Tag Archives: prime

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Profiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Some default profiles for Cisco ISE.

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Cisco WSA Main Dashboard

Cisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Main Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Ethel’s Windows 7 Workstation With Botnet

Ethel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Lancope Dataloss Diagram
Malware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Known Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as 802.1x, Access Control, anti-virus, botnet, botnets, Cisco, cisco cyber, Cisco NAC, cisco security solutions, cisco web security appliance, Clean Access, Compliance, computer threats, content filter, cyber threat defense, Flow, Guest Server, Home, Identity Services Engine, insider threats, iPad, iPhone, ironport, ISE, ISE.1.1, ISE1.0, ISE1.2, Joey, Joey Muniz, joseph, joseph muniz, LanCope, malicious websites, malware, McAfee, Muniz, NAC, NAC appliance, netflow, network access control, network security, network threats, network visibility, prime, Profiler, reputation security, Security, security with NetFlow, Sophos, Stealth Watch, StealthWatch, top network threats, virtual wsa, virus protection, web reputation, web security, webroot, wsa

January 8, 2013

The Business Value Of NetFlow : Why Invest In NetFlow Technology?

There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t use a specific attack to compromise targeted networks.

Successful attacks are typically made up of a number of chained exploits. A hacker may start with social engineering, deliver malware through phishing and gain internal access through compromised machines. Once the hacker has established a foothold into the internal network, he may spread rootkits through a hidden torrent like environment to communicate under the radar and steal information.

Defending against attacks like this is difficult to detect and to remediate. Point productions may catch a piece of the puzzle however you will need the complete picture to deal with sophisticated attacks. Solutions must have network wide visibility, which typically can be accomplished through logging, packet capture or network analysis. Logging requires security tools such as firewalls and IPS appliances spread across the network sending logs to a centralized system for event correlation and reporting. Analyzing packets usually requires collectors analyzing a tremendous amount of data obtained from key network segments. Network security and performance analytics can be obtained directly from network devices capable of providing NetFlow such as routers and firewalls.

Of the three methods, network analysis is becoming an extremely attractive method to defend against advanced threats since NetFlow can be harvested from existing devices.

What are the key reasons to invest in NetFlow when an organization has already invested in firewalls, anti-virus, IPS systems, and other security tools? Continue reading →

Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Security Management & Analysis

Tagged as advanced persistent threat, APT, buying netflow solutions, Cisco, Compliance, cyber criminals, Data Loss Prevention, DLP, FlowSensor, hacker, Home, Identity Services Engine, ISE, Joey, Joey Muniz, joseph, joseph muniz, LanCope, mobile, Muniz, NAC, NAC appliance, netflow, network access control, network performance, network performance monitoring, network security, network visibility, network wide visibility, packet capture, prime, Security, sflow, Stealth Watch, StealthWatch

September 17, 2012

802.1X Challenges For Department of Defense

Aamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps need to be protected. Applications, server, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network. Network port protection lock down restricts anonymous access and prevents these “attacks”.

When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnatural and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated. NAC supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the clients’ device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. Continue reading →

Rating: 4.0/5 (1 vote cast)

3 Comments

Filed under Network Admission Control

Tagged as 802.1x, aamir, Aamir Lakhani, Access Control, ACS, ACS5.0, ACS5.1, ACS5.2, CAM, CAS, certificate authority, ChapCrack, Cisco, Cisco NAC, Clean Access, cloud centrics technology, Compliance, Department of Defense, DISA, dod, EAP, EAP-TLS, EAP-TTLS, Guest Server, Home, Identity Services Engine, IEEE, ISE, ISE1.0, ISE1.1, ISE1.1.1, ISE1.1MR, Joey, Joey Muniz, joseph, joseph muniz, Lakhani, mandates, military standards for networks, MS-CHAPv2, Muniz, NAC, NAC appliance, network access control, Network port protection, network security, PEAP, PNAC, prime, Profiler, Radius, RADIUS Cisco, Security, supplicant, V-7542, wireless security, World Wide Technology, world wide technology inc., wwt

August 23, 2012

Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

Cisco recently updated their flagship access control solution Identity Services Engine ISE label 1.1.1 or ISE 1.1MR (Maintenance Release). See more on ISE HERE. My team has received lots of questions around on-boarding new devices with ISE. This post will focus on this feature and assumes a standard ISE design is enabled for wireless access.

