Tag Archives: Adaptive Security Appliances

August 15, 2012

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSAToday’s Internet is a dangerous place. Imagine a small village with law and order surrounded by a wall keeping out miles of ungoverned ruthless territory. Most known websites surfed daily by your users make up a small percentage of the total Internet. The remaining 80% or more of uncategorized websites are contaminated with Botnets, malware and short-lived websites targeting your users. Many of these malicious websites are embedded in trusted sites such as social networks by hiding in advertisements or silly links posted by your friends. The best protection for this threat vector is limiting Internet usage to trusted websites and monitoring those websites for malicious applications.

The most common method to protect users while surfing the Internet is leveraging a web security solution. I wrote a post about this HERE. Cisco has two web security flavors, which are a dedicated proxy and application firewall add-on. The dedicated proxy, known as the Web Security Appliance (WSA) came from the acquisition of IronPort. Cisco replaced its content filter module for their ASA firewalls based on McAfee technology with an application aware addition known as CX Context-Aware. There are many overlapping features between the two approaches however there is a clear distinction when to choose one over the other.

Both CX and WSA provide features expected from a web security solution. Both CX and WSA offer the ability to monitor and control what type of websites are available for users based on categories (examples Adult, Hate, Gambling, etc.). Both CX and WSA include reputation controls meaning ability to blacklist known malicious websites (more on reputation HERE). Both CX and WSA can limit or deny traffic types based on user groups such as denying Skype, throttle download speeds and target specific applications (example permitting Facebook while denying Farmsville for employees 9am-5pm). Both solutions can scale beyond the internal network using VPNs to route traffic from remote users.

CX DASHBOARD (click to see larger)

Screen Shot 2012 08 01 at 7.50.08 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSAScreen Shot 2012 08 01 at 7.50.19 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

CX Web Categories

Screen Shot 2012 08 01 at 7.51.52 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

IronPort WSA Categories

Screen Shot 2012 08 01 at 9.58.33 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

WSA Reputation Score Settings

Screen Shot 2012 08 01 at 10.03.40 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Features offered by IronPort not included with CX are focused on what happens after traffic passes reputation and content policies. WSA offers anti-malware scanning licenses for McAfee, Sophos and Webroot for any traffic tagged as “grey” meaning traffic that passes the reputation blacklist but not considered completely trusted or “white-listed”. These signature-based verdict engines are licensed separately and can be stacked to provide a wide range of scanning capability. WSA also offers a dedicated layer 4 Botnet scanner targeting phone home communication from infected machines. These additional features provide more layers of defense beyond common application firewall technologies including Cisco CX.

Some other differences are based on the design and implantation of WSA and CX. The WSA is a dedicated proxy, which can be deployed using host inline proxy settings or directing network traffic to the WSA using WCCP. The CX uses policy maps routing traffic seen by an ASA through the CX addition. WSA includes caching to improve network performance. WSA can direct traffic through a DLP solution adding network based DLP scanning (A possible roadmap is including DLP in the appliance as a add-on license similar to the IronPort Email Security Appliance). Cisco roadmaps show IronPort offerings will include a virtualized option in the near future. Probably the most important CX design consideration is today Cisco ASA 5500X can either leverage CX or IPS however not both simultaneously. CX is also not available on some ASA 5500X models such as 5585-40s and 5585-60s. Expanding CX to other ASA models and dual IPS CX support are roadmap items at this time.

Screen Shot 2012 08 14 at 10.37.48 AM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSATo summarize, its best to consider Cisco CX for essential web security meaning content filtering and reputation based protection. The CX is also a viable option if you don’t require IPS from your ASA 5500X. WSA is suited for Comprehensive web security meaning content filtering, reputation protection, malware scanning and layer 4 botnet awareness. WSA is also a dedicated proxy providing performance benefits as well as design options such as including Data Loss Prevention. If you desire your ASA to include IPS functionality, today you will need to consider a WSA to handle web security. Hopefully this post helps with distinguishing when to choose CX or IronPort WSA.

VN:F [1.9.22_1171]
Rating: 5.0/5 (5 votes cast)

2 Comments

Filed under Internet Defense

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 24, 2012

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And LabCisco recently announced a partnership with Lancope to address Advanced Persistent Threat or APT type attacks. The reason Lancope / StealthWatch was added is most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honey pots (example FireEye) however advanced attacks aka APTs are bypassing these traditional security solutions.

APTs are typically customized for a specific target and designed to stay under the radar using technics such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are Firewalls, IPS/IDS, Content filters, Anti-Virus / Anti-Malware, and other technologies that operate on a “probe” type design meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to lack of ability to detect the methods APTs operate on the network as well as difficultly to places detection technology in all network areas monitoring all layers of the network stack.

Some recent offerings to combat the APT threat are packet level and flow based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology.  Both views have pros and cons however one clear advantage of using NetFlow is many network devices are capable of generating flows which makes it more cost effective than capturing and storing packet level data. I’m not saying packet level monitoring is a bad however storage requirements tend to quickly raise the price tag of this approach.

Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network hosts connected to devices such as switches, routers and firewalls generate flows of information which typically are NetFlow or sFlow. As flows are collected, Lancope aggregates, normalizes and analyzes NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine aka ISE by taking in contextual information such as User Identity, Endpoint Device Profiling and Posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify some malware that apparently had been active for months throttling its communication phone home patterns to bypass their IPS and SIEM solution.

MY Lancope LAB

When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.
Screen Shot 2012 05 21 at 5.35.16 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Screen Shot 2012 05 21 at 5.37.02 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Once launched, the management interface of Lancope looks like this.

Screen Shot 2012 05 21 at 5.38.27 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

I have specific dashboards that come up which are customizable. Lancope offers TONs of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.

Screen Shot 2012 05 21 at 5.39.18 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope dashboard shows traffic by hosts and bandwidth usage.

Screen Shot 2012 05 21 at 5.39.39 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This shows a flow table in my Lancope lab. Flows are typically one way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.

Screen Shot 2012 05 21 at 5.39.47 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope diagram shows a global map of host relationship usage.

Screen Shot 2012 05 21 at 5.39.54 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Here is a Lancope report showcasing user integration with Cisco Identity Services Engine aka ISE. Notice how inside Lancope, you can see who the users are , where they are located and what type of devices they have on the network utilizing the authorization and profiling capabilities of Cisco ISE.

Screen Shot 2012 05 23 at 4.24.49 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

The Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine or ISE integration is Cisco’s new flagship story to address advanced cyber threats aka APTs. I believe its critical to monitor flow or packet level data since in many cases, its the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.

VN:F [1.9.22_1171]
Rating: 5.0/5 (5 votes cast)

4 Comments

Filed under Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 31, 2011

Securing Teleworkers: Building A Remote Access Solution For Teleworking

sales working at home office 300x199 Securing Teleworkers: Building A Remote Access Solution For Teleworking
Securing Teleworkers is at the top of the to do list for many organizations. President Obama signed a bill aimed to significantly boost teleworking by federal employees. There are lots of business benefits from teleworking however permitting remote access to internal resources increases risk. Here are some tips to consider when securing your teleworkers.

The most common method for Securing Teleworkers is using a Virtual Private Network (VPN). The concept is establishing an encrypted tunnel between remote endpoints and the internal network so endpoints are serviced like an internal resource. Leading vendors utilize endpoint agents or web-based VPN portals that control what can be accessed. Best practice is to adjust the level of access based on how users authenticate, data being accessed and network they are connecting from. Strong solutions auto establish VPN connections outside the cooperate network and scan endpoints for key loggers prior to permitting access.

A popular enhancement to Securing Teleworkers through a VPN is Network Access Control (NAC) technology. NAC verifies who is accessing the network, captures information about the devices and distributes access based on policy. NAC is like airport security verifying people’s identity and risk level BEFORE permitted access to the plane. Best practice is to increase policy requirements as you increase access rights. For example, permit employees if they are using cooperate laptops with a specific version of antivirus while limit contractors with any version of antivirus. Automating remediation for teleworkers who don’t meet policy is key to reducing NAC trouble tickets.
500x amazing girl quits 282 300x199 Securing Teleworkers: Building A Remote Access Solution For Teleworking
Another recommended solution for securing teleworkers is filtering all VPN traffic through a Content Filter. Content Filters enforce web usage policies such as denying adult websites or tracking hours wasted on social networks. Research shows users involved with popular social media games like Farmville spend hours each day that may take place during business hours if not tracked. Leading Content Filters also offer security features to protect users from malicious websites that aim to breach the internal network through compromised workstations.

UltraLevel vdi 300x225 Securing Teleworkers: Building A Remote Access Solution For Teleworking
A popular alternative to using VPN solutions for Securing Teleworkers is adopting a virtual desktop infrastructure (VDI). Data is kept on the protected network and accessed through a server-client model. The security benefit is clients never directly access the inside network so risk of infection is reduced. A common obstacle for virtual desktop infrastructures is user demands for direct access to data. Permitting direct access could jeopardize VDI benefits unless proper access control and data security transfer methods such as encryption are enforced.

Other options to consider for securing teleworkers are Data Loss Prevention (DLP), host security applications, encryption, and patch management solutions. Best practice recommends DLP for endpoints, email, network and servers that have access to sensitive data. Encrypting sensitive data can add a lot of value as long access rights are enforced. Hardening endpoints with features like disabling wireless when physically connected, limiting USB access to approved devices, forcing sensitive data through encrypted channels and updating endpoints without user intervention is important. The best way to manage security features like these is to limit remote access to corporate issued devices. It’s also a good idea to have all teleworkers sign an agreement specifying your telework policies prior to permitting remote access.

There are many solutions for Securing Teleworkers so it’s important to understand your business operations before selecting a technology. Rushing into a technology could expose your organization to unnecessary risk or an unreliable solution.

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security, Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,