Tag Archives: NAC appliance

March 18, 2013

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post ca be found HERE

Illustration Kekai Kotaki Red Dragon 992x712 Situational Awareness For Cyber Threat Defense

Illustration by Kekai Kotaki

Problem

Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Cisco ISE 1024x617 Situational Awareness For Cyber Threat Defense

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

Combined as a center piece for Cisco’s TruseSec Solution, Cisco ISE creates a secure ecosystem treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).

NetWitness Situational Awareness For Cyber Threat Defense

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data ex-filtration

Lancope Situational Awareness For Cyber Threat Defense

Lancope Stealwatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Watching Cisco’s Cyber Solutions – What Is Happening In Your NetworkToday’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day.  There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

ISE Auth Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Screen Shot 2013 03 01 at 8.36.52 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkProfiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Screen Shot 2013 03 01 at 8.36.01 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Some default profiles for Cisco ISE. 

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Screen Shot 2013 02 22 at 12.08.05 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Screen Shot 2013 02 22 at 5.03.01 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Main Dashboard

Screen Shot 2013 02 22 at 12.07.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Screen Shot 2013 02 22 at 12.11.20 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMain Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Screen Shot 2013 02 22 at 12.12.19 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Windows 7 Workstation With Botnet

Screen Shot 2013 02 22 at 12.12.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Screen Shot 2013 02 22 at 12.13.00 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkLancope Dataloss Diagram
Screen Shot 2013 02 22 at 12.13.18 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMalware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Screen Shot 2013 02 22 at 12.14.47 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkKnown Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 8, 2013

The Business Value Of NetFlow : Why Invest In NetFlow Technology?

The Business Value Of NetFlow : Why Invest In NetFlow Technology?There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t use a specific attack to compromise targeted networks.

Successful attacks are typically made up of a number of chained exploits. A hacker may start with social engineering, deliver malware through phishing and gain internal access through compromised machines. Once the hacker has established a foothold into the internal network, he may spread rootkits through a hidden torrent like environment to communicate under the radar and steal information.

Defending against attacks like this is difficult to detect and to remediate. Point productions may catch a piece of the puzzle however you will need the complete picture to deal with sophisticated attacks. Solutions must have network wide visibility, which typically can be accomplished through logging, packet capture or network analysis. Logging requires security tools such as firewalls and IPS appliances spread across the network sending logs to a centralized system for event correlation and reporting. Analyzing packets usually requires collectors analyzing a tremendous amount of data obtained from key network segments. Network security and performance analytics can be obtained directly from network devices capable of providing NetFlow such as routers and firewalls.

Of the three methods, network analysis is becoming an extremely attractive method to defend against advanced threats since NetFlow can be harvested from existing devices.

What are the key reasons to invest in NetFlow when an organization has already invested in firewalls, anti-virus, IPS systems, and other security tools? Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

October 29, 2012

Defending Against The Next Generation Distributed Denial of Service DDoS Attacks : DDoS Defense Reference Architecture

Defending Against The Next Generation Distributed Denial of Service DDoS Attacks : DDoS Defense Reference ArchitecturePress around the DDoS attack Operation Ababil has caught the attention of many of our customers. This sophisticated cyber strike used a combination of three separate rootkits targeting webservers, which produced a very high upstream attack method on multiple companies simultaneously. The scary part about Operation Ababil was it was designed to bypass standard DDoS defense methods. This clearly demonstrates there isn’t a silver bullet for addressing advanced DDoS attacks. Distributed Denial of Service DDoS, web application and DNS infrastructure attacks represent some of the most critical threats to enterprises today.  Here is some suggestions for a reference architecture to defend against these an other advanced threats.

Defending Against The Next Generation Distributed Denial of Service DDoS Attacks : DDoS Defense Reference ArchitectureThe best approach for defending against advanced DDoS as well as other cyber attacks is having multiple security solutions using different methods to detect malicious activity for both internal and external threats. For internal threats, it’s critical to have a well-designed and mature security infrastructure that includes components such as firewalls, IPS/IDS, email and content / application security solutions. Similar security standards need to be applied to endpoints as well as in the datacenter such as proper patch management, anti-virus and anti-malware. It’s important to enable DDoS defense features for these tools. For example, some best practices are leveraging ACLs for ingress and egress filtering, rate limiting ICMP and SYN packets as well as verifying if the source IP of packets have a route from where they arrived.

