Tag Archives: Home

Post NAC: Cisco Identity Services Engine (ISE) and Lancope StealthWatch for Total Access Control

Controlling who and what accesses your network is a critical element in keeping your resources safe from malicious threats. Network Admission Control (NAC) solutions like the Cisco Identity Services Engine (ISE) can police who and what is permitted network access, as well as enforce policy for those devices. Examples would be permitting an administrator with a government-furnished Windows 7 laptop access to VLAN 10, which holds internal servers, while provisioning a marketing professional’s iPad with VLAN 20 access, which is limited to Internet and email through the use of ACLs.

But what happens once a device is granted network access? Access control solutions are pretty much out of the picture, aside from limited profile monitoring for identifying changes in device types. (Examples of this limited functionality include figuring out that an “Apple Device” is really an “iPad” based on DHCP and other traffic seen while the user is browsing the network, or blocking a user who attempts to spoof a printer’s MAC address to gain network access.)


Example ISE policy for profiled Apple iPad or iPhone and User “Joey” to get Apple_Mobile Access 

Beyond this point is where the handoff to an internal monitoring solution such as Lancope’s StealthWatch System should come into play. An internal monitoring solution picks up security where the access control solution leaves off. These solutions monitor all devices on the network for performance and suspicious behavior, regardless of whether or not they were approved by NAC. Examples of devices that NAC solutions may miss are virtual systems inside the data center, network sharing such as turning an iPhone into a wireless hub, Linksys routers using NAT to hide unauthorized access, or devices accessing a part of the network without access control.


An important function of a post access control solution is identifying devices compromised while on the network, since most access control solutions only verify policy for patch updates and other installed security applications (e.g. antivirus). Being compromised while on the network can happen when users surf the Internet, plug in a USB drive hosting malware, open an infected email, etc. In most cases, the threats that compromise internal users are not common viruses, meaning there isn’t a known signature that can be used by antivirus or firewall technologies to flag the attack. A post access control technology that leverages behavior as the means to identify threats can catch not only insider threats posed by authorized users, but also stealthy, externally-launched threats that bypass the security measures typically enforced by a NAC policy.

The integration of Cisco ISE for access control and Lancope’s StealthWatch for internal network monitoring saves customers money by leveraging NetFlow data already inherent in routers, switches and other network infrastructure devices to essentially turn the entire network into a giant sensor grid for detecting anomalous activity. Both Cisco and Lancope use industry standards supported by most vendor equipment (Cisco ISE using 802.1X and Lancope using NetFlow). Both companies also offer physical and virtual versions of all solution components, and both can be architected in a centralized or distributed design.


Here are the beneficial actions that can be taken by combining access control and internal monitoring:

  • Enforce policy on devices accessing the network.
  • Identify unauthorized devices not seen by NAC.
  • Monitor devices for threats and performance during their entire lifecycle on the network.
  • Know who and what is on the network as well as what they are doing.
  • Automatically provision network access for trusted users and guests.
  • Identify threats on the internal network including malware, botnets and data loss.
  • Limit access for remediation of an identified threat.
  • Document a threat’s entire presence on the network for information assurance.

And here are the steps for setting up Cisco ISE and StealthWatch within a network:

  • Configuring On-Boarding via BYOD in ISE HERE
  • Setting up a Lancope StealthWatch small lab HERE

Click here for more information on how Cisco and Lancope work together to defend governments and enterprises against advanced threats.



Filed under Bring Your Own Device BYOD, Network Admission Control

Are Mermaids, Aliens and Vampires Real? Researching Bogus Stories


There are documentaries popping up that showcase outrageous claims such as the government hiding captured mermaids or encounters with aliens. I’ve heard friends and coworkers talk about such things around the water cooler, believing the stories are real based on fake videos and actors posing as specialists. Movies like The Blair Witch Project and The Fourth Kind present fictional stories as documentaries; however, most people figured out they are not real because they were shown in major movie theaters. Some documentaries seen on TV networks display “A Speculative Documentary”, which doesn’t clearly translate to fictional footage.

A recent example of a fake documentary is MERMAIDS: THE NEW EVIDENCE, which claims mermaids are real. The documentary has been shown on the Discovery Channel and Animal Planet side by side with real documentaries, making it seem credible. The documentary includes camera footage of a mermaid found on a beach as well as research by various specialists. The film claims mermaids are hiding in deep ocean waters to avoid military sonar that causes brain hemorrhaging in some aquatic life. At first glance, the concept seems plausible to some people.

I decided to show the research used to qualify documentaries such as this. Here are some steps to prove Mermaids: The New Evidence is fake.

Step 1: General Research


Google is your friend. In many cases, you will find general conversations about a subject that may lead to evidence of the truth. A Google search on the mermaid film shows a number of people pointing out how the film is not real. Wikipedia had the passage above confirming the film is fake. This research exercise pretty much sealed the deal (and took less than a minute); however, I continued gathering evidence in the event the general public as well as Wikipedia is wrong (which sometimes happens).

Step 2: Look At The Website 


There is a website associated with the documentary, “believeinmermaids.com”, that displays a notice that The Department of Justice has seized all evidence of mermaids presented in the film. Why DOJ would violate freedom of speech in this manner is beyond me; however, let’s investigate this website.

The first thing to check is the website history using the Wayback Machine found at http://archive.org/web/web.php. The Wayback Machine shows the entire lifespan of a website and the changes made to it. This website was created in 2012, which happens to be around when the documentary was filmed. If you select April 1st to show the first version of the website, it shows the DOJ warning has been the only thing displayed since day 1.


The next question is: who owns the website? By looking at the WHOIS information at http://whois.net/, I can see believeinmermaids.com is owned by Discovery Communications, LLC. OK, so the Discovery Channel created the believeinmermaids site the week of the filming. It is pretty obvious it was created to drive attendance to the film rather than to be a real website featuring controversial evidence.


Step 3: Research People

The mermaids documentary featured lots of evidence from a few scientists, including Dr. Paul Robinson. Usually a marine biologist seen on TV would have lots of published, credible information; however, searching “Dr. Paul Robinson marine biologist” drummed up the actor’s real name, Andre Weideman. Searching Andre Weideman confirmed his role in the fake mermaid documentary.


Hopefully this post educates people on how to qualify concepts prior to believing anything told by public networks. Similar research tactics should be used when considering questionable specialists such as psychic mediums, or historical events that seem fishy. Knowing is half the battle.



Filed under General Security

Kali Linux – The next generation for BackTrack


Written by Aamir Lakhani, www.DrChaos.com and Joey Muniz www.thesecurityblogger.com. Article is cross posted.

BackTrack is a digital forensics and penetration testing arsenal used by many security professionals and malicious hackers. The last release of BackTrack was 5 R3, and many expected a new release sometime in 2013. The creators of BackTrack decided to start from the ground up, building a full-fledged operating system and releasing a next generation penetration testing distribution rather than updating the existing live CD release. The creators note “Kali Linux is a more mature, secure and enterprise-ready version of BackTrack Linux”.


Lifeline of BackTrack ending with Kali 1.0

Kali Linux has many advantages over BackTrack. Kali comes with more up-to-date tools. The tools are streamlined with Debian repositories and synchronized four times a day, which means users have the latest package updates and security fixes. The new compliant file system translates into running most tools from anywhere on the system. Kali has also made customization, unattended installation and flexible desktop environments a strong feature of Kali Linux.

Kali Linux offers a number of customized tools designed for penetration testing. Tools are categorized in the following groups, as seen in the dropdown menu shown below.


Main Tool Categories in Kali Linux

Most of the useful tools from BackTrack made it into Kali with updated versions as well as some new stuff. For example, Vega and Proxy Strike are updated, while tools like Grendel-scan were removed. One interesting catalog is the separate Top 10 Security tools listing.


Top 10 Security Tools in Kali Catalog

Kali Linux does have some limitations compared to its predecessor BackTrack. Some tools do not operate correctly in the new environment or require customization to gain stability. Some of these limitations will probably be fixed in updates. Within a few minutes of using Kali, we realized that the darkc0de.lst dictionary file wasn’t loaded with Kali, and that SET needed some reconfiguration for updates to work. Most of these gotchas are well documented and a simple Google search will get you to the right place.

Sticking with the last release, BackTrack 5 R3, has some advantages such as more streamlined installation options on various operating systems. One huge limitation for Kali is support in a large VMware ESXi server environment, because VMware Tools does not run on the 64-bit version of Kali. There is a workaround using 32-bit images with VMware Tools preinstalled that are downloadable from the Kali website. If you want to install VMware Tools natively on the Kali Linux ISO (including 64-bit versions of the ISO), then check out our HowTo Install VMware Tools On Kali Linux.

BackTrack, as the veteran, also has much more content available online than Kali’s 1.0 release.

So far I like the new platform and have been using it for multiple projects. I haven’t had issues running Kali on a MacBook Pro under VMware Fusion or on a Mac mini hosting ESXi 5.1 (note the Mac mini operates like a desktop, therefore avoiding the issues found with ESXi server farms). I recommend checking out the new release at http://www.kali.org/.

Aamir Lakhani (www.DrChaos.Com) and Joey Muniz (www.thesecurityblogger.com) are co-writing a new book on Kali for Web Penetration Testing. Stay tuned for details!



Filed under General Security

Installing VMware Tools on Kali Linux

Great find and post by Aamir Lakhani. Check out the original HERE

If you are using Kali Linux and trying to use it in a VM environment as a guest operating system on VMware, you may run into some issues. It is recommended that you install VMware Tools on Kali Linux.

This guide will help you install VM Tools on any installation of Kali Linux (including 64-bit ISOs). It will also allow you to use Kali Linux in VMware ESXi environments.

The first thing you need to do on Kali Linux is prep the system for VM Tools. You do so by issuing the following commands:

Note: all commands are typed as one line in the terminal

  • echo cups enabled >> /usr/sbin/update-rc.d
  • echo vmware-tools enabled >> /usr/sbin/update-rc.d
  • apt-get install gcc make linux-headers-$(uname -r)


Note: This is typed as one line

ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/


Now you are ready to mount the VM Tools CD. Simply go to the menu in VMWare and install VM Tools.



Now go back to Kali Linux and use the following commands:

  • mkdir /mnt/vmware
  • mount /dev/cdrom /mnt/vmware/
  • cp -rf /mnt/vmware/VMwareTools* /tmp/


Next, you will change to the /tmp directory and run the VM Tools installation script.

  • cd /tmp/
  • tar zxpf VMwareTools-*.tar.gz
  • cd vmware-tools-distrib/


Lastly, type “./vmware-install.pl” (the installer inside the unpacked vmware-tools-distrib directory) to run the VMware Tools installation script. Follow the onscreen instructions when you run the script.
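The steps above collected into re-runnable shell functions, with the paths as parameters so the symlink and staging steps can be exercised against a scratch tree before touching /usr/src. This is an added example, not code from the original post or from Kali or VMware; the tarball version in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# VMware Tools prep for a Kali guest as re-runnable functions (added example,
# not Kali's or VMware's own tooling). Paths are parameters so the symlink and
# staging steps can be tried against a scratch directory first.
set -u

# Step 1 (root only, on the real system): the two service-policy lines from the
# post and the build dependencies. Each policy line is appended only once.
prep_system() {
    for svc in cups vmware-tools; do
        grep -qx "$svc enabled" /usr/sbin/update-rc.d 2>/dev/null \
            || echo "$svc enabled" >> /usr/sbin/update-rc.d
    done
    apt-get install -y gcc make "linux-headers-$(uname -r)"
}

# Step 2: expose version.h where the VMware kernel module build looks for it.
# $1 = kernel release (uname -r), $2 = headers root (default /usr/src, as in the post).
link_version_h() {
    kver=$1
    hdr=${2:-/usr/src}/linux-headers-$kver
    src=$hdr/include/generated/uapi/linux/version.h
    dst=$hdr/include/linux/version.h
    if [ ! -f "$src" ]; then
        echo "missing $src: install linux-headers-$kver first" >&2
        return 1
    fi
    [ -e "$dst" ] && return 0        # already linked: safe to re-run
    mkdir -p "$(dirname "$dst")"
    ln -s "$src" "$dst"
}

# Steps 3-4: mount the Tools CD, copy the tarball aside and unpack it.
# $1 = CD device (or an already-mounted directory), $2 = mount point, $3 = scratch dir.
# Prints the path of the installer to run as the final step.
stage_tools() {
    dev=$1; mnt=$2; tmp=$3
    mkdir -p "$mnt" "$tmp"
    if [ -d "$dev" ]; then
        mnt=$dev                     # a directory was given: nothing to mount
    else
        mount "$dev" "$mnt" || return 1
    fi
    tarball=$(ls "$mnt"/VMwareTools-*.tar.gz 2>/dev/null | head -n 1)
    if [ -z "$tarball" ]; then
        echo "no VMwareTools tarball on $mnt: pick Install VMware Tools in the VMware menu first" >&2
        return 1
    fi
    cp -f "$tarball" "$tmp"/
    (cd "$tmp" && tar zxpf "$(basename "$tarball")") || return 1
    installer=$tmp/vmware-tools-distrib/vmware-install.pl
    [ -x "$installer" ] || return 1
    echo "$installer"
}

# Typical use on the Kali guest (as root), e.g. with VMwareTools-X.Y.Z-NNNN.tar.gz
# (constructed placeholder name) on the mounted CD:
#   prep_system
#   link_version_h "$(uname -r)"
#   installer=$(stage_tools /dev/cdrom /mnt/vmware /tmp) && "$installer"
```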

What is Kali Linux and how is it different from BackTrack? Check out our Kali Linux introduction on www.DrChaos.com



Filed under General Security

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote an overview of how to perform an SSL strip attack. The original post can be found HERE

SSLSTRIP LAB

Before beginning the lab, make sure you have the BackTrack 5 R3 VM imported into VMware Player/Workstation/Server/Fusion, or whatever virtual machine environment you have chosen to utilize.

The following is an excerpt from the VMware Player 4.0 user guide, “Getting Started with VMware Player”.

Import an Open Virtualization Format Virtual Machine

You can import an Open Virtualization Format (OVF) virtual machine and run it in Player. Player converts the virtual machine from OVF format to VMware runtime (.vmx) format. You can import both .ovf and .ova files.

OVF is a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. For example, you can import OVF virtual machines exported from VMware FusionTM into Player. You can import OVF 1.0 and later files only.

You can also use the standalone OVF Tool to convert an OVF virtual machine to VMware runtime format. The standalone version of the OVF Tool is installed in the Player installation directory under OVFTool. See the OVF Tool User Guide on the VMware Web site for information on using the OVF Tool.

Procedure

  1. In Player, select File > Open a Virtual Machine.
  2. Browse to the .ovf or .ova file and click Open.
  3. Type a name for the virtual machine, type or browse to the directory for the virtual machine files, and click Import. Player performs OVF specification conformance and virtual hardware compliance checks. A status bar indicates the progress of the import process.
  4. If the import fails, click Retry to try again, or click Cancel to cancel the import.

If you retry the import, Player relaxes the OVF specification conformance and virtual hardware compliance checks and you might not be able to use the virtual machine in Player.

After Player successfully imports the OVF virtual machine, the virtual machine appears in the virtual machine library.

Your Lab

In this lab, we are using virtual machine based attack hosts. The hosts are Linux based BackTrack 5 R3 (based on Ubuntu Linux). The reason for using BackTrack is that all of the modules and associated dependencies for this lab are preloaded with the distribution. The module dependencies for SSLStrip are (these are already loaded with BackTrack):

  • Python >= 2.5 (apt-get install python)
  • The python “twisted-web” module (apt-get install python-twisted-web)

Additionally, to utilize SSLStrip you need (again, already in BackTrack):

  • Arpspoof or Ettercap (this lab we use Arpspoof, Ettercap has issues with wireless)
  • IPChains / IPtables
  • Netstat

Additionally, when using BackTrack or any Ubuntu distribution, it is a good idea to run APT to update the existing packages. BackTrack has several custom distribution resources preconfigured.

# Use this command to update: apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Getting Started 

Once your Backtrack virtual machine is installed and booted use the following credentials to log in:

Username: root
Password: toor

Start the desktop environment by issuing the startx command from the terminal session:


Note: It is not mandatory that you utilize a GUI desktop, but for the purposes of this lab it is recommended. Those not as familiar with working in a Linux command shell will likely find it simpler to switch between the multiple terminal windows needed to perform the upcoming operations.

You should now see an environment similar to the following:


For the purposes of this lab we will only be using a single interface; your virtual machine might be configured with multiple Ethernet interfaces. We will need to check if there are multiple (virtual) Ethernet interfaces enabled.

In the upper left hand corner of the desktop click on the Xterm link.


When you see a terminal window open on the desktop you are ready to continue.

  1. Use ifconfig to determine what interfaces are on the virtual machine.

ifconfig | grep eth

This command will filter out all the miscellaneous and just show us the Ethernet interfaces, like below.


If we do indeed have more than one interface enabled, issue the ifdown command with the interface name to disable it. If there is an interface named eth1 like shown above, issue the command:

ifdown eth1

The output should be like what is shown below.




Filed under General Security

How Hackers Crack Weak Passwords

People use weak password practices to secure critical information. Weak password practices include using the same password for multiple systems regardless of the value of the asset, using dictionary words or short phrases, and keeping the same passwords for extended periods of time. For example, it’s common to find a password on a non-critical asset such as a PlayStation 3 being the same as a person’s bank account login.

The more information an attacker knows about your password profile, the more likely they will crack your password. For example, a policy of “6-10 characters with one upper case letter and special character” actually helps an attacker reduce the target space, meaning passwords are weaker with the policy. If a hacker captures a password for another system and notices a formula such as ‘<dictionary word>’ followed by ‘<3 numbers>’, it helps the attacker prepare a dictionary attack (utilities such as Crunch make this easy). Any password shorter than 10 characters is an easy target for a brute force attack based on today’s system processing power.

Here are some tools that hackers can use to crack your passwords.


John the Ripper is an old school yet powerful password cracking utility. It has several types of engines that can crack different types of passwords, including encryption and hashes. John can detect most hash types (about 90% accurate) and generate matching hash outputs to map back to auto-generated passphrases. Attackers like John the Ripper because it’s very customizable.

John the Ripper cracked 3 passwords from a Linux shadow file.


Hashcat is a password cracking utility. Hashcat is a multi-threaded tool, meaning it can handle multiple hashes and password lists during a single attack session. Hashcat offers many attack options such as brute-force, combinator, dictionary, hybrid, mask and rule-based attacks.


Hashcat GUI

Ophcrack

Ophcrack is a Windows password cracker based on rainbow tables (Rainbow tables are pre-computed hash tables). Ophcrack can import hashes from a variety of formats including dumping directly from the SAM files of Microsoft Windows.


Ophcrack Cracking Hashes

Findmyhash

Findmyhash is a python script which uses a free online service to crack hashes. Findmyhash will analyze against multiple website Rainbow tables.

Findmyhash running an MD5 hash against multiple websites

Crunch

Crunch is a tool used to generate password lists. This can be extremely helpful if you are able to gather intelligence on how your target creates passwords. For example, if you capture two passwords and notice the target uses a phrase followed by random digits, Crunch can be used to quickly generate a list of that phrase followed by all possible random digits. It is the perfect tool for defeating company password policies!

Creating a password list for the word “pass” followed by any two numbers


Crunch output. List of all combinations of “pass” and two numbers

Chntpw

An alternative to breaking a Windows password is completely bypassing it. Chntpw is a software utility that can reset or remove Windows passwords. This gives a hacker with access to your Microsoft Windows SAM file the ability to obtain Administrator privileges.

Chntpw options. Option 1 clears the password.

There are many tools available to break weak passwords. Best practice is using a password longer than 10 characters (having a repeated character at the end even helps!), not using dictionary words, changing your password periodically, not using the same passwords for secure and non-secure sources, and not using a computer that accesses sensitive data for personal use (i.e. the same system for Facebook and for configuring routers). I suggest using the first letter of each word of a long sentence so you can remember the password yet the output is random. Hope this helps. All tools shown are free and available on BackTrack / Kali.
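The keyspace arithmetic behind the claims above (a narrow policy or a known word-plus-digits pattern shrinks what has to be searched), plus a check for the weak habits the post lists, as an added POSIX shell example that is not part of the original post; the character-class sizes (94 printable ASCII, 32 specials), the guess rate and the wordlist contents are constructed assumptions.

```shell
#!/bin/sh
# Password keyspace arithmetic and a weak-habit check (added example, not from the
# post). Keyspaces exceed 64-bit shell integers, so the sums are computed in awk.

# Every position may be any of ALPHABET characters, lengths MIN..MAX
# (94 = printable ASCII, an assumption).  Usage: keyspace_any MIN MAX [ALPHABET]
keyspace_any() {
    awk -v lo="$1" -v hi="$2" -v a="${3:-94}" 'BEGIN {
        for (n = lo; n <= hi; n++) t += a ^ n
        printf "%.0f\n", t }'
}

# The post's policy read literally: exactly one upper-case letter (26 choices) and
# exactly one special character (32 assumed), every other position lower-case or
# digit (36).  Usage: keyspace_one_upper_one_special MIN MAX
keyspace_one_upper_one_special() {
    awk -v lo="$1" -v hi="$2" 'BEGIN {
        for (n = lo; n <= hi; n++) t += n * (n - 1) * 26 * 32 * 36 ^ (n - 2)
        printf "%.0f\n", t }'
}

# Dictionary word followed by D digits: one guess per word per digit string.
# Usage: keyspace_word_digits WORDLIST_SIZE D
keyspace_word_digits() {
    awk -v w="$1" -v d="$2" 'BEGIN { printf "%.0f\n", w * 10 ^ d }'
}

# Hours to exhaust a keyspace at RATE guesses per second (one decimal place).
# Usage: hours_to_exhaust KEYSPACE RATE
hours_to_exhaust() {
    awk -v k="$1" -v r="$2" 'BEGIN { printf "%.1f\n", k / r / 3600 }'
}

# The post's mnemonic: first letter of each word of a sentence, case preserved.
sentence_to_password() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) printf "%s", substr($i, 1, 1)
        print "" }'
}

# Reports, space-separated, which of the post's weak habits a password shows:
# shorter than 10 characters, a plain dictionary word (case-insensitive), or a
# dictionary word followed by digits.  Usage: weak_reasons PASSWORD WORDLIST_FILE
weak_reasons() {
    pw=$1; wl=$2; reasons=""
    [ "${#pw}" -lt 10 ] && reasons="shorter-than-10"
    core=$(printf '%s' "$pw" | sed 's/[0-9]*$//')      # strip trailing digits
    if grep -qixF -- "$pw" "$wl"; then
        reasons="$reasons dictionary-word"
    elif [ "$core" != "$pw" ] && grep -qixF -- "$core" "$wl"; then
        reasons="$reasons word-plus-digits"
    fi
    printf '%s\n' "$reasons" | sed 's/^ //'
}

# Example comparison at an assumed 10,000,000,000 guesses/s (constructed rate):
#   hours_to_exhaust "$(keyspace_any 6 10)" 10000000000
#   hours_to_exhaust "$(keyspace_one_upper_one_special 6 10)" 10000000000
#   hours_to_exhaust "$(keyspace_word_digits 100000 3)" 10000000000
```

The policy-constrained space is a small fraction of the unconstrained 6-10 character space, and the word-plus-three-digits pattern is smaller still, which is the reduction the post describes.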



Filed under General Security, Penetration / Hacking

5 Steps to Take Right After Suffering a Cyber Security Breach

Thanks to my guest writer Kyle Olson for this post. Kyle’s bio is below.


Security breaches on your website hosting servers and any other server based online assets are no laughing matter. Suffering one of these breaches can mean anything from the theft of data for fraud related purposes to the total destructive erasure of all your information just for the fun of it (hackers aren’t exactly known for always being motivated by money).

Whatever the case may be, you, as the hard-working owner of a site you spent months or years building, can enjoy the fun position of watching everything you built come crashing down to zero in less time than it takes you to have lunch. This is not something you want, especially since it can be avoided through some fairly straightforward security procedures that would have saved you nicely.

Anyhow, what’s done is done, you’ve been hacked, and the only thing left to do is save what you can. Let’s cover how you can do that with 5 essential and effective steps.

1. Don’t Panic, Be Methodical

This is the first and most basic thing you need to do; calm down and proceed methodically. Yes, a hack is a severe thing that needs to be dealt with quickly, but running around like a headless chicken won’t solve anything. If you calmly assess the situation, go through the possibilities and the steps we’re about to cover, you’ll have a much better chance of successfully countering any damaging effects than if you work randomly or just freeze up, waiting for the situation to improve on its own.

2. Check in With Your Hosting Provider

Contact your hosting provider as soon as you’ve noticed that your site is down, redirecting to suspicious third party sites, or showing unmistakable signs of serious malfunction. Do the same if you can’t access key parts of your back end admin such as servers, cPanel or CMS login. For one thing, your hosting provider has the tools and expertise to help you with resolving your hack or saving your data, and secondly, they can help you uncover vital information about the hack, such as how many people it’s affecting and how it might have occurred.

3. Make a Record of Everything and Save All Suspicious data

As soon as you start to notice something wrong with your servers or site, also start noting things down. Make a record of everything you saw, experienced and the times at which you saw it. Additionally, save copies of any malicious or suspicious code, files and processes. Even if you need to destroy them as part of your damage control, first save all such data on a remote medium such as USB. This saving also includes (when possible) making a mirror copy ISO of your entire drive or server.

Just as if you’re dealing with a police crime scene, creating a record of events and a chain of evidence will help you more clearly understand and possibly resolve your hack source.

4. Shut Your Site and FTP off then Start Backing Up Your Data

Back up everything in your servers and all associated files to a remote storage medium. Don’t worry if some of it is still contaminated with malicious code (you can later scan and clean it of everything abnormal); for now the key thing is to save as much of your site data as quickly as possible.

Before you start your backup process up, disconnect your site from all remote access. This may mean taking it offline and cutting off access to all FTP accounts. You can also later change all of your server/site access passwords in these FTP profiles and elsewhere.

5. Download Everything Again

Once you’ve performed a thorough backup of all your data, cut your site off from outside access, changed all your access passwords and stopped as much malicious activity as possible, you can now download fresh programs for any third party applications that were supporting your site on the server. These may include LAMP software (Linux, Apache, MySQL, PHP), plugins like Java, Flash and Adobe or a CMS bundle like WordPress.

Having downloaded the newest, cleanest copies of all these applications to your newly secured server, you can start reinstalling all your salvageable backed up data from the site before it was hacked.

When all else fails, you can always contact a company that will perform digital forensics tests to determine the cause of the incident.

About the author: Kyle Olson has written for the tech industry for over 10 years and has operated his own small business in the industry. When he’s not writing poignant articles, you can find him covering civil engineers in Boston or working on his forthcoming novel.



Filed under Internet Defense, Security Management & Analysis

Installing Lancope StealthWatch on a Mac mini for Small Lab

Lancope enables visibility for security and network performance. Security capabilities focus on identifying insider threats such as botnets, malware and data loss using non-signature, network wide correlation of all traffic. Pretty much anything touching the physical or virtual network leaves a footprint known as NetFlow that is investigated for malicious intent and performance statistics.

Lancope offers a virtual and physical appliance option for the StealthWatch technology, making it easy to build a lab. This post will explain how to build a simple Lancope lab integrated with Cisco ISE 1.2 beta using an Apple Mac mini server hosting vSphere ESXi 5.1 with an ASA 5505 firewall.

It’s important to understand components of Lancope.

  • StealthWatch Manager (SMC) – This is the centralized system that manages all other components. Administrators will access this system’s IP for GUI management.
  • StealthWatch Collector – This is what collects NetFlow. All devices generating NetFlow will send data to this device for correlation.
  • StealthWatch Sensor – This generates NetFlow on behalf of devices unable to send NetFlow. It can also view application layer data, providing additional context.
  • StealthWatch Identity Box OR Cisco ISE – These identify users and devices based on authentication and profiling. IP addresses are linked to user information.
  • StealthWatch Replicator – This replicates UDP management data such as flow data, SNMP traps and syslog.
  • StealthWatch SLIC – This is a reputation feed that correlates external known threats with possible insider threats.

My lab is using virtualized appliances of all Lancope technology components. You can obtain Lancope .OVA files preloaded on Cisco 3850 switches, Lancope’s website or from a solution provider. The first step is loading the Lancope .OVAs into vSphere. All appliances will ask for basic IP, DNS and NTP information upon launching. The default login for everything is either admin or root and lan1cope or lan411cope. I had some problems with default logins and recommend accessing the administration of each Lancope appliance using command line, typing SystemConfig and resetting the passwords prior to logging into the GUI.


SystemConfig found in the appliance command line


Lancope SMC ESXI Properties

The Lancope SMC requires a minimum of 8 GB of memory and 2 CPUs. Setup is basic IP and accessing its GUI via HTTPS. Additional system configuration can be done by clicking Administer this server, or the user GUI can be opened by clicking Start. One important first step in the GUI is adding the main inside network subnet to the Catch All.


Adding Inside Network To Lancope Catch All


Lancope Collector ESXI Properties

The Lancope Collector lists an 8 GB memory requirement with 2 CPUs; however, ESXi 5.1 gave a resource error message upon launching. I reduced the memory to 4 GB per CPU, which fixed that issue. Once the Lancope Collector is up, access its GUI via https. You must point it at the SMC under the Configuration tab.

I enabled NetFlow on an ASA 5505 firewall (running 8.2(2) or greater) and pointed it at the Lancope Collector for network visibility. My ASA 5505 is also powering my 1121 Access Point for wireless. To enable NetFlow in ASDM, click Configuration under Device Management, click NetFlow under Logging, change the template timeout to 1 minute and the delay to 15 seconds, and check “Disable Redundant Syslog”. Select Inside, then enter the collector’s IP and UDP port 2055.


Creating Netflow Collector in ASA

Next, create a firewall policy under Firewall and Service Policy Rules. Click Global, give it a name, select All Traffic, click the NetFlow tab and select the IP you configured under Device Management. NOTE: If you update Device Management, you must first delete its reference under the firewall policy to avoid errors.
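The CLI equivalent of the two ASDM procedures above (NetFlow destination, then the global service policy), as an added example that is not from the original post; the collector address 192.0.2.10, the interface name inside and the class-map name are placeholders, and the flow-create delay command is assumed to exist on the ASA release in use:

```cisco
! NetFlow Secure Event Logging (NSEL) export from the ASA to the StealthWatch Collector.
! Placeholders: 192.0.2.10 is the collector address, "inside" is the interface that reaches it.
!
! 1. Export destination (ASDM: Device Management > Logging > NetFlow), UDP port 2055
flow-export destination inside 192.0.2.10 2055
! Re-send template records every 1 minute (ASDM "template timeout")
flow-export template timeout-rate 1
! Hold flow-create events 15 seconds so short-lived flows are reported once (ASDM "delay";
! omit this line if the release rejects the command)
flow-export delay flow-create 15
! Suppress the syslogs that duplicate NSEL events (ASDM "Disable Redundant Syslog")
logging flow-export-syslogs disable
!
! 2. Global service policy that exports all traffic (ASDM: Firewall > Service Policy Rules > Global)
class-map netflow-all-traffic
 match any
policy-map global_policy
 class netflow-all-traffic
  flow-export event-type all destination 192.0.2.10
! global_policy is the ASA's default global policy; apply it globally if it is not already
service-policy global_policy global
!
! Verify: the counters should increase once traffic crosses the firewall
! show flow-export counters
```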


Add Firewall Policy in ASA

To add visibility into my ESXi environment, I loaded a Lancope virtual Sensor. The Lancope Sensor requires 1 GB of memory and 1 CPU. Once the Sensor is up, you must point it at the Lancope Collector and add the ESXi server. Prior to doing that, you must create a read-only user account in ESXi. NOTE: ESXi has discontinued groups. Click Local Users & Groups, right click and choose Add to create a new user. Give the user a name and password. Next click Permissions, right click your new user and choose Edit. Add a permission of Read-Only. Once the account is ready, log in to the https interface of the Lancope Sensor. Click the Configuration tab and add the Lancope Collector. Next, under Configuration, add your ESXi server. If the steps are performed correctly, the SMC should automatically detect the new Lancope Sensor and virtual environment.


Adding VMware to Lancope SMC

I have ISE 1.2 providing admission control for my LAN and wireless networks. ISE data can be imported into the Lancope SMC. This is done from the GUI by right clicking Identity Services in the Lancope SMC tree and clicking Add. Fill out the ISE information using the admin login for ISE.

At this point, the Lancope SMC has NetFlow from an ASA firewall seeing LAN and wireless traffic, ISE authentication data and NetFlow from inside a virtualized environment. I plan to add the SLIC feed for reputation once I obtain a license. I now have full visibility of my home network.


Lancope SMC Device Tree


Filed under Security Management & Analysis

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post can be found HERE.


Illustration by Kekai Kotaki

Problem

Cisco Systems, in its Cyber Security Threat Defense white papers, outlines how the network security threat landscape is evolving. It describes how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient for detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be implemented mainly to fulfill some sort of checkmark for an auditor on a compliance form. Security professionals know that these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember, you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)


Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling and access controls.

As the centerpiece of Cisco’s TrustSec solution, Cisco ISE creates a secure ecosystem, treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center in the news. President Obama recently challenged the nation and the Federal government of the United States to increase its cyber defense capabilities. Federal IT budgets are being slashed in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual onlooker.

Cisco Systems, in its Cyber Threat Defense white paper, discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even gauge whether they are being attacked or whether a threat poses a clear and present danger (yes, that was a Harrison Ford shout-out)?


RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptual framework for a Threat Defense Visibility and Awareness program. The goals of the program should be to (1) provide a framework that can be built using products, technologies and methodologies that are available today, (2) provide real-time visibility into network health and status, (3) provide real-time network posture and attack risk baselines, and (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on its website that security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data exfiltration

Lancope StealthWatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because it highlights changes in baseline behavior. Did traffic spike 100%? Did outbound traffic suddenly increase? Are more requests being transmitted to a new domain on the Internet? All of these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns compared with what they normally look like.


Filed under Security Management & Analysis

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layered security technologies.

Cisco is known for network and collaboration products; however, Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and its partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network, regardless of whether it’s the LAN, wireless or remote access using VPN technology. Cisco Identity Services Engine (ISE) provides visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify that devices meet specified policies by enforcing posture prior to providing network access, for example ensuring that Joey’s Windows 7 laptop has the latest updates and security applications installed.

Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Profiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”


Some default profiles for Cisco ISE. 

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance (WSA, previously IronPort) provides visibility of Internet usage as well as security through layered technologies. Network use policies, such as denying gambling web content during work hours, can easily be enforced through Cisco WSA’s categorized content classes.


Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security that protect users accessing approved content. The first layer verifies whether the web source is a known malicious location based on reputation. Reputation can be based on factors such as where the site is located, how long it has been up and whether it has been marked as a source of malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence, looking for malicious behavior. There is also a botnet scanner that sits on a SPAN port, designed to catch users who have been compromised and have malware phoning home from their devices. The botnet scanner is a first step towards identifying insider threats, but it is not enough on its own.

Cisco WSA Main Dashboard

Cisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network-wide forensic visibility, leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s StealthWatch to see the top 10 threats, ranging from data loss to botnet infections.

Main Lancope Cyber Security Dashboard

Top 4 machines infected with botnets

Ethel’s Windows 7 Workstation With Botnet

Ethel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior, regardless of whether the threat attempts to hide by throttling, using encryption or interacting through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to Dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain, meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where it’s spreading and how it’s sending traffic off the network. Lancope also gives visibility into abuse of network resources, unauthorized tunneling and network performance problems.

Lancope Data Loss Diagram

Malware Propagation Diagram

Purple IP has infected green IP, which is probing other systems

Known Botnet Sources via Reputation

Combining Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power in having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on whether any of those devices have been compromised. This information can dramatically improve identification of and reaction to cyber threats, saving time, money and other problems caused by network breaches.


Filed under Internet Defense, Network Admission Control, Security Management & Analysis