My buddy Aamir wrote a summary of the open source announcement by Cisco at RSA last week (original post can be found HERE). Cisco also announced integrating FireAMP with Cisco email, web and cloud security products. FireAMP gives Cisco products the ability to detect infected files by searching for known hashes, sandboxing unknown files and other detection means. More on the FireAMP capabilities can be found HERE. Another source for these announcements is on the Network World blog found HERE. Continue reading
I wrote a post comparing Cisco’s Next Generation Firewall known as ASA CX vs. Cisco’s Web Security Appliance / Proxy known as WSA HERE. Here is a update to that post as requested by some readers.
In summary, the WSA is a security appliance that can act as a proxy focusing on network bound traffic such as port 80, 443 and 21. The ASA CX is an all ports and protocol firewall with reputation and IPS security (IPS being added in October 2013). Both solutions can provide reputation based security meaning stopping the attacker (more on this concept can be found HERE), Integrate with authentication systems such as Active Directory, can view HTTPS via decryption, application visibly with policy enforcement (IE identify and block Farmsville within Facebook) and detection of threats however detection methods are slightly different (one uses a combination of AV / malware engines while the other uses IPS). Continue reading
The future of security must reach beyond the capability of an appliance. There are too many attack vectors that are continuously changing to detect with a silo solution. It basically comes down to this …. there are only so many signatures that can be checked against as well as behavior algorithms that can be put in place before you must let traffic pass. Odds are, a malicious attacker will eventually bypass detection based on the fact that there are hackers out there with a rack of all the latest vendor IPS, Firewalls, etc. in a lab designed to test how effective a piece of malware is against any enterprise security solution. So in a nutshell, you will only be able to stop the majority of attacks launched against your network. Something will eventually get through. This means detecting and preventing can’t be your only security strategy. Continue reading
Management of security devices is a critical function for maintaining the best performance and being aware of security related events. Cisco has released their second generation of ASA, which includes new management options. This post will cover the new management interface and compare it to the previous options. Continue reading
Pickpocketing is an old yet popular crime. Reason for this is the return can be as high as a robbing a store without the risk of using weapons or be identified by victims. Pickpockets can operate as a team or individually and typically involve a form of deception to conceal the crime. Most victims won’t realize they have been robbed until the pickpocket is long gone and if caught, the criminals face minimal jail time since lethal threats are not involved. Here is a review of the most common tactics used by pickpockets and methods to avoid becoming a victim. Continue reading
I recently stood up a Cisco 4345 Intrusion Detection / Prevention (IDS / IPS) appliance and documented the configuration process. Here is a simple guide to setup a next generation Cisco 4345 IPS appliance.
Cisco offers various forms of threat detection options that range from modules in firewalls to dedicated appliances such as the 4345 IPS. Regardless of platform, the underlying technology is similar using a mix of threat reputation described as identifying attackers and various forms of scanning for stopping attacks. An example of stopping an attacker is blocking websites with “bad credit scores” based on how long they have been up on the Internet, the content of the site, traffic seen from the site and so on. So a website claiming to be a American bank may get flagged based on being seen from a foreign country, recently registered as a new site and flagged for SPAM. The majority of attacks on your organization can be prevented by dropping obvious malicious traffic using this method. This leaves a security solution’s resource intensive detection processes the ability to focus on the remaining 5-10% of attacks that make it through credit scoring based detection rather than scanning everything. Continue reading
Cisco acquired Meraki, the leader in cloud controlled WiFI, routing and security late 2012. For those that haven’t heard of Meraki, the concept behind the technology is pretty cool. All device configuration and management is handled using a cloud / web accessible GUI. You can configure everything and ship equipment to where it needs to provide network access prior to first powering things on. Once you are ready, all you do is plug in the equipment and it works (IE all configuration is sent to the device via encrypted tunnel from the cloud) . It really is that simple.
A few weeks ago Aamir Lakhani put up a blog post on how to install and configure Snort on Security Onion with Snorby. Since the release of the article He has received numerous requests on how to disable some of the rules. Here is a post on tuning by Aamir. The original post can be found HERE.
If you followed the article, The Ultimate Guide to Installing Security Onion with Snort and Snorby, you are no doubt seeing quite a few events on your Snorby dashboard.
Before you begin, make sure you have root privileges. Type in sudo –i to get root privileges. Continue reading