  Show Posts
16  Resources / Career Central / Re: Am I a lost cause?... (need some pro help here). on: January 31, 2009, 04:17:02 AM
There is a lot of liability for pentesting positions which is why it usually requires tons of experience not only on the pentesting side, but also excellent knowledge in several of these areas:  systems, networks, databases, web apps/services, secure programming, security hardware, and forensics.  So in order to get the experience with the above criteria, you have to start somewhere, so I recommend going with what you know & have experience with:  Linux/Unix!

By doing such, you'll get tons of experience with the above while also learning a valued "trade" that many partners seek.  There are also top-tier Linux security certifications like the RHCSS, which is a Redhat Linux security cert.  It's gonna take lots of time & practice to get there as you'll have to first obtain your RHCE which covers Redhat systems.  This and your clearance will do wonders for you.  Not only that, you'll learn and get experience with many projects that will give you perspective when doing pentests.  Through there you could implement, enforce, and assess security policies in businesses.

Some get into security through networks (I did), while others get there through secure programming.  The thing is, you REALLY need either a BS/MS to get your foot in the door or a high-level cert (RHCE/RHCSS, CCIE, CEPT/LPA) if you don't have much direct experience.  The above certs require a hands-on component which requires the testee to REALLY know the products rather than cheat their way through it using braindumps, so they're highly respected across the board.

Businesses want to know exactly what you bring to the table.  Now that you have responsibilities, it's harder to allocate time to getting ramped up, but not impossible.  Federal contractors tend to require a BS degree at a minimum, along with multiple certs and internships for a jr position for candidates without a lot of "direct" experience.  Without a BS or high-level certs, you'll most likely land help-desk jobs which suck.  A high-level cert will begin opening doors because they require tons of hands-on experience, but no guarantee either as you'll more often than not be given a performance interview to show your stuff.

17  Ethical Hacking Discussions and Related Certifications / Hardware / Re: 802.1x Cisco and AD on: January 21, 2009, 10:56:41 PM
How secure is 802.1x? Is it as easy to bypass as port security using mac addresses? Can you spoof the SID of a computer and join to the network or is there further verification that is done through the RADIUS server outside of just the machine or user SID? I am about to dig in and research this further but I figured this would be a great place to start.

802.1x provides excellent L/2 security for AAA services.  Depending on which authentication protocol you're using for 802.1x authentication (EAP-FAST, EAP-TLS) and RADIUS on the backend. 

It would be easier to install a keylogger than trying to spoof 802.1X credentials IMO as you would first have to be able to do a MITM attack through either ARP, DNS, DHCP, MAC, IP spoofing which can be blocked at the switch. 
18  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Cisco Security on: January 21, 2009, 10:43:56 PM
Nice to see you too! I'm a little intimidated by the level of technical proficiency here, so I'm probably just going to lurk for the most part ;)

Don't be intimidated dynamik.  Nobody knows everything and all of us had to start somewhere too.  Not only that but we're able to share ideas and techniques here.

:)
19  Resources / News from the Outside World / Re: US Army Mil website mdw.army.mil and NATO Parliament www.nato-pa.int Defaced on: January 10, 2009, 01:38:54 AM
Somebody's tail is being reamed bigtime right about now. 
20  Ethical Hacking Discussions and Related Certifications / Other / Re: What kind of lab, machines you have for your security testing? on: January 07, 2009, 01:04:13 PM

A little here and there but mostly stuff from work since we work lots with Cisco stuff. 
21  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Wireless Pen Testing Cards on: January 07, 2009, 01:02:03 PM
Not to say that wlan pen-testing is a dead subject however the enterprise-class wireless manufacturers have already migrated to 802.11n (draft-n) over G-networks.  For the most part, b-band is rarely seen because of the security implications.

Having said that, more 802.11n enterprise-class APs are integrating security features to provide an incredible amount of security that wasn't seen in the past two years.  You have APs that do:

- onboard Layer 1/2 IPS
- integration with Layer 3-7 network IPS
- AAA backend authentication
- integration with Network Admission Control (NAC) for posture assessment and compliance
- rogue AP detection
- management frame protection (beacon frame integrity)
- AES encryption to the AP (client association)
- and much, much more

Many customers are buying APs solely for their ability to detect (and mitigate) rogue APs either by careless individuals violating the security policy or by malicious attackers.  Now wireless network analysis is a growing field with tons of potential and part of the new CCIE Wireless roadmap. 


22  Ethical Hacking Discussions and Related Certifications / Forensics / Network Forensic tools/practice/techniques on: December 31, 2008, 03:12:57 PM
How are you guys doing?  I was wondering what kind of tools are used to investigate networks to include routers, switches, firewalls, IPSs, and other advanced security technologies?  Does this mostly consist of reading each line of syslog info?

Just how far ahead or behind are the professional tools out there for this?

23  Ethical Hacking Discussions and Related Certifications / Other / Re: What kind of lab, machines you have for your security testing? on: December 31, 2008, 02:46:26 PM
Attack:  2 laptops running VM Workstation

Servers:  tower running VM Workstation

Infrastructure:  (2) Cisco 3750 switches, (2) 5510 ASAs, 2811 & 3825 routers, (2) Cisco 802.11n APs, (1) WLAN Controller, (2) MARS Gen-1 boxes, HP server for CSA-MC, Cisco Web Application Firewall, and ACS server (AAA).