Defending Against The Next Generation Distributed Denial of Service DDoS Attacks : DDoS Defense Reference ArchitectureStandard internal security solutions are important however will not completely protect you from advanced DDoS and other cyber threats. Security administrators need full network visibility to quickly identify anomalies regardless of their location or form of communication. Best practice to identify malicious activity inside your network is monitoring the wire using a NetFlow or Packet capture approach (more can be found HERE and HERE). It’s also important to match identity to devices found. An example is how Cisco offers integration with its flagship access control solution, Identity Services Engine ISE, to network forensic tools such as Lancope, NetWitness and most major SIEMs. Having a tuned monitoring solution will dramatically improve reaction time to internal cyber threats.

Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under Internet Defense, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

October 15, 2012

Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

Zenprise recently released an upgrade to their flagship mobile device management MDM solution. My team has been showcasing a previous version 6.6 and went through the upgrade to Zenprise 7.01 this week. The Zenprise ZDM upgrade took around 15- 20 minutes, which steps included upgrading the software and java on the hosting server. Here is a comparison of both versions of Zenprise ZDM.

Dashboard: Zenprise 7.01 now includes a dashboard or centralized landing page. From a visual perspective, it’s a great way to quickly identify the state of the system and managed endpoints. The picture below is customized for 6 different reports. Functionality wise, the previous version of Zenprise could accomplish the same things by clicking around.

Screen Shot 2012 10 10 at 12.23.00 AM1 Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

iOS and Android Enrollment: The new 7.01 version of Zenprise offers a dedicated section for device enrollment that includes options such as  MDM server discovery, email or SMS notification. We felt enrollment was a weak spot for Zenprise however this release dramatically simplifies the process. The group enrollment features makes it much easier to deploy the Zenprise MDM software to a larger number of users at once. Furthermore, Zenprise 7.01 can import a CSV file to populate its database for bulk enrollment.

Screen Shot 2012 10 10 at 12.17.26 AM Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

iOS Location Services, Geo-tracking and Geo-fencing: This is a huge feature. Admins can set location service policies to located devices at any given time. Geofencing allows admins to define a geographic perimeter and perform a selective or full wipe upon perimeter breach. We have had requests for Geofencing that range from stopping students from walking off with school issued mobile devices to military secured facilities wiping any device that leaves the controlled area. In high security areas it it possible to wipe a device on-demand as it exists a “safe” zone. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

September 17, 2012

802.1X Challenges For Department of Defense

DISA 802.1X Challenges For Department of DefenseAamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps need to be protected. Applications, server, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network.  Network port protection lock down restricts anonymous access and prevents these “attacks”.

When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnatural and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated.  NAC supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN.  The term ‘supplicant’ is also used interchangeably to refer to the software running on the clients’ device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. Continue reading

VN:F [1.9.22_1171]
Rating: 4.0/5 (1 vote cast)

3 Comments

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 23, 2012

Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1Cisco recently updated their flagship access control solution Identity Services Engine ISE label 1.1.1 or ISE 1.1MR (Maintenance Release). See more on ISE HERE. My team has received lots of questions around on-boarding new devices with ISE. This post will focus on this feature and assumes a standard ISE design is enabled for wireless access.

On-boarding simply means brining a new device onto the network for the first time. This process includes certificate enrollment and profile provisioning without involving IT as well as little interaction with the end user. ISE 1.1MR accomplishes these goals levering an existing Certificate Authorityuser database such as Active Directory and ISE frameworkScreen Shot 2012 07 24 at 4.24.42 PM Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

The ISE on-boarding process can vary however will be explained as having a new device connecting to a SSID specified for on-boarding new devices (can be open or secured with PEAP). Devices that connect to the on-boarding SSID will be redirected to a guest registration portal.  The user will authenticate, which will trigger the certificate enrollment and profile provisioning process. Parameters to connect to the internal secure SSID will be included with the configuration profile that is provisioned to the mobile device post authentication. From that point on, the device will use the internal SSID for network access, which may have different ISE authorization rules depending on the design. Devices that fail to complete the on-boarding process will default to ether a guest SSID or be denied access depending on the desired policy.Screen Shot 2012 07 24 at 4.26.32 PM Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

WIRELESS: On-boarding can be designed many ways however for this post we will use two SSIDs called Provisioning_Wireless for new devices and Employee_Wireless for existing approved devices.  An accesslist limiting access to ISE, DHCP and DNS will be enabled to prevent devices from staying on the provisioning SSID.  A possible configuration for both SSIDS could be as follow

Attribute: Provisioning_Wireless / Employee_Wireless
Broadcast SSID: Enable / Enable
Layer2 Security: None / WPA+WPA2
MAC Filtering: Enable / Disabled
WPA+WPA2 Parameters: None / WPA2 Policy, AES, 802.1x
Layer 3 Security: None / None
AAA Server: ISE / ISE
Advanced: AAA Override Enabled / AAA Override Enabled
Advanced: NAC State – Radius NAC / NAC State – Radius NAC

To build this, go to WLANs > Create New > Go and fill out the profile details. Use NONE for the layer 2 settings so it’s OPEN. For AAA, set the Radius server for ISE. Under advanced, enabled Allow AAA Override and change the NAC state to Radius NAC. Go to Controller > General > Fast SSID change and enabled Fast SSID to help speed up the SSID changing.

ISE: (1) First in ISE setup Active Directory by going to Admin > External Identity Sources > Active Directory and join ISE to an AD system.

(2) Next go to Admin > External Identity Sources > Certificate Authentication Profile > ADD to define the certificate authentication profile (name it and choose Common Name for X509).

(3) Next define an Identity Source Sequence by going to Admin > Identity Source Sequences > Add.  Give it a name, enabled and select the certification profile you just created then add AD for the authentication search list.

(4) Next configure ISE to act as a Simple Certificate Enrollment proxy server (SCEP). Go to Admin > Certificates > SCEP CA Profiles > Add. After defining your SCEP server, ISE will download the RA and root CA certificates of the CA server (this can be verified uner the certificate store via SYSTEM > Certificate > Certificate Store).

For this scenario, we will configure ISE authentication to use MAB for on-boarding new devices.  It many cases, ISE will not know the MAC address in advance so it must be configured to continue the authentication process via redirection regardless.

This is done in ISE:

(1) Going to Policy > Authentication, choose your MAB wireless policy, click the carrot after allow protocols to show the user options and click the + sign for use.

(2) Select IF USERS NOT FOUNDCONTINUE. As a reminder, ISE Authentication policies are verified top down so make sure your MAB policy used for BYOD is at the top and open for all identity stores. You should lock down the 802.1x wireless to only wireless certificates.

Client provisioning is based on how ISE classifies the client machine. There are customized packages in ISE available that include a software-provisioning wizard, which configures 802.1x settings and ability to obtain digital certificates on the endpoint.

To download wizard packages in ISE, go to Policy Elements > Results > Client Provisioning > Resources > Add. Common mobile devices such as iOS typically have these settings enabled natively so a wizard is not needed.

To configure client provisioning in ISE:

(1) Go to Policy Elements > Results > Client Provisioning > Resources > Add.

(2) Create a native suppliant profile by giving it a name, selecting the Wireless Checkbox, your on-boarding SSID, WPA2 for security, TLS for allow protocals and key size 2048.

(3) Next go to Policy > Client > Provisioning to build your provisioning resources. Create one for native devices and select the mobile profile you just created for the results (example RULE = IOS, Identiy Group = Any, Operating systems MAC IOS ALL and your new mobile profile for results).

(4) Create another that is similar however use Android for the operating systems. Create a third for generic MacOsX devices and use the downloaded wizard. You may also want to create a separate one for Wired and Wireless. The same goes for two more to cover wireless and wired Windows devices. Here is an example of my Client PolicesScreen Shot 2012 08 23 at 12.17.38 AM Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

The final steps are verifying profiling for wireless is working as well as your authorization profiles are setup for redirection, employee and guest access (see previous postings for these configs). These can vary depending on how you want to restrict devices that pass and fail your polices.

Written by Joseph Muniz and Aamir Lakhani

Reviewed by Aman Diwakar and Brian Trulove

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

3 Comments

Filed under Bring Your Own Device BYOD, Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

July 11, 2012

Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Cisco has posted the next release of their flagship security solution Identity Services Engine ISE 1.1.1 or ISE 1.1MR. ISE 1.1.1  is coined a maintenance release however includes some important new features such as some themed around Bring Your Own Device (BYOD).

