core, etc.
      6. Understanding of issues related to tunneling L3(IP) in L2(ATM, MPLS)
    2. Explain, recognize, and select tunneling techniques appropriate to the size and scale of the network requirements.
      1. What is the impact of different tunneling technologies on scalability (Selection of a tunneling technology with scalability as a criteria)
      2. How scalability is affected based on type of tunnels (point-to-point, point-to-multipoint)
    3. Explain how L3 routing is affected by tunneling technologies and select L3 routing protocols appropriate to implement tunneling and as passenger traffic in tunnels
      1. How L3 routing is overlaid on a given tunneling technologies
      2. What L3 Routing Protocol would suit a given tunneling technology, topology and scalability
    4. Explain, recognize, and select logical and physical topologies required to meet network design requirements.
      1. What are the best points/nodes in network to initiate and terminate tunnels
      2. Which model would fulfill the requirements (full mesh, partial mesh, hierarchical)
    5. Explain, recognize, and select methods for interconnecting tunneling environments across one or more service provider networks.
      1. Describe different inter-provider tunneling models (i.e. 2547, GRE, IPsec, etc.)
    6. Explain, recognize, and select methods for steering traffic with tunnels and into tunnels.
      1. Class Based Tunnel Selection
      2. Traffic Engineering
    7. Explain, recognize, and select methods for providing network failover and redundancy to meet network availability requirements.
      1. Restoration vs. Protection (IGP Fast Convergence, FRR)
      2. Non-stop Forwarding vs. Restoration (at the IP routing layer)
    8. Explain, recognize, and select methods for interconnecting different types of attachment media on tunnel endpoints. Recognize and explain the differences in mapping different L2 technologies onto an L3 tunneling environment.
      1. Interworking
      2. Mapping Layer 2 service onto Layer 3 at the edge
    9. Explain, recognize, and select methods to manage the size and scale of broadcast domains in tunneled L2VPN environments.
      1. VPLS scaling issues
      2. Spanning Tree issues
      3. Broadcast issues across various topologies
  3. QoS

    1. Measure and interpret different QoS performance metrics.
      1. Correlate performance metrics to application performance.
      2. Knowledge of the different QoS performance metrics: one-way delay, round-trip delay, jitter, etc.
      3. How to measure and interpret QoS performance metrics
      4. How QoS performance metrics relate to user applications: i.e. impact of QoS metrics on application performance, etc.
    2. Determine why, where and how to implement traffic classification, traffic conditioning and PHB.
      1. Explain how DiffServ QoS tools work.
      2. What DiffServ Terminology means (DS codepoint, Meter, DS ingress/egress node, Remark, DS domain, etc.)
      3. Where to do Traffic Classification (edge and core of DS Domain)
      4. What is Traffic Conditioning and where is it applied? (metering, marking, shaping and policing)
      5. What are traffic profiles and meaning of in/out of profile (Token bucket)
      6. What is the difference between micro-flow and DS behavior aggregate (PHB)
      7. What is the impact on non-DS-compliant nodes within a DS domain on SLAs
      8. What is the issue with MF Classifier and Fragmentation
      9. What is the issue with re-marking and OoO packets
      10. What is the purpose of shapers and droppers
      11. What are different PHB models (e.g. x% minimal resources and proportional remaining link capacity)
      12. What are issues with Different number/type of PHBs in different part of the network
      13. What are the benefits of MF classification on edge and DS classification in the core
      14. Understanding Classification/conditioning/PHB on a per customer basis or few number of templates
      15. What are ways of DS Field Mapping to PHB: 1->1 or N->1 or both
      16. What are tools for PHB Queue management and bounding delay, jitter, packet loss (e.g. TS, WRED, WFQ,etc.)
      17. Understanding QoS provide differentiated services only when there is contention for resources
    3. Explain operations of RSVP.
      1. How RSVP Application does CAC and resource reservation
    4. Explain generic QoS requirements for common application (VoIP, Video, TCP, UDP, control plane traffic).
      1. Explain QoS requirements for control plane traffic.
      2. What are generic VoIP Requirements
      3. What are generic Video Requirements
      4. What are generic TCP Requirements
      5. What are generic UDP Requirements
      6. Understanding of differentiation of control traffic vs data traffic
      7. Where and how to define marking/conditioning of Control Traffic
    5. Explain the techniques to avoid Class starvation when multiple classes are used (EF and non-EF).
      1. How EF with a policer and MDRR/Priority Queue solves the problem
      2. How minimum BW assignment per class or proportional BW assignment among all classes solves the problem
      3. What is the impact of applications' traffic within a given queue with same DS or different DS codepoint
      4. What is the impact of applications' traffic riding on the same node/link in case of failure
    6. Explain the interaction of IP DSCP with other marking schemes (IP Prec, .1P, MPLS EXP, ATM, Frame Relay).
      1. Interaction b/w DSCP and other technologies (understanding/issues/concerns)
        1. Ethernet
        2. ATM
        3. Frame Relay
        4. MPLS
        5. RPR
        6. IP Prec
          1. In case of tunneling layers of marking : Differentiation between tunnel marking and data packet marking
    7. Explain QoS based routing (PBR).
      1. Situations where one has to pick one or two of the following to solve a problem (and understanding of the following)
        1. BGP QoS Propagation
        2. MTR
        3. OER
        4. PBR
        5. CBTS
  4. Management

