Tag Archives: ISE.1.1

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Watching Cisco’s Cyber Solutions – What Is Happening In Your NetworkToday’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day.  There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

ISE Auth Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Screen Shot 2013 03 01 at 8.36.52 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkProfiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Screen Shot 2013 03 01 at 8.36.01 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Some default profiles for Cisco ISE. 

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Screen Shot 2013 02 22 at 12.08.05 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Screen Shot 2013 02 22 at 5.03.01 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Main Dashboard

Screen Shot 2013 02 22 at 12.07.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Screen Shot 2013 02 22 at 12.11.20 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMain Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Screen Shot 2013 02 22 at 12.12.19 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Windows 7 Workstation With Botnet

Screen Shot 2013 02 22 at 12.12.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Screen Shot 2013 02 22 at 12.13.00 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkLancope Dataloss Diagram
Screen Shot 2013 02 22 at 12.13.18 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMalware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Screen Shot 2013 02 22 at 12.14.47 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkKnown Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 24, 2012

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And LabCisco recently announced a partnership with Lancope to address Advanced Persistent Threat or APT type attacks. The reason Lancope / StealthWatch was added is most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honey pots (example FireEye) however advanced attacks aka APTs are bypassing these traditional security solutions.

APTs are typically customized for a specific target and designed to stay under the radar using technics such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are Firewalls, IPS/IDS, Content filters, Anti-Virus / Anti-Malware, and other technologies that operate on a “probe” type design meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to lack of ability to detect the methods APTs operate on the network as well as difficultly to places detection technology in all network areas monitoring all layers of the network stack.

Some recent offerings to combat the APT threat are packet level and flow based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology.  Both views have pros and cons however one clear advantage of using NetFlow is many network devices are capable of generating flows which makes it more cost effective than capturing and storing packet level data. I’m not saying packet level monitoring is a bad however storage requirements tend to quickly raise the price tag of this approach.

Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network hosts connected to devices such as switches, routers and firewalls generate flows of information which typically are NetFlow or sFlow. As flows are collected, Lancope aggregates, normalizes and analyzes NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine aka ISE by taking in contextual information such as User Identity, Endpoint Device Profiling and Posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify some malware that apparently had been active for months throttling its communication phone home patterns to bypass their IPS and SIEM solution.

MY Lancope LAB

When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.
Screen Shot 2012 05 21 at 5.35.16 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Screen Shot 2012 05 21 at 5.37.02 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Once launched, the management interface of Lancope looks like this.

Screen Shot 2012 05 21 at 5.38.27 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

I have specific dashboards that come up which are customizable. Lancope offers TONs of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.

Screen Shot 2012 05 21 at 5.39.18 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope dashboard shows traffic by hosts and bandwidth usage.

Screen Shot 2012 05 21 at 5.39.39 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This shows a flow table in my Lancope lab. Flows are typically one way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.

Screen Shot 2012 05 21 at 5.39.47 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope diagram shows a global map of host relationship usage.

Screen Shot 2012 05 21 at 5.39.54 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Here is a Lancope report showcasing user integration with Cisco Identity Services Engine aka ISE. Notice how inside Lancope, you can see who the users are , where they are located and what type of devices they have on the network utilizing the authorization and profiling capabilities of Cisco ISE.

Screen Shot 2012 05 23 at 4.24.49 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

The Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine or ISE integration is Cisco’s new flagship story to address advanced cyber threats aka APTs. I believe its critical to monitor flow or packet level data since in many cases, its the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.

VN:F [1.9.22_1171]
Rating: 5.0/5 (5 votes cast)

4 Comments

Filed under Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 14, 2012

Cisco Identity Services Engine ISE 1.1 Profiling – Identify And Monitor What Is On Your Network

Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your NetworkMany network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges to their systems or recently the demand to bring personal mobile devices onto the network. For these and other reasons, the visibility on what is on the network is becoming blurred.

