Tag Archives: wsa

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Watching Cisco’s Cyber Solutions – What Is Happening In Your NetworkToday’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day.  There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

ISE Auth Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Screen Shot 2013 03 01 at 8.36.52 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkProfiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Screen Shot 2013 03 01 at 8.36.01 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Some default profiles for Cisco ISE. 

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Screen Shot 2013 02 22 at 12.08.05 PM Cisco’s Cyber Solutions – What Is Happening In Your Network

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Screen Shot 2013 02 22 at 5.03.01 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Main Dashboard

Screen Shot 2013 02 22 at 12.07.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkCisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Screen Shot 2013 02 22 at 12.11.20 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMain Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Screen Shot 2013 02 22 at 12.12.19 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Windows 7 Workstation With Botnet

Screen Shot 2013 02 22 at 12.12.42 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkEthel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Screen Shot 2013 02 22 at 12.13.00 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkLancope Dataloss Diagram
Screen Shot 2013 02 22 at 12.13.18 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkMalware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Screen Shot 2013 02 22 at 12.14.47 PM Cisco’s Cyber Solutions – What Is Happening In Your NetworkKnown Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 15, 2012

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSAToday’s Internet is a dangerous place. Imagine a small village with law and order surrounded by a wall keeping out miles of ungoverned ruthless territory. Most known websites surfed daily by your users make up a small percentage of the total Internet. The remaining 80% or more of uncategorized websites are contaminated with Botnets, malware and short-lived websites targeting your users. Many of these malicious websites are embedded in trusted sites such as social networks by hiding in advertisements or silly links posted by your friends. The best protection for this threat vector is limiting Internet usage to trusted websites and monitoring those websites for malicious applications.

The most common method to protect users while surfing the Internet is leveraging a web security solution. I wrote a post about this HERE. Cisco has two web security flavors, which are a dedicated proxy and application firewall add-on. The dedicated proxy, known as the Web Security Appliance (WSA) came from the acquisition of IronPort. Cisco replaced its content filter module for their ASA firewalls based on McAfee technology with an application aware addition known as CX Context-Aware. There are many overlapping features between the two approaches however there is a clear distinction when to choose one over the other.

Both CX and WSA provide features expected from a web security solution. Both CX and WSA offer the ability to monitor and control what type of websites are available for users based on categories (examples Adult, Hate, Gambling, etc.). Both CX and WSA include reputation controls meaning ability to blacklist known malicious websites (more on reputation HERE). Both CX and WSA can limit or deny traffic types based on user groups such as denying Skype, throttle download speeds and target specific applications (example permitting Facebook while denying Farmsville for employees 9am-5pm). Both solutions can scale beyond the internal network using VPNs to route traffic from remote users.

CX DASHBOARD (click to see larger)

Screen Shot 2012 08 01 at 7.50.08 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSAScreen Shot 2012 08 01 at 7.50.19 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

CX Web Categories

Screen Shot 2012 08 01 at 7.51.52 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

IronPort WSA Categories

Screen Shot 2012 08 01 at 9.58.33 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

WSA Reputation Score Settings

Screen Shot 2012 08 01 at 10.03.40 PM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSA

Features offered by IronPort not included with CX are focused on what happens after traffic passes reputation and content policies. WSA offers anti-malware scanning licenses for McAfee, Sophos and Webroot for any traffic tagged as “grey” meaning traffic that passes the reputation blacklist but not considered completely trusted or “white-listed”. These signature-based verdict engines are licensed separately and can be stacked to provide a wide range of scanning capability. WSA also offers a dedicated layer 4 Botnet scanner targeting phone home communication from infected machines. These additional features provide more layers of defense beyond common application firewall technologies including Cisco CX.

Some other differences are based on the design and implantation of WSA and CX. The WSA is a dedicated proxy, which can be deployed using host inline proxy settings or directing network traffic to the WSA using WCCP. The CX uses policy maps routing traffic seen by an ASA through the CX addition. WSA includes caching to improve network performance. WSA can direct traffic through a DLP solution adding network based DLP scanning (A possible roadmap is including DLP in the appliance as a add-on license similar to the IronPort Email Security Appliance). Cisco roadmaps show IronPort offerings will include a virtualized option in the near future. Probably the most important CX design consideration is today Cisco ASA 5500X can either leverage CX or IPS however not both simultaneously. CX is also not available on some ASA 5500X models such as 5585-40s and 5585-60s. Expanding CX to other ASA models and dual IPS CX support are roadmap items at this time.

