Tag Archives: wireless security

April 15, 2013

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security AuditThe terms Penetration Test, Vulnerability Assessment and Security Audit are often blended together when requested by clients or offered by security service providers. All three terms have security aspects however are very different regarding what purpose they serve as well as the expected deliverable.

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

A Security Audit typically means evaluating a system or application’s risk level against a set of standards or baselines. Standards are mandatory rules while baselines are the minimal acceptable level of security. Standards and baselines achieve consistency in security implementations and can be specific to industries, technologies and processes.

Most requests for Security Audits are focused on passing an official audit (IE preparing for a corporate or government audit) or proving the baseline requirements are met for a mandatory set of regulations (HIPAA, PCI, etc.). In many cases, Security Audit services do not include any level of insurance or protection if an audit isn’t successful post services meaning services will only provide information that a client can use to become compliant.

IMPORTANT: In many cases, security audits give customers a false sense of security. Most standards and baselines have a long update process that is unable to keep up with the rapid changes in threats found in today’s cyber world. It is highly recommended to go beyond standards and baselines to raise the level of security to an acceptable level of protection for real world threats.

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security AuditA Vulnerability Assessment is the process in which network devices, operating systems and application software are scanned in order to identify the presence of known and unknown vulnerabilities. A vulnerability is a gap, error or weakness in how a system is designed, used and protected. When a vulnerability is exploited, it can result in giving unauthorized access, escalation of privileges or denial-of-service to the asset.

Vulnerability Assessments typically stop once a vulnerability is found meaning services doesn’t include executing an attack against the vulnerability to verify if it’s legitimate. A Vulnerability Assessment deliverable provides potential risk associated with all vulnerabilities found with possible remediation steps. There are many tools that can be used to scan for vulnerabilities based on system type, operating system, ports open for communication and other means. Vulnerability Assessments are a valuable way to assess a network for potential security weakness to identify where to invest for future security.

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security AuditA Penetration Test is attempting to attack vulnerabilities in a similar method of a real malicious attacker. Typically, penetration services are requested when a system or network has exhausted investments in security and seeking to verify if all avenues of security have been covered. The key difference between a Penetration Test and Vulnerability Assessment is a penetration test will act upon vulnerabilities found and verify if they are legit reducing the list of confirmed risk associated with a target.

IMPORTANT: One popular misconception is a Penetration Testing service enhances IT security since services have a higher cost associated than other security services. Penetration Testing does not make IT networks more secure since services evaluates existing security! A customer should not consider a penetration test if there is a belief the target is not completely secure.

Hopefully these definitions help define future security service requests.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 15, 2013

How To Educate Your Employees About Social Engineering

How To Educate Your Employees About Social EngineeringA common saying is ” Amateurs Hack Systems, Professionals Hack People”.  Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks based on their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim using deception through email, social networks or over the phone.

Consultants list end-user training as a top prevention to defend against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.

Explain Why Policies Exist

How To Educate Your Employees About Social Engineering

It is common to see organizations send out policy reminders without explaining why they exist. The average user will delete a policy email once they realize its standard legal language.

Try explaining why users should care. For example, start off with a scenario about an email account being violated and or company data compromised. Include details about what social engineer tactic was used, investment by IT to clean up the issue and ways to avoid the threat. Close with the policy being enforced.

Provide Examples Beyond The Intranet

How To Educate Your Employees About Social Engineering

Organizations typically send warning emails to employees when they discover threats to internal sources. It is rare to see companies extend warnings about phishing or other external attacks. Try periodically sending out examples of different social engineering attacks highlighting what to look for and where they are common. Examples should include social networks, fake URLs, craiglist scams and threats using shareware. Your end-users can be targeted anywhere so educate on all forms of social engineering attacks. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Scams and Social Engineering

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

December 28, 2012

Protect Your Communication Using Free Tools: Secure E-mail and Hiding Messages with Steganography

es66715 coversecret Protect Your Communication Using Free Tools: Secure E mail and Hiding Messages with Steganography

Is There More To This Image?

How we communicate has become extremely easy in today’s digital society.  Most mobile devices offer software that integrates with social networks, business applications and e-mail. People share anything from where they are eating to what they are about to eat in near real-time (personally I find it annoying). This convenience makes securing communication more difficult since most digital messages leave a digital fingerprint as well as usually transmitted over nonsecure sources. My team has demonstrated how hackers can steal data in transit using man-in-the-middle attacks with tools like the Pine Apple (more HERE), BeEF (more HERE), and compromising mobile devices to pull up old text messages and e-mails.

How can you protect your communication? Best practice is investing in multifactor authentication to trusted systems, VPN technology for communication outside of a secure network, data loss prevention monitoring what data is permitted to leave a secure network, internal network security products and host based security to stop key loggers and other threats. Communication solutions should offer a mix of confidentiality (protecting the information), integrity (can’t modify the message), availability, authenticity (message is genuine) and non-repudiation (guarantee sent and received).

Meeting best practice typically requires investments in multiple technologies however what about the average user looking to send a sensitive message? There are methods to send messages securely using free tools. One option is using a secure e-mail solution. Hushmail offers free PGP-encrypted e-mail and file storage. If you look at the image below, you will see the checkbox for encrypting the outgoing message as well as how Hushmail enforces a strong passphrase promoting secure e-mail standards. The downside of Hushmail is it doesn’t offer some of the flashy features other e-mail services include such as chat or customizable backgrounds.

Screen Shot 2012 12 26 at 7.46.40 PM Protect Your Communication Using Free Tools: Secure E mail and Hiding Messages with Steganography

Setting up a Hushmail account

Screen Shot 2012 12 26 at 7.47.54 PM1 Protect Your Communication Using Free Tools: Secure E mail and Hiding Messages with Steganography

 Sending Encrypted E-mails Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

7 Comments

Filed under Data Loss Prevention, General Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

December 18, 2012

Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Most Security solutions leverage a combination of signature and behavior based technology (more HERE). This worked in the past however today these solutions are not good enough regardless if you layer multiple products that are built upon similar scanning methods. There are many ways to bypass point Security products such as throttling behavior and masking the known fingerprint of the attack code. A example of a technique used to hide malware from popular Anti-Virus packages is leveraging Dynamic Obfuscation software. Screen Shot 2012 12 10 at 9.53.38 AM Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Obfuscation software was designed to protect source code from piracy by making the original code more complicated to read while retaining functionality. There are commercial obfuscation software packages available for programmers looking to hide their source code which is also obtainable for malware developers. This is bad for anti-virus vendors responsible for developing methods to fingerprint malicious code.

Malware producers can make things even more difficult for Anti-Virus vendors by adding dynamic elements that randomizes malicious code and encryption keys on the fly. For example, a victim accessing a malicious website could see a different variation of the same exploit each session. Dynamic obfuscation provides an endless number of variants making it almost impossible for signature based Security to identify the threat.

There are dozens of examples for commercial Java obfuscator packages. Some common packages are Zelix KlassMaster, Dash-O, ProGuard, Smokescreen, Thicket and Allitori. Popular penetration toolsets such as Metasploit also include malware obfuscating modules such as the VoMM module. Research on VoMM from a few years ago can be found HERE .

Screen Shot 2012 12 10 at 1.16.37 PM Beating Signature Based Security – Dynamic Software That Obfuscates MalwareScreen Shot 2012 12 10 at 1.26.46 PM Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Examples of Java Obfuscation Software Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security, Internet Defense, Penetration / Hacking, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

December 3, 2012

Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

“My buddy Aamir Lakhani is developing a iOS security class and recently posted about hacking iOS devices. This is a very popular subject and want to share this. Also shout out to Tom Bedwell for his assistance with the research. You can find the original posting at www.cloudcentrics.com”

iOS devices can be booted with their own  kernel  and micro operating systems instead of approved Apple firmware. When iOS devices are loaded with a micro kernel, you can run attacks such as bypassing the passcode, decrypting passwords, copying file systems, viewing emails and much more. The following guide describes how to create a RAM DISK, however it may not function precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.

Note: If you run in to trouble when creating a RAM DISK due to unique OS configurations and code versions, don’t despair.

If you want to take the easy way

Download: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip 

-       and then complete step 11 then proceed to step 20.

Now let the real fun begin

IMPORTANT: Watch the word wrap. Many commands are single line and may be wrapped on multiple lines.

Step 1: Uninstall file system readers

If you have a system tool such as MacFuse or Tuxera, uninstall the program before starting and reboot your machine.

