<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">

<channel>
	<title>SYN-ACK</title>
	
	<link>http://syn-ack.co.uk</link>
	<description>A blog about network security by Ian McGowan</description>
	<pubDate>Tue, 18 Nov 2008 14:24:16 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
	<language>en</language>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/syn-ack-feed" type="application/rss+xml" /><item>
		<title>Performance versus TCO - Cisco dominate security market</title>
		<link>http://syn-ack.co.uk/87/performance-versus-tco-cisco-dominate-security-market</link>
		<comments>http://syn-ack.co.uk/87/performance-versus-tco-cisco-dominate-security-market#comments</comments>
		<pubDate>Tue, 18 Nov 2008 14:24:16 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Article]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Vendor Specific]]></category>

		<category><![CDATA[Cisco]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=87</guid>
		<description><![CDATA[I thought I’d post up a reference to an interesting article posted on Network World about Cisco’s place in the security market.  It seems that customers now care less about appliance performance and more about overall strategy and product integration.  The data gathered by the IDC shows that customers do not rate Cisco as a [...]]]></description>
			<content:encoded><![CDATA[<p>I thought I’d post up a reference to an interesting article posted on Network World about Cisco’s place in the security market.  It seems that customers now care less about appliance performance and more about overall strategy and product integration.  The data gathered by the IDC shows that customers do not rate Cisco as a “best of breed” vendor, but that they are keen to use Cisco products because of the manner in which they integrate into their network.</p>
<p>If security is of the utmost concern then in my opinion the best solution to the problem should be applied - end of story.  However, with overworked staff and a lack of multi-vendor skills it is easy to see why companies choose Cisco, with their similar-looking administration GUIs and CLIs and the ability to expand appliance capability by using software modules.</p>
<p>I believe that Cisco are making huge strides in the security market and feel that although some products may not offer the same performance as others in a certain environment, their products for the most part integrate well into organisations with less administrative overhead if the customer is already a Cisco customer.  I’m trying to stay neutral here and not show a preference either way, but I will say that I think Cisco’s layered approach to security is very good.  It is because they have such a wide range of products that slot together well that customers are keen to choose Cisco, in my opinion.  UTM solutions are good for the SMB market but offer little in the way of tiered defence.  That said, if I were recommending an appliance for a customer who specified that strong security was the priority, then performance has to be the deciding factor regardless of vendor.</p>
<p>Anyway, here’s the article -&gt; <a href="http://www.networkworld.com/news/2008/111708-cisco-sec.html">http://www.networkworld.com/news/2008/111708-cisco-sec.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/87/performance-versus-tco-cisco-dominate-security-market/feed</wfw:commentRss>
		</item>
		<item>
		<title>Security Models - Polices, Standards &amp; Procedures</title>
		<link>http://syn-ack.co.uk/78/security-models-polices-standards-procedures</link>
		<comments>http://syn-ack.co.uk/78/security-models-polices-standards-procedures#comments</comments>
		<pubDate>Sat, 15 Nov 2008 16:44:21 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Article]]></category>

		<category><![CDATA[Management &amp; Reporting]]></category>

		<category><![CDATA[Policy]]></category>

		<category><![CDATA[Procedure]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Standards]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=78</guid>
		<description><![CDATA[The area of my job that I probably dislike the most is policies.  I like technology and finding ways to make things possible that weren&#8217;t possible before; enabling businesses to become more efficient in their day-to-day work by streamlining cumbersome security strategies into slicker operating methodologies.  Network security is an excellent arena for someone who [...]]]></description>
			<content:encoded><![CDATA[<p>The area of my job that I probably dislike the most is policies.  I like technology and finding ways to make things possible that weren&#8217;t possible before; enabling businesses to become more efficient in their day-to-day work by streamlining cumbersome security strategies into slicker operating methodologies.  Network security is an excellent arena for someone who loves technology because of the ever-changing environment, but a constantly changing environment brings challenges with it, and the biggest of all is ensuring that when your business adapts to meet the challenge, it adapts in a manner that is controlled, directed, managed and monitored.  To do that in my job you need a Security Model to operate within.</p>
<div id="attachment_81" class="wp-caption aligncenter" style="width: 360px"><a href="http://syn-ack.co.uk/wp-content/uploads/2008/11/securanet_policy_image1.jpg"><img class="size-full wp-image-81 " title="Security Model by SecuraNET" src="http://syn-ack.co.uk/wp-content/uploads/2008/11/securanet_policy_image1.jpg" alt="Image displaying how a security model comprises various elements." width="350" height="246" /></a><p class="wp-caption-text">Security Model by SecuraNET</p></div>
<p>With new and improved technologies being released every day there are pressures to keep pace with them, but without structure you are soon left with a myriad of solutions that are unsupportable and working independently, making them difficult to administer and a burden to maintain.  When you have the proper framework in place to direct your efforts in the appropriate direction, that is when things start coming together and improving.  Security Models are comprised of a number of different elements, all of which you will hear bandied around loosely at meetings.  The diagram shows how they slot together to create a security model.  The policy is the &#8220;why&#8221;, standards and baselines are the &#8220;what&#8221;, and procedures and guidelines are the &#8220;how&#8221; of the security model.</p>
<p><strong>Policies</strong></p>
<p>The policy, as you can perhaps interpret from the name, is put in place to police the user’s actions.  Its purpose is to define how information is managed and disseminated throughout your business, and there will usually be policies for key areas.  For instance, a common example would be an Acceptable Use Policy that outlines the acceptable use of IT equipment.  The aim of the policy is to define the end results and not necessarily the means.  The policy may refer to standards, procedures or guidelines and is enforceable, which can result in disciplinary action should a member of staff breach it.</p>
<p><strong>Standards &amp; Baselines</strong></p>
<p>A standard is written to describe the mandatory rules that must be followed to adhere to the policy.  For example, there will be a standard specified for the allocation of IP addresses that a company uses that may define a specified range for use.  They are usually specific to a system or procedure and employees must follow these standards.  They are usually industry-recognized best practices.  ISO27002 is the current ISO standard for Information Security Management.  Standards usually describe the baselines for the minimum level of compliance that must be met in order to meet the standard&#8217;s requirements.</p>
<p><strong>Procedures &amp; Guidelines</strong></p>
<p>Without procedures it would be very hard to enforce a policy.  With procedures we can effectively instruct the employee to act in a deliberate manner when carrying out certain tasks.  In reference to the earlier example of issuing an IP address range, there may be an IP Address Allocation procedure that instructs the employee to update certain documents with the new details and communicate the details to certain parties.  In contrast, guidelines are recommendations that are set out to help comply with the policy&#8217;s objectives by providing a structure or framework to work against.  They are meant to guide the employee into acting in a manner that is supportive of the policy or model and in a way that helps them comply better with the standards.  There are usually frequent references to the guidelines within the policy document.</p>
<p>There are various ways to interpret how the elements work together.  I feel that the policy is a separate entity, but standards and baselines work together to determine the levels of adherence, while guidelines and procedures give us the methods by which to achieve these levels so that we may adhere to the policy and work under the model as a whole.  This area certainly isn&#8217;t my forte but I hope you find the article helpful.</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/78/security-models-polices-standards-procedures/feed</wfw:commentRss>
		</item>
		<item>
		<title>CS-MARS attacks!</title>
		<link>http://syn-ack.co.uk/67/cs-mars-attacks</link>
		<comments>http://syn-ack.co.uk/67/cs-mars-attacks#comments</comments>
		<pubDate>Wed, 15 Oct 2008 14:06:07 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Article]]></category>

		<category><![CDATA[Management &amp; Reporting]]></category>

		<category><![CDATA[Vendor Specific]]></category>

		<category><![CDATA[Cisco]]></category>

		<category><![CDATA[CS-MARS]]></category>

		<category><![CDATA[MARS]]></category>

		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=67</guid>
		<description><![CDATA[Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.
Security Information Management (SIM) platforms are used to provide a central repository for security devices to send any events generated to.  [...]]]></description>
			<content:encoded><![CDATA[<p>Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.</p>
<p>Security Information Management (SIM) platforms are used to provide a central repository that security devices send their generated events to.  Most SIM offerings have a web front end that allows network security staff to view all of the logs generated by devices on their network.  SIMs offer excellent benefits to an organization by allowