As these days my focus is more into Network security and my current job demands more of the security. Being a CCIE I thought rather than investing my time, energy and money on one more CCIE, I thought of staring the journey of JNCI-SEC . I was totally banking on assumptions and expectations , those who comes from Cisco back ground they know, technically there are no prerequisites to be a CCIE or CCDE. My assumptions were wrong and baseless, in reality one has to start from the scratch, especially if some one is planning to his/her start Juniper Certification track.
I was little disappointed but this never stopped me from planning certifications in the Network Security tracks, I changed my vision and realigned my plans and started focusing on Palo Alto, F5 and Cisco CCDE Certifications. I am currently focusing on CCDE as I did passed the Palo Alto PCNSE 7 exam and it was a great experience. Though we have some of the Juniper Firewalls in our setup yet I am not motivated to jump into the journey of JNCI-SEC because of the prerequisites.
Now coming back to Juniper Networks, I strongly believe they need to realign their vision and approach towards their expert level certifications, as at time those who hold expert level certifications from other vendors do get demotivated to start their journey from entry level certificate and then to professional and finally the expert level certifications. I am pretty sure if Juniper removes the prerequisites for their expert level certifications lot of experts would jump in to challenge themselves with Juniper Expert Level Certifications like JNCIE.
When it comes to Palo Alto Networks Firewall it supports wide range of deployment options and interface types as well. One can easily mix and match the interface types in real world deployments.
Most of the Palo Alto Networks Firewall support following interface types
- Ethernet – These are physical interfaces and can be configured as the following types
- Virtual Wire
- Layer 2
- Layer 3
It’s a know fact that one can use tap mode, virtual wire mode , layer 3 mode , layer 2 mode etc in a single Palo Alto Firewall. This is the beauty of Palo Alto Networks Firewall.
Also Palo Alto Networks Firewall supports following Interface Types
- Decrypt Mirror
I will try to address in detail about all the above mentioned interfaces in the upcoming post.
Recently I was provided with a copy of CISCO CERTIFIED DESIGN EXPERT which Orhan uses to teach his CCDE online classes, upon going through the workbook, I discovered his work book covers all the topics of CCDE blue print. The work book looks simple and easy to understand. The topics are covered in simple format I believe he relies more on his work book as a note and relies more on his online classes.
At the end of the each topic ,there are case studies followed by some questions on those topics , he concludes the topic with reference books for further studies, what videos one should watch online ( Cisco Live, podcast etc.) and also links to the articles one can refer for further information
He also concludes the work book with a complete scenario perhaps like an exam where you are challenged with questions and emails. You are suppose to answer these questions .
Personally I like the MPLS case study, the good thing about these case studies are they are quite short and concise, over all I could see a reflection of Service Provider experience and hard work of Orhan in developing this Work Book.
I would conclude by a recommendation to Orhan to enhance his content by adding more scenarios which are business driven, I am sure by adding this he will take his work book to the next level.
Over all I enjoyed reading CISCO CERTIFIED DESIGN EXPERT work book developed Orhan and I am thankful to him for sharing this valuable work with me. Personally it will certainly help me for my CCDE practical preparations.
Configuring a zone in Palo Alto firewall is quite easier, since most of the configuration tasks can be done at GUI level, it makes life easier of the Network Security Engineer, they can use their standard browser to access the Palo Alto Networks Firewall. In this example lets do the following
- Create a Layer 3 Zone called Trust
- Assign an interface to the newly created zone
Go to Palo A lot Networks firewall WebUI and select Network>Zones and then click Add to create a new zone
Click Add and create a Zone and name it Trust and type should be Layer 3 as shown below
Assign an interface to the newly created zone by clicking Add and then select the interface ( ethernet 1/1) and click ok.
Once you are done and click commit you should see the following final output which states the name of the zone followed by the type of the zone and what interfaces associated with it.
When it comes to zone configuration Palo Alto Network Firewalls are straight forward and easy. One could use the same template to configure any types of zone . In upcoming post lets see what is management profile and how it can be configured.
This week Cisco announced their intention to acquire Alpharetta, GA based network security company called Lancope, Inc for $452.5 million in cash . Lancope provides network behaviour analytics, threat visibility and security intelligence to help protect companies against top cyber security threats.
Well this acquisition now draws some interesting quesitons,
How Cisco will place themselves in security domain for coming days?
Is this going to add any value either to Cisco or their customers?
Is this going make them leaders in the field of security?
Only time can say.
“As enterprises digitize, security challenges rapidly evolve. Real time visibility and understanding of the behavior of every machine or device on the network becomes critical in adapting the ability of enterprises to identify and respond to the next wave of cyber threats,” said Rob Salvagno, vice president, Cisco Corporate Development. “Cisco is committed to helping organizations defend their networks and devices. Together with Lancope, our combined solutions can help turn a customer’s entire network into a security sensor.”
Interesting comments from Rob Salvagno, this shows how serious Cisco is when it comes to Security, Cisco wants Lancope to be part of Cisco Security Business Group organization led by David Goeckeler, senior vice president and general manager.Cisco are aiming to close this deal by the second quarter of fiscal year 2016.
When it comes to simulating networking scenarios using Cisco Routers, Firewalls , Switches we have a great tool called VIRL. Since its introduction, VIRL has gone viral people started using to extensively for CCNA, CCNP and even CCIE preparations. People tend to rely more on VIRL these days to master the networking concepts, testing their customer topologies, trying new features, planning the migrations etc.
As of today VIRL offers maximum 15 nodes which at times can be a limiting factors to simulate some complex labs, the community of VIRL users were not satisfied fully and the community raised this to Cisco, as a good listener Cisco listened them and announced that , starting November 2015 the node limit will be increased to 20 for free, that’s a great move and I would congratulate the VIRL team for making this possible.
One more enhancement Cisco is offering 30 nodes VIRL package, one can easily upgrade their existing node limit form15 to 30 by paying the upgrade fee which is unknown. I suggest to lookout for VIRL updates and take advantage of these new announcements.
Cisco is doing some major revamps when it comes to Cisco Design certifications , Cisco announced new version for their CCDA Certification from DESGN version 2.1 to 3.0. It’s a welcome move from Cisco especially when technology is evolving so fast.
In the newly designed 300-320 ARCH exam Cisco has removed following topics
- Design for infrastructure services
- Identify network management capabilities in Cisco IOS Software
- Create summary-able and structured addressing designs
- Describe IPv6 for campus design considerations
- Describe the components and technologies of a SAN network
- Create an effective e-commerce design
- Create remote access VPN designs for the teleworker
Following topics are added to ARCH exam
- Create stable, secure, and scalable routing designs for IS-IS
- Determine IPv6 migration strategies
- Design data center interconnectivity
- Design data center and network integration
- Select appropriate QoS strategies to meet customer requirements
- Design end to end QoS policies
- Design a network to support Network Programmability (SDN)
- Describe network virtualization technologies for the data center
The interesting addition is the SDN part, this is a great move from Cisco. I hope soon Cisco will release Cisco Press Study guides.
When it comes to the foundation of Network design its well known that Cisco Certified Design Associate is the great certification to start with. Recently Cisco announced the some major revamps in their current CCDA Design version 2.1. According to Cisco December 14 ,2015 will be last day take “Designing for Cisco Internetwork Solutions (DESGN) v2.1.
Currently Cisco is offering following versions of CCDA exams
|640-864 DESGNLast day to test: December 14, 2015||Designing for Cisco Internetwork Solutions (DESGN) v2.1|
|200-310 DESGN||Designing for Cisco Internetwork Solutions (DESGN) v3.0|
Cisco removed following topics from the new CCDA 200-310 DESGN exam, these topics are still part of the current exam 640-864 DESGN exam.
Topics Removed from the DESGN Exam:
- Describe developing business trends
- Describe network management protocols and features
- Describe network architecture for the enterprise
- Identify Cisco technologies to mitigate security vulnerabilities
However Cisco added following topics to the new CCDA 200-310 DESGN exam:
- Describe the Cisco Design lifecycle – PBM (Plan, Build, Manage)
- Describe the importance and application of Scalability in a network
- Describe the importance and application of Resiliency in a network
- Describe the importance and application of concept of Fault Domains in a network
- Design a basic branch network
- Describe the concepts of virtualization within a network design
- Identify network elements that can be virtualized
- Describe Data Center components
- Describe the concepts of Network Programmability within a network design
A good move from Cisco to include Data Center topics in the new CCDA 200-310 DESGN exam. I am pretty sure Cisco Press will come out with a new Cisco Press title to address this exam.
In Palo Alto Networks Firewalls zones plays a very vital role. Unlike other firewalls Palo Alto Networks Firewall security policies are configured based on zones. One of the first step one must consider while configuring the Palo Alto Networks firewall is to create appropriate zones and name them, specify the types of zone and assign an interface to that zone.
One must give up most attention while naming the zones as they are case sensitive, for example “trust” and “TRUST” are not the same zone. They are different zones and the security policy creates for “TRUST” zone doesn’t work with “trust” zone.
Palo Alto Networks Firewall comes out with four main zone types namely
- Virtual Wire
- Layer 2
- Layer 3
One cannot have an interface part of two zones at same time, it can be part of only one zone. The zone based firewall are quite handy in managing security policies and it makes life easier of firewall administrator.
Palo Alto Networks Firewalls can be administrated by multiple Administrators using WebUI access, it becomes quite challenging to see who is controlling the firewall and making either config changes or committing the changes done in Palo Alto Networks Firewalls.
To provide more flexibility and accounting Palo Alto Networks offers two types of locks
- Config Lock
- Commit Lock
Using these two features a Palo Alto Network Firewall administrator can prevent configuration changes or commit operations by another administrator. Until the lock is removed another administrator cannot do any changes.
Config Lock – Basically blocks other administrators from making changes to the configuration of the Palo Alto Firewall. One should set Config Lock at the global level. Only the administrator who set this lock or a superadmin can remove Config Lock.
Commit Lock – Basically block other administrators from committing any changes until all the locks have been released. By using this lock one can prevent any collisions occur when two administrators try to make changes to the Palo Alto Firewall at the same time. This lock releases automatically the moment the commit operation is completed by the administrator who started the commit activity first, or this can be release manually as well.
Any one can see, who is hold Commit Lock from the WebUI and can ask the concerned administrator to release the commit lock. Only the administrator who set this lock or a superadmin can remove the Commit Lock
From the below example its quite evident that the commit lock is held by the user admin and yasir is the user who has logged into the Palo Alto Firewall. Yasir cannot do any changes until admin completes his task. The only way to overcome this is either release the commit lock by admin or by the superadmin.
This little feature is quite handy and ensures who have control over the Palo Alto Firewall and I recommend one should enable this feature to ensure no changes are done accidently by the other administrator.