You can find the ISE 1.1.1 release HERE and latest ISE 1.1.1 documents HERE or go to

www.cisco.com/go/ise for more information and

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation

Here is a breakdown of what is new with ISE 1.1.1

  • New Default Authorization Profile (“Blacklist”) - ISE 1.1.1 can now “blacklist” user devices that get “lost,” or otherwise become unusable or taken out of circulation, until the device can be reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes “blacklisted” devices from the network and thay are not allowed back on until the device is reinstated Screen Shot 2012 07 11 at 3.28.19 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Dictionary Attribute-to-Attribute Authorization Policy Configuration - You now have the option, when constructing policy conditions in an Authorization Policy, to specify another Dictionary Attribute to which you can associate the source Attribute during policy configuration Screen Shot 2012 07 11 at 3.32.10 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • New Device Registration Task Manager - New visual path through the various Cisco ISE 1.1.1 administration and configuration processes necessary to enable administrators to set Cisco ISE 1.1.1 up to provide multiple, configurable device support for end usersnew2 Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Native Supplicant Provisioning Profile Configuration - Configure native supplicant profiles for client provisioning in addition to the existing “ISE Posture Agent Profiles” currently available in Cisco ISE Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones/iPads and AndroidScreen Shot 2012 07 11 at 4.29.25 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Enhanced Client Provisioning Policy Configuration - You can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones/iPads and Android. For the personal device support, specifically, you can configure the policy to upload the appropriate configuration wizard necessary to enable the user’s device to negotiate and register with Cisco ISE 1.1.1 (NOTE: In my example below, I’m using the IOS and Android native while I downloaded from Cisco wizards for MAC OX and Windows.)newnew Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • SCEP Authority Profile Configuration Page - Enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies maintains connectivity with the SCEP authority server(s) you specify, and even performs load-balancing among multiple servers to ensure optimal connectivity for users when they use their personal devices to access the networkScreen Shot 2012 07 11 at 4.22.41 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • RADIUS Proxy Attribute - Enhance the RADIUS sequence flows and processing. When Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decisions making based on additional attributes and groups queried from AD and LDAP.
  • EAP Chaining - Allows authenticating both machine and user in the same EAP-FAST authentication in a configurable order. When EAP-FAST authentication result is determined, Cisco ISE 1.1.1 allows you to apply authorization policy depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs usual EAP-FAST authentication. Screen Shot 2012 07 11 at 4.02.58 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • EAP-TLS as an Inner Method for EAP-FAST- Allows usage of EAP-TLS protocol as an inner method for EAP-FAST protocol. The implementation is equal to usage of EAP-TLS as inner method of PEAP Screen Shot 2012 07 11 at 4.00.15 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Device Registration Portal - A standalone portal that can be completely customized to suite your organization. A network access user who is configured as an employee in an organization can access the portal that allows them to bring in their personal devices into an enterprise network through an employee authentication, and then a device registration process. An employee can manage their devices to add, edit, reinstate, and delete their devices through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database, and profile them like any other endpoint. The Cisco ISE 1.1.1 administrators can manage the registered endpoints from the administrator user interface, by using the identities list and reports
    Screen Shot 2012 07 11 at 4.38.34 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • New Reports in Cisco ISE 1.1.1
    • Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.Screen Shot 2012 07 11 at 4.07.51 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update ReviewedScreen Shot 2012 07 11 at 4.08.24 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
    • Registered Endpoint Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time. Screen Shot 2012 07 11 at 4.09.43 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update ReviewedScreen Shot 2012 07 11 at 4.09.30 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Change of Authorization - Triggers a CoA when an endpoint is added or removed from an endpoint identity group that is used by authorization policy. Any change in an endpoint identity group assignment for an endpoint that occurs due to dynamically profiling or a static assignment to an endpoint identity group, a CoA is triggered in both the cases

Go download the latest ISE 1.1.1 release. The upgrade process will take you around 30 minutes to complete. Here what it will look like.

ISE-10MR2/admin# application upgrade ise-appbundle-1.1.1.268.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory… Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
 % This application Install or Upgrade requires reboot, rebooting now…
 Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
 The system is going down for reboot NOW!

VN:F [1.9.22_1171]
Rating: 5.0/5 (7 votes cast)

23 Comments

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 24, 2012

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And LabCisco recently announced a partnership with Lancope to address Advanced Persistent Threat or APT type attacks. The reason Lancope / StealthWatch was added is most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honey pots (example FireEye) however advanced attacks aka APTs are bypassing these traditional security solutions.

APTs are typically customized for a specific target and designed to stay under the radar using technics such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are Firewalls, IPS/IDS, Content filters, Anti-Virus / Anti-Malware, and other technologies that operate on a “probe” type design meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to lack of ability to detect the methods APTs operate on the network as well as difficultly to places detection technology in all network areas monitoring all layers of the network stack.

