Tag Archives: web security

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Profiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Some default profiles for Cisco ISE.

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Cisco WSA Main Dashboard

Cisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Main Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Ethel’s Windows 7 Workstation With Botnet

Ethel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Lancope Dataloss Diagram
Malware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Known Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as 802.1x, Access Control, anti-virus, botnet, botnets, Cisco, cisco cyber, Cisco NAC, cisco security solutions, cisco web security appliance, Clean Access, Compliance, computer threats, content filter, cyber threat defense, Flow, Guest Server, Home, Identity Services Engine, insider threats, iPad, iPhone, ironport, ISE, ISE.1.1, ISE1.0, ISE1.2, Joey, Joey Muniz, joseph, joseph muniz, LanCope, malicious websites, malware, McAfee, Muniz, NAC, NAC appliance, netflow, network access control, network security, network threats, network visibility, prime, Profiler, reputation security, Security, security with NetFlow, Sophos, Stealth Watch, StealthWatch, top network threats, virtual wsa, virus protection, web reputation, web security, webroot, wsa

October 2, 2012

Defending Against Google Hacking : Know What Can Be Found On Search Engines

Its shocking how organizations are compromised due to administration carelessness such as using default passwords or advertising sensitive information on public sources. Many companies purchase top dollar security solutions however fail at addressing the most common security weakness; enforcing thorough security policies. One popular reconnaissance technic known as Google Hacking (however can use other search engines) can expose confidential information, vulnerabilities and login credentials using Internet search engines. Here are some tips to avoid being abused by Google Hacking or other reconnaissance techniques.

Strong Passwords:

Anything facing the Internet should have very strict security policies implemented to defend against hackers. For starters, all default passwords should be changed using a strong policy. Strong password formats do not contain words found in spoken languages including changing letters to other characters (IE: Ex@mp1e would be considered weak). An example of a good password format is using the first or last letter of a sentence plus numbers and special characters (IE: This Blog Talks About Many Crazy Things CONVERTED WITH FIRST LETTER OF EACH WORD = tbtamct135@!). Also length, expiration time and number of factors impact password security strength. More on passwords can be found HERE

HERE is an example list of default passwords for popular network devices. It’s common to uncover default logins on small neighborhood wireless networks however my team finds default information on large corporate systems as well using targeted Google Hacking queries. Some examples are searching #-Frontpage- inurl:administrator.pwd or inurl:odbc.ini ext:ini –csv for Microsoft and ODBC passwords. Some automated hacker tools use Google Hacking queries to gather system information prior to launching exploits and password cracking efforts. Don’t be a victim to weak passwords!

Know What Is Public Facing:

It is key to protect sensitive information such as vulnerability reports, employee information and confidential records. There are great tools available to audit for sensitive information such as data loss prevention products and compliance tools (more on DLP HERE). Crazy enough, sometimes administrators unknowingly let audit results for confidential information leak to public search engines. One example is searching for audit report headers (IE “This Report Was Generated By Nessus”) to identify vulnerable targets without setting off alarms using penetration testing techniques. Another example is searching for phases such as Classified via intext:classified COMPANY to find sensitive corporate information. Its shocking what is out there.

Some fun search terms are looking for cameras using queries such as Linksys inurl:main.cgi or ViewerFrame?Mode= . Be careful, some people don’t know they are in front of a live camera. Seriously, try it! You can move around cameras and see different parts of the world

Continue reading →

Rating: 5.0/5 (1 vote cast)

3 Comments

Filed under Internet Defense

Tagged as Access Control, Cenzic, Cisco, cisco-linksys, Compliance, Creating Secure Passwords, cross site scripting, Data Loss Prevention, default passwords, DLP, exploits, GHDB, Google Hacking, Google search engine, hacking passwords, Home, iPad, iPhone, Joey, Joey Muniz, johhny.ihackstuff.com, Johnny Long, joseph, joseph muniz, linksys, linksys camera, McAfee, mobile, mobile device, Muniz, nessus, network access control, network audit, network security, password security, passwords, pen testing, Penetration Testing, Radware, robots.txt, secure passwords, Security, security audit, Tenable, vulnerabilities, vulnerability, Web applications, web reconnaissance, web security, World Wide Technology, world wide technology inc., wwt, yahoo

August 15, 2012

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Today’s Internet is a dangerous place. Imagine a small village with law and order surrounded by a wall keeping out miles of ungoverned ruthless territory. Most known websites surfed daily by your users make up a small percentage of the total Internet. The remaining 80% or more of uncategorized websites are contaminated with Botnets, malware and short-lived websites targeting your users. Many of these malicious websites are embedded in trusted sites such as social networks by hiding in advertisements or silly links posted by your friends. The best protection for this threat vector is limiting Internet usage to trusted websites and monitoring those websites for malicious applications.

The most common method to protect users while surfing the Internet is leveraging a web security solution. I wrote a post about this HERE. Cisco has two web security flavors, which are a dedicated proxy and application firewall add-on. The dedicated proxy, known as the Web Security Appliance (WSA) came from the acquisition of IronPort. Cisco replaced its content filter module for their ASA firewalls based on McAfee technology with an application aware addition known as CX Context-Aware. There are many overlapping features between the two approaches however there is a clear distinction when to choose one over the other.

Both CX and WSA provide features expected from a web security solution. Both CX and WSA offer the ability to monitor and control what type of websites are available for users based on categories (examples Adult, Hate, Gambling, etc.). Both CX and WSA include reputation controls meaning ability to blacklist known malicious websites (more on reputation HERE). Both CX and WSA can limit or deny traffic types based on user groups such as denying Skype, throttle download speeds and target specific applications (example permitting Facebook while denying Farmsville for employees 9am-5pm). Both solutions can scale beyond the internal network using VPNs to route traffic from remote users.

CX DASHBOARD (click to see larger)

CX Web Categories

IronPort WSA Categories

WSA Reputation Score Settings

Features offered by IronPort not included with CX are focused on what happens after traffic passes reputation and content policies. WSA offers anti-malware scanning licenses for McAfee, Sophos and Webroot for any traffic tagged as “grey” meaning traffic that passes the reputation blacklist but not considered completely trusted or “white-listed”. These signature-based verdict engines are licensed separately and can be stacked to provide a wide range of scanning capability. WSA also offers a dedicated layer 4 Botnet scanner targeting phone home communication from infected machines. These additional features provide more layers of defense beyond common application firewall technologies including Cisco CX.

Some other differences are based on the design and implantation of WSA and CX. The WSA is a dedicated proxy, which can be deployed using host inline proxy settings or directing network traffic to the WSA using WCCP. The CX uses policy maps routing traffic seen by an ASA through the CX addition. WSA includes caching to improve network performance. WSA can direct traffic through a DLP solution adding network based DLP scanning (A possible roadmap is including DLP in the appliance as a add-on license similar to the IronPort Email Security Appliance). Cisco roadmaps show IronPort offerings will include a virtualized option in the near future. Probably the most important CX design consideration is today Cisco ASA 5500X can either leverage CX or IPS however not both simultaneously. CX is also not available on some ASA 5500X models such as 5585-40s and 5585-60s. Expanding CX to other ASA models and dual IPS CX support are roadmap items at this time.

To summarize, its best to consider Cisco CX for essential web security meaning content filtering and reputation based protection. The CX is also a viable option if you don’t require IPS from your ASA 5500X. WSA is suited for Comprehensive web security meaning content filtering, reputation protection, malware scanning and layer 4 botnet awareness. WSA is also a dedicated proxy providing performance benefits as well as design options such as including Data Loss Prevention. If you desire your ASA to include IPS functionality, today you will need to consider a WSA to handle web security. Hopefully this post helps with distinguishing when to choose CX or IronPort WSA.

Rating: 5.0/5 (4 votes cast)

2 Comments

Filed under Internet Defense

Tagged as 5585, 5585-20, 5585-40, 5585-X, Adaptive Security Appliances, anti-malware, anti-virus, application, application firewall, application firewalls, asa, blue coat, Bluecoat, botnet, botnet scanner, Botnet Threat Mitigation, botnets, Cisco, cisco cx, Compliance, context-aware, CX, Data Loss Prevention, DLP, ESA, Home, Iron Port, ironport, Joey, Joey Muniz, joseph, joseph muniz, layer 4 scanner, layer 7 firewall, layer 7 firewalls, malware, malware defense, mobile, mobile device, MSA, Muniz, network security, palo alto, palo alto networks, proxy, S-Series, S170, S370, S670, secure facebook, Security, security apps, web proxy, web security, web security appliance, web sense, web washer, websense, World Wide Technology, world wide technology inc., wsa, wwt

July 2, 2012

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Many corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of a network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network Policy requirements can change based on device type, time of day and user role. Its key that network policy is automatically enforced rather than something end-users choose to abide by or most likely will fail when most needed.

Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in a email) or users bringing devices infected with malware most likely obtained while surfing websites that violate network policy. Its also common to see users violate security controls if it impacts their work flow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.

Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.

The problem with these solutions is scalability. Most content filers require either user devices to be configured inline (hardcoding proxy settings) or routing traffic to the device (example WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not cooperate assets such as mobile devices.

ScreenShot2012 06 04at92743PM Enforcing Network Policy Internally, Remotely And To Mobile Devices

(Cisco’s Web-Security Portfolio)

A common solution that addresses external devices is VPNs routing traffic through network policy enforcement solutions (example Cisco AnyConnect with Ironport or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (example Citrix). Sandboxes work well however may encourage the wrong user behavior such as emailing information to a g-mail account to bypass the sandbox. One solution I like is Cisco’s OEAP which extends the internal network (including corporate SSIDs) to my home office. ScreenShot2012 06 30at110329PM Enforcing Network Policy Internally, Remotely And To Mobile Devices

Agent and cloud based technology can enforce network policy for laptops and desktops however fail for most mobile device types such as androids and apple devices. The reason is most mobile device manufactures give power to the end-user meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by a MDM provider but fail when the MDM agent is not present. The only protection that can be applied for mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the MDM enforced by Access Control technology approach.

Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security, Host And Mobile Device Security

Tagged as Access Control, anyconnect, audit, Cisco, cisco cx, citrix, Compliance, content filer, continuous monitoring, Data Loss Prevention, DLP, Home, Identity Services Engine, ironport, Joey, Joey Muniz, joseph, joseph muniz, mobile, mobile device, mobile device management, monitoring, Muniz, NAC, network access control, network monitoring, network policy, network security, OEAP, palo alto, phishing, phishing attack, phishing defense, phone home, remote work policy, RSA, sandbox, scan safe, scansafe, Security, security audit, ssl, Symantec, Telework, Teleworker, virus, VPN, vpn technology, web security, web washer, websense, wireless security, World Wide Technology, world wide technology inc., worm, wwt

September 19, 2011

Internet Defense Technology : Web Proxy / Content Filter / Application Firewalls

The web is a dangerous place so its extremely important to have web proxy / content filter technology protecting users that access it. I had a roommate years ago who purchased a computer and within hours had every virus, malware and what not clogging his new machine. I’m sure he didn’t have the best surfing habits however that doesn’t mean the average user is less likely to be infected. What most people don’t realize about websites is they are like a Paint By Numbers canvas leveraging other websites to fill in the colors. For example, if you see a RealAudio video on a website, guess what … you have surfed both that embedded video’s website and the host website. The same goes when there are hidden links that download malicious malware on what you believe is a safe website.

The standard defense for Internet based threats is a web proxy / content filter solution or similar features imbedded in a firewall, IDS/IPS or SAS offering. The baseline solutions offer Content Filtering meaning the ability to monitor or block web content that violates specified policy. The major players do this well (Bluecoat, Websense, McAfee, Iron Port, etc.) by grouping web content into categories. For example, an administrator can deny all adult websites by blocking the adult category, which is an up-to-date list of the known adult sites. Smaller players work like an access-list manually blacklisting websites, which is a nightmare to manage. In the end, this is a commodity feature for the real players and should come standard for web proxy / content filter solutions with little management to maintain content categories.

Besides denying policy, web security / content filter solutions should have a method to check web traffic for threats. Many vendors offer anti-virus, anti-malware and content scanners that look for malicious traffic inline by redirecting network traffic through a web security / content filter or by endpoint proxy settings forcing endpoint web traffic to the security solution. Some verify content for hidden attack vectors in a closed environment prior to permitting access to the website (also known as sand-boxing). The best web security / content filter solutions offer a mix of signature and behavior sources since no single source can cover the entire gamut of web attacks properly. It’s also important that the web proxy / content filter solution is capable of viewing https IE secure channels or you will miss end user traffic that is encrypted.

Reputation or website “credit scores” is becoming a popular factor utilized by web security / content filter solutions. My blog on this subject explains this HERE. Reputation is key for speeding up the security process since many harmful websites can be denied based on reputation rather than scanning and identifying threat signatures or malicious behavior. I’ve used solutions such as IronPort Web Security Appliance (WSA) and usually 90-95% of the websites denied are identified as malicious based on reputation rather than passing the reputation check and caught by other security defenses.

The final point about securing access to the Internet is to consider email and web as equal targets since they are the most common cyber attack vectors. Web proxy / content filters need the same investment as Email Security and must be designed as a unified solution. I’ve had customers say “we get phishing attacks that send clean emails with links to malicious websites”, which users clicking the links is a Web Security vulnerability … not email. Other investments should be made in post compromised technology such as botnet / malware detection technology (Netwitness, Wireshark, Ironprot WSA botnet scanner, FireEye sandbox technology, etc.), Data Loss Prevention and host based security. No solution is a silver bullet so a layered defense will dramatically reduce risk if the overall design compliments each solution rather than operates individually.

Rating: 4.5/5 (2 votes cast)

9 Comments

Filed under Internet Defense

Tagged as anti-malware, anti-virus, application firewall, application firewalls, blue coat, Bluecoat, botnet, botnets, Cisco, Cisco IronPort, content filter, Data Loss Prevention, DLP, fireeye, GTI Proxy, Internet based threats, Internet Defense, internet security, Iron Port, ironport, Joey, Joey Muniz, joseph, joseph muniz, layer 7 firewall, layer 7 firewalls, malware defense, McAfee, Muniz, palo alto, palo alto networks, phishing defense, popup defense, Security, spam defense, stop spam, stopping botnets, stopping popups, Symantec, symnatec email proxy, web defense, web proxy, web security, web sense, websense, World Wide Technology, world wide technology inc., wwt

August 31, 2011

Securing Teleworkers: Building A Remote Access Solution For Teleworking

Securing Teleworkers is at the top of the to do list for many organizations. President Obama signed a bill aimed to significantly boost teleworking by federal employees. There are lots of business benefits from teleworking however permitting remote access to internal resources increases risk. Here are some tips to consider when securing your teleworkers.

The most common method for Securing Teleworkers is using a Virtual Private Network (VPN). The concept is establishing an encrypted tunnel between remote endpoints and the internal network so endpoints are serviced like an internal resource. Leading vendors utilize endpoint agents or web-based VPN portals that control what can be accessed. Best practice is to adjust the level of access based on how users authenticate, data being accessed and network they are connecting from. Strong solutions auto establish VPN connections outside the cooperate network and scan endpoints for key loggers prior to permitting access.

A popular enhancement to Securing Teleworkers through a VPN is Network Access Control (NAC) technology. NAC verifies who is accessing the network, captures information about the devices and distributes access based on policy. NAC is like airport security verifying people’s identity and risk level BEFORE permitted access to the plane. Best practice is to increase policy requirements as you increase access rights. For example, permit employees if they are using cooperate laptops with a specific version of antivirus while limit contractors with any version of antivirus. Automating remediation for teleworkers who don’t meet policy is key to reducing NAC trouble tickets.

Another recommended solution for securing teleworkers is filtering all VPN traffic through a Content Filter. Content Filters enforce web usage policies such as denying adult websites or tracking hours wasted on social networks. Research shows users involved with popular social media games like Farmville spend hours each day that may take place during business hours if not tracked. Leading Content Filters also offer security features to protect users from malicious websites that aim to breach the internal network through compromised workstations.

A popular alternative to using VPN solutions for Securing Teleworkers is adopting a virtual desktop infrastructure (VDI). Data is kept on the protected network and accessed through a server-client model. The security benefit is clients never directly access the inside network so risk of infection is reduced. A common obstacle for virtual desktop infrastructures is user demands for direct access to data. Permitting direct access could jeopardize VDI benefits unless proper access control and data security transfer methods such as encryption are enforced.

Other options to consider for securing teleworkers are Data Loss Prevention (DLP), host security applications, encryption, and patch management solutions. Best practice recommends DLP for endpoints, email, network and servers that have access to sensitive data. Encrypting sensitive data can add a lot of value as long access rights are enforced. Hardening endpoints with features like disabling wireless when physically connected, limiting USB access to approved devices, forcing sensitive data through encrypted channels and updating endpoints without user intervention is important. The best way to manage security features like these is to limit remote access to corporate issued devices. It’s also a good idea to have all teleworkers sign an agreement specifying your telework policies prior to permitting remote access.

There are many solutions for Securing Teleworkers so it’s important to understand your business operations before selecting a technology. Rushing into a technology could expose your organization to unnecessary risk or an unreliable solution.

Rating: 5.0/5 (1 vote cast)

Tag Archives: web security

Cisco’s Cyber Solutions – What Is Happening In Your Network

Defending Against Google Hacking : Know What Can Be Found On Search Engines

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Securing Teleworkers: Building A Remote Access Solution For Teleworking

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll