<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>DamianGrace.com &#187; VPN</title>
	<atom:link href="http://www.damiangrace.com/tag/vpn/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.damiangrace.com</link>
	<description>Behind the scenes</description>
	<lastBuildDate>Wed, 28 Dec 2011 21:42:46 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Pentesting with Backtrack &#8211; An OSCP course review</title>
		<link>http://www.damiangrace.com/offensive-security-certified-professional-oscp/pentesting-with-backtrack-an-oscp-course-review/204/</link>
		<comments>http://www.damiangrace.com/offensive-security-certified-professional-oscp/pentesting-with-backtrack-an-oscp-course-review/204/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 04:44:08 +0000</pubDate>
		<dc:creator>Damian</dc:creator>
				<category><![CDATA[Offensive Security Certified Professional (OSCP)]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[admin]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[course]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[GWAPT]]></category>
		<category><![CDATA[Ironport]]></category>
		<category><![CDATA[linux]]></category>
		<category><![CDATA[modules]]></category>
		<category><![CDATA[Offensive Security]]></category>
		<category><![CDATA[OSCP]]></category>
		<category><![CDATA[root]]></category>
		<category><![CDATA[SANS]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[video]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://www.damiangrace.com/?p=204</guid>
		<description><![CDATA[I got the news this morning that I have successfully completed the OSCP exam. It has been a hard 4 months of exams, training and study for me with my CISSP, OSCP and GWAPT and this was most certainly the icing on the cake. It is without a doubt the hardest, most realistic, most valuable [...]]]></description>
			<content:encoded><![CDATA[<p>I got the news this morning that I have successfully completed the OSCP exam. It has been a hard 4 months of exams, training and study for me with my CISSP, OSCP and GWAPT and this was most certainly the icing on the cake. It is without a doubt the hardest, most realistic, most valuable course/exam I have ever taken.</p>
<p>I found it so worthwhile I’ve decided to give it a review. So let’s start from the start and I&#8217;ll give you as much detail as I think I am legally allowed.</p>
<p><strong>Getting Access</strong></p>
<p>First of all, the sign-up process is not quite what I have experienced with other certifications. I psyched myself up, sat down with my boss’s credit card and was all ready to spend some of his money&#8230; but no&#8230; The guys at offensive-security don’t want your money straight off. Instead they email you with an OpenVPN configuration attachment with the purpose of confirming that you can actually connect to their labs before taking your (or your boss’s <img src='http://www.damiangrace.com/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> ) hard-earned money.</p>
<p>Now a point of note for those located behind an Ironport Mail Gateway: I waited days for the response email and heard nothing. I was actually starting to get rather cranky at their (lack of) service. I mean, I had employer dollars to spend. I managed to get in contact with them and deduced that Ironport* have given the Offensive-Security mail server IP a reputation of -3 which is well under our drop by reputation thresholds. After rearranging with them to send all correspondence to my Gmail account we were away.</p>
<p><strong>The Course</strong></p>
<p>So with email working and the VPN confirmed operational we arranged payment for the course (which again was a problem due to the credit card not being in my name&#8230; but we won’t go into that) and I got my material and 60 days lab time. What you actually get for your $700USD is quite impressive.</p>
<ul>
<li>One PDF containing the course lessons.</li>
<li>One set of SWF video files where Muts walks you through all but the last few of the course modules.</li>
<li>24/7 access to the Labs for 60 days via VPN which is full of vulnerable devices to attack; and,</li>
<li>Hours of guaranteed pain, suffering, joy, frustration and exhilaration.</li>
</ul>
<p>The combination of these materials creates a very comprehensive learning environment. Overall there are 16 modules of delightfully wicked goodness. The PDF covers each of them in fair detail but the videos are the real meat of the course. Each module covers a specific aspect of penetration testing.  These range from the information gathering stage, all the way to keeping access and rootkits.</p>
<p>Muts, through the videos, keeps you company as you make your way through the course material. He pushes you to learn more and he provides links to more information in case you would like to expand your knowledge in any of the areas that can’t be covered in depth through a 5 minute presentation. I found him to be very articulate and the videos are of quite high quality.</p>
<p>The videos only cover from chapters 1 – 13 and then you are left with the PDF to guide you through the rest. This turns out ok however as the last 3 modules are more of a brief and require more external reading through the provided links rather than the total immersion that is the previous modules.</p>
<p>Most modules allow for hands on practice through the labs. This was of the most benefit to me as this is how I learn best. Often I find you can read something that sounds simple and easy but when it comes to actually putting it into practice things just don’t go according to plan. Hours were spent by me working through the exercises and trying to smooth out the lumps and bumps and believe me&#8230; there were plenty of lumps and bumps <img src='http://www.damiangrace.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>Lastly once you have finished the modules you are free to (and actively encouraged to) attack the rest of the lab network with the exception of the other student machines. A list of final challenges is set upon you and the goal is simply to get root or admin access to each device. This is quite a lot of fun, and far from easy.</p>
<p><strong>The Exam</strong></p>
<p>The first thing I have to say about this exam is that it’s a <strong>really</strong> tough exam. You are given 24 hours to gain root or admin access on 5 devices. From what I have seen in the field, these devices are as close to the real deal as you can get.</p>
<p>It was a lot of fun when I wasn’t stressing to the hilt. The different ways to break into these devices were very good and bound to stretch your mind.</p>
<p>What else can I say about this exam&#8230; well not much. I’m not allowed to&#8230; sorry <img src='http://www.damiangrace.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>After you successfully pass the exam you are given access to a forum just for OSCPs where you are free to discuss all aspects of the exam and course. I found it interesting that students worked out multiple different ways to get into the same devices. This brings on my only real point of angst about this course. I was unable to crack one device, so as soon as I got access to the forums I jumped in to find out how to crack this nut. It turns out everyone before me (that posted) had done it using a particular exploit that works on a particular port (could I be any more obscure <img src='http://www.damiangrace.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> ).  So moving back to my pain point&#8230; That port was not even open on that device during my exam!!! So, I still have no idea how to get into this device.</p>
<p><strong>Conclusion</strong></p>
<p>This is a brilliant course!</p>
<p>I have done many courses both from vendors and course providers such as SANS and Offensive-Security. While a lot of the other courses have been great, the Pentesting with Backtrack (OSCP) has easily provided me with the most value. I walk away from this course actually feeling like I have achieved something solid. This is both due to the time it takes to work through the course at your own pace and the quality of the content.</p>
<p>This course is by no means for beginners in IT. It works through some very complex topics and concepts. It is recommended that you have at least some coding experience as well as an operational knowledge of Windows and Linux.</p>
<p>For $700USD I think it’s a must for anyone in the IT security industry to work towards and I expect to see the certification gain serious traction and the respect it deserves in the near future. I know I’d be looking for an OSCP if I was hiring.</p>
<address>*Ironport is an awesome product and this is the first time I have had any real issues with it in 2+ years.</address>
]]></content:encoded>
			<wfw:commentRss>http://www.damiangrace.com/offensive-security-certified-professional-oscp/pentesting-with-backtrack-an-oscp-course-review/204/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Juniper SSL/VPN Basic Functionality</title>
		<link>http://www.damiangrace.com/remote-access/juniper-sslvpn-basic-functionality/93/</link>
		<comments>http://www.damiangrace.com/remote-access/juniper-sslvpn-basic-functionality/93/#comments</comments>
		<pubDate>Thu, 15 Oct 2009 02:21:38 +0000</pubDate>
		<dc:creator>Damian</dc:creator>
				<category><![CDATA[Remote Access]]></category>
		<category><![CDATA[Access]]></category>
		<category><![CDATA[Core Clientless Access]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Network Connect]]></category>
		<category><![CDATA[SA2000]]></category>
		<category><![CDATA[SA2500]]></category>
		<category><![CDATA[SA4000]]></category>
		<category><![CDATA[SA4500]]></category>
		<category><![CDATA[SA6000]]></category>
		<category><![CDATA[SA6500]]></category>
		<category><![CDATA[SA700]]></category>
		<category><![CDATA[Secure]]></category>
		<category><![CDATA[Secure Access]]></category>
		<category><![CDATA[Secure Application Manager]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[SSL/VPN]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.damiangrace.com/?p=93</guid>
		<description><![CDATA[I had to do a quick write up on the Juniper Secure Access SSL/VPN products for a client. It seemed a waste to be for his eyes only so I have shared it here (slightly modified) hoping it will help someone out. So, basically there are three broad levels of remote access that the Juniper [...]]]></description>
			<content:encoded><![CDATA[<p>I had to do a quick write up on the Juniper Secure Access SSL/VPN products for a client. It seemed a waste to be for his eyes only so I have shared it here (slightly modified) hoping it will help someone out.</p>
<p>So, basically there are three broad levels of remote access that the Juniper SSL/VPN offers. They are:</p>
<ul>
<li>Web Based</li>
<li>Secure Application Manager (SAM)</li>
<li>Network Connect (NC)</li>
</ul>
<p>The levels of functionality increase as you move down the list. </p>
<p><strong>Web Based</strong><br />
This is the simplest access level. A user can connect to the Juniper SSL/VPN using a standard web browser and from the browser interface get access to a broad range of resources within the corporate network. The administrator must provide explicit access to these resources in order for users to connect to them. Shortcut links can be placed on the portal webpage to make life easy for the end user.</p>
<p>Potential available resources include:</p>
<ul>
<li>Web Access (internal or external Websites)</li>
<li>File access (Access to file shares)</li>
<li>Telnet/SSH </li>
<li>Terminal Services</li>
</ul>
<p><strong>Secure Application Manager (SAM)</strong><br />
SAM instructs any traffic coming from a particular application (outlook.exe for example) to be pushed down the tunnel rather than onto the resident network. I usually don’t use this feature myself as you can usually get the same functionality and more from NC. However it does have its uses.</p>
<p><strong>Network Connect (NC)</strong><br />
NC requires administrative privileges to be installed. Once installed NC acts much like your traditional IPSec VPNs. In fact NC will actually attempt to set up an IPSec tunnel before falling back to tunnelling over SSL if unsuccessful. Port 4500 UDP and protocol 50 are required to be opened between the host and the SSL/VPN device in order for IPSec to work. SSL tunnelling only requires TCP port 443. Once connected, the host will actually be granted an IP address on the internal network. This is perfect for applications that require server based traffic initialisation. </p>
<p>The options above provide a higher level of granularity and flexibility than any IPSec VPN solution&#8230; but it doesn’t stop there <img src='http://www.damiangrace.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>For each of the options above you have the ability to restrict or allow based on a number of different factors.<br />
These include but are not limited to:</p>
<ul>
<li>Protocols </li>
<li>Port Number, and</li>
<li>Destination IP</li>
</ul>
<p>The way these restrictions are implemented is quite easy too. You have the ability to use a wildcard character (*) and it&#8217;s as simple as this.</p>
<ul>
<li>To allow traffic to your intranet URL and everything under it: http://myintranet/* </li>
<li>This can be extended to allow sub-domains as well by doing: http://*myintranet/* </li>
<li>To allow Remote Desktop traffic to a range of computers you can do it like this: tcp://10.10.10.10-25:3389, or to all computers: tcp://*:3389 </li>
<li>You can even allow all traffic to all destinations like this: *:* (although this is not recommended <img src='http://www.damiangrace.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> )</li>
</ul>
<p>The real fun begins when you start looking into the &#8216;Host Checker&#8217; functionality. Host Checker allows you to check the connecting computer for certain items before allowing it to connect to the corporate network. A lot of companies like to ensure that the connecting computer has the latest (within a week or two) AV definitions installed before allowing them access. That is only half of the Host Checker functionality. Based on the Host Checker results, you can actually change the level of access the user receives into the network. My personal favourite and one that I suggest to all our clients is to hide a registry key somewhere in the registry of all corporate laptops. Obviously you should trust your laptops a little more than an internet kiosk, right? So when the user logs in from our ‘trusted’ laptop we can give them their full access. However, if the registry key is not located we can assume they are on an un-trusted computer and we can restrict their access and only issue them with OWA access for example.</p>
<p>That&#8217;s a very basic rundown of the vast amount of functionality that the Juniper SSL/VPNs have. I must admit I really don&#8217;t like recommending products that I don&#8217;t believe in&#8230; That being said, I think that the Juniper Secure Access devices are awesome!!!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.damiangrace.com/remote-access/juniper-sslvpn-basic-functionality/93/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
