Network World
Thursday, August 28, 2008

Jamey Heary: Cisco Security Expert

For downtown Denver businesses, DNC conference sparks mass roll out of work from home solutions

The Democratic National Convention is in my home state this year. Many of my downtown Denver customers and friends have worked diligently over the past couple of months to set up a remote access teleworker solution for their businesses. Projects and timetables were linked to the coming of the DNC, surprise, surprise. Downtown Denver businesses are worried that their employees might not be able to commute in for work every day. Things like increased traffic, street closures for motorcades, and the possibility of a perimeter lockdown of the city due to security incidents or threats are all top of mind. This has caused many businesses to look to teleworker solutions as a way to have employees work from home during the DNC and beyond.

SSLVPN Vulnerabilities - Client Certificates offer a superior defense over OTP devices

Black Hat '08 disclosed several SSL VPN and DNS vulnerabilities that caused a lot of people to sit up and take notice. Some of these new exploits performed a brilliant man-in-the-middle attack on SSL VPN tunnels. I'll walk you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSL VPN solution against these new types of attacks. I wrote an article a while ago about using certificates as a second factor for authentication to an SSL or IPsec VPN. The model is based on a feature that came out in the Cisco ASA 8.x release which allows an SSL VPN to be configured to require a certificate plus AAA authentication.

Black Hat 2008 Day 1 – Phishers posting credit card info for all to see and a new DNS cache poisoning trick

Let me start by saying that Vegas rules!!! And I am currently up about $10,000. And I have this nice piece of land to sell you. Anyway, the first day of Black Hat was superb, as usual. It retains its title of the best security conference available; if you have to pick just one a year, this should be it.

I plan on writing at least two more articles on the topics covered, but I wanted to get a quick summary out to you all today. Here was my agenda for today:

How to build iPhone profiles for Cisco VPN

Apple came up with a slick way to distribute various iPhone settings to your users via email or the web; it is called profiles. Profiles are basically XML config files that act like plug-ins for the iPhone. They can configure things like Wi-Fi, network, passcode, email and VPN settings on each iPhone. They can even be used to install certificates. Profiles like this are helpful if you have a large number of devices to manage or if you just have a large number of settings you want enforced on each user's iPhone. Additionally, for certain settings, like some VPN and Wi-Fi settings, you have to use profiles.

Cisco releases new security features, a capture feature, and new IOS upgrade tools

Cisco just released updated router IOS code, 12.4(20)T, with several very interesting new security features and a packet capture feature you might be interested in. You can even use the warm upgrade and Auto-Upgrade Manager features that shipped with the 12.4(15)T IOS code to streamline the upgrade process and minimize your downtime. Let's dive into the new security features and the new upgrade tools that Cisco is offering.

Cisco packed some pretty hefty security features into this release, 24 new ones to be exact. Here are the highlights:

"Dr. Seuss" discusses LAN design

This story was revitalized by my friend Jeff Wells. I thought it was a kick and, like he says, it is still true today.

The original story is from "HP Professional" magazine, sometime in the early '90s, the "And Another Thing" last-page column by Gordon McLachlan. I retyped it in its entirety, since it doesn't at this point appear to be stored anywhere on the 'Net in text form. Old timers will recognize that the problems we faced then aren't much improved today. J. Wells, 07/2008

If I Ran the LAN

Editor’s Note: This month Gordon McLachlan gives us chapter and verse on the difficulties of managing corporate LANs. Our apologies to the late Dr. Seuss.

My name is McHooter, and I had a plan,

Top 5 most valuable skills for security pre-sales engineers

Are you thinking of changing careers to security sales engineering? Need some advice on what skills are most needed? Well, here are my top 5.

iPhone – The next platform for security tools?

With the soon-to-be-released 2.0 software update, all sorts of applications will be ported to the iPhone platform. Security tools should be no exception. Here are some of the security tools that I'd like to see on the new iPhone 3G:

  • PuTTY – SSH client
  • NetStumbler – wireless LAN detector with GPS support
  • KisMAC – passive wireless scanner and cracker with GPS support
  • Aircrack – a fast WEP/WPA cracking tool
  • Metasploit – the best exploit tool out there. They've even added new exploits to hack the iPhone!
  • Nmap/Zenmap – network and security scanner
  • Wireshark – the premier free packet sniffer
  • and of course Nessus – a comprehensive vulnerability assessment tool

Cisco wants your feedback on what new security features you need

I am a member of a field advisory board for security products at Cisco. One of the charters of this role is to provide the various security business units (BUs) with customer feedback on the features and products they most desire. This process, among several others, helps ensure that the security product BUs at Cisco are developing features that customers are asking for. This input is used by the BUs to help prioritize which features will be developed first, otherwise known as the product feature roadmap.

Gain per-user control and auditing on who uses your Cisco site-site VPN tunnels

Wouldn't it be nice to be able to control and audit access to your VPN tunnels using usernames and per-user security policies? Putting the typical tunnel access-list protection in place is great and all, but per-user control is really where it's at! To that end, Cisco has a nice feature that allows you to authenticate, authorize, and account for any user who tries to access a site-to-site VPN tunnel. Most site-to-site VPNs rely on an access list that determines which IPs and ports can be used across a tunnel. This feature, authentication proxy, allows you to limit and audit VPN tunnel access using usernames and passwords as well. Even OTP devices are supported. And yes, you can make authentication exceptions for non-authenticating devices like printers, servers, etc.
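To make that decision sequence concrete, here is an added example rather than anything from Cisco or from this post: a small Go model of what an authentication proxy does with each new flow that tries to cross the tunnel. The tunnel access list still applies to everything; hosts on a bypass list (the printers and servers that cannot log in) are passed through without authentication; an unauthenticated source is intercepted and prompted; and an authenticated user gets only what the per-user ACL returned by AAA permits, with the username carried along for accounting. The ACE syntax, addresses, username and policies are all constructed for the example; real auth-proxy configuration and AAA attribute formats differ.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one new connection attempt arriving at the tunnel interface.
type Flow struct{ Src, Dst net.IP; Proto string; DstPort int }

// ACE is a simplified access-control entry ("permit|deny proto dst-cidr port|any");
// Proto "ip" matches any protocol and DstPort 0 matches any port.
type ACE struct {
	Permit  bool
	Proto   string
	DstNet  *net.IPNet
	DstPort int
}

// parseACL parses lines such as "permit tcp 10.20.5.0/24 445" or "deny ip 0.0.0.0/0 any".
func parseACL(lines []string) ([]ACE, error) {
	var acl []ACE
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 || (f[0] != "permit" && f[0] != "deny") {
			return nil, fmt.Errorf("malformed ACE %q", line)
		}
		_, network, err := net.ParseCIDR(f[2])
		if err != nil {
			return nil, err
		}
		port := 0
		if f[3] != "any" {
			if port, err = strconv.Atoi(f[3]); err != nil {
				return nil, err
			}
		}
		acl = append(acl, ACE{f[0] == "permit", f[1], network, port})
	}
	return acl, nil
}

// evalACL returns the verdict of the first matching ACE; no match is an implicit deny.
func evalACL(acl []ACE, fl Flow) bool {
	for _, a := range acl {
		if (a.Proto == "ip" || a.Proto == fl.Proto) && a.DstNet.Contains(fl.Dst) && (a.DstPort == 0 || a.DstPort == fl.DstPort) {
			return a.Permit
		}
	}
	return false
}

// AuthProxy layers per-user policy on top of the tunnel access list.
type AuthProxy struct {
	TunnelACL []ACE             // applied to every flow, authenticated or not
	Bypass    []*net.IPNet      // non-authenticating devices: printers, servers
	Sessions  map[string]string // source IP -> username that authenticated from it
	UserACLs  map[string][]ACE  // username -> per-user ACL returned by AAA
}

// Decide returns the verdict, the user the flow is attributed to (empty for bypass hosts and
// unauthenticated sources) and the reason that goes into the accounting record.
func (p *AuthProxy) Decide(fl Flow) (bool, string, string) {
	if !evalACL(p.TunnelACL, fl) {
		return false, "", "denied by tunnel ACL"
	}
	for _, n := range p.Bypass {
		if n.Contains(fl.Src) {
			return true, "", "bypass host, no authentication required"
		}
	}
	user, ok := p.Sessions[fl.Src.String()]
	if !ok {
		return false, "", "no session: intercept and prompt for credentials"
	}
	if evalACL(p.UserACLs[user], fl) {
		return true, user, "permitted by per-user ACL"
	}
	return false, user, "denied by per-user ACL"
}

// demoProxy is a constructed policy, not a real network: the tunnel carries 10.20.0.0/16, one
// printer bypasses authentication, and alice (logged in from 10.1.1.50) may reach only TCP 445.
func demoProxy() *AuthProxy {
	tunnel, _ := parseACL([]string{"permit ip 10.20.0.0/16 any", "deny ip 0.0.0.0/0 any"})
	alice, _ := parseACL([]string{"permit tcp 10.20.5.0/24 445", "deny ip 0.0.0.0/0 any"})
	_, printer, _ := net.ParseCIDR("10.1.1.200/32")
	return &AuthProxy{TunnelACL: tunnel, Bypass: []*net.IPNet{printer},
		Sessions: map[string]string{"10.1.1.50": "alice"}, UserACLs: map[string][]ACE{"alice": alice}}
}

func main() {
	p := demoProxy()
	for _, src := range []string{"10.1.1.50", "10.1.1.200", "10.1.1.77"} {
		allow, user, reason := p.Decide(Flow{net.ParseIP(src), net.ParseIP("10.20.5.10"), "tcp", 445})
		fmt.Printf("%s -> 10.20.5.10:445 allow=%v user=%q (%s)\n", src, allow, user, reason)
	}
}
```

The order of the checks is the point: the bypass list is consulted after the tunnel ACL, so a printer never gets more than the tunnel allows, and the per-user ACL can only narrow the tunnel ACL, never widen it. The accounting reason is returned alongside the verdict because the audit trail, not just the allow/deny, is what the per-user model buys you.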

Quality weekly podcast security updates from Cisco IntelliShield

Need to get up to date on what's happening in security? The Cisco IntelliShield Security Alert service offers free podcasts of its weekly Cyber Risk Reports. According to IntelliShield's site, "The weekly Cyber Risk Reports provide strategic intelligence about current security activity in seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical." Each report has a highlight/focus area that is listed, but the report also covers a broad range of security topics. I find them to be a quick way to get up to speed on security events from around the globe. These updates include political and legal updates that I don't usually find on my typical security info sites.

Audit and lockdown your Cisco routers quickly using Router and Security Device Manager

90+% of Cisco router administrators are CLI jockeys, myself included. However, there are several GUI tools that can help you manage and secure your Cisco routers very quickly. The one I want to focus on today is Cisco's free Router and Security Device Manager (SDM). Like most of Cisco's device managers, it allows you to manage one router at a time. Given some of the recent security news regarding Cisco routers, I thought this topic might be timely in helping you lock down your Cisco routers. To quote from the Cisco SDM site, "Cisco Router and Security Device Manager (SDM) is an intuitive, Web-based device management tool supported on Cisco 830 series through Cisco 7301 routers."

Ease of Use comes in Cisco's IPS 6.1 release. Should Cisco competitors be afraid?

Cisco released the IPS 6.1 minor release upgrade early last week. It sports a newly minted GUI manager/monitor and has a couple of new features worth noting. The new GUI manager/monitor, called IPS Manager Express (IME), is leaps above the previous GUI.

Cisco Security refresh: Cisco Security Manager 3.2

This month Cisco added some blockbuster features to its GUI security management software, Cisco Security Manager (CSM). In fact, a recent Network World test rated a previous version of Cisco Security Manager higher than Check Point for UTM management (a 4.0 vs. a 3.75 score). That's right, Cisco's security management beat out Check Point's security management in an independent review. Now that's a first! If you haven't heard of CSM yet, or have only played with an early release of CSM, it might be a good time to take a look at it.

Are YouTube, Bittorrent, and Skype chewing up your bandwidth and productivity? The Cisco Cat6K Sup32-PISA can help!

The Cisco Catalyst 6500 Supervisor Engine 32-PISA is the fastest and most feature-rich access-layer supervisor engine Cisco has ever produced. The PISA is the result of years of R&D and testing. For the first time ever, Cisco has added a special network processing unit (NPU) daughter card to the Sup32 engine. It is called the Programmable Intelligent Services Accelerator, or PISA for short. The PISA NPU consists of 16 microengines and a hardware crypto card. The big advantage of the PISA architecture is that, unlike an ASIC, you can reprogram the PISA microengines whenever the need arises. This means the shelf life and flexibility of the PISA will be longer than an equivalent ASIC-based solution. Not even Cisco's Sup720 has this kind of technology.

Insurance broker for Hannaford provides insider view on data theft insurance

I have been exchanging emails off-line with Kevin P. Kalinich, J.D. Kevin is the Co-National Managing Director of the Financial Services Group at Professional Risk Solutions. A couple of days ago Kevin emailed me a response to my blog on the Hannaford credit card theft and the state of privacy breach insurance. Kevin is a pioneer in this emerging insurance space and I found his insight and experience very valuable. He sent me an excellent (30+ page) whitepaper he authored on the current state of the privacy breach insurance marketplace. You can get a copy of Legal Exposures to the Maxx here. It is a must read for any company considering a privacy breach insurance policy.

Privacy Breach Insurance; new solution for mitigating the risk of credit card and identity breaches

Yesterday’s announcement by the retailer Hannaford looks to be the second largest credit card security breach in history. It is reported that some 4.2 million credit card numbers and expiration dates have been stolen. With unfortunate regularity companies are disclosing they are the latest victims of massive credit card or Personally Identifiable Information (PII) theft. This has gotten the attention of a few Insurance companies who, in response, have created a new insurance product called Privacy Breach Insurance. Companies like Chubb, AIG, and Executive Risk are betting that as the information theft problem continues to escalate, companies will increasingly turn to privacy insurance as a way to stave off the risk and reduce the financial impact of a privacy breach.

Why an economic recession could leave companies wide open to cyber attacks

It seems that everyone and their brother is now saying that the U.S. is in the midst of a recession. The market analysts are predicting that U.S. GDP will actually go negative this year. It must be official now that even the White House has acknowledged it. This got me thinking about the effect a recession might have on my industry (IT security). My first thought was that if the profits of companies start dwindling, then their IT budgets will predictably follow suit. If IT budgets dwindle, then my experience tells me that security budgets will take an even larger percentage hit than IT overall. When fighting for IT dollars, in many cases security gets lost, put on hold, and brushed under the carpet.

Apple integrates Cisco’s VPN Client into the iPhone

Today Apple announced the details of the iPhone 2.0 software beta. Many new features are coming to the coolest gadget on the planet. Of particular interest to me is the integration of Cisco's VPN client software into the iPhone. This will be a full-blown IPsec client that will even support the use of certificates or password-based multi-factor authentication. Very nice! The iPhone VPN client will be able to connect to Cisco VPN gateway devices, like the Cisco ASA and the older Cisco PIX.

Apple also announced support for WPA Enterprise with 802.1X authentication coming in the 2.0 code. This will enable more enterprises to allow the iPhone to connect securely to their wireless infrastructure.

Cyber Warfare: Frontline combat power gets a boost with the new Cisco ASR 1000 Router Series

Yesterday, Cisco officially announced its next-generation, frontline, cyber-superiority Battlestar, known as the Cisco ASR 1000 Series routers. This new edge router series offers a more than tenfold increase in routing, IPsec, and firewall performance versus previous midrange aggregation routers with these services enabled. Much has already been reported on it, but I wanted to focus on security. Is the new Cisco ASR 1000 Series unmatched in the raw combat power it is capable of unleashing on its enemies in cyberspace? Let's dig into the performance characteristics and combat power of this next-gen edge router to see. And keeping in mind that raw combat power per se cannot guarantee cyber combat success, we'll also look into the technological advances that it offers.

Cisco Security Conversion Tool (SCT) -- Easing the pain of a Check Point to Cisco firewall migration

Migrating from one firewall vendor to another can be a huge undertaking requiring hours of tedious access and NAT rule rewriting. Wouldn't it be nice if someone came up with a FREE tool that converted one vendor's firewall configuration files into another vendor's format? Think of the tens or hundreds of man-hours that it could save you. Well, you're in luck. That is exactly what Cisco has created with its free SCT tool. The bummer is that it only works for converting Check Point firewall configs to Cisco ASA, PIX or FWSM configs. It currently works with Check Point 4.x, NG, UTM, and NGX. It doesn't work with any other vendors yet. But if you're doing a Check Point to Cisco firewall conversion, the SCT tool is a godsend.

Cisco releases new Firewalls, the ASA 5580

Following closely on the heels of the release of the 4 Gbps IPS appliance, Cisco released the ASA 5580 firewall. It comes in two models, a 5 Gbps (ASA 5580-20) and a 10 Gbps model (ASA 5580-40). Those aren't backplane speeds or pie-in-the-sky, 1500-byte UDP packet throughput numbers with protection turned off, either. Vendors' marketing teams love to quote numbers that are meaningless in the real world. The performance numbers Cisco is quoting are real-world numbers based on a mix of rich media traffic samples with the recommended firewall protection features turned on.

More performance numbers:

  • It can process up to 4 Mpps!
  • It can sustain up to 2 million concurrent connections

Cisco NAC Appliance gets some new features

Cisco recently released version 4.1(3) of its NAC Appliance product line. 4.1(3) has a slew of new features in it that I thought you might be interested in. The most noteworthy, to me anyway, is the addition of a web agent client delivered via Java or ActiveX. This web agent client does not require admin privileges to run, unlike the traditional Clean Access Agent.

Achieving two-factor authentication with digital certificates. Are costly OTP token solutions dead?

It is widely accepted that one of the best things you can do to secure your SSL VPN infrastructure is to implement a two-factor authentication scheme. Typically, this has been accomplished using one-time password token technology. But what about using digital certificates that are tied to usernames instead of an OTP token approach? The idea is that the certificate is the something you have and the username/password is the something you know. This is a newly supported feature on the Cisco ASA, but not new to the industry, so I thought it might be interesting to examine it.

Insider view on finding stuff fast on www.cisco.com

It can be frustrating at times trying to find what you're looking for on Cisco's cisco.com website. It's on the website, they say. Sure, but where!!! To help you become more efficient in navigating the juggernaut of Cisco.com, I've compiled some of my favorite tips and pages. Some of these are hidden gems, others are time-tested favorites. If you have some of your own to recommend, please share.

Cisco VPN gateways support the iPhone

So you have your shiny cool new iPhone. You're addicted to its very cool web browser. Now you want to be able to surf your internal home or corporate networks using VPN, right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news: both Cisco IOS routers and the ASA appliance support this. In fact, they've supported it all along. Here are some of the geeky details and how to set it up.

The top 5 coolest security features/products released this year by Cisco

Wow, 2007 is almost over! It seems like it has flown by. Cisco security has made some great strides over the year. Let's take a look back at some of the most interesting, useful, and/or innovative security-related features and products that Cisco released in 2007. I'd also like to hear from you which ones you've been most impressed with this year.

Cisco Releases New 4Gbps IPS 4270 Appliance

Cisco has finally entered the high-speed IPS market segment! Cisco is shipping the IPS 4270 appliance, which can deliver up to 4 Gbps of real-world, media-rich traffic inspection. Cisco is proud of the fact that this benchmark number was achieved with the Cisco-recommended IPS protection settings enabled on the 4270. They used real-world, stateful traffic flows in their testing. Cisco has not released the best-case, pie-in-the-sky UDP performance numbers for the 4270 yet. But it has released expected real-world performance numbers for deploying the 4270 in a highly transactional environment like e-commerce or IP voice. That type of environment drops performance to 2 Gbps of IPS inspection.

PCI Compliance, the 12 Step Program

If your company stores, processes, or transmits the primary account number from a payment card, then you are required to meet or exceed the requirements set forth in the PCI Data Security Standard (PCI DSS). These security requirements apply to all network components that forward or have access to cardholder data. This includes switches, routers, firewalls, IPS, servers, workstations, wireless, storage, etc. So basically, if a device is IP-reachable to cardholder data, then it is in scope for the PCI requirements.
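As an added example that is not part of the original post, here is that scoping rule turned into a check you can run against a network inventory: segments, the devices in them, and the flows the firewall permits between them. The Go code walks the permitted flows backwards from every segment that holds cardholder data, so a device is in scope when its segment can reach cardholder data directly or through another segment. The environment, segment names and rules are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is one permitted flow between two network segments, as configured on the firewall or
// in router ACLs. Anything not listed is assumed to be blocked.
type Rule struct{ From, To string }

// Segment is a network zone, the devices in it, and whether it stores, processes or transmits
// the primary account number.
type Segment struct {
	Devices  []string
	HoldsCHD bool
}

// inScope lists every device that is IP-reachable to cardholder data: it lives in a segment
// holding cardholder data, or in a segment from which permitted flows lead into one, directly
// or through other segments. It walks the rules backwards from the cardholder data segments,
// so transit hops count too.
func inScope(segs map[string]Segment, rules []Rule) []string {
	reach := map[string][]string{} // destination segment -> sources allowed to reach it
	for _, r := range rules {
		reach[r.To] = append(reach[r.To], r.From)
	}
	scoped := map[string]bool{}
	var queue []string
	for name, s := range segs {
		if s.HoldsCHD {
			scoped[name] = true
			queue = append(queue, name)
		}
	}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, src := range reach[cur] {
			if !scoped[src] {
				scoped[src] = true
				queue = append(queue, src)
			}
		}
	}
	var devices []string
	for name := range scoped {
		devices = append(devices, segs[name].Devices...)
	}
	sort.Strings(devices)
	return devices
}

// demoNetwork is a constructed environment, not a real one.
func demoNetwork() (map[string]Segment, []Rule) {
	segs := map[string]Segment{
		"cde":      {Devices: []string{"pos-db-01", "payment-app-01", "cde-switch-01"}, HoldsCHD: true},
		"mgmt":     {Devices: []string{"jump-host-01"}},
		"corp-lan": {Devices: []string{"hr-ws-12", "finance-ws-03"}},
		"dmz":      {Devices: []string{"web-01"}},
		"guest":    {Devices: []string{"guest-ap-01"}},
	}
	rules := []Rule{
		{"mgmt", "cde"},      // admins SSH into CDE hosts from the jump host
		{"corp-lan", "mgmt"}, // every workstation can reach the jump host
		{"guest", "dmz"},     // guests only get to the public web server
	}
	return segs, rules
}

func main() {
	segs, rules := demoNetwork()
	fmt.Println("in scope:", inScope(segs, rules))
}
```

The constructed network shows the usual surprise: the corporate workstations never talk to the payment systems, but they can reach the jump host and the jump host can reach the CDE, so they are in scope. Removing the corp-lan to mgmt rule, or putting administrators on a dedicated and authenticated path, is what takes them out again. A real inventory would be generated from the firewall rule base rather than typed by hand, and this check only covers the "have access to" half of the definition: a router that forwards cardholder data is in scope even when no rule lets it initiate a connection.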

My Security Christmas List

Christmas '07 is fast approaching and my kids already have their Christmas lists done. So I thought I'd do a Christmas list of my own, with a twist. If I could get Santa's elves to build me a shiny new piece of network security hardware, what would I want? Well, I'd ask for a reputation-based firewall, that's what!

I've seen the ultimate power that reputation databases, like IronPort's SenderBase, can add to email anti-spam products and URL web security products. So I made the not-so-giant leap that adding reputation to firewalls makes sense. So how would my new reputation-based firewall work, you ask? Well, check this out:

About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
