The Mind Share Game FULL version covers 15 topics including:  

• Binary number
• IOS fundamentals
• IP Addressing
• Ip routing
• NAT and PAT
• The osi model
• Subnetting
• Swith operation and behavior
• Wireless

Achieving a high score in the game requires a keen understanding of the technology, quick recall and recognition, and shrewd gaming strategy. The Cisco Mind Share Game is a great way to improve your speed and accuracy on Cisco certification exams and have fun at the same time! Be one of the first to own this entertaining learning tool from Cisco…you’ll see immediately why thousands of networking professionals use learning games as the killer app in their exam preparation arsenal.

Download and play the Demo Version for a preview of the Mind Share Game.
The Demo version features 5 of the FULL version’s 15 exciting sections, each playable at 3 levels of difficulty. It will leave you wanting more and now more is available in the FULL version.

Ref:

https://cisco.hosted.jivesoftware.com/docs/DOC-3820

Questions are organized by exam objective, allowing you to focus your study on selected topics. You can choose to view cards in order or at random, and you can create custom sets from the entire bank of cards. The engine provides you with the ability to mark each question correct or incorrect and provides a detailed score report by category at the end of the exam. You can even write notes on each question and then get a printable PDF of all your notes aligned to the relevant questions.

These robust features make this a truly unique learning tool:

     .    Test your knowledge by entering your own answers

     .    Grade your answers against the correct answer

     .    Create custom question sets

     .    View detailed score reports

     .    Enter and print notes for each question

     .    Use on any device that has a web browser and Internet connection

CCNA Security 640-553 Cert Flash Cards Online is an online, internet-based service, available in both desktop and mobile device formats, allowing you to test yourself at home, at work, or on the go.

System Requirements:

Web browser and Internet connection

US: $24.99 / CAN: $29.99

Table of Contents

1. Describe the security threats facing modern network infrastructures

2. Secure Cisco[r] routers

3. Implement AAA on Cisco routers using local router database and external ACS

4. Mitigate threats to Cisco routers and networks using ACLs

5. Implement secure network management and reporting

6. Mitigate common Layer 2 attacks

7. Implement the Cisco IOS[r] IPS feature set using SDM

8. Implement site-to-site VPNs on Cisco Routers using SDM

source: http://www.ciscopress.com/bookstore/product.asp?isbn=1587058588

You can use the Loki Network utility to change your IP address and do some testing :

"Loki Network Project is free VPN service and SSL based free VPN server. It is an opportunity to protect your private data (IP address, e-mail/FTP/HTTP passwords, web-sites visited, uploaded/downloaded files and etc…) and bypass certain Internet access limitations you may have at your location.

An example, free Public Loki VPN Service allows you:

- Protect your data from being intercepted by various network sniffers in your LAN segment
- Safely bypass traffic interception and analyses on corporate, ISP or even country level firewall

Bypass any limitations in visiting web-sites or any other Internet services (if access to Loki VPN Servers is not blocked directly).
Loki Network Project can suggest two scenarios to protect your private data:

To use our Public VPN Service that includes set of Loki VPN Servers located in different countries. Guest access to our public service is free to use.

To create your custom service based on your own copy of VPN Server installed on your dedicated or home server. Community version of Loki VPN Server Desktop Edition is free for download and use.

According to all scenarios you have to download and install our free VPN Client software used to help you to create your own security schema.

Download it here : Version 1.2.0.9  Size 4 MB

Other useful link : http://www.freeproxy.ru/en/free_proxy/cgi-proxy.htm

 Click for full sized image !

“Cisco recommends multiple and overlapping solutions. These overlapping solutions target different aspects of security, such as securing against insider attacks and securing against technical attacks. These solutions should also be subjected to routine testing and evaluation. Security solutions should also overlap in a way that eliminates any single point of failure.

Defense in Depth is a design philosophy that achieves this layered security approach. The layers of security present in a Defense in Depth deployment should provide redundancy for one another while offering a variety of defense strategies for protecting multiple aspects of a network. Any single points of failure in a security solution should be eliminated, and weak links in the security solution should be strengthened.”

But if you consider attacks targeting the different aspect of security : Confidentiality, Integrity, and Availability, (CIA) things are not such simpler.

Read this article on “Observations on the effects of defense in depth on adversary behavior in cyber warfare”. They have built different networks with different number of security layers. Then a team tried to catch flags that correspond to the realization of an attack on the different CIA security aspects for each network.

The goal is to see the factor between the number of security layer in each network and the corresponding time for the attacker to successfully launch all the three attack ( Confidentiality, Integrity, Availability)

The result is that to launch a read or modify attack the workload that take two hours at configuration level one and two, take 26 hours at level 3. The big change is in the time to develop the attack instead of launching it.

You can see that in the following graph :

But what happens to availability attacks ?

More you have systems, more you have possibility to exploit a vulnerability from the chain of systems and to denial service to it.

Look at the following graph :

Less time to launch a denial of services attack with more layer of security.

Therefore, what to do ? Plans carefully your different layer and the overlaps between them , think about not only the number, but the scope covered by the layer think about “Defense-in-Depth” with “Defense-in-breadth”.

The following graph from the US Transport Security Agency is an example of the “Defense-in-Depth” with “Defense-in-breadth” security approach, you have multiple layer that’s overlaps with each other to form a large area of defense.

Source : http://www.tsa.gov/what_we_do/layers/index.shtm

In conclusion, adding security layers to a system does not necessarily guarantee increased assurance. Introducing new layers of security has the potential to introduce new vulnerabilities, or control surfaces, for sophisticated adversaries to exploit. Defensive layers must be analyzed to gain a thorough understanding of how they work together before they are integrated into an operational system.

Sample output from this tool:

You can download this tool here : ipsec_worksheet

Ressources :
http://www.sansecurity.com/san-security-articles.shtml

Here is the FAQ :

What is LUN masking?

LUN (Logical Unit Number) Masking is an authorization process that makes a LUN available to some hosts and unavailable to other hosts.

LUN Masking is implemented primarily at the HBA (Host Bus Adapater) level. LUN Masking implemented at this level is vulnerable to any attack that compromises the HBA.

Some storage controllers also support LUN Masking.

LUN Masking is important because Windows based servers attempt to write volume labels to all available LUN’s. This can render the LUN’s unusable by other operating systems and can result in data loss.

What is SAN zoning?

SAN zoning is a method of arranging Fibre Channel devices into logical groups over the physical configuration of the fabric.

SAN zoning may be utilized to implement compartmentalization of data for security purposes.

Each device in a SAN may be placed into multiple zones.

What are hard and soft zoning?

Hard zoning is zoning which is implemented in hardware. Soft zoning is zoning which is implemented in software.

Hard zoning physically blocks access to a zone from any device outside of the zone.

Soft zoning uses filtering implemented in fibre channel switches to prevent ports from being seen from outside of their assigned zones. The security vulnerability in soft zoning is that the ports are still accessible if the user in another zone correctly guesses the fibre channel address.

What is port zoning?

Port zoning utilizes physical ports to define security zones. A users access to data is determined by what physical port he or she is connected to.

With port zoning, zone information must be updated every time a user changes switch ports. In addition, port zoning does not allow zones to overlap.

Port zoning is normally implemented using hard zoning, but could also be implemented using soft zoning.

What is WWN zoning?

WWN zoning uses name servers in the switches to either allow or block access to particular World Wide Names (WWNs) in the fabric.

A major advantage of WWN zoning is the ability to recable the fabric without having to redo the zone information.

WWN zoning is susceptible to unauthorized access, as the zone can be bypassed if an attacker is able to spoof the World Wide Name of an authorized HBA.

What is a World Wide Name (WWN)?

A World Wide Name, or WWN, is a 64-bit address used in fibre channel networks to uniquely identify each element in a Fibre Channel network.

Soft Zoning utilizes World Wide Names to assign security permissions.

The use of World Wide Names for security purposes is inherently insecure, because the World Wide Name of a device is a user-configurable parameter.

For example, to change the World Wide Name (WWN) of an Emulex HBA, the users simply needs to run the `elxcfg` command.

What are the classes of attacks against SANs?

• Snooping: Mallory reads data Alice sent to Bob in private
  Allows access to data
• Spoofing: Mallory fools Alice into thinking that he is Bob
  Allows access to or destruction of data
• Denial of Service: Mallory crashes or floods Bob or Alice
  Reduces availability

What are some attacks against FCP?

• Node Name / Port Name spoofing at Port Login time
• Source Port ID spoofing on dataless FCP commands
• Snooping and spoofing on FC-AL
• Snooping and Spoofing after Fabric reconfiguration
• Denial of Service attacks can be made in User mode

What is FCAP (Fibre Channel Authentication Protocol)?

FCAP is an optional authentication mechanism employed between any two devices or entities on a Fibre Channel network using certificates or optional keys.

What is FCPAP (Fibre Channel Password Authentication Protocol)?

FCPAP (Fibre Channel Password Authentication Protocol) is an optional password based authentication and key exchange protocol which is utilized in Fibre Channel networks.

FCPAP is used to mutually authenticate Fibre Channel ports to each other. This includes E_Port’s, N_Port’s, and Domain Controllers.

What is SLAP (Switch Link Authentication Protocol)?

SLAP is an authentication method for Fibre Channel switches which utilizes digital certificates to authenticate switch ports.

SLAP was designed to prevent the unauthorized addition of switches into a Fibre Channel network.

What is FC-SP (Fibre Channel – Security Protocol)?

Fibre Channel – Security Protocol (FC-SP) is a security protocol for Fibre Channel Protocol (FCP) and fiber connectivity (Ficon).

FC-SP is a project of Technical Committee T11 of the InterNational Committee for Information Technology Standards (INCITS).

FC-SP is a security framework which includes protocols to enhance Fibre Channel security in several areas, including authentication of Fibre Channel devices, cryptographically secure key exchange, and cryptographically secure communication between Fibre Channel devices.

FC-SP is focused on protecting data in transit throughout the Fibre Channel network. FC-SP does not address the security of data which is stored on the Fibre Channel network.

What is ESP over Fibre Channel?

ESP (Encapsulating Security Payload) is an Internet standard for the authentication and encryption of IP packets.

ESP is defined in RFC 2406: IP Encapsulating Security Payload (ESP).

ESP is widely deployed in IP networks and has been adapted for use in Fibre Channel networks. The IETF iSCSI proposal specifies ESP link authentication and optional encryption.

ESP over Fibre Channel is focused on protecting data in transit throughout the Fibre Channel network. ESP over Fibre Channel does not address the security of data which is stored on the Fibre Channel network.

What is DH-CHAP?

DH-CHAP (Diffie Hellman – Challenge Handshake Authentication Protocol) is a forthcoming Internet Standard for the authentication of devices connecting to a Fibre Channel switch.

DH-CHAP is a secure key-exchange authentication protocol that supports both switch-to-switch and host-to-switch authentication.

DH-CHAP supports MD-5 and SHA-1 algorithm-based authentication.

How are iSCSI, iFCP and FCIP secured over IP networks?

The IETF IP Storage (ips) Working Group is responsible for the definition of standards for the encapsulation and transport of Fibre Channel and SCSI protocols over IP networks.

The IPS Working Group’s charter includes responsibility for data security:

Security including authentication, keyed cryptographic data integrity and confidentiality, sufficient to defend against threats up to and including those that can be expected on a public network. Implementation of basic security functionality will be required, although usage may be optional.

The IPS Working Group has created RFC 3723: Securing Block Storage Protocols over IP.

RFC 3723 defines the use of the existing IPsec and IKE (Internet Key Exchange) protocols to secure block storage protocols over IP.