Some recent offerings to combat the APT threat are packet level and flow based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology.  Both views have pros and cons however one clear advantage of using NetFlow is many network devices are capable of generating flows which makes it more cost effective than capturing and storing packet level data. I’m not saying packet level monitoring is a bad however storage requirements tend to quickly raise the price tag of this approach.

Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network hosts connected to devices such as switches, routers and firewalls generate flows of information which typically are NetFlow or sFlow. As flows are collected, Lancope aggregates, normalizes and analyzes NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine aka ISE by taking in contextual information such as User Identity, Endpoint Device Profiling and Posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify some malware that apparently had been active for months throttling its communication phone home patterns to bypass their IPS and SIEM solution.

MY Lancope LAB

When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.
Screen Shot 2012 05 21 at 5.35.16 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Screen Shot 2012 05 21 at 5.37.02 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Once launched, the management interface of Lancope looks like this.

Screen Shot 2012 05 21 at 5.38.27 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

I have specific dashboards that come up which are customizable. Lancope offers TONs of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.

Screen Shot 2012 05 21 at 5.39.18 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope dashboard shows traffic by hosts and bandwidth usage.

Screen Shot 2012 05 21 at 5.39.39 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This shows a flow table in my Lancope lab. Flows are typically one way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.

Screen Shot 2012 05 21 at 5.39.47 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

This Lancope diagram shows a global map of host relationship usage.

Screen Shot 2012 05 21 at 5.39.54 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

Here is a Lancope report showcasing user integration with Cisco Identity Services Engine aka ISE. Notice how inside Lancope, you can see who the users are , where they are located and what type of devices they have on the network utilizing the authorization and profiling capabilities of Cisco ISE.

Screen Shot 2012 05 23 at 4.24.49 PM Identifying Advanced Persistent Threats ATP Using Netflow Lancope StealthWatch Overview And Lab

The Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine or ISE integration is Cisco’s new flagship story to address advanced cyber threats aka APTs. I believe its critical to monitor flow or packet level data since in many cases, its the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.

VN:F [1.9.22_1171]
Rating: 5.0/5 (5 votes cast)

4 Comments

Filed under Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 14, 2012

Cisco Identity Services Engine ISE 1.1 Profiling – Identify And Monitor What Is On Your Network

Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your NetworkMany network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges to their systems or recently the demand to bring personal mobile devices onto the network. For these and other reasons, the visibility on what is on the network is becoming blurred.

Cisco released its flagship access control solution Cisco Identity Services Engine ISE last year with the goal of using identity as a means to provision network access. Many people evaluating Network Admission Control solutions get caught up with the concept of denying rather than understanding a core purpose of these solutions is identification. Cisco ISE is able to profile devices using a number of network probes that analyze the behavior of devices on the network to determine what they are. Probes are optional yet best practice is to enable as much as possible to gain the best network visibility. Some options for probes are Netflow, DHCP, DHCP SPAN, HTTP, Radius, NMAP, DNS, SNMP Query and SNMP Traps. Ports used are configurable as well as device profiles. For example, if a Avaya phone requires DHCP as a requirement for identification, that requirement can be adjusted if DHCP is not available.

ports Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Network
To prove the ISE network monitoring concept, I stood up a ISE system on a small server, enabled all profiling probes and let it sit on my network overnight. ISE did not have AAA setup, user information, 802.1x or device management enabled. Consider this ISE system a server / laptop plugging into a DHCP port and sniffing the wire using profiling probes.shot11 Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Network

My network is very basic. I have a small Cisco Firewall providing LAN access with a ROKU Netflixs player, Blue Ray device (off during test) and Cisco Access Point powered from the firewall. ISE was able to identify my laptop as a Apple Workstation running Lion, my printer as a Canon device (I turned it on for 5 minutes to scan a document and powered it down), MACMINI as a apple device hosting VMWare, Apple iPad connecting to the Access Point and iPhone connected but not surfing the internet (seen as Apple iDevice since it generated little network traffic). This was done without using the new NMAP feature.

I verified findings by launching a NMAP scan and found a consolidated list of active devices. (Note this is the MR1.1 release however 1.1 includes NMAP as well)nmap Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Networkshot2 Cisco Identity Services Engine ISE 1.1 Profiling Identify And Monitor What Is On Your Network

Cisco Identity Services Engine ISE is a very powerful access control tool yet many forget the simple things in life. Consider ISE for identifying what is on your network using profiling as a network monitoring tool. Its a great first step to establish your network policy.

VN:F [1.9.22_1171]
Rating: 5.0/5 (2 votes cast)

1 Comment

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,