Step 2: Install Xcode from the Mac App Store

Xcode Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

Step 3: Download and install Xcode Command Line Tools:

1. Download Xcode from the Apple App Store
2. Launch Xcode and go to preferences
3. Install Xcode Command Line tools and Simulators

Command Line Tools Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

Step 4: Open the Terminal App.

Make sure you are in your home directory. In my case the home directory is /Users/alakhani
Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Penetration / Hacking

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

October 15, 2012

Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

Zenprise recently released an upgrade to their flagship mobile device management MDM solution. My team has been showcasing a previous version 6.6 and went through the upgrade to Zenprise 7.01 this week. The Zenprise ZDM upgrade took around 15- 20 minutes, which steps included upgrading the software and java on the hosting server. Here is a comparison of both versions of Zenprise ZDM.

Dashboard: Zenprise 7.01 now includes a dashboard or centralized landing page. From a visual perspective, it’s a great way to quickly identify the state of the system and managed endpoints. The picture below is customized for 6 different reports. Functionality wise, the previous version of Zenprise could accomplish the same things by clicking around.

Screen Shot 2012 10 10 at 12.23.00 AM1 Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

iOS and Android Enrollment: The new 7.01 version of Zenprise offers a dedicated section for device enrollment that includes options such as  MDM server discovery, email or SMS notification. We felt enrollment was a weak spot for Zenprise however this release dramatically simplifies the process. The group enrollment features makes it much easier to deploy the Zenprise MDM software to a larger number of users at once. Furthermore, Zenprise 7.01 can import a CSV file to populate its database for bulk enrollment.

Screen Shot 2012 10 10 at 12.17.26 AM Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

iOS Location Services, Geo-tracking and Geo-fencing: This is a huge feature. Admins can set location service policies to located devices at any given time. Geofencing allows admins to define a geographic perimeter and perform a selective or full wipe upon perimeter breach. We have had requests for Geofencing that range from stopping students from walking off with school issued mobile devices to military secured facilities wiping any device that leaves the controlled area. In high security areas it it possible to wipe a device on-demand as it exists a “safe” zone. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Bring Your Own Device BYOD, Host And Mobile Device Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

September 17, 2012

802.1X Challenges For Department of Defense

DISA 802.1X Challenges For Department of DefenseAamir Lakhani wrote a fantastic post on 802.1x for DOD. You can find the original posting at www.cloudcentrics.com

The Department of Defense added a requirement that all network ports, or on-ramps need to be protected. Applications, server, and data are normally protected; however, most network ports are left open. You get on to a network by plugging into a port and a network address is allocated for the connection. Computers without proper are free to launch attacks from the network.  Network port protection lock down restricts anonymous access and prevents these “attacks”.

When network protection is turned on, a machine plugs into the network; no network access is given until the machine is authenticated to the network.

A few years ago, NAC solutions tried to accomplish goals for locking down networks. Most of my customers hated NAC. It added a layer of complexity that made the network behave unnatural and harder to support. It used a variety of ports, protocols, and physical boxes to implement. In short, it was complicated.  NAC supported networks broke down often, causing nightmares for those legitimate users trying to get access and the people supporting those networks.

What are people doing to support port lockdown today at the Department of Defense and other large enterprise organizations? Surprisingly, the solution has been around for a long time to help secure wireless networks. It is called 802.1x. Historically, 802.1x has worked great on wireless networks and has always been a little troublesome on the wired ports. But things have changed with enterprise policy servers (Cisco Identity Services) that make the connection more easily configurable on modern day operating systems such as Mac OS X Mountain Lion and Windows 8.

How does 802.1x work? According to Wikipedia, IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is part of the IEEE 802.1 group of networking protocols.

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN.  The term ‘supplicant’ is also used interchangeably to refer to the software running on the clients’ device that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point. And the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. A similar comparison to this would be providing a valid visa at the airport’s arrival immigration booth before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines that the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network. Continue reading

VN:F [1.9.22_1171]
Rating: 4.0/5 (1 vote cast)

3 Comments

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 23, 2012

Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1Cisco recently updated their flagship access control solution Identity Services Engine ISE label 1.1.1 or ISE 1.1MR (Maintenance Release). See more on ISE HERE. My team has received lots of questions around on-boarding new devices with ISE. This post will focus on this feature and assumes a standard ISE design is enabled for wireless access.

On-boarding simply means brining a new device onto the network for the first time. This process includes certificate enrollment and profile provisioning without involving IT as well as little interaction with the end user. ISE 1.1MR accomplishes these goals levering an existing Certificate Authorityuser database such as Active Directory and ISE frameworkScreen Shot 2012 07 24 at 4.24.42 PM Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

The ISE on-boarding process can vary however will be explained as having a new device connecting to a SSID specified for on-boarding new devices (can be open or secured with PEAP). Devices that connect to the on-boarding SSID will be redirected to a guest registration portal.  The user will authenticate, which will trigger the certificate enrollment and profile provisioning process. Parameters to connect to the internal secure SSID will be included with the configuration profile that is provisioned to the mobile device post authentication. From that point on, the device will use the internal SSID for network access, which may have different ISE authorization rules depending on the design. Devices that fail to complete the on-boarding process will default to ether a guest SSID or be denied access depending on the desired policy.Screen Shot 2012 07 24 at 4.26.32 PM Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

WIRELESS: On-boarding can be designed many ways however for this post we will use two SSIDs called Provisioning_Wireless for new devices and Employee_Wireless for existing approved devices.  An accesslist limiting access to ISE, DHCP and DNS will be enabled to prevent devices from staying on the provisioning SSID.  A possible configuration for both SSIDS could be as follow

Attribute: Provisioning_Wireless / Employee_Wireless
Broadcast SSID: Enable / Enable
Layer2 Security: None / WPA+WPA2
MAC Filtering: Enable / Disabled
WPA+WPA2 Parameters: None / WPA2 Policy, AES, 802.1x
Layer 3 Security: None / None
AAA Server: ISE / ISE
Advanced: AAA Override Enabled / AAA Override Enabled
Advanced: NAC State – Radius NAC / NAC State – Radius NAC

To build this, go to WLANs > Create New > Go and fill out the profile details. Use NONE for the layer 2 settings so it’s OPEN. For AAA, set the Radius server for ISE. Under advanced, enabled Allow AAA Override and change the NAC state to Radius NAC. Go to Controller > General > Fast SSID change and enabled Fast SSID to help speed up the SSID changing.

ISE: (1) First in ISE setup Active Directory by going to Admin > External Identity Sources > Active Directory and join ISE to an AD system.

(2) Next go to Admin > External Identity Sources > Certificate Authentication Profile > ADD to define the certificate authentication profile (name it and choose Common Name for X509).

(3) Next define an Identity Source Sequence by going to Admin > Identity Source Sequences > Add.  Give it a name, enabled and select the certification profile you just created then add AD for the authentication search list.

(4) Next configure ISE to act as a Simple Certificate Enrollment proxy server (SCEP). Go to Admin > Certificates > SCEP CA Profiles > Add. After defining your SCEP server, ISE will download the RA and root CA certificates of the CA server (this can be verified uner the certificate store via SYSTEM > Certificate > Certificate Store).

For this scenario, we will configure ISE authentication to use MAB for on-boarding new devices.  It many cases, ISE will not know the MAC address in advance so it must be configured to continue the authentication process via redirection regardless.

This is done in ISE:

(1) Going to Policy > Authentication, choose your MAB wireless policy, click the carrot after allow protocols to show the user options and click the + sign for use.

(2) Select IF USERS NOT FOUNDCONTINUE. As a reminder, ISE Authentication policies are verified top down so make sure your MAB policy used for BYOD is at the top and open for all identity stores. You should lock down the 802.1x wireless to only wireless certificates.

Client provisioning is based on how ISE classifies the client machine. There are customized packages in ISE available that include a software-provisioning wizard, which configures 802.1x settings and ability to obtain digital certificates on the endpoint.

To download wizard packages in ISE, go to Policy Elements > Results > Client Provisioning > Resources > Add. Common mobile devices such as iOS typically have these settings enabled natively so a wizard is not needed.

To configure client provisioning in ISE:

(1) Go to Policy Elements > Results > Client Provisioning > Resources > Add.

(2) Create a native suppliant profile by giving it a name, selecting the Wireless Checkbox, your on-boarding SSID, WPA2 for security, TLS for allow protocals and key size 2048.

(3) Next go to Policy > Client > Provisioning to build your provisioning resources. Create one for native devices and select the mobile profile you just created for the results (example RULE = IOS, Identiy Group = Any, Operating systems MAC IOS ALL and your new mobile profile for results).

(4) Create another that is similar however use Android for the operating systems. Create a third for generic MacOsX devices and use the downloaded wizard. You may also want to create a separate one for Wired and Wireless. The same goes for two more to cover wireless and wired Windows devices. Here is an example of my Client PolicesScreen Shot 2012 08 23 at 12.17.38 AM Configuring On Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

The final steps are verifying profiling for wireless is working as well as your authorization profiles are setup for redirection, employee and guest access (see previous postings for these configs). These can vary depending on how you want to restrict devices that pass and fail your polices.

Written by Joseph Muniz and Aamir Lakhani

Reviewed by Aman Diwakar and Brian Trulove

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

3 Comments

Filed under Bring Your Own Device BYOD, Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

July 11, 2012

Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now – Update Reviewed

Cisco has posted the next release of their flagship security solution Identity Services Engine ISE 1.1.1 or ISE 1.1MR. ISE 1.1.1  is coined a maintenance release however includes some important new features such as some themed around Bring Your Own Device (BYOD).

You can find the ISE 1.1.1 release HERE and latest ISE 1.1.1 documents HERE or go to

www.cisco.com/go/ise for more information and

http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html for ISE 1.1.1 documentation

Here is a breakdown of what is new with ISE 1.1.1

  • New Default Authorization Profile (“Blacklist”) - ISE 1.1.1 can now “blacklist” user devices that get “lost,” or otherwise become unusable or taken out of circulation, until the device can be reinstated or has been completely removed from the network. Cisco ISE 1.1.1 removes “blacklisted” devices from the network and thay are not allowed back on until the device is reinstated Screen Shot 2012 07 11 at 3.28.19 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Dictionary Attribute-to-Attribute Authorization Policy Configuration - You now have the option, when constructing policy conditions in an Authorization Policy, to specify another Dictionary Attribute to which you can associate the source Attribute during policy configuration Screen Shot 2012 07 11 at 3.32.10 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • New Device Registration Task Manager - New visual path through the various Cisco ISE 1.1.1 administration and configuration processes necessary to enable administrators to set Cisco ISE 1.1.1 up to provide multiple, configurable device support for end usersnew2 Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Native Supplicant Provisioning Profile Configuration - Configure native supplicant profiles for client provisioning in addition to the existing “ISE Posture Agent Profiles” currently available in Cisco ISE Releases 1.0.4 and 1.1. This profile type allows you to specify settings for user registration via personal devices like iPhones/iPads and AndroidScreen Shot 2012 07 11 at 4.29.25 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Enhanced Client Provisioning Policy Configuration - You can now create or edit client provisioning policies to allow for expanded personal device support, including iPhones/iPads and Android. For the personal device support, specifically, you can configure the policy to upload the appropriate configuration wizard necessary to enable the user’s device to negotiate and register with Cisco ISE 1.1.1 (NOTE: In my example below, I’m using the IOS and Android native while I downloaded from Cisco wizards for MAC OX and Windows.)newnew Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • SCEP Authority Profile Configuration Page - Enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) authority profiles. Cisco ISE 1.1.1 verifies maintains connectivity with the SCEP authority server(s) you specify, and even performs load-balancing among multiple servers to ensure optimal connectivity for users when they use their personal devices to access the networkScreen Shot 2012 07 11 at 4.22.41 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • RADIUS Proxy Attribute - Enhance the RADIUS sequence flows and processing. When Access-Accept is received from an external RADIUS server, Cisco ISE 1.1.1 continues to the configured authorization policy for further decisions making based on additional attributes and groups queried from AD and LDAP.
  • EAP Chaining - Allows authenticating both machine and user in the same EAP-FAST authentication in a configurable order. When EAP-FAST authentication result is determined, Cisco ISE 1.1.1 allows you to apply authorization policy depending on the result of both authentications. When EAP chaining is turned off, Cisco ISE 1.1.1 performs usual EAP-FAST authentication. Screen Shot 2012 07 11 at 4.02.58 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • EAP-TLS as an Inner Method for EAP-FAST- Allows usage of EAP-TLS protocol as an inner method for EAP-FAST protocol. The implementation is equal to usage of EAP-TLS as inner method of PEAP Screen Shot 2012 07 11 at 4.00.15 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Device Registration Portal - A standalone portal that can be completely customized to suite your organization. A network access user who is configured as an employee in an organization can access the portal that allows them to bring in their personal devices into an enterprise network through an employee authentication, and then a device registration process. An employee can manage their devices to add, edit, reinstate, and delete their devices through this portal. Cisco ISE 1.1.1 adds these devices to the endpoints database, and profile them like any other endpoint. The Cisco ISE 1.1.1 administrators can manage the registered endpoints from the administrator user interface, by using the identities list and reports
    Screen Shot 2012 07 11 at 4.38.34 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • New Reports in Cisco ISE 1.1.1
    • Supplicant Provisioning Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) for a specific period of time.Screen Shot 2012 07 11 at 4.07.51 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update ReviewedScreen Shot 2012 07 11 at 4.08.24 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
    • Registered Endpoint Report—This report provides information about a list of endpoints that are registered through the Asset Registration Portal (ARP) by a specific user for a selected period of time. Screen Shot 2012 07 11 at 4.09.43 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update ReviewedScreen Shot 2012 07 11 at 4.09.30 PM Cisco Identity Services Engine ISE 1.1.1 (Maintenance Release) ISE 1.1MR Out Now Update Reviewed
  • Change of Authorization - Triggers a CoA when an endpoint is added or removed from an endpoint identity group that is used by authorization policy. Any change in an endpoint identity group assignment for an endpoint that occurs due to dynamically profiling or a static assignment to an endpoint identity group, a CoA is triggered in both the cases

Go download the latest ISE 1.1.1 release. The upgrade process will take you around 30 minutes to complete. Here what it will look like.

ISE-10MR2/admin# application upgrade ise-appbundle-1.1.1.268.i386.tar.gz ftp
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration…
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade…
Stopping ISE application before upgrade…
Running ISE Database upgrade…
Upgrading ISE Database schema…
Upgrading Session Directory… Completed.
ISE Database schema upgrade completed.
Running ISE Global data upgrade as this node is a STANDALONE…
Running ISE data upgrade for node specific data…
% NOTICE: Upgrading ADEOS. Appliance will be rebooted after upgrade completes successfully.
The mode is licensed.
 % This application Install or Upgrade requires reboot, rebooting now…
 Broadcast message from root (pts/0) (Wed Jul 11 15:27:38 2012):
 The system is going down for reboot NOW!

VN:F [1.9.22_1171]
Rating: 5.0/5 (7 votes cast)

23 Comments

Filed under Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

July 2, 2012

Enforcing Network Policy Internally, Remotely And To Mobile Devices

Enforcing Network Policy Internally, Remotely And To Mobile DevicesMany corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of a network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network Policy requirements can change based on device type, time of day and user role. Its key that network policy is automatically enforced rather than something end-users choose to abide by or most likely will fail when most needed.

Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in a email) or users bringing devices infected with malware most likely obtained while surfing websites that violate network policy. Its also common to see users violate security controls if it impacts their work flow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.

Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.

The problem with these solutions is scalability. Most content filers require either user devices to be configured inline (hardcoding proxy settings) or routing traffic to the device (example WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not cooperate assets such as mobile devices.

ScreenShot2012 06 04at92743PM Enforcing Network Policy Internally, Remotely And To Mobile Devices

(Cisco’s Web-Security Portfolio)

A common solution that addresses external devices is VPNs routing traffic through network policy enforcement solutions (example Cisco AnyConnect with Ironport or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (example Citrix). Sandboxes work well however may encourage the wrong user behavior such as emailing information to a g-mail account to bypass the sandbox. One solution I like is Cisco’s OEAP which extends the internal network (including corporate SSIDs) to my home office.ScreenShot2012 06 30at110329PM Enforcing Network Policy Internally, Remotely And To Mobile Devices

Agent and cloud based technology can enforce network policy for laptops and desktops however fail for most mobile device types such as androids and apple devices. The reason is most mobile device manufactures give power to the end-user meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by a MDM provider but fail when the MDM agent is not present. The only protection that can be applied for mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the MDM enforced by Access Control technology approach.

Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security, Host And Mobile Device Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,