Trying to get Network Admission Control (NAC) network modules for wired/wireless integration within the routers, and an IPS module for the ASA firewall which will also integrate with wireless.  Although I could simply run a VM image of the NAC Server & Mgr on the HP server for some cool shit.  LOL

:D
24  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Cisco Security on: December 30, 2008, 08:56:10 AM
Yup.  Ironport works as a wonderful email & web content filtering front end which also collaborates with Cisco's Security Agent (CSA) to reinforce Data Loss Prevention, or info leakage through email.

Their latest acquisition this past summer will really ramp up network security with role-based application enforcement/security.  And like their other security offerings, it will probably work together which will take it to the top IMO.

25  Ethical Hacking Discussions and Related Certifications / Web Applications / InfoSec Institute: Certified Application Security Specialist (CASS) course on: November 04, 2008, 10:55:46 AM

Has anyone had the chance to attend this course from InfoSec?  Sounds like a great course which focuses on Web app & Web Services security.  The course is officially called "Application Security: Web Application Hacking".

Haven't seen too many courses with this much depth out there.  Mile2 used to have one but no more.  Now chasing certs isn't what I'm trying to achieve here although I was also curious as to the legitimacy of the CASS designation.  I've noticed that it's completely different from their Certified Expert Pen-Tester (CEPT) certification.

26  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Unified Threat Management (UTM) Boxes - Opinions Required on: October 23, 2008, 10:58:46 PM
I've always liked Astaro for the past couple of years, but one drawback to many UTM boxes is that they don't have dedicated hardware acceleration for additional services.

Having this makes a difference because it addresses the throughput issue you're talking about.  However that usually leads to the bigger firewall players out there that the article didn't cover.  It all depends on the size of the network, throughput requirements, and scalability within the UTM.

27  Ethical Hacking Discussions and Related Certifications / Hardware / Re: CheckPoint vs Cisco (ROI$$) on: October 23, 2008, 10:53:56 PM
Well right now, Checkpint (lol) is doing everything to salvage their customer base since Nokia decided to pull out as the CHKP hardware of choice.  That means no more support.

I'm partially biased toward the ASA because of what it can do.
- tremendous F/W throughput
- hardware accelerated, built-in IPSec/SSL VPN concentrator
- phone proxy, mobility proxy (mobile phones), and presence proxy
- IPS module add-on
- VPN integration with Network Admission Control (NAC)
- collaboration with other Cisco security devices (ACS, CSA, MARS, NAC)

28  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Cisco Security on: October 23, 2008, 10:43:15 PM

I think it matters a lot (personal preference) because Cisco security products have steered away from mostly being point products several years ago.  For the past couple of years, they've focused on collaborating each security control together to integrate with one another & even escalate the security of other Cisco security solutions.

Security no longer becomes an afterthought or a necessary evil, but a security architecture that's designed to scale to Government & Compliancy requirements (like PCI, HIPAA, SOX) which goes far beyond just a simple firewall.

29  Ethical Hacking Discussions and Related Certifications / Hardware / Re: IPS Location in the Network on: October 23, 2008, 10:36:38 PM
Hello,

I was wondering if anyone had a particular opinion on the location of an Intrusion Prevention System (IPS) in a network. Does an IPS normally come before or after a firewall?

Thanks,

Matt

Many solid firewalls can be purchased with an IPS module in it which makes tons of sense especially when it can detect SQL injections, buffer overflows, scans, URL parsing, certain Web App attacks, and protocol manipulation.  So to answer your question, there are two places I would place an IPS for basic coverage:  at the firewall (perimeter protection), and at the Distribution/Core switches (scans internal users).

From there, throughput becomes an issue so you'd have to go with a slamming sized IPS in your Data Center because most likely it's going to push 10GE lines. 

30  Ethical Hacking Discussions and Related Certifications / CPTC - Certified Penetration Testing Consultant / (CEPT) Certified Expert Penetration Testing- New Changes! on: May 10, 2007, 09:36:11 PM
Looks like the CEPT from InfoSec Institute is buckling down to create a top-tier Pen-Testing certification by adding a practical portion to the CEPT exam.

http://www.iacertification.org/cept_certified_expert_penetration_tester.html

The exam consists of two parts, a traditional multiple choice, true/false and multiple answer examination and a take-home practical exam.


"Upon completion of the multiple choice exam, candidates are then distributed a take-home practical, in which they will be tested on their ability on three Challenges. Candidates have 60 days from the completion of the multiple choice exam to complete the practical examination. The three challenges are as follows:

Challenge #1: Discover and create a working exploit for Microsoft Windows Vulnerability.
Challenge #2: Discover and create a working exploit for a Unix / Linux Vulnerability.
Challenge #3: Reverse engineer a Windows Binary.

Candidates are instructed to submit a working exploit for Challenges #1 and #2. Partial credit is given for non-working exploits, when submitted with detailed documentation.

Challenge #3 requires that the candidate follow specific instructions, as well as optionally answer up to three questions about the binary and/or submit a binary with modified function as specified. Partial credit is also available for Challenge #3 with supporting documentation.

The practical is then submitted to an exam proctor, who will grade the exam. A 70% is considered a passing grade. Generally, candidates that submit working exploits as well as a properly reversed binary will pass the exam."



Needless to say, I'm sure the CEPT will continue to shine and hopefully grow in popularity.  Jack Koziol is an excellent instructor who really knows his stuff and takes pen-testing beyond using automated tools and scripts.  Good mojo.