Cisco released its flagship access control solution Cisco Identity Services Engine ISE last year with the goal of using identity as a means to provision network access. Many people evaluating Network Admission Control solutions get caught up with the concept of denying rather than understanding a core purpose of these solutions is identification. Cisco ISE is able to profile devices using a number of network probes that analyze the behavior of devices on the network to determine what they are. Probes are optional yet best practice is to enable as much as possible to gain the best network visibility. Some options for probes are Netflow, DHCP, DHCP SPAN, HTTP, Radius, NMAP, DNS, SNMP Query and SNMP Traps. Ports used are configurable as well as device profiles. For example, if a Avaya phone requires DHCP as a requirement for identification, that requirement can be adjusted if DHCP is not available.

ports Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Network
To prove the ISE network monitoring concept, I stood up a ISE system on a small server, enabled all profiling probes and let it sit on my network overnight. ISE did not have AAA setup, user information, 802.1x or device management enabled. Consider this ISE system a server / laptop plugging into a DHCP port and sniffing the wire using profiling probes.shot11 Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Network

My network is very basic. I have a small Cisco Firewall providing LAN access with a ROKU Netflixs player, Blue Ray device (off during test) and Cisco Access Point powered from the firewall. ISE was able to identify my laptop as a Apple Workstation running Lion, my printer as a Canon device (I turned it on for 5 minutes to scan a document and powered it down), MACMINI as a apple device hosting VMWare, Apple iPad connecting to the Access Point and iPhone connected but not surfing the internet (seen as Apple iDevice since it generated little network traffic). This was done without using the new NMAP feature.

I verified findings by launching a NMAP scan and found a consolidated list of active devices. (Note this is the MR1.1 release however 1.1 includes NMAP as well)nmap Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Networkshot2 Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Network

Cisco Identity Services Engine ISE is a very powerful access control tool yet many forget the simple things in life. Consider ISE for identifying what is on your network using profiling as a network monitoring tool. Its a great first step to establish your network policy.

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)

1 Comment

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

March 20, 2012

Cisco Identity Services Engine 1.1 Update Is Now Available – Some Details On The Release | ISE

Cisco Identity Solutions Engine 1.1 Update Is Now Available ISE

ISE 1.04Screen Shot 2012 03 19 at 5.22.17 PM Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISE
Screen Shot 2012 03 19 at 5.22.52 PM Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISEISE 1.1

Cisco recently released the latest update for Identity Solutions Engine (ISE). Below are some features and findings. My team has been running this in the lab for a while and so far it’s been rock solid. For those who have seen Cisco Prime Network Control System (NCS), the ISE GUI now has the same theme (see the pictures above and below).

ISE 1.04

Screen Shot 2012 03 19 at 5.23.02 PM 1024x543 Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISE

ISE 1.1

Screen Shot 2012 03 19 at 5.24.01 PM1 1024x537 Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISE

FEATURES

  • Common Criteria Certification – This release will be submitted for Common Criteria Certification, which is a requirement for many federal agencies.
  • FIPSISE 802.1x services with Common Access Card (CAC) including NAC & AnyConnect Agent
  • IOS Sensor on 15.0(1) SE1 for Cat 3000 and IOS 15.1(1) SG for CAT 4000. This is a huge for Profiling since it’s the first time Cisco is leveraging the switches for profiling data rather than probing from the ISE server down (like all other profiling type solutions). It makes sense to do this since typical information being probed is already available on switches.* Catalyst 2000 support and DHCP data for IOS Sensor will come later.
  • Active Endpoint Scanning – Manual scan and specific scan action per profile template
  • Endpoint protection services aka (Blacklisting devices) – Enable administrators to quarantine devices by IP or MAC address.

Screen Shot 2012 03 19 at 5.24.23 PM 300x191 Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISE

  • Multiple language support for guest, sponsor and client provisioning portals.
  • NAC agent, AnyConnect NAM client, ISE user input fields and reports.
  • Guest without Logon (Device registration WebAuth). Simple URL for Sponsor Portal Access (A simple, short link). Custom Portal Theme
  • OCSP Support
  • NTP Server authentication
  • External Authentication for Administrators (including CAC)
  • ISE VM Appliance will include VMWare Tools
  • SGA Out Of Band PAC Provisioning
  • SGACL Monitor Mode
  • NMAP added to profiling
Screen Shot 2012 03 24 at 9.31.47 PM 300x148 Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISE

SOME OTHER THINGS TO NOTE ABOUT THE ISE 1.1 RELEASE:

  • There are some Internet Explorer 8 problems that are performance related. The current release notes claim “be patient” and “click several times”.
  • There are some disk space and performance issues on the UCS SATA-2 storage systems.
  • We have been running it on vshpare 5.0 without a problem even though 4 is the supported platform. Same goes for ISE 1.04
  • ISE IPEP will need to be disconnect and use Certificate Based Authetnication to connect to a PAP prior to upgrade  http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html#wp248769 - IPEP Bug CSCtu39612

ISE 1.1 release notes can be found HERE

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)

5 Comments

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,