    1. Analyze network conditions and behavior to determine potential degradation or failure conditions.
      1. Recognize conditions from SHOW output for data plane, control plane, hardware, etc.
      2. Recognize conditions from DEBUG output for data plane, control plane, hardware, etc.
      3. Recognize conditions from network behaviors for data plane, control plane, hardware, etc.
      4. Recognize conditions from external monitoring and reporting systems.
    2. Explain the operation and advantages of different management access mechanisms.
      1. How to implement out of band access to all devices in a network
      2. What should be considered when defining secure access to routers
      3. Recognize when and where a design will result in failure.
    3. Explain the operation and use of network management protocols.
      1. Differences between the versions of SNMP.
      2. Knowledge of puts, gets, operations (read, write)
      3. Use of SNMP in SLA management
      4. Identify when use of CMIP is appropriate
      5. Identify when use of TMN is appropriate
    4. Identify network management tools and their uses.
      1. Recognize tools used for SLA management
      2. Identify use of Generic On-Line Diagnostics (GOLD)
      3. Identify and Classify tools for Event Management
      4. State rules for use of Syslog
      5. Knowledge of where to place Netflow Collectors
      6. Identify Services required for flow collection
      7. Recognize Port number for Netflow
      8. Identify services required for event correlation
    5. Identify auditable factors in a network.
      1. Identify auditable factors in a network
    6. Explain traffic management concepts and actions based on traffic statistics.
      1. What is a traffic matrix
      2. When to upgrade a link or re-route traffic
      3. Interpretation of historical data to predict future growth and needs
    7. Recognize configuration management tools and best practices.
      1. Recognize uses of templating tools
      2. Identify best practices for configuration management (i.e. logging config changes, auditing "as running" vs "as configured," consistent feature application, etc.)
      3. Describe role-based configuration access.
  5. Security

    1. Explain the impact of security availability design in the characteristics of a network.
      1. OOB Access
      2. Decoupling
      3. Paul Baran Model
      4. Compartmentalization
    2. Use available tools in a network security design to address identity, monitoring and correlation aspects.
      1. SNMP
      2. Netflow
      3. Syslog
      4. RMON
      5. DNS
      6. Radius/AAA
      7. Full Packet Classifiers
    3. Explain the impact of control plane design decisions on the security of a network; implement security mechanisms to protect the control plane.
      1. Use and impact of addressing.
      2. Use and impact of area (flooding domain/summary points) placement.
      3. Route/Topology/Link Hiding
      4. Adjacency Protection (MD5, GTSM, etc.)
      5. Route Validation
      6. Route Filtering
      7. Routing Plan
      8. Other routing techniques.
    4. Explain the impact of data plane design decisions on the security of a network; implement security mechanisms to protect the data plane.
      1. Infrastructure Protection
      2. Policy Enforcement (QoS, BCP38)
    5. Prepare and explain security incident preparation and response strategies in a network.
      1. Reaction Tools (Identification and Classification)
      2. Traceback Tools
      3. Remotely-Triggered Black Holes (RTBH) (destination, source, rate limit, etc.)
      4. Sink Holes
      5. Reactive ACLs

CCIE R & S Blue prints LAB exam

Exam Sections and Sub-task Objectives

1.00 Implement Layer 2 Technologies
1.10 Implement Spanning Tree Protocol (STP)
(a) 802.1d
(b) 802.1w
(c) 802.1s
(d) Loop guard
(e) Root guard
(f) Bridge protocol data unit (BPDU) guard
(g) Storm control
(h) Unicast flooding
(i) Port roles, failure propagation, and loop guard operation
1.20 Implement VLAN and VLAN Trunking Protocol (VTP)
1.30 Implement trunk and trunk protocols, EtherChannel, and load-balance
1.40 Implement Ethernet technologies
(a) Speed and duplex
(b) Ethernet, Fast Ethernet, and Gigabit Ethernet
(c) PPP over Ethernet (PPPoE)
1.50 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control
1.60 Implement Frame Relay
(a) Local Management Interface (LMI)
(b) Traffic shaping
(c) Full mesh
(d) Hub and spoke
(e) Discard eligible (DE)
1.70 Implement High-Level Data Link Control (HDLC) and PPP

2.00 Implement IPv4
2.10 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)
2.20 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)
2.30 Implement IPv4 RIP version 2 (RIPv2)
2.40 Implement IPv4 Open Shortest Path First (OSPF)
(a) Standard OSPF areas
(b) Stub area
(c) Totally stubby area
(d) Not-so-stubby area (NSSA)
(e) Totally NSSA
(f) Link-state advertisement (LSA) types
(g) Adjacency on a point-to-point and on a multi-access network
(h) OSPF graceful restart
2.50 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)
(a) Best path
(b) Loop-free paths
(c) EIGRP operations when alternate loop-free paths are available, and when they are not available
(d) EIGRP queries
(e) Manual summarization and autosummarization
(f) EIGRP stubs
2.60 Implement IPv4 Border Gateway Protocol (BGP)
(a) Next hop
(b) Peering
(c) Internal Border Gateway Protocol (IBGP) and External Border Gateway Protocol (EBGP)
2.70 Implement policy routing
2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)
2.90 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features

3.00 Implement IPv6
3.10 Implement IP version 6 (IPv6) addressing and different addressing types
3.20 Implement IPv6 neighbor discovery
3.30 Implement basic IPv6 functionality protocols
3.40 Implement tunneling techniques
3.50 Implement OSPF version 3 (OSPFv3)
3.60 Implement EIGRP version 6 (EIGRPv6)
3.70 Implement filtering and route redistribution

4.00 Implement MPLS Layer 3 VPNs
4.10 Implement Multiprotocol Label Switching (MPLS)
4.20 Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers
4.30 Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)

5.00 Implement IP Multicast
5.10 Implement Protocol Independent Multicast (PIM) sparse mode
5.20 Implement Multicast Source Discovery Protocol (MSDP)
5.30 Implement interdomain multicast routing
5.40 Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)
5.50 Implement multicast tools, features, and source-specific multicast
5.60 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)

6.00 Implement Network Security
6.01 Implement access lists
6.02 Implement Zone Based Firewall
6.03 Implement Unicast Reverse Path Forwarding (uRPF)
6.04 Implement IP Source Guard
6.05 Implement authentication, authorization, and accounting (AAA) (configuring the AAA server is not required, only the client-side (IOS) is configured)
6.06 Implement Control Plane Policing (CoPP)
6.07 Implement Cisco IOS Firewall
6.08 Implement Cisco IOS Intrusion Prevention System (IPS)
6.09 Implement Secure Shell (SSH)
6.10 Implement 802.1x
6.11 Implement NAT
6.12 Implement routing protocol authentication
6.13 Implement device access control
6.14 Implement security features

7.00 Implement Network Services
7.10 Implement Hot Standby Router Protocol (HSRP)
7.20 Implement Gateway Load Balancing Protocol (GLBP)
7.30 Implement Virtual Router Redundancy Protocol (VRRP)
7.40 Implement Network Time Protocol (NTP)
7.50 Implement DHCP
7.60 Implement Web Cache Communication Protocol (WCCP)

8.00 Implement Quality of Service (QoS)
8.10 Implement Modular QoS CLI (MQC)
(a) Network-Based Application Recognition (NBAR)
(b) Class-based weighted fair queuing (CBWFQ), modified deficit round robin (MDRR), and low latency queuing (LLQ)
(c) Classification
(d) Policing
(e) Shaping
(f) Marking
(g) Weighted random early detection (WRED) and random early detection (RED)
(h) Compression
8.20 Implement Layer 2 QoS: weighted round robin (WRR), shaped round robin (SRR), and policies
8.30 Implement link fragmentation and interleaving (LFI) for Frame Relay
8.40 Implement generic traffic shaping
8.50 Implement Resource Reservation Protocol (RSVP)
8.60 Implement Cisco AutoQoS

9.00 Troubleshoot a Network
9.10 Troubleshoot complex Layer 2 network issues
9.20 Troubleshoot complex Layer 3 network issues
9.30 Troubleshoot a network in response to application problems
9.40 Troubleshoot network services
9.50 Troubleshoot network security

10.00 Optimize the Network
10.01 Implement syslog and local logging
10.02 Implement IP Service Level Agreement (SLA)
10.03 Implement NetFlow
10.04 Implement SPAN, RSPAN, and router IP traffic export (RITE)
10.05 Implement Simple Network Management Protocol (SNMP)
10.06 Implement Cisco IOS Embedded Event Manager (EEM)
10.07 Implement Remote Monitoring (RMON)
10.08 Implement FTP
10.09 Implement TFTP
10.10 Implement TFTP server on router
10.11 Implement Switch-module Configuration Protocol (SCP)
10.12 Implement HTTP and HTTPS
10.13 Implement Telnet

CCIE R & S Blue prints written exam

This is the CCIE R&S version 4 blueprint; I am now starting work on this one:

Exam Sections and Sub-task Objectives

1.00 Implement Layer 2 Technologies
1.10 Implement Spanning Tree Protocol (STP)
(a) 802.1d
(b) 802.1w
(c) 802.1s
(d) Loop guard
(e) Root guard
(f) Bridge protocol data unit (BPDU) guard
(g) Storm control
(h) Unicast flooding
(i) Port roles, failure propagation, and loop guard operation
1.20 Implement VLAN and VLAN Trunking Protocol (VTP)
1.30 Implement trunk and trunk protocols, EtherChannel, and load-balance
1.40 Implement Ethernet technologies
(a) Speed and duplex
(b) Ethernet, Fast Ethernet, and Gigabit Ethernet
(c) PPP over Ethernet (PPPoE)
1.50 Implement Switched Port Analyzer (SPAN), Remote Switched Port Analyzer (RSPAN), and flow control
1.60 Implement Frame Relay
(a) Local Management Interface (LMI)
(b) Traffic shaping
(c) Full mesh
(d) Hub and spoke
(e) Discard eligible (DE)
1.70 Implement High-Level Data Link Control (HDLC) and PPP

2.00 Implement IPv4
2.10 Implement IP version 4 (IPv4) addressing, subnetting, and variable-length subnet masking (VLSM)
2.20 Implement IPv4 tunneling and Generic Routing Encapsulation (GRE)
2.30 Implement IPv4 RIP version 2 (RIPv2)
2.40 Implement IPv4 Open Shortest Path First (OSPF)
(a) Standard OSPF areas
(b) Stub area
(c) Totally stubby area
(d) Not-so-stubby area (NSSA)
(e) Totally NSSA
(f) Link-state advertisement (LSA) types
(g) Adjacency on a point-to-point and on a multi-access network
(h) OSPF graceful restart
2.50 Implement IPv4 Enhanced Interior Gateway Routing Protocol (EIGRP)
(a) Best path
(b) Loop-free paths
(c) EIGRP operations when alternate loop-free paths are available, and when they are not available
(d) EIGRP queries
(e) Manual summarization and autosummarization
(f) EIGRP stubs
2.60 Implement IPv4 Border Gateway Protocol (BGP)
(a) Next hop
(b) Peering
(c) Internal Border Gateway Protocol (IBGP) and External Border Gateway Protocol (EBGP)
2.70 Implement policy routing
2.80 Implement Performance Routing (PfR) and Cisco Optimized Edge Routing (OER)
2.90 Implement filtering, route redistribution, summarization, synchronization, attributes, and other advanced features

3.00 Implement IPv6
3.10 Implement IP version 6 (IPv6) addressing and different addressing types
3.20 Implement IPv6 neighbor discovery
3.30 Implement basic IPv6 functionality protocols
3.40 Implement tunneling techniques
3.50 Implement OSPF version 3 (OSPFv3)
3.60 Implement EIGRP version 6 (EIGRPv6)
3.70 Implement filtering and route redistribution

4.00 Implement MPLS Layer 3 VPNs
4.10 Implement Multiprotocol Label Switching (MPLS)
4.20 Implement Layer 3 virtual private networks (VPNs) on provider edge (PE), provider (P), and customer edge (CE) routers
4.30 Implement virtual routing and forwarding (VRF) and Multi-VRF Customer Edge (VRF-Lite)

5.00 Implement IP Multicast
5.10 Implement Protocol Independent Multicast (PIM) sparse mode
5.20 Implement Multicast Source Discovery Protocol (MSDP)
5.30 Implement interdomain multicast routing
5.40 Implement PIM Auto-Rendezvous Point (Auto-RP), unicast rendezvous point (RP), and bootstrap router (BSR)
5.50 Implement multicast tools, features, and source-specific multicast
5.60 Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)

6.00 Implement Network Security
6.01 Implement access lists
6.02 Implement Zone Based Firewall
6.03 Implement Unicast Reverse Path Forwarding (uRPF)
6.04 Implement IP Source Guard
6.05 Implement authentication, authorization, and accounting (AAA) (configuring the AAA server is not required, only the client-side (IOS) is configured)
6.06 Implement Control Plane Policing (CoPP)
6.07 Implement Cisco IOS Firewall
6.08 Implement Cisco IOS Intrusion Prevention System (IPS)
6.09 Implement Secure Shell (SSH)
6.10 Implement 802.1x
6.11 Implement NAT
6.12 Implement routing protocol authentication
6.13Implement device access control
6.14Implement security features
7.00Implement Network Services
7.10Implement Hot Standby Router Protocol (HSRP)
7.20Implement Gateway Load Balancing Protocol (GLBP)
7.30Implement Virtual Router Redundancy Protocol (VRRP)
7.40Implement Network Time Protocol (NTP)
7.50Implement DHCP
7.60Implement Web Cache Communication Protocol (WCCP)
8.00Implement Quality of Service (QoS)
8.10Implement Modular QoS CLI (MQC)

(a) Network-Based Application Recognition (NBAR)

(b) Class-based weighted fair queuing (CBWFQ), modified deficit round robin (MDRR), and low latency queuing (LLQ)

(c) Classification

(d) Policing

(e) Shaping

(f) Marking

(g) Weighted random early detection (WRED) and random early detection (RED)

(h) Compression
8.20Implement Layer 2 QoS: weighted round robin (WRR), shaped round robin (SRR), and policies
8.30Implement link fragmentation and interleaving (LFI) for Frame Relay
8.40Implement generic traffic shaping
8.50Implement Resource Reservation Protocol (RSVP)
8.60Implement Cisco AutoQoS
9.00Troubleshoot a Network
9.10Troubleshoot complex Layer 2 network issues
9.20Troubleshoot complex Layer 3 network issues
9.30Troubleshoot a network in response to application problems
9.40Troubleshoot network services
9.50Troubleshoot network security
10.00Optimize the Network
10.01Implement syslog and local logging
10.02Implement IP Service Level Agreement SLA
10.03Implement NetFlow
10.04Implement SPAN, RSPAN, and router IP traffic export (RITE)
10.05Implement Simple Network Management Protocol (SNMP)
10.06Implement Cisco IOS Embedded Event Manager (EEM)
10.07Implement Remote Monitoring (RMON)
10.08Implement FTP
10.09Implement TFTP
10.10Implement TFTP server on router
10.11Implement Switch-module Configuration Protocol (SCP)
10.12Implement HTTP and HTTPS
10.13Implement Telnet
11.00Evaluate proposed changes to a Network
11.01Evaluate interoperability of proposed technologies against deployed technologies

(a) Changes to routing protocol parameters

(b) Migrate parts of a network to IPv6

(c) Routing Protocol migration

(d) Adding multicast support

(e) Migrate spanning tree protocol

(f) Evaluate impact of new traffic on existing QoS design
11.02Determine operational impact of proposed changes to an existing network

(a) Downtime of network or portions of network

(b) Performance degradation

(c) Introducing security breaches
11.03Suggest Alternative solutions when incompatible changes are proposed to an existing network

(a) Hardware/Software upgrades

(b) Topology shifts

(c) Reconfigurations