Comparing ASA Management: Internal vs. External Cisco Prime Security Manager Overview

Management of security devices is a critical function for maintaining the best performance and being aware of security-related events. Cisco has released their second generation of ASA, which includes new management options. This post will cover the new management interface and compare it to the previous options.


ASA CX and Cisco Prime Security Manager 9.2 Released – First Look

Cisco released 9.2 for ASA CX and Prime Security Manager on October 14th, 2013. I finally got around to updating my system, and so far some features are awesome while others can be improved with future releases. Here is a general overview of what CX 9.2 for the mid-range appliances has to offer. The formal release document can be found HERE.


Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.


The Business Value Of NetFlow : Why Invest In NetFlow Technology?

There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t use a specific attack to compromise targeted networks.


802.1X Challenges For Department of Defense

Aamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps, need to be protected. Applications, servers, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network. Network port protection lock down restricts anonymous access and prevents these “attacks”.

When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnaturally and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated. NAC-supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern-day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client’s device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.


Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

Cisco recently updated their flagship access control solution, Identity Services Engine ISE, labeled 1.1.1 or ISE 1.1MR (Maintenance Release). See more on ISE HERE. My team has received lots of questions around on-boarding new devices with ISE. This post will focus on this feature and assumes a standard ISE design is enabled for wireless access.


Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Cisco has posted the next release of their flagship security solution, Identity Services Engine ISE 1.1.1 or ISE 1.1MR. ISE 1.1.1 is coined a maintenance release; however, it includes some important new features, such as some themed around Bring Your Own Device (BYOD).

You can find the ISE 1.1.1 release HERE and the latest ISE 1.1.1 documents HERE, or go to www.cisco.com/go/ise for more information and http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation.


Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Cisco recently announced a partnership with Lancope to address Advanced Persistent Threat or APT type attacks. The reason Lancope / StealthWatch was added is that most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honey pots (example FireEye); however, advanced attacks, aka APTs, are bypassing these traditional security solutions.


Cisco Identity Services Engine ISE 1.1 Profiling – Identify And Monitor What Is On Your Network

Many network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges to their systems or, recently, the demand to bring personal mobile devices onto the network. For these and other reasons, the visibility on what is on the network is becoming blurred.