Screen Shot 2012 08 14 at 10.37.48 AM Web Security Offerings From Cisco: Comparing Cisco NEW CX to IronPort Web Security Appliance WSATo summarize, its best to consider Cisco CX for essential web security meaning content filtering and reputation based protection. The CX is also a viable option if you don’t require IPS from your ASA 5500X. WSA is suited for Comprehensive web security meaning content filtering, reputation protection, malware scanning and layer 4 botnet awareness. WSA is also a dedicated proxy providing performance benefits as well as design options such as including Data Loss Prevention. If you desire your ASA to include IPS functionality, today you will need to consider a WSA to handle web security. Hopefully this post helps with distinguishing when to choose CX or IronPort WSA.

VN:F [1.9.22_1171]
Rating: 5.0/5 (4 votes cast)

2 Comments

Filed under Internet Defense

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 31, 2011

Securing Teleworkers: Building A Remote Access Solution For Teleworking

sales working at home office 300x199 Securing Teleworkers: Building A Remote Access Solution For Teleworking
Securing Teleworkers is at the top of the to do list for many organizations. President Obama signed a bill aimed to significantly boost teleworking by federal employees. There are lots of business benefits from teleworking however permitting remote access to internal resources increases risk. Here are some tips to consider when securing your teleworkers.

The most common method for Securing Teleworkers is using a Virtual Private Network (VPN). The concept is establishing an encrypted tunnel between remote endpoints and the internal network so endpoints are serviced like an internal resource. Leading vendors utilize endpoint agents or web-based VPN portals that control what can be accessed. Best practice is to adjust the level of access based on how users authenticate, data being accessed and network they are connecting from. Strong solutions auto establish VPN connections outside the cooperate network and scan endpoints for key loggers prior to permitting access.

A popular enhancement to Securing Teleworkers through a VPN is Network Access Control (NAC) technology. NAC verifies who is accessing the network, captures information about the devices and distributes access based on policy. NAC is like airport security verifying people’s identity and risk level BEFORE permitted access to the plane. Best practice is to increase policy requirements as you increase access rights. For example, permit employees if they are using cooperate laptops with a specific version of antivirus while limit contractors with any version of antivirus. Automating remediation for teleworkers who don’t meet policy is key to reducing NAC trouble tickets.
500x amazing girl quits 282 300x199 Securing Teleworkers: Building A Remote Access Solution For Teleworking
Another recommended solution for securing teleworkers is filtering all VPN traffic through a Content Filter. Content Filters enforce web usage policies such as denying adult websites or tracking hours wasted on social networks. Research shows users involved with popular social media games like Farmville spend hours each day that may take place during business hours if not tracked. Leading Content Filters also offer security features to protect users from malicious websites that aim to breach the internal network through compromised workstations.

UltraLevel vdi 300x225 Securing Teleworkers: Building A Remote Access Solution For Teleworking
A popular alternative to using VPN solutions for Securing Teleworkers is adopting a virtual desktop infrastructure (VDI). Data is kept on the protected network and accessed through a server-client model. The security benefit is clients never directly access the inside network so risk of infection is reduced. A common obstacle for virtual desktop infrastructures is user demands for direct access to data. Permitting direct access could jeopardize VDI benefits unless proper access control and data security transfer methods such as encryption are enforced.

Other options to consider for securing teleworkers are Data Loss Prevention (DLP), host security applications, encryption, and patch management solutions. Best practice recommends DLP for endpoints, email, network and servers that have access to sensitive data. Encrypting sensitive data can add a lot of value as long access rights are enforced. Hardening endpoints with features like disabling wireless when physically connected, limiting USB access to approved devices, forcing sensitive data through encrypted channels and updating endpoints without user intervention is important. The best way to manage security features like these is to limit remote access to corporate issued devices. It’s also a good idea to have all teleworkers sign an agreement specifying your telework policies prior to permitting remote access.

There are many solutions for Securing Teleworkers so it’s important to understand your business operations before selecting a technology. Rushing into a technology could expose your organization to unnecessary risk or an unreliable solution.

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security, Network Admission Control

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,