On-boarding simply means brining a new device onto the network for the first time. This process includes certificate enrollment and profile provisioning without involving IT as well as little interaction with the end user. ISE 1.1MR accomplishes these goals levering an existing Certificate Authority, user database such as Active Directory and ISE framework.

The ISE on-boarding process can vary however will be explained as having a new device connecting to a SSID specified for on-boarding new devices (can be open or secured with PEAP). Devices that connect to the on-boarding SSID will be redirected to a guest registration portal. The user will authenticate, which will trigger the certificate enrollment and profile provisioning process. Parameters to connect to the internal secure SSID will be included with the configuration profile that is provisioned to the mobile device post authentication. From that point on, the device will use the internal SSID for network access, which may have different ISE authorization rules depending on the design. Devices that fail to complete the on-boarding process will default to ether a guest SSID or be denied access depending on the desired policy.

WIRELESS: On-boarding can be designed many ways however for this post we will use two SSIDs called Provisioning_Wireless for new devices and Employee_Wireless for existing approved devices. An accesslist limiting access to ISE, DHCP and DNS will be enabled to prevent devices from staying on the provisioning SSID. A possible configuration for both SSIDS could be as follow

Attribute: Provisioning_Wireless / Employee_Wireless
Broadcast SSID: Enable / Enable
Layer2 Security: None / WPA+WPA2
MAC Filtering: Enable / Disabled
WPA+WPA2 Parameters: None / WPA2 Policy, AES, 802.1x
Layer 3 Security: None / None
AAA Server: ISE / ISE
Advanced: AAA Override Enabled / AAA Override Enabled
Advanced: NAC State – Radius NAC / NAC State – Radius NAC

To build this, go to WLANs > Create New > Go and fill out the profile details. Use NONE for the layer 2 settings so it’s OPEN. For AAA, set the Radius server for ISE. Under advanced, enabled Allow AAA Override and change the NAC state to Radius NAC. Go to Controller > General > Fast SSID change and enabled Fast SSID to help speed up the SSID changing.

ISE: (1) First in ISE setup Active Directory by going to Admin > External Identity Sources > Active Directory and join ISE to an AD system.

(2) Next go to Admin > External Identity Sources > Certificate Authentication Profile > ADD to define the certificate authentication profile (name it and choose Common Name for X509).

(3) Next define an Identity Source Sequence by going to Admin > Identity Source Sequences > Add. Give it a name, enabled and select the certification profile you just created then add AD for the authentication search list.

(4) Next configure ISE to act as a Simple Certificate Enrollment proxy server (SCEP). Go to Admin > Certificates > SCEP CA Profiles > Add. After defining your SCEP server, ISE will download the RA and root CA certificates of the CA server (this can be verified uner the certificate store via SYSTEM > Certificate > Certificate Store).

For this scenario, we will configure ISE authentication to use MAB for on-boarding new devices. It many cases, ISE will not know the MAC address in advance so it must be configured to continue the authentication process via redirection regardless.

This is done in ISE:

(1) Going to Policy > Authentication, choose your MAB wireless policy, click the carrot after allow protocols to show the user options and click the + sign for use.

(2) Select IF USERS NOT FOUND, CONTINUE. As a reminder, ISE Authentication policies are verified top down so make sure your MAB policy used for BYOD is at the top and open for all identity stores. You should lock down the 802.1x wireless to only wireless certificates.

Client provisioning is based on how ISE classifies the client machine. There are customized packages in ISE available that include a software-provisioning wizard, which configures 802.1x settings and ability to obtain digital certificates on the endpoint.

To download wizard packages in ISE, go to Policy Elements > Results > Client Provisioning > Resources > Add. Common mobile devices such as iOS typically have these settings enabled natively so a wizard is not needed.

To configure client provisioning in ISE:

(1) Go to Policy Elements > Results > Client Provisioning > Resources > Add.

(2) Create a native suppliant profile by giving it a name, selecting the Wireless Checkbox, your on-boarding SSID, WPA2 for security, TLS for allow protocals and key size 2048.

(3) Next go to Policy > Client > Provisioning to build your provisioning resources. Create one for native devices and select the mobile profile you just created for the results (example RULE = IOS, Identiy Group = Any, Operating systems MAC IOS ALL and your new mobile profile for results).

(4) Create another that is similar however use Android for the operating systems. Create a third for generic MacOsX devices and use the downloaded wizard. You may also want to create a separate one for Wired and Wireless. The same goes for two more to cover wireless and wired Windows devices. Here is an example of my Client Polices

The final steps are verifying profiling for wireless is working as well as your authorization profiles are setup for redirection, employee and guest access (see previous postings for these configs). These can vary depending on how you want to restrict devices that pass and fail your polices.

Written by Joseph Muniz and Aamir Lakhani

Reviewed by Aman Diwakar and Brian Trulove

Rating: 5.0/5 (1 vote cast)

3 Comments

Filed under Bring Your Own Device BYOD, Network Admission Control

Tagged as 802.1x, Access Control, bring your own device, bring your own technology, byod, CAM, CAS, Cisco, Cisco NAC, Clean Access, Client Provisioning, Enhanced Client Provisioning, Guest Server, Home, Identity Services Engine, iPad, iPhone, ISE, ISE advance license, ise lab, ISE new device, ISE new features, ISE1.0, ISE1.1, ISE1.1.1, ISE1.1MR, Joey, Joey Muniz, joseph, joseph muniz, Maintenance Release, mobile, mobile certificate, mobile device, mobile device management, mobile device security, Mobile phone security, Muniz, NAC, NAC appliance, NAC to ISE, network access control, network security, on boarding, on-boarding SSID, prime, Profiler, testing mobile security, trustsec, wireless security, World Wide Technology, world wide technology inc., wpa2, wwt

July 11, 2012

Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Cisco has posted the next release of their flagship security solution Identity Services Engine ISE 1.1.1 or ISE 1.1MR. ISE 1.1.1 is coined a maintenance release however includes some important new features such as some themed around Bring Your Own Device (BYOD).

You can find the ISE 1.1.1 release HERE and latest ISE 1.1.1 documents HERE or go to

www.cisco.com/go/ise for more information and

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation

Here is a breakdown of what is new with ISE 1.1.1

New Default Authorization Profile (“Blacklist”) - ISE 1.1.1 can now “blacklist” user devices that get “lost,” or otherwise become unusable or taken out of circulation, until the device can be reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes “blacklisted” devices from the network and thay are not allowed back on until the device is reinstated

Dictionary Attribute-to-Attribute Authorization Policy Configuration - You now have the option, when constructing policy conditions in an Authorization Policy, to specify another Dictionary Attribute to which you can associate the source Attribute during policy configuration

New Device Registration Task Manager - New visual path through the various Cisco ISE 1.1.1 administration and configuration processes necessary to enable administrators to set Cisco ISE 1.1.1 up to provide multiple, configurable device support for end users

Native Supplicant Provisioning Profile Configuration - Configure native supplicant profiles for client provisioning in addition to the existing “ISE Posture Agent Profiles” currently available in Cisco ISE Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones/iPads and Android

Enhanced Client Provisioning Policy Configuration - You can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones/iPads and Android. For the personal device support, specifically, you can configure the policy to upload the appropriate configuration wizard necessary to enable the user’s device to negotiate and register with Cisco ISE 1.1.1 (NOTE: In my example below, I’m using the IOS and Android native while I downloaded from Cisco wizards for MAC OX and Windows.)

SCEP Authority Profile Configuration Page - Enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies maintains connectivity with the SCEP authority server(s) you specify, and even performs load-balancing among multiple servers to ensure optimal connectivity for users when they use their personal devices to access the network

RADIUS Proxy Attribute - Enhance the RADIUS sequence flows and processing. When Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decisions making based on additional attributes and groups queried from AD and LDAP.

EAP Chaining - Allows authenticating both machine and user in the same EAP-FAST authentication in a configurable order. When EAP-FAST authentication result is determined, Cisco ISE 1.1.1 allows you to apply authorization policy depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs usual EAP-FAST authentication.

EAP-TLS as an Inner Method for EAP-FAST- Allows usage of EAP-TLS protocol as an inner method for EAP-FAST protocol. The implementation is equal to usage of EAP-TLS as inner method of PEAP

Device Registration Portal - A standalone portal that can be completely customized to suite your organization. A network access user who is configured as an employee in an organization can access the portal that allows them to bring in their personal devices into an enterprise network through an employee authentication, and then a device registration process. An employee can manage their devices to add, edit, reinstate, and delete their devices through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database, and profile them like any other endpoint. The Cisco ISE 1.1.1 administrators can manage the registered endpoints from the administrator user interface, by using the identities list and reports

New Reports in Cisco ISE 1.1.1
- Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.
- Registered Endpoint Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time.
Change of Authorization - Triggers a CoA when an endpoint is added or removed from an endpoint identity group that is used by authorization policy. Any change in an endpoint identity group assignment for an endpoint that occurs due to dynamically profiling or a static assignment to an endpoint identity group, a CoA is triggered in both the cases

Go download the latest ISE 1.1.1 release. The upgrade process will take you around 30 minutes to complete. Here what it will look like.

ISE-10MR2/admin# application upgrade ise-appbundle-1.1.1.268.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory… Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
% This application Install or Upgrade requires reboot, rebooting now…
Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
The system is going down for reboot NOW!

Rating: 5.0/5 (7 votes cast)

23 Comments

Filed under Network Admission Control

Tagged as 802.1x, Access Control, ACS, ACS5.0, ACS5.1, ACS5.2, blacklist, bring your own device, byod, CAM, CAS, Cisco, Cisco Identity Services Engine (ISE), Cisco NAC, cisco security, cisco trustsec, Clean Access, Compliance, Device Registration Portal, Dictionary Attribute, EAP-TLS, Enhanced Client Provisioning, Guest Server, Home, Identity Services Engine, iPad, iPhone, ISE, ISE 1.1 MR, ISE 1.1.1, ISE 1.1MR, ISE blacklist, ISE BYOD, ISE EAP-TLS, ISE maintenance release, ISE NAC, ISE release, ISE Supplicant, ISE update, ISE upgrade, ISE1.0, ISE1.1.1, Joey, Joey Muniz, joseph, joseph muniz, mobile, Muniz, NAC, NAC appliance, Native Supplicant Provisioning, network access control, network security, onboarding, prime, Profiler, RADIUS Cisco, RADIUS Proxy Attribute, SCEP, Security, trustsec, wireless security, World Wide Technology, world wide technology inc., wwt

May 24, 2012

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Cisco recently announced a partnership with Lancope to address Advanced Persistent Threat or APT type attacks. The reason Lancope / StealthWatch was added is most security solutions are based on signatures or behavior to identify threats. Some newer technologies are leveraging reputation (see my post HERE) or honey pots (example FireEye) however advanced attacks aka APTs are bypassing these traditional security solutions.

APTs are typically customized for a specific target and designed to stay under the radar using technics such as throttling network usage, communicating through standard ports, encryption and other means that bypass common security solutions. Examples of common security devices are Firewalls, IPS/IDS, Content filters, Anti-Virus / Anti-Malware, and other technologies that operate on a “probe” type design meaning they can only see traffic in a specific network segment. The APT problem becomes difficult to address with traditional tools due to lack of ability to detect the methods APTs operate on the network as well as difficultly to places detection technology in all network areas monitoring all layers of the network stack.

Some recent offerings to combat the APT threat are packet level and flow based monitoring solutions (Lancope being flow based). Both approaches look at all network traffic and flag anomalies that would bypass other security technology. Both views have pros and cons however one clear advantage of using NetFlow is many network devices are capable of generating flows which makes it more cost effective than capturing and storing packet level data. I’m not saying packet level monitoring is a bad however storage requirements tend to quickly raise the price tag of this approach.

Lancope StealthWatch works by viewing any host with an IP address that creates TCP/IP traffic on the network. Lancope collects metadata on hosts and builds a profile of behavior. Network hosts connected to devices such as switches, routers and firewalls generate flows of information which typically are NetFlow or sFlow. As flows are collected, Lancope aggregates, normalizes and analyzes NetFlow telemetry data to detect threats and suspicious behavior. Lancope can also integrate with Cisco Identity Services Engine aka ISE by taking in contextual information such as User Identity, Endpoint Device Profiling and Posture information. Lancope essentially enables security monitoring on network devices. This dramatically improves the time to identify and react to threats. We had one customer identify some malware that apparently had been active for months throttling its communication phone home patterns to bypass their IPS and SIEM solution.

MY Lancope LAB

When logging into the management interface of Lancope StealthWatch, you first have to launch a Java session.

Once launched, the management interface of Lancope looks like this.

I have specific dashboards that come up which are customizable. Lancope offers TONs of reports that can pop up upon login. NOTE: My Lancope lab is using dummy data. Below is a breakdown of some of that data via the fake hosts, network devices and ISE system.

This Lancope dashboard shows traffic by hosts and bandwidth usage.

This shows a flow table in my Lancope lab. Flows are typically one way communications (Cisco ASAs are the only exception). Lancope stitches flows together so admins can easily see the full communication chain between hosts.

This Lancope diagram shows a global map of host relationship usage.

Here is a Lancope report showcasing user integration with Cisco Identity Services Engine aka ISE. Notice how inside Lancope, you can see who the users are , where they are located and what type of devices they have on the network utilizing the authorization and profiling capabilities of Cisco ISE.

The Lancope StealthWatch solution, Cisco NAM and Cisco Identity Services Engine or ISE integration is Cisco’s new flagship story to address advanced cyber threats aka APTs. I believe its critical to monitor flow or packet level data since in many cases, its the only way to identify and defend against advanced threats designed to bypass traditional security products. The scary thing about technology such as Lancope is what you will find when you first set it up in your environment. In many cases, customers find they are already owned and have been for a long time.

Rating: 5.0/5 (5 votes cast)

4 Comments

Filed under Network Admission Control, Security Management & Analysis

Tagged as 802.1x, Access Control, Adaptive Security Appliances, asa, Cisco, Cisco Identity Services Engine (ISE), Cisco NAC, Cisco NAM, cisco security, Clean Access, Compliance, Continuous Audit, Continuous Controls Monitoring, Continuous Monitoring Architecture, Continuous Monitoring Solution, Continuous Transaction Inspection, cyber attacks, cyber landscape, cyber security, cyber threats, Data Loss Prevention, DLP, flow security, FlowSensor, Home, Identity Services Engine, iPad, iPhone, ISE, ISE 1.1MR, ISE.1.1, ISE1.0, Joey, Joey Muniz, joseph, joseph muniz, LanCope, mobile, mobile device, monitoring, Muniz, NAC, NAC appliance, NAM, Near Real-Time, netflow, netflow security, network access control, network scanning, network security, network visibility, prime, Profiler, Security, sflow, sflows, StealthWatch, trustsec, VPN, World Wide Technology, world wide technology inc., wwt

May 14, 2012

Cisco Identity Services Engine ISE 1.1 Profiling – Identify And Monitor What Is On Your Network

Many network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges to their systems or recently the demand to bring personal mobile devices onto the network. For these and other reasons, the visibility on what is on the network is becoming blurred.

Cisco released its flagship access control solution Cisco Identity Services Engine ISE last year with the goal of using identity as a means to provision network access. Many people evaluating Network Admission Control solutions get caught up with the concept of denying rather than understanding a core purpose of these solutions is identification. Cisco ISE is able to profile devices using a number of network probes that analyze the behavior of devices on the network to determine what they are. Probes are optional yet best practice is to enable as much as possible to gain the best network visibility. Some options for probes are Netflow, DHCP, DHCP SPAN, HTTP, Radius, NMAP, DNS, SNMP Query and SNMP Traps. Ports used are configurable as well as device profiles. For example, if a Avaya phone requires DHCP as a requirement for identification, that requirement can be adjusted if DHCP is not available.

To prove the ISE network monitoring concept, I stood up a ISE system on a small server, enabled all profiling probes and let it sit on my network overnight. ISE did not have AAA setup, user information, 802.1x or device management enabled. Consider this ISE system a server / laptop plugging into a DHCP port and sniffing the wire using profiling probes.

My network is very basic. I have a small Cisco Firewall providing LAN access with a ROKU Netflixs player, Blue Ray device (off during test) and Cisco Access Point powered from the firewall. ISE was able to identify my laptop as a Apple Workstation running Lion, my printer as a Canon device (I turned it on for 5 minutes to scan a document and powered it down), MACMINI as a apple device hosting VMWare, Apple iPad connecting to the Access Point and iPhone connected but not surfing the internet (seen as Apple iDevice since it generated little network traffic). This was done without using the new NMAP feature.

I verified findings by launching a NMAP scan and found a consolidated list of active devices. (Note this is the MR1.1 release however 1.1 includes NMAP as well)

Cisco Identity Services Engine ISE is a very powerful access control tool yet many forget the simple things in life. Consider ISE for identifying what is on your network using profiling as a network monitoring tool. Its a great first step to establish your network policy.

Rating: 5.0/5 (2 votes cast)

1 Comment

Filed under Network Admission Control

Tagged as 802.1x, Access Control, ACS, ACS5.0, ACS5.1, ACS5.2, authentication, Authorization, bring your own device, bring your own technology, byod, CAM, CAS, Cisco, Cisco NAC, Clean Access, Compliance, DHCP, DHCP SPAN, end point management, Guest Server, Home, Identity Services Engine, iPad, iPhone, ISE, ISE.1.1, ISE1.0, ISE1.1, ISE1.1MR, Joey, Joey Muniz, joseph, joseph muniz, mobile device management, Muniz, NAC, NAC appliance, netflow, network access control, network monitoring, network policy, network profiling, network security, nmap, prime, Profiler, profiling, Radius, Security, snmp, trustsec, wireless security, World Wide Technology, world wide technology inc., wwt

May 8, 2012

Configuring Cisco LAN Manager LMS 4.2 To Assess Your Network And Check Compliance

Cisco’s flagship network management solution LMS has come a VERY long way. I was a Cisco LAN Manager LMS hater for a long time however the latest version is a completely new program. I’m now using LMS as my go to assessment tool and extremely happy with its capabilities. Here are a few steps to setup your own Cisco LMS environment.

Go to www.cisco.com/go/LMS and download the latest LMS software (4.2). You will have a full 90-day license upon installation. The requirements for LMS are pretty large however they offer a few options regarding storage (thick takes up around 270 gigs even though its not all used while thin uses around 90 gigs). See the cisco LMS website on the exact specs. I’m currently using ESXI 5 on a customized MACMINI to host my LMS 4.2.

You will be prompted with standard questions upon starting up LMS via command line (IP, Default Gateway, DNS, NTP, Passwords, etc.). Fill out the questions and let the installation complete. Once complete, you should be able to access the LMS 4.2 GUI using your IP:1741 (ex 192.168.45.12:1741).

Login with the username and password you created during the setup. You will hit the LMS Getting Started landing page (also found under the admin tab).

To start capturing network devices, click device management / device addition. Use the workflow to walk through adding devices. First add Credentials (IE login name, Cisco CCO, passwords and SNMP). Next a Policy (IE IP scope to be scanned). The last step is adding Devices. You can do this manually or by bulk. Best practice is to ensure your credentials are setup properly by manually adding one device. Click the manually add a device and try adding one device using the credentials you created.

To launch a capture in LMS, click edit custom discovery. LMS 4.2 offers many ways to discover the network. You can choose a “seed” as a starting point from which LMS captures meaning you can select a device and discover neighbor devices from that point. Options for device captures include ARP, BGP, OSPF, Routing tables, CDP, CCDP, Ping, Cluster Discovery Module, and HSRP. Like most Network Management Systems, SNMP is a foundational element of read-only communications from the network devices to the management platform in LMS 4.2. Options are SNMP V1, V2 and V3. Chose how you want new devices labeled / organized and launch the capture. As devices are discovered and logged, your LMS DCR count will increase.

Click on Inventory to see your network

Under Reports you will find a TON of options for reports. My favorites are detailed device information, Hardware / Software statistics, IPV6 support, and Utilization reports. One huge add on with the new LMS 4.2 release is the Compliance and Audit report. It includes a End of Sale / Life report for Cisco hardware and software, Smartnet contract verification and a ton of compliance reports such as HIPPA, NSA’s best practices, PSIRT (Cisco Security Advisory), etc.

The LMS Work Centers tab has an awesome dedicated section for 802.1x. It shows if your devices are 802.1x capable and provides methods to update software and push down configurations using step-by-step templates. This is huge for those looking at 802.1x via Cisco ACS or Identity Services Engine ISE.

There are other dashboards to check out like Energy Wise (aka ability for switches to reduce power for POE devices during non business hours), Medianet (optimizing the network for collaboration technologies), etc. Lots of good stuff. Its worth checking out the latest LMS. Hopefully this guide helps!

Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Security Management & Analysis

Tagged as 4.2, 802.1x, :1741, ACS, CIS, Cisco Lan Manager, Cisco Security Advisory, Compliance, configure LMS, end point management, Energy Wise, hippa, Home, Identity Services Engine, ISE, ISE1.0, ISO, Joey, Joey Muniz, joseph, joseph muniz, LMS, LMS 4.2, LMS lab, MACMINI, Medianet, Muniz, network access control, network assessment, network assessments, network compliance, network security, NSA, NSA best practices, prime, PSIRT, Security, snmp, sox, trustsec, Work Centers, World Wide Technology, world wide technology inc., wwt, www.cisco.com/go/LMS

March 20, 2012

Cisco Identity Services Engine 1.1 Update Is Now Available – Some Details On The Release | ISE

Cisco Identity Solutions Engine 1.1 Update Is Now Available ISE

ISE 1.04
ISE 1.1

Cisco recently released the latest update for Identity Solutions Engine (ISE). Below are some features and findings. My team has been running this in the lab for a while and so far it’s been rock solid. For those who have seen Cisco Prime Network Control System (NCS), the ISE GUI now has the same theme (see the pictures above and below).

ISE 1.04

ISE 1.1

FEATURES

Common Criteria Certification – This release will be submitted for Common Criteria Certification, which is a requirement for many federal agencies.
FIPS – ISE 802.1x services with Common Access Card (CAC) including NAC & AnyConnect Agent
IOS Sensor on 15.0(1) SE1 for Cat 3000 and IOS 15.1(1) SG for CAT 4000. This is a huge for Profiling since it’s the first time Cisco is leveraging the switches for profiling data rather than probing from the ISE server down (like all other profiling type solutions). It makes sense to do this since typical information being probed is already available on switches.* Catalyst 2000 support and DHCP data for IOS Sensor will come later.
Active Endpoint Scanning – Manual scan and specific scan action per profile template
Endpoint protection services aka (Blacklisting devices) – Enable administrators to quarantine devices by IP or MAC address.

Multiple language support for guest, sponsor and client provisioning portals.
NAC agent, AnyConnect NAM client, ISE user input fields and reports.
Guest without Logon (Device registration WebAuth). Simple URL for Sponsor Portal Access (A simple, short link). Custom Portal Theme
OCSP Support
NTP Server authentication
External Authentication for Administrators (including CAC)
ISE VM Appliance will include VMWare Tools
SGA Out Of Band PAC Provisioning
SGACL Monitor Mode
NMAP added to profiling

Screen Shot 2012 03 24 at 9.31.47 PM 300x148 Cisco Identity Services Engine 1.1 Update Is Now Available Some Details On The Release | ISE

