When configuring the security for a network, it is important to take advantage of the security features of all deployed devices. One of the security features available with Cisco switches (among other vendors) is switchport security. While the name of this feature is a bit vague, it makes it possible to limit the number and type of devices that are allowed on the individual switchports. This article takes a look at the concepts behind the switchport security feature.

Switchport Violations

Before getting into the mechanics of how switchport security operates; it is important to review what happens should a violation occur. On Cisco equipment there are three different main violation types: shutdown, protect, and restrict. These are described in more detail below:

• Shutdown – When a violation occurs in this mode, the switchport will be taken out of service and placed in the err-disabled state. The switchport will remain in this state until manually removed; this is the default switchport security violation mode.

• Protect – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. When using this mode, no notification message is sent when this violation occurs.

• Restrict – When a violation occurs in this mode, the switchport will permit traffic from known MAC addresses to continue sending traffic while dropping traffic from unknown MAC addresses. However, unlike the protect violation type, a message is also sent indicating that a violation has occurred.

Switchport Security MAC Addresses

When using the switchport security feature, source MAC addresses are separated into three different categories, these include:

• Static – Static secure MAC addresses are statically configured on each switchport and stored in the address table. The configuration for a static secure MAC address is stored in the running configuration by default and can be made permanent by saving them to the startup configuration.

• Dynamic – Dynamic secure MAC addresses are learned from the device (or devices) connected to the switchport. These addresses are stored in the address table only and will be lost when the switchport state goes down or when the switch reboots.

• Sticky – Sticky secure MAC addresses are a hybrid. They are learned dynamically from the devices connected to the switchport, are put into the address table AND are entered into the running configuration as a static secure MAC address (sometimes referred to as a static sticky MAC address). Like a static secure MAC address, these MAC addresses will be lost unless saved to the startup configuration.

The type of secure MAC addresses that an organization uses depends on the specific network environment.

What causes a Switchport Violation?

The next question to ask is what causes a switchport violation; there are two situations that can cause a violation, these two situations include:

• When the maximum number of secure MAC addresses has been added to a switchport’s address table and traffic from another MAC address is received on the switchport.

• When an address that has been seen on a secure switchport has already been seen on another secure switchport in the same VLAN.

By default, each secure switchport is configured with a maximum of one MAC address. What this means is that if more than one MAC address is seen on any given port a violation will occur. By default, dynamic MAC entries in the address table will never time out (dynamic is the default method used for learning secure MAC addresses) as long as the switchport state remains up.

When using dynamic MAC addresses, engineers must physically disconnect the cable or shutdown the switchport to reset the dynamic entries in the address table.  When using sticky MAC addresses either the MAC addresses must be manually removed from the running configuration or the switch must be rebooted to remove the contents from the address table.  If the switchport is configured with a static secure MAC address, they must be manually removed from the running configuration to remove the contents from the address table. Only after the initial address has been removed from the address table can a device with a new MAC address be connected to the switchport (this is by default, as the maximum number of MAC addresses allowed per switchport is 1).

Summary

There are certainly a number of different concepts to learn to make the port security feature work well in an organizational environment, if configured badly it can quickly become more of a hindrance than a help. The purpose of this article is to cover the basic concepts behind the switchport security feature as preparation switchport security configuration. Hopefully, this article is able to be used as a starting point when learning about the switchport security feature and provides enough detail so that the configuration is easier to understand.

Microsoft Networking Fundamentals: Now Available

This course focuses on helping those new to networking and computing technology in general. If you’re a student, recent grad, or just someone trying to expand their career, Microsoft Networking Fundamentals will help turn you from a tech novice, into an aspiring IT pro.

If you’ve ever asked yourself, what is a network or what is a protocol, then this is the technology path for you. Turn a casual interest into a fun career in technology that always has new opportunities and niches on the forefront. A basic understanding of wireless networking, routers & switches, and other networking concepts will show companies and peers your commitment to developing yourself within the IT industry. Roles working with Windows Server 2008, Exchange Server, Active Directory and a plethora of other systems are all options to look forward to as a Microsoft Technology Associate.

No networking experience is necessary for this course, just familiarity with a Windows PC. Emphasis on networking theory precludes explanations of “real world” application of benchmark concepts like TCP/IP and the OSI model. Here are some of the lessons broken down:

• OSI Model
• IP Addressing
• Types of Protocols and the Routing Process
• Network Topologies and Subnetting

Break into the IT industry as a Microsoft Technology Associate and make a casual interest in technology into a promising career with Networking Fundamentals Training.

Here’s a good way to remember them:

1. Layer 1 Network Extension: Hubs
2. Layer 2 Network Extension: Bridges
3. Layer 2 Network Segmentaion: Switches

Jason Nash implores that Cisco UCS will have a significant impact on the future of IT as a truly disruptive product in the server market.

Cisco UCS Training completely covers how to deploy, manage and support UCS B-series, including an overview of Cisco’s datacenter strategy, components, and configuration:

• UCS Architecture, Data Flow and Management
• Day-to-Day Management and UCS Troubleshooting
• Storage & Network Connectivity and Service Profiles

Learn more about how stateless computing architectures and related IaaS (IT as a Service) technologies are changing the data center with Cisco UCS Training.

In this video recording of our live webinar, I’ll provide with practical examples and shortcuts for understanding the OSI model and the TCP/IP protocol suite. After watching this video you’ll be able to:

• Define networking protocols
• Understand how the OSI model works
• Understand the TCP/IP protocol suite

If you’ve been struggling with the OSI model or are new networking, then this video is a perfect opportunity for you to get familiar with these fundamental concepts as you begin your journey in the IT field.

For those reading this article without an understanding of the concepts behind private VLANs, check out the private VLAN concepts article. This article takes a look at what is required to configure private VLANs on Cisco equipment.

Configuration Basics

The first thing that needs to be reviewed is how the concepts of primary, community and isolated VLANs translate to a physical implementation of private VLANs. Switchports that are going to be used by the private VLAN feature are separated into three different categories: Promiscuous, Community, and Isolated. A promiscuous switchport is able to see the traffic from all other promiscuous switchports as well as all secondary switchport types (community and isolated). If the reader has just come from the private VLANs concepts article, the switchports assigned as promiscuous exist within the primary VLAN and map to the secondary VLANs.

First Phase: VLAN Configuration

The first phase in private VLAN configuration is to set up the VLANs that will be used and assign them to a specific type. It is important to note that one caveat to using the private VLAN feature is it is not compatible with the Virtual Trunking Protocol (VTP); due to this the first thing that must be done is to configure the switch into VTP transparent mode.

The next step is to configure the VLANs as specific private VLAN types.

Once all of the VLANs have been configured, the primary and secondary VLANs must be associated together.

Second Phase: Switchport Configuration

The second phase involves the configuration of the physical switchports, what type of private VLAN they are and how they are associated with the VLANs. This article will show the configuration of the switchports assigned to the secondary private VLANs first.

The first thing to do is to configure the switchport as a host (this includes community and isolated switchports).

The next thing to do is associate the switchport with the primary and secondary VLANs that were configured in the previous section.

The configuration of the switchports in the primary VLAN now has to be completed.

This switchport then has to be mapped to all of the associated primary and secondary VLANs.

This completes the layer-2 configuration of private VLANs; if only layer-2 connectivity is required then the next section is not required.

Third Phase: Layer-3 Connectivity

As with a normal VLAN, private VLANs will only allow communications within the configured VLANs (according to the private VLAN rules), but to speak to devices outside this VLAN structure a layer-3 device is required. In many situations, this layer-3 functionality is also provided by the switch (assuming this is a layer-3 capable switch). This section shows the additional configuration that is required to have the switch provide layer-3 functionality to the switchports configured with the private VLAN feature.

This additional configuration is simple and just adds a single configuration command to the primary VLAN interface.

Summary

Once an engineer has a firm understanding of private VLAN concepts it is rather simple to translate this understanding to the configuration portion of private VLANs. There are a number of different applications for the private VLAN feature that an engineer can take advantage of, and hopefully these two articles will make it easier to understand how they can be put to use.

Check them all out here: Techy Valentines Day Cards from TrainSignal.

The cards were created with love by our talented and creative TrainSignal team: Eric Munn, Lisa Szpunar, Chris Colucci and Kevin Pesch, with special thanks to Jeff Hicks who created the PowerShell lovers Valentine.

Cisco CCNA and CCNP Wireless Exams Got an Update

Cisco has recently made announcements of updates to its CCNA Wireless and CCNP Wireless exams. The updates particularly point to changes to relevancy of the written exams, which includes an upgraded version of the current software consisting of WLC, Autonomous and Clients.

The wireless exam refresh also covers an expansion of content in accordance with the new 802.11n support. It has more focus on Voice over WLAN as well as Video over WLAN. The revised written exams are available through authorized Cisco Learning Partners including Pearson VUE.

Additionally, the associated exam numbers are also changing, with the last day to test for the old exams being May 11, 2012 and all of the new exams being available as of February 10, 2012. Here are all of the old and new exam numbers:

CompTIA Network+ Exam Updates Strengthens Network Security Objectives and Extends OSI Coverage

CompTIA has updated its popular Network+ Exam to reinforce Open System Interconnection and security objectives. The updated version of the exam, released December 1st, 2011 under the code N10-005, has revised objectives pertaining to virtual networking and offers greater attention to network security. It also presents a widened coverage of the seven-layer OSI model.

The earlier version, exam code N10-004, will be available through August 31, 2012; the new exam (N10-005) is available now.

The CompTIA Network+ exam is offered for candidate job roles such as network technician, network administrator, help desk technician, network installer and IT cable installer. The certification is vendor neutral and globally recognized. The CompTIA Network+ certification is granted to qualified networking professionals, and serves as a technical prerequisite option for IT technicians. It is recommended by top global tech companies such as Apple, Dell, Ricoh, HP, Xerox and Sharp. It is also recognized by the U.S. Department of Defense, and is accredited by the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO).

New CompTIA Storage+ Exam Certifies Skills of IT Storage Professionals

CompTIA also recently introduced the new CompTIA Storage+ Certification, powered by the Storage Networking Industry Association; the new certification validates IT storage professionals’ skills and knowledge.

The coverage of the new vendor-neutral certification spans across configuration of basic networks, which include tech archive, backup and restoration expertise. The exam also enables the certified professional to better understand application workload, business continuity, storage/system administration, system integration, as well as connectivity and referencing documentation troubleshooting.

CompTIA’s New Cloud Essentials Certification Fortifies Cloud Computing Skills

The CompTIA Cloud Essentials is a specialty program that certifies knowledge of professionals on cloud computing on the business and technical viewpoint. The new certification also reinforces cloud professionals’ knowledge of the fundamentals of moving to cloud and cloud governance.

ITpreneurs, along with the Cloud Credential Council, originally developed the objectives of the CompTIA Cloud Essentials certification exam. The Council, comprised of tech giants Cisco, IBM, HP, EMC and ING, focuses on cloud computing vendor-neutral training.

The new CompTIA Cloud Essentials exam covers the characteristics of cloud services and the business value of cloud computing, successful adoption, risks and the impact and changes that cloud services bring to IT service management.

Learn more about CompTIA Cloud Essentials and other cloud computing certifications.

New Microsoft Exams Unveiled

Microsoft has recently released four new exams, including:

• TS Exam 70-158: Forefront Identity Manager 2010, Configuring (now available in English, Chinese, French, Japanese, German, Portuguese)
• TS Exam MB2-876: Extending Microsoft Dynamics CRM 2011 (now available in English, French, German, Italian, Japanese, Russian, Spanish, Portuguese, Chinese)
• MTA Exam 98-373: Mobile Development Fundamentals (now available in English)
• MTA Exam 98-374: Gaming Development Fundamentals (now available in English, Chinese)

The Forefront Identity Manager 2010, Configuring exam (70-158) is designed for Identity Specialists who specifically work with Forefront Identity Manager (FIM) 2010 in environments with over 5,000 identities and have experience with PowerShell, Directory Services, security policies and procedures and more. This exam leads towards the Microsoft Certified Technology Specialist (MCTS) in Forefront Identity Manager 2010, Configuration Certification. The Extending Microsoft Dynamics CRM 2011 Certification exam (MB2-876) is intended for developers, consultants, technical and support staff as well as business analysts who plan to extend Microsoft Dynamics CRM 2011. The exam focuses on the deployment, performing common and advanced platform operations, creating plugins and custom wrokflow activities as well as implementing and programming application events and web resources. Once passed, you earn the Microsoft Dynamics Certified Technology Specialist Certification.

The two new Microsoft Technology Associate (MTA) certifications are both entry-level certs designed for students that are interested in Microsoft careers. The certifications will help prepare candidates for advanced technology training, providing them with the fundamentals that they need before embarking on Microsoft Certified Technology Specialist (MCTS) Certifications. The MTA certifications are available at Certiport testing centers. The MTA: Mobile Development Fundamentals (exam 98-373) tests the knowledge and skills of fundamental mobile development concepts. It requires candidates to possess solid foundational knowledge and experience on Silverlight, HTML5 and phone operating system tools, and be familiar with relevant technologies, including Windows Phone 7. The MTA: Gaming Development Fundamentals (exam 98-374) tests your understanding of game design, hardware, graphics and animation. Candidates validate their knowledge of core gaming development skills, including hands-on experience with Microsoft Visual Studio.

Microsoft Exams Retiring in 2012

Microsoft has also announced that they are retiring 14 exams within the May-to-September period in 2012, including a five TS and PRO level SharePoint 2007 and Exchange 2007 exams, as well as seven upgrade exams.

There is one exam retiring on May 31, 2012:

• Exam 74-404: Microsoft Office Communications Server 2007 R2 – U.C. Voice Specialization

And one on June 20, 2012:

• Exam 70-625: Connected Home Integrator

On July 31, 2012 seven exams are retiring:

• Upgrade Exam 70-453: Transition Your MCITP SQL Server 2005 DBA to MCITP SQL Server 2008
• Upgrade Exam 70-454: Transition Your MCITP SQL Server 2005 DBD to MCITP SQL Server 2008 DBD
• Upgrade Exam 70-455: Transition Your MCITP SQL Server 2005 BI Developer to MCITP SQL Server 2008 BI Developer
• Upgrade Exam 70-566: Transition your MCPD Windows Developer Skills to MCPD Windows Developer 3.5
• Upgrade Exam 70-567: Transition your MCPD Web Developer Skills to MCPD ASP.NET Developer 3
• Upgrade Exam 70-568: Transition your MCPD Enterprise Application Developer Skills to MCPD Enterprise Application Developer 3.5, Part 1
• Upgrade Exam 70-569: Transition your MCPD Enterprise Application Developer Skills to MCPD Enterprise Application Developer 3.5, Part 2

And on September 30, 2012 there are five exams retiring:

• TS Exam 70-236: Exchange Server 2007, Configuring
• Pro Exam 70-237: Designing Messaging Solutions with Microsoft Exchange Server 2007
• Pro Exam 70-238: Deploying Messaging Solutions with Microsoft Exchange Server 2007
• TS Exam 70-630: Microsoft Office SharePoint Server 2007, Configuring
• TS Exam 70-638: Microsoft Office Communications Server 2007, Configuring

VCP5 Upgrade Path for VCP4s is Ending

VMware is ending the VMware Certified Professional (VCP) on vSphere 5 upgrade path for current VCP4 certified professionals on February 29th, 2012.

Starting March 1st , 2012 to become VCP5 certified, all candidates, including current VCP4s will need to attend a qualifying VMware authorized course, gain hands-on experience with VMware vSphere 5 and pass the VCP5 Exam. Learn more about the VCP4 to VCP5 upgrade path.

Citrix Exams Retiring in 2012

Citrix is discontinuing six certifications throughout 2012, replacing them with updated exams. Below are the retiring exams, dates and the replacement exams.

Also, effective July 31, 2012, Citrix Certified Enterprise Administrator (CCEA) and Citrix Certified Integration Architect (CCIA) certifications for XenApp (Presentation Server 4) will expire. Individuals who hold these certifications can remain current by upgrading to the CCEE for Virtualization by passing either the A15 or A25 exams.

• Exam A18: Basic Administration for Citrix XenApp 6 — retired January 31, 2012
• Replacement Exam A20: Citrix XenApp 6.5 Administration — available now

• Exam CXS-202-2I: Citrix XenServer 5.6 Administration — retiring February 29, 2012
• Replacement Exam CXS-203-1I: Citrix XenServer 6.0 Administration — available now

• Exam CVE-400-2I: Engineering a Citrix Virtualization Solution — retiring March 31, 2012
• Replacement Exam CVE-401-1I: Engineering a Citrix Virtualization Solution — available now

• Exam CVE-400-2W: Engineering a Citrix Virtualization Solution — retiring July 31, 2012
• Replacement Exam CVE-401-1W: Engineering a Citrix Virtualization Solution — available now

• Exam A15: Engineering a Citrix Virtualization Solution — retiring July 31, 2012
• Replacement Exam A25: Engineering a Citrix Virtualization Solution — coming soon

• Exam A24: Citrix XenServer 5.6 Administration — retiring July 31, 2012
• Replacement Exam A26: Citrix XenServer Administration — coming soon

New System Administrator Certification Program by IBM

The IBM Certified System Administrator – AIX 7 Certification will help you validate your skills in the areas of System Availability, Storage Management, System and Network Security, Partition Management, Performance Management and Tuning, Network Management, System Management, AIX Installation and Management, and general administrative tasks.

The IBM AIX 7 Administrator is expected to have established knowledge and skills in device management and networking. He or she is also a leader and a mentor to new operators or administrators. Recommended prerequisite skills include:

• AIX networking configuration and management
• VIO client partition management and configuration
• Device and storage management
• Use of HMC and SDMC for system resources management
• User admin task know-how and performance
• Strong background on system backup or recovery
• AIX installation and maintenance experience
• System security configuration and management
• Use of NIM, WPAR Manager and Systems Director
• Knowledge on PowerVM components

The IBM Certified System Administrator – AIX 7 Certification is calling on candidates with not less than 2 years of experience in AIX administration in many environments, such as small businesses, virtualized systems and enterprise-level data centers. The certification requires one exam.

So how does multiple spanning tree protocol work? The idea is to reduce the number of spanning tree instances operating in a switch network. Joe covers operational principles of MSTP, including the Common Spanning-Tree CST and Per-VLAN Spanning Tree models in this video, as well as the elements of MST regions.

Earn Your CCNP

Our series of CCNP Training courses will prepare you for each exam of the CCNP certification: SWITCH, ROUTE, and coming soon, TSHOOT. Learn all about the CCNP SWITCH exam topics and move one step closer to a bigger salary with Cisco expert & CCIE #14256 Joe Rinehart. In addition to MSTP, RSTP and CSTP, the course covers a wealth of topics:

• VLANs and VTP
• Cisco Express Forwarding
• Layer 3 Switching Solutions
• Everything to pass CCNP SWITCH Exam 642-813

Increase your salary by up to $20k this year with certified instruction and CCNP SWITCH Training.

One of the topics that does not get that much attention, but is available on many different series of switches, is private VLANs. A private VLAN expands on the abilities of a standard VLAN, allowing traffic to be separated at another level allowing the design engineer a number of flexible options. This article provides a short review of what a VLAN is and what it provides. Then, we will review the concepts behind the private VLAN feature and how it can expand on the capabilities of the standard VLAN.

What is a VLAN?

The first thing to review is what VLAN means and what it provides. A Virtual Local Area Network, or VLAN, provides the ability to logically separate a LAN the same way that would be possible with multiple physical switches. For example, if an engineer had four different physical switches, each of the switches could be connected to separate departments within a company. Without an interconnection or a routing device, the devices within each department would not be able to send traffic to each other and would typically be put into different subnets. A VLAN takes this ability to separate devices, but does it logically instead of physically; a separate VLAN can be created for each department and the physical ports that connect these devices can be configured into the correct VLAN. It is important to keep in mind however that the same rules apply to VLANs as physical LANs; that is in order to communicate between them a routing device is required and separate subnets should be assigned to the devices in each VLAN.

Private VLANs: Extending the abilities of a VLAN

The private VLAN feature provides the ability to extend the capabilities of a “standard” VLAN. It does this by introducing some additional concepts: Primary VLAN, Community VLAN and Isolated VLAN. The Primary VLAN should be considered the Master in the master/slave relationship with the other two sub-types. Switch ports assigned within the primary VLAN are able to see traffic from all devices within the primary VLAN and all sub-types (also referred to as secondary VLANs).

Both Community and Isolated VLANs should be considered slaves in the master/slave relationship with the primary VLAN. Switchports assigned to a Community VLAN can see traffic from all other devices in the same Community VLAN and can send traffic back and forth with devices in the primary VLAN. Switchports assigned to an Isolated VLAN can send traffic back and forth with devices in the primary VLAN, but CANNOT see traffic from other devices in the same Isolated VLAN.

It is important to understand that regardless of the VLAN assignment of the switchport, all of the devices will share the same IP subnet; the private VLAN feature just sets up rules as to which devices are able to speak to each other.

A visual representation is shown in Figure 1 below:

Why Use a Private VLAN?

The next question really is why would an engineer want to implement the private VLAN feature? This section goes over a few possibilities.

What if an Internet Service Provider (ISP) had a limited number of subnet space and wanted to maximize it by assigning all of the customers in a geographic area into the same IP subnet. Of course, most customers do not want other people seeing their layer 2 switched traffic, as it opens up potential security issues. Individual customers who only have a single port connected into the service provider can be assigned into an isolated private VLAN; their traffic would then only be sent and received by the ISP devices connected directly to the primary VLAN.

What if a company existed in the same geographic area and had multiple offices with multiple Internet connections? It is possible with community VLANs to connect all of these Internet connections together so that each would be able to talk directly to each other as well as go out and utilize the same Internet connection.

These are some very simple examples but they do show that the functionality of private VLANs can be useful to any design engineer looking for a solution to a specific set of design requirements.

Summary

The private VLAN feature can certainly be a useful tool in the belt of any engineer looking to solve a design problem with a certain set of requirements. It is important to take a look over all of the available options when designing or modifying a network to see if there is a better way of solving a problem that would work better under specific circumstances; the private VLAN feature certainly has some interesting traits that can be very useful to any engineer. Hopefully the content in this article has made the concept of private VLANs easier to understand.

In this tutorial we will go beyond disks & sharing and configure the FTP, TFTP and SSH services. I will assume you have a FreeNAS system installed with at least one volume configured. For more information on installing FreeNAS and setting up volumes see my NAS Setup Guide.

Before activating the FTP or SSH services it is necessary to create a user. The first step is to add a Group to which all users who access the FreeNAS server will be members. To do this, click “Account” in the left menu tree. Click “Group” and then “Add Group.” Enter a “Group Name” (eg. freenasusers) and click “OK.” To add a user, click “Users” and then “Add User.” In the “Add User” dialog enter the “Username” (eg. “gary”), “Full Name” and “Password” (twice). Set the “Primary Group” to “freenasusers”, select “bash” for the “Shell” and enter a “Home Directory.” The home directory needs to be a directory somewhere on your volume. If there is a volume called “store” its path is “/mnt/store” and a good directory for a user would be “/mnt/store/gary” where “gary” is the user created above. Click “OK.”

Add a user

Note: If the home directory doesn’t exist, FreeNAS will automatically create it with the correct file permissions.

FTP

To configure and enable the FTP service, click “Services” on the toolbar below the FreeNAS logo and then click the small wrench icon next to “FTP”. On the “FTP Settings” dialog tick the box next to “Allow Local User Login”. Click “OK.” Now click the “FTP” “Off” switch to make it go from “Off” to “On.”

The FTP service is now running. Connecting to the FreeNAS server from any FTP client (on any OS with an FTP client) will allow the user to login and upload/download files. The working directory will be the home directory specified when the user was created.

Tick "Allow Local User Login"

SSH

Enabling the FTP service is simple. Click “Services” and click the “SSH” “Off” switch to make it go from “Off” to “On.”

The SSH service is now running. Linux and Mac OS X users can connect using the ssh command line tool. Windows users can download a free (and popular) ssh client known as PuTTY.

Enable home directories

It is worth noting that FreeNAS can be configured to provide home directories to all Windows users. To do this click “Services”, click the small wrench icon next to “CIFS”. On the “CIFS Settings” dialog, tick “Enable home directories” and enter the path in the “Home directories” field. The path should be one level up from where you have created the user directories. Above I used “/mnt/store/gary” and so the path should be set to “/mnt/store”. If I had used “/mnt/store/home/gary” as the home directory for the “gary” user, then the “Home directories” path would be “/mnt/store/home”. Click “OK” to set the options.

Enable home directories for Windows users

TFTP

FreeNAS provides a Trivial File Transfer Protocol (TFTP) service which is a simple, unauthenticated file sharing service often used to boot “dumb” devices or thin clients via the Preboot Execution Environment (PXE) found on more advanced network cards.

To configure and enable the TFTP service, click “Services” and then click the small wrench icon next to “TFTP”. On the “TFTP Settings” dialog set the “Directory” to the place where the files to be shared are stored (eg. /mnt/store/tftproot”). Click “OK”. Click “Services” and click the “TFTP” “Off” switch to make it go from “Off” to “On.”

The directory needs to be created if it doesn’t exist and then the files you want to share via TFTP need to be copied into that directory.

Set the TFTP directory

Conclusion

As we have seen, FreeNAS 8 is versatile and can do much more than just share files on a Windows network.

Cisco CCNP SWITCH Training: Now Available

Cisco CCNP SWITCH Training covers all the Cisco switching concepts that you’ll need on the job and for the exam. Taught by Joe Rinehart, IT pro of over 14 years, this course will help you stay current with your skill set, while giving you the chance to make a splash in the networking industry. Here are the key topics routing explored in this course:

• Spanning-Tree (STP), Rapid Spanning-Tree (RSTP) and Multiple Spanning-Tree Protocol (MSTP)
• VLANs, Trunking and Virtual Trunking Protocol (VTP)
• Cisco Express Forwarding
• Layer 3 Switching Solutions
• High Availability Features

Read a letter from Joe Rinehart about the benefits of a career on the CCNP track.

Students will also learn about switch-based security considerations, interface & port configuration, and more. All the lessons are outlined to provide exam coverage for Cisco’s 642-813 CCNP SWITCH Exam.

Certified Instruction

In addition to authoring ROUTE, CCNA Wireless, and CCNA Voice courses, Joe has developed courses for colleges and implemented networking technologies for Fortune 500 companies. He’s also a speaker and published author, so his perspective is always at the forefront of IT.

Earn your CCNP and increase your salary this year with Cisco CCNP SWITCH Training.

The purpose of the Certified Ethical Hacker certification is to validate the credentials, background and intentions of a network security professional. These professionals have the knowledge and ability to breach the security of a target for malicious purposes but instead of using these abilities maliciously they use them to increase the security of a network. This article provides an overview of the Certified Ethical Hacker (C|EH) certification, how it is structured and the steps that need to be followed to obtain it.

C|EH Certification Review

As stated in the overview, the purpose of the C|EH certification is to provide candidates a way of validating their abilities as well as their intentions. By obtaining the C|EH certification, a network professional can show prospective employers or clients that their intention is to use their abilities to increase the security of a system and/or network and not to decrease it. By having a formalized certification that can be offered to companies, the C|EH also establishes that hacker is not a term that is only associated with negative actions.

To obtain the C|EH certification, a candidate must pass the current version of the C|EH exam, as of this writing the current version is v8. The C|EHv8 exams consists of a proctored computer exam which contains 125 multiple choice questions which the candidate has 4 hours to complete and must obtain a score above 62% to pass. However, not just anyone can just go out and study and take the C|EH exam; before a candidate is allowed to schedule the exam they must be deemed eligible.

There are two ways to become eligible to take the C|EH exam:

1. Attend an official C|EH instructor led course, computer based training (CBT), online live training or academic learning

OR

2. Submit an eligibility form and be manually approved to take the exam, to be approved a candidate must:
   1. Have at least two years of information security related experience.
   2. Remit a $100 non-refundable eligibility application fee
   3. Submit a completed exam eligibility form.

C|EH Exam Layout

The C|EH exam is structured into seven different sections; I have listed them in order of weight (shown in %):

1.Tools/Systems/Programs (32%)

• NIDS, HIDS, ACL, DNS
• Programming and scripting languages
• Cryptography techniques
• Port scanning
• Network topologies
• Subnetting
• Routers, modems, switches
• Operating environments and antivirus systems and programs
• Log analysis tools
• Security models
• Exploitation tools

2. Security (25%)

• Network and physical security
• Biometrics
• Firewalls
• Threat modeling
• Systems security controls
• Application/file server
• Cryptography
• Verification procedures
• Social engineering
• Vulnerabilities

3. Procedures/Methodology (20%)

• Cryptography
• PKI, SA
• Security architecture and testing methodology
• N-tier application design

4. Analysis/Assessment (13%)

• Data analysis
• Systems analysis
• Risk assessments
• Technical assessment methods

5. Background (4%)

• Networking, web, systems, mobile, telecommunication technologies
• Malware operations
• Communication protocols
• Backups and archiving

6. Regulation/Policy (4%)

• Security policies and compliance (i.e. PCI)

7. Ethics (2%)

• Professional code of ethics and hacking appropriateness

Although ethics only represents 2% of the exam, the CEH code of ethics are extremely important and any violations are taken very seriously. Penalties for violating the code of ethics include decertification, suspension of certification and even the publication of infractions and litigation.

Summary

Whether the term hacker will ever be used by the larger population with both a positive and negative meaning will be seen over time. The C|EH certification provides a process of allowing these network security individuals to validate their abilities and their intention to use them for the good of a company or client.

When you update your iDevices to iOS 5, iCloud appears as an option and you can set it up directly from the OS. You can learn more about how to set up iCloud on Apple.com. Installing iOS 5 is part of the requirement for iCloud to run on any iDevice. In order to run it on a Mac, you will need to have Mac OS X Lion installed. It also works on any Windows 7 or Vista PC. Apple’s iTunes should also be updated to its latest version for compatibility with iCloud. Apple’s latest cloud service also comes with 5GB of free data available for each owner who for use with document storage and backup. However, there is no storage limit or cost when using iCloud for purchased music, TV shows, apps, books and photos, across devices.

You may ask yourself: is iCloud just another cloud service available on iOS like Dropbox? Is it simply designed to save data through the cloud rather than on a hard drive or a solid-state drive? The answer is yes and no. It does all of this, but it also takes cloud services on Apple hardware to a whole new level. Apple’s iCloud takes iTunes, or Apple’s file sharing and sync service, and puts it in the cloud — rather than as a desktop (PC or Mac) application. Users can sync data across devices including not just documents, but also music, photos, apps, contacts, calendars, and documents. It’s as if all of the user’s iDevices (Mac compatibility is also possible) cooperate with one another and coordinate content to the user.

The other thing to consider if comparing iCloud to other cloud services with regards to editing documents is iCloud automatically saves across devices. You will not have to transfer files back and forth between apps like Dropbox requires. There is no sending files back and forth or relying on e-mailing to store them and open them with different apps. Content updates simultaneously and is stored so no matter which iDevice or Mac you are using, it will look the same as you left it.

File sharing and sync, backup, and storage are just part of what iCloud offers. As we mentioned, it is also the full iTunes service, but now accessed anywhere from the cloud. This means that songs and movies can also be downloaded from any iDevice without the need to sync and connect your iPad or iPhones to an external system, according to the Telegraph. Previous iTunes purchases can automatically be added as well.

Many of the features iCloud brings, like the ability to set up their device without an external PC or Mac, have been requested by users ever since the iPad was released. The iPad can finally be a separate device that isn’t tied to a desktop PC or Mac. Unlike the iPhone and the iPod Touch, the iPad is a tablet and should have the ability to function independently. With iCloud and iOS 5, now it can. Let’s look at what iCloud offers in terms of specific features available to users and how it changes the entire iDevice user experience.

iTunes in the Cloud

We previously mentioned how iCloud essentially turns the iTunes file sharing and syncing service and puts it in the cloud. Music appears automatically across devices and past iTunes downloads are also available to be easily downloaded from any iDevice.

iCloud Photo Stream

The Photo Stream feature allows you to take photos from one device and have them stored in iCloud. This means that the photos you take will sync across all the devices automatically. You can open up the picture you took from your iPhone on your iPad at home and vice versa. The feature also allows you to view your photo stream album on an Apple TV. This means the whole family can enjoy your latest vacation photos on a larger display.

Documents in the Cloud

The Documents in the cloud feature is kind of like Dropbox. It allows you to save documents across devices, but you don’t have to send it to an app like Dropbox. Apple does this automatically with iCloud. All of your documents are saved automatically as you work on them. Basically any file format is supported as long as the developers use Apple’s APIs to integrate iCloud support for their apps. Some apps you can currently use with automatic cloud saving and storage include iWork Pages, Numbers, and Keynote.

iCloud App Store Integration

Unlike other cloud services available for the iDevices, iCloud brings the entire experience cross-device. This means apps and content wirelessly and without any hassle. You can use iCloud to see your entire App Store purchase history, as well as your iBooks e-book library. If you had to remove apps or books due to space constraints and want to remember which ones they were, with iCloud you can. You can download these apps across devices by tapping the iCloud icon.

iTunes Match

iTunes Match is an optional service made possible by iCloud that costs $25 per year. It matches your iTunes library across devices with iCloud. Although syncing songs is also available for free, there are additional reasons for this service for music lovers. It allows you to integrate your exact iTunes home library, according to MacRumors. Even (current) library meta-data can be imported into the cloud from iTunes. If you are constantly changing files and moving songs and play lists around, this is a great feature to have. The meta-data and song lists get updated across devices. Apple’s iTunes Match is also useful if you haven’t purchased the songs, which you want synced through iCloud, directly from iTunes. For instance, you may have added songs from CDs to your iTunes desktop app. The iTunes Match feature will sync those songs to iCloud as well.

iCloud Backup

The iCloud Backup feature automatically and securely backs up user data to iCloud. It does this automatically over a Wi-Fi connection whenever an iDevice is connected to a power source. The iCloud Backup feature backs up all of the data into the cloud that isn’t covered by other iCloud features. This includes photos and videos in the camera roll, device settings, app data, home screen, app organization, messages and ringtones.

Find My Phone and Find My Friends Apps

A number of smaller apps have also been released to work alongside of iCloud and help you find your devices and friends. They can be accessed from any device. These apps are called “Find My iPhone” and “Find My Friends.”

Find My iPhone is designed to help you find your devices if they get lost. You can use it as an app on any iDevice or log into iCloud.com from any PC or Mac. Find My Phone will show you a map where your iDevice is located and even gives you the option of remotely locking or wiping the data clean from the missing device. The Find My Friends app lets you share locations with others. You can also share your location temporarily with friends. This may be useful if you are out of town for a period of time like when going camping. They can easily find your location and reach it.

Conclusion

As an IT person you may wonder why use an iDevice and iCloud at all, especially since Microsoft Office currently isn’t available on the App Store? You may also wonder, why choose the iPhone or an iPad for any productivity work. The fact remains that with iOS 5 and iCloud available, now is a perfect time to pick up an iPad or an iPhone. If you own a previous iOS version, it is also the perfect time to upgrade. The iCloud service doesn’t just make it easier to get things done if you own multiple iDevices. It is also designed to allow iDevice integration with PCs and Macs.

You can start working on a presentation at the office and finish it on a train ride from work while it automatically syncs between the two systems you used to create it. You no longer have to worry in the same way as before about compatibility across devices. The work you’ve done will look exactly the same across various devices that have the same apps installed (although not every app supports iCloud yet and the iDevices still doesn’t have Microsoft Office). As the App Store’s app library grows, don’t be surprised to see more professional-level apps to be integrated into iCloud and be compatible with the iPad for instance. Also, don’t be surprised to see Mac apps start to be indistinguishable across both Macs and the iDevices (in terms of compatibility and features).

1. provide a NFS NAS and iSCSI SAN for my vSphere and Hyper-V virtual machines
2. provide a reliable place to store my files

Now, I have played with some array features (like hosting my iTunes music and movies) but that isn’t my primary need (it’s just “nice to have”).

For more than 2 years I have been using the Iomega IX4-200D and it has served me well. I have about 2.7 TB usable space, I use NFS, iSCSI, and SMB on it. However, recently through Kendrick Coleman (his blog is KendrickColeman.com), I was introduced to Synology. He said that he really liked all that it could do. I wasn’t planning on getting one until a friend had one that he needed to sell. It was an opportunity to buy a slightly used Synology DS211+ for a very reasonable price. I figured, if nothing else, it would make a great place just to copy current storage files to in case there was a small disaster and all my Iomega files were lost.

Introducing the Synology Storage Array Lineup

Synology offers a large variety of disk arrays, all the way from large business NAS solutions down to personal and small office solutions. Sure, you can pick up SMB disk solutions from just about anyone but most of them come from companies that do other things like networking and they start as USB flash keys and go up. Synology just does smart arrays and they do them very well. To me, what makes their units different is actually the software that is inside.

I actually have the DS211+ (the DS212 is shown in the picture and it just has a few internal very minor differences). This is a 2 disk unit and you can insert your own disks (bring your own disks / BYOD). It offers SMB Windows file sharing, Apple File sharing, NFS, iSCSI (and a few others).

I am using RAID 1 with qty 2 x 2TB disks to give me about 1.8TB of usable space. I have enabled Windows file sharing and iSCSI so far. Besides that, I have tried out a number of the really cool apps included with the NAS (discussed more below). Overall, I like the box. It is small, quiet, and it just seems to work. I do wish that my model had an LCD status display, but then I didn’t spend much of anything to buy it so perhaps that is something I would spring for when I upgrade in the future.

Besides the smaller units like mine, Synology offers large NAS/SAN arrays and they offer you free demo access to one of the web-based consoles for those larger arrays on their website at Synology Live Demo. I think that is actually really cool that they do that as anyone can get familiar with their very nice interface before making a buying decision. I have bought way too many products that look “cool” and well-designed on the outside, only to find out that the management interface was junk when I got them home.

As you can see, the Synology “DSM” (aka DiskStation Manager) can be quite beautiful.

I also like how you can make the management interface look like your workstation’s desktop, adding and removing icons to it however you wish. I also think that it is user-friendly, I like how it starts with a “wizard” that will guide you through initial setup, and I LOVE that you can add other applications to the Synology unit (more info on that below).

Here’s what the very user-friendly control panel looks like (this also gives you an idea of all that it can do).

Using My Synology for vSphere and Hyper-V Storage

Being the “VMware guy” for TrainSignal, one of the first things that I wanted to do with my Synology was to connect it to my vSphere (and even my Hyper-V server). I was able to do this with iSCSI (also could have used NFS) without any trouble. I created a couple of iSCSI LUNs (one for vSphere and one for Hyper-V) and then connected to them on their respective OS. Here’s what it looked like:

Amazing Applications Packed into Synology

Being an iPhone user, I really love “my apps” and the Synology DSM allows me to add “apps” to the NAS as well — what a concept. The applications are found in the “package center”. I can make my Synology into an email server, a VPN server, iTunes server, and even crazy things like a WordPress server!

Whoever heard of a storage array where you can do iSCSI, email, VPN, web hosting, FTP, backup and recovery, media services, photo sharing, LDAP directory services, HiDrive cloud backup, and even administer your PHP installs using PHPadmin (installed as a package on the array). Gee, it’s just so darn flexible!

In summary, I get no commission for saying any of this but, having tested a few different options for home labs storage, I think that Synology would make a great SMB storage unit. In my case (and maybe your case too) the Synology product would make a great home lab unit because it can do so many things in one little package. I like that you can install your own disks (so you know they aren’t over charging you for those and so you can select whatever sizes you want). For more information, checkout www.Synology.com.

Interested in hearing about more hardware for training and lab building? Post your comments here!

This video is a recording of my free webinar on the best new features in Exchange 2010 SP2. I hope you enjoy!

If you’d like to downloads the slides, you can do so here: Best New Features in Exchange 2010 SP2 PowerPoint

That’s right folks; rogue access points are still a legitimate concern for businesses. But it’s not just the organizations that need to be concerned; end-users need to understand that these are a legitimate threat to their personal data as well.

What are Rouge Access Points?

Businesses typically classify rogue access points in two categories. The first, and most serious, are the rogue AP’s that are plugged into the business network. Most organizations that are on the ball have a security policy that states no one should be plugging-in unauthorized access points. Hopefully this prevents users from bringing in an access point from home and setting it up in the conference room because of a shortage of data jacks. But there are those incidents, though rare, where someone gains access to the business floor and is able to plug in a rogue device. It could be someplace inconspicuous like the waiting area or even a conference or break room. You need to keep in mind that if you remove an AP from its shell, it’s not very big. They can even be concealed inside the data jack and powered over Ethernet.

Additionally, they’re not going to be broadcasting the SSID on the Rogue device and will limit connectivity during working hours as to not draw attention. If not detected and removed quickly enough, this can provide the hacker unfettered access to the corporate infrastructure. Diligent companies will have their servers locked down and segmented behind a firewall along with other security measures. What about the user workstations on that segment? How secure are they? They can be compromised for the data they hold, both personal and corporate. It’s extremely rare for us not to have some sort of personal data on our work computers. Additionally the computer can be used as a pivot point to gain access to those critical servers. Keep in mind that if someone has taken the risk to get an access point on the corporate network, they’ve probably done a significant amount of reconnaissance already. Part of this could have been to sit in a car or lobby and sniff wireless traffic in effort to gain credentials or other information about your network.

The other more interesting issue involves rogue access points that are not plugged into the network, but are close enough to cause problems. These are the ones that organizations have a vast amount of trouble dealing with because there is really nothing they can do about them. And if the company is in a major city, like New York, it’s a big headache as the entire city is blanketed by 802.11 networks.

As demonstrated by our friends at Wigle.net, just this two-block area of NYC has hundreds of WLANs. If your company is blocking Facebook or any other favorite sites, what’s stopping them from connecting to “FreePublicWiFi”, “Starbucks” or some other SSID that’s open and inviting? Or it might be an incidental connection. Many of these residential access points that you can purchase from Best Buy are set up to work right out of the box or with minimal configuration. Often people don’t think to change the SSID of the device. How many “Linksys” SSIDs do you still see today? Most people have their Wi-Fi settings configured to automatically connect to their home’s SSID whenever in range. So what do you think happens when that wireless card sees the home’s SSID when the user is at work? Now, if the user is plugged into the corporate network and connected to a rogue device at the same time, the computer is dual-homed. It’s essentially acting like an open bridge right into the network. Unknowingly, the user can be passing domain credentials and other nuggets of information that would help the hackers get deeper into the network.

Another bad guy trick that is still somewhat effective in heavily congested areas is to set up an access point (physically) close to the company and use their SSID on this device, but not have any security on it. This is typically the easiest to detect as the signal on this device is usually not as strong as the ones inside the company’s walls, as well as other detection criteria that I’ll discuss down the road.