Article

I thought I’d post up a reference to an interesting article posted on Network World about Cisco’s place in the security market.  It seems that customers now care less about appliance performance and more about overall strategy and product integration.  The data gathered by the IDC shows that customers do not rate Cisco as a “best of breed” vendor” but that they are keen to use Cisco products because of the manner in which they integrate into their network.

If security is of the utmost concern then in my opinion the best solution to the problem should be applied - end of story.  However, with overworked staff and a lack of multi-vendor skills it is easy to see why companies choose Cisco with the similar looking administration GUI’s, CLI’s and the ability to expand appliance capability by using software modules. 

I believe that Cisco are making huge strides in the security market and feel that that although some products may not offer the same performance as others in a certain environment, their products for the most part integrate well into organisations with less administrative overhead if the customer is already a Cisco customer.  I’m trying to stay neutral here and not show a preference either way but I will say that I think Cisco’s layered approach to security is very good.  It is because they have such a wide range of products that slot together well that customers are keen to choose Cisco, in my opinion.  UTM solutions are good for the SMB market but offer little in way of tiered defence.  That said, if I was recommending an appliance for a customer who specified strong security was the priority then performance has to be the deciding factor regardless of vendor.

Anyway, here’s the article -> http://www.networkworld.com/news/2008/111708-cisco-sec.html

The area of my job that I probably dislike the most is policies.  I like technology and finding ways to make things possible that weren’t possible before; enabling businesses to become more efficient in their day-to-day work by streamlining cumbersome security strategies into slicker operating methodologies.  Network security is an excellent arena for someone who loves technology because of the ever changing environment but a constantly changing environment brings challenges with it and the biggest of all is ensuring that when you’re business adapts to meet the challenge, it adapts in a manner that is controlled, directed, managed and monitored.  To do that in my job you need a Security Model to operate within. 

Security Model by SecuraNET

With new and improved technologies being released every day there are pressures to keep pace with them but without structure you are soon left with a myriad of solutions that are unsupportable and working independently making them difficult to administer and a burden to maintain.  When you have the proper framework in place to direct your efforts in the appropriate direction, that is when things start coming together and improving.  Security Models are comprised of a number of different elements, all of which you will hear banded around loosely at meetings.  The diagram below shows how they slot together to create a security model.  The policy is the “why”, standards and baselines are the “what”, and procedures and guidelines are the “how” of the security model.

Policies

The policy, as you can perhaps interpret from the name, is put in place to police the user’s actions.  Its purpose is to define how information is managed and dissipated throughout your business and there will usually be polices for key areas.  For instance, a common example would be an Acceptable Use Policy that outlines the acceptable use of IT equipment.  The aim of the policy is to define the end results and not necessarily the means.  The policy may refer to standards, procedures or guidelines and are enforceable which can result in disciplinary action should a member of staff breach them.

Standards & Baselines

A standard is written to describe the mandatory rules that must be followed to adhere with the policy.  For example, there will be a standard specified for the allocation of IP addresses that a company uses that may define a specified range for use.  They are usually specific to a system or procedure and employees must follow these standards.  They are usually industry recognized best practices.  ISO27002 is the current ISO standard for Information Security Management.  Standards usually describe the baselines for the minimum level of compliance that must be met in order to meet the standards requirements.

Procedures & Guidelines

Without procedures it would be very hard to enforce a policy.  With procedures we can effectively instruct the employee into acting in a deliberate manner when carrying out certain tasks.  In reference to the earlier example of issuing an IP address range, there may be an IP Address Allocation procedure that instructs the employee to update certain documents with the new details and communicate the details to certain parties.  In contrast, guidelines are recommendations that are set out to help comply with the policies objectives by providing a structure or framework to work against.  They are meant to guide the employee into acting in a manner that is supportive of the policy or model and in a way that helps them comply better with the standards.  There are usually frequent references to the guidelines within the policy document.

There are various ways to interpret how the elements work together, I feel that the policy is a seperate entity but standards and baselines work together to determine the levels of adherence while guidelines and procedures give us the methods in which to acheive these levels so that we may adhere to the policy and work under the model as a whole.   This area certainly isn’t my forte but I hope you find the article helpful.

Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.

Security Information Management (SIM) platforms are used to provide a central repository for security devices to send any events generated to.  Most SIM offerings have a web front end that allows network security staff access to view all of the logs generated by devices on their network.  SIMs offer excellent benefits to an organization by allowing security events to be viewed from a single source, the SIM will have the necessary disk space to store these events while making them available for analysis and reporting.  Another benefit to us that SIMs provide is that they can correlate event data to show any events received that share certain variables allowing us to recognize trends in the network between reporting devices.  The SIM can be configured to alert administrators if certain events are triggered however it is then up to the administrator to find a way of mitigating whatever is triggering the alerts.

The previous SIMs available before CS-MARS provided some excellent features that enabled network security staff to store, analyse and archive any events generated by devices configured to report to the SIM.  An added benefit is that SIMs can help organizations comply with legislation set out to ensure that companies secure data that is confidential such as in the healthcare sector or online stores that retain personal data of customers.

As you can see SIMs offer us a great deal of functionality but they were lacking in areas that hadn’t been ventured into before by other vendors.  CS-MARS (Cisco Security – Monitoring Analysis Response System) brought us the features that are other vendors lacked.  CS-MARS came about when Cisco purchased Protego Networks for $65M to extend the capability of Cisco’s self-defending network. Protego had embraced the concept of SIM but enhanced this by adding in STM (Security Threat Management) to the MARS product which Cisco has developed much further since acquiring it.  STM brings us new features to the SIM market allowing us to do things such as timely attack mitigation through mitigation advisories.  Also, because of the STM orientated design, MARS has better overall topology awareness which makes other things possible such as end-to-end network awareness to provide session awareness and date reduction by reducing millions of events down to hundreds.  MARS mitigation strategies employ the use of TCP resets, shuns, editing ACLs and rulebases.

In short, CS-MARS demonstrates an impressive range of new and innovative features in one solution that nothing else on the market can compare to.  Security event management, correlation and normalization of events combined with the option for attack mitigation advisories and immediate single click mitigation deployments places MARS in a class of it’s own.

I think it would be beneficial to have an overview of how an IPsec VPN is built so we can at least see the “big picture” before delving into the specifics.  There are essentially five main phases.  They are as follows:

1.  “Interesting Traffic” initiates the VPN process on the security appliance.

There are usually many different data streams flowing through your devices and not all of them will be part of the VPN tunnel.  Some may be HTTP traffic, SMTP connections etc.  There needs to be a way of the appliance distinguishing what traffic should be tunnelled and what shouldn’t.  The most common method is to use an Access Control List (ACL) or rulebase.

2.  IKE Phase 1.  IKE (Internet Key Management protocol)

IKE Phase 1 is the process that occurs when the two endpoints first establish connectivity.  The purpose of which is to create a secure connection between VPN peers that will facilitate the IKE Phase 2 security parameters agreement.

3.  IKE Phase 2

Once a temporary secure connection has been formed between the two VPN peers, IKE Phase 2 will negotiate the security parameters that will be used between the two endpoints for the VPN tunnel and then periodically renegotiate them throughout the lifetime of the tunnel to ensure maximum security in the event of an attack.

4.  IPsec VPN Tunnel Established

Once IKE Phase 2 has completed both peers may now send data to each other.  As data is sent and received through the tunnel it will be encrypted and decrypted by the VPN peers using the security parameters agreed upon in IKE Phase 2.

5.  IPsec VPN Tunnel Terminated

IPsec VPN tunnels will be torn down after a specified period or by manually stopping the IPsec.  The tunnel can be re-established before the timeout is reached if new security parameters can be agreed again using IKE Phase 2.  This ensure a stable connection and no interuption of data flow should the timeout expire during communications.

How many USB keys are lost or stolen every year?  Lots.

How many of those keys have confidential corporate information on them?  Lots.

How many of those data keys are encrypted?  Not many.

USB Data Keys..  A great little gadget that allows users to store up to 320GBs of data in their pocket that’s accessible simply by plugging it into a USB slot on a PC.

or

USB Data Keys..  An Information Security nightmare!  Taking data security away from secured systems and putting it in the trust of a user.

Anyone who knows a little about IT security can appreciate the risks involved with using USB data keys.  Don’t get me wrong, I think they’re great little tools and I have one myself, in fact, I rely quite heavily upon it!  I use it for storing programs, files, data sheets, expense claims and even my Linux distribution that boots from it.  It’s a brilliant little thing.

But what happens when we lose it?  And let’s face it; they are easy to lose.  Why do companies present themselves with and accept this huge risk?  Everything and anything can be stored on these keys by your users – users that can’t remember passwords for more than one week let alone secure a small, easily lost data key filled with sensitive information!

There are two solutions:

1)    Disable the use of USB data keys through a group policy or PC build configuration.

2)    Secure the data on the USB key so that if it is lost it cannot be read or recovered.

The first one is an instant no-go.  Getting that signed off under the IT security policy would be extremely difficult given the convenience of mobile data to users.

Securing the data is where we really need to focus our attention when looking for a solution to our problem and there are two ways of doing so.

1)    Use a date key with built in hardware encryption.

2)    Use third party software to encrypt the USB drive/data.

Option 1 – I’m sure there are a few vendors out there who manufacture USB keys with built in encryption but the leader by far in this area is a company called IronKey.  Their USB keys appear to be very easy to use for the end user (I said appear as I’ve never used one - send me one for review IronKey! ).  Basically, it is a USB key with a encryption chip between the USB interface and the memory chip that encrypts and decrypts data as it is passed to and fro the USB memory chip.  When the USB key is inserted the user is prompted for a password and that is used as the key to encrypting/decrypting the data on the fly.  Don’r worry about brute force attacks on the password either, 10 strikes and you’re out!  Dangerous, but secure - I like it.  Reports indicate that the data transfer speeds are very quick due to the high quality memory being used internally.  So, we have a very secure, fast and easy to operate USB memory key with IronKey, the only drawback is the price.  IronKeys are a fair bit more expensive than traditional USB memory keys with prices starting at $79 for the 1GB Basic version right up to $299 for the 8GB Basic version but hey, you get what you pay for right?

Option 2 – If something like an IronKey is out of your price range or you would simply rather not pay for the convenience that they offer then the alternative is to use third party encryption software (as I do) such as TrueCrypt.  TrueCrypt allows you to either encrypt the whole USB stick or create a secure “container” on it and encrypt that.  The container is then mounted using the TrueCrypt application and is seen as another volume.  The only drawback is that you have to use the application to mount the volume however this can be stored on an unencrypted area of the disk for use on any PC.  TrueCrypt will run on Windows, Linux, OS X and is free to use for personal and enterprise use.

Hope that helps!

Ian

Two weeks ago, renowned security researcher Dan Kaminsky released information to the security community that alluded to a major DNS flaw on the internet.  However, instead of spreading the exploit to all and sundry he instead decided to inform major DNS vendors that the flaw existed and required patched before it became common knowledge to all and exploited.

In doing so, Dan dared to became the subject of criticism from his peers.  Their mindset was that exploits should be released and be public knowledge so that fixes can be deployed and the theory reviewed by other security professionals.  Dan himself admits that he was wrong in not seeking peer review before going public; he instead chose to go public about the flaw that he identified before all systems were fully patched and announce that a fix was being deployed.  He admitted he was wrong but I can’t help but think he wasn’t - although I must credit him for falling on his own sword after the scorn of fellow security professionals.  He didn’t release the flaw to any of his online peers because he was concerned that it would be released early before all DNS servers could be patched – which is exactly what happened.

After receiving this criticism he instead opted to seek out the opinions of two other prominent security professionals.  One being Dino Dai Zovi and the other Thomas Ptacek, a security expert and Principal over at Matasano Security.  Both validated Dans claims – he was right, the DNS vulnerability is real.  Dan was due to speak at Black Hat in Las Vegas where he would release details of the vulnerability as sufficient time would have passed to allow the patching of vulnerable servers.  However, before he had the chance, someone beat him to the punch.

Halvar Flake, otherwise know as Thomas Dullien, CEO and Head of Research over at Zynamics, decided to post his own hypothesis on what the vulnerability was.  It turned out that he was almost bang on with his theory but this was then corroborated when a post by a researcher at Matasano Security corrected some of the details Halvar Flake had posted - swiftly hitting the nail on the head of any secrecy left out there about the vulnerability.  As soon as Matasano realised the blog post had been published early they removed it and a letter of apology was published from Thomas Ptacek.  He explained that the post was not supposed to have been published, apologised for the leak and praised Dan for his work in finding the exploit.

As it stands, the patches are being applied but Dan suggests that for now you use OpenDNS for your DNS services, they are expecting your traffic and their DNS servers are safe to use.

Who says IT is boring?

Ian

I recently installed Cisco Security Manager for a client and up until then I had pretty limited experience with it as it’s still relatively fresh on the market. The install itself is very easy.  Next, next, next… almost. After a few teething problems with McAfee AV hanging the server it was all up and running and ready for devices to be added in. McAfee, by the way, was trying to scan the CSM database and couldn’t and that was what hung the machine. The only way around it was to exclude the folder where the database is and it worked fine after that.

For those of you who don’t know what Cisco Security Manager does it’s basically a replacement for the old Cisco VMS Works, in my opinion anyway – I’m not sure if Cisco market it as that. It has some pretty good features built into it that allow you to manage your security policies in a more uniform fashion across your network. The ability to copy policies from one device to another is a great way of adding extra layers of security throughout your network. I installed a Cisco 4260 IPS after the CSM server and I especially liked the benefit of copying signature polices between IPS’s as it saves a lot of time wasted on ensuring devices have the same signature set when inspecting segments that should have the same inspection policies applied.

I also added in a live Cisco ASA5540 to the device repository but it threw a lot of errors up so I have deleted it out for the time being as the customer is not looking to use CSM with his firewalls at the moment. We’ll also be installing CS-MARS in the near future and that can tie in with CSM so I’ll report back on how that goes.

Ian

Hello there!

Welcome to my new blog, SYN-ACK.  I intend to use this as a means of sharing knowledge, building knowledge and networking with my fellow IT security peers.  Topics of discussion will be wide and varied ranging from my current projects, little white papers on security related topics and updates on my own career path.

Please feel free to comment on any posts and while I expect debate and conflicting views, please keep all discussions constructive and pleasant.

I’ve also imported the few posts from my previous blog that I started a few months ago.

Thanks for looking!

Ian