SOME OTHER THINGS TO NOTE ABOUT THE ISE 1.1 RELEASE:

There are some Internet Explorer 8 problems that are performance related. The current release notes claim “be patient” and “click several times”.
There are some disk space and performance issues on the UCS SATA-2 storage systems.
We have been running it on vshpare 5.0 without a problem even though 4 is the supported platform. Same goes for ISE 1.04
ISE IPEP will need to be disconnect and use Certificate Based Authetnication to connect to a PAP prior to upgrade http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html#wp248769 - IPEP Bug CSCtu39612

ISE 1.1 release notes can be found HERE

Rating: 5.0/5 (2 votes cast)

5 Comments

Filed under Network Admission Control

Tagged as 802.1x, Access Control, ACS, ACS5.0, ACS5.1, ACS5.2, CAM, CAS, Cisco, Cisco NAC, Cisco Prime, Cisco Prime Network Control System, Cisco Prime Network Control System 1.1, Clean Access, Guest Server, Home, Identity Services Engine, ISE, ISE march, ISE release, ISE.1.04, ISE.1.1, ISE1.0, Joey, Joey Muniz, joseph, joseph muniz, Muniz, NAC, NAC appliance, NCS, network access control, network security, prime, Profiler, Security, World Wide Technology, world wide technology inc., wwt

August 29, 2011

Cisco Identity Services Engine ISE 1.0.4 Released

Information on the Cisco Identity Services Engine ISE 1.0.4 release:
Highlights of Cisco Identity Services Engine ISE 1.0.4
Release notes for Cisco Identity Services Engine ISE 1.0.4

Here is a summary of the Cisco Identity Services Engine ISE 1.0.4 release:

1) Integrating Cisco NAC Appliance, Release 4.9 with ISE 1.0.4. and available when you have installed an advanced or wireless license on the maintenance release of Cisco ISE. This is important for customers with NAC appliance looking to add profiling. Cisco NAC profiler appliance technology is no longer for sale so this new release permits using ISE 1.0.4 as a profiling element for NAC appliance installations.

2) New Wireless License options enable the same number of endpoints on existing ISE 1.0.4 Base and Advanced License package

3) Upgrade and Backup/Restore Enhancements: Upgrade ISE 1.0 to ISE 1.0.4. Migrate from ACS 5.1/5.2 to ISE 1.0 and then upgrade to ISE 1.0.4. Do not directly migrate from ACS to ISE 1.0.4

4) Administrator lockout following failed attempts and administrator password reset: In the new release, you can lockout your admin account after a failed number of login attempts. The instructions on how to reset the “locked” administrator password are described in the “Performing Post-Installation Tasks” chapter of the Cisco Identity Services Engine Hardware Installation Guide, Release ISE 1.0.4.

5) Client support for Windows Internet Explorer 9 and Mozilla Firefox 4.x browsers and the Mac OS 10.7 operating system

6) Cisco ISE 1.0.4 does not consume advanced licenses when endpoints are statically assigned to a profile

7) Profiling update: Correlating IP addresses and MAC addresses of endpoints using DHCP and RADIUS probes. The Cisco ISE 1.0.4 release implements an ARP cache in the profiler service so that you can reliably map IP addresses and MAC addresses of endpoints.

8) Some Cisco ACS-to-Cisco ISE 1.0.4 Migration updates

Rating: 3.7/5 (3 votes cast)

Tag Archives: prime

Cisco’s Cyber Solutions – What Is Happening In Your Network

The Business Value Of NetFlow : Why Invest In NetFlow Technology?

Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Identifying Advanced Persistent Threats ATP Using Netflow – Lancope StealthWatch Overview And Lab

Cisco Identity Services Engine ISE 1.1 Profiling – Identify And Monitor What Is On Your Network

Configuring Cisco LAN Manager LMS 4.2 To Assess Your Network And Check Compliance

Cisco Identity Services Engine 1.1 Update Is Now Available – Some Details On The Release | ISE

Cisco Identity Services Engine ISE 1.0.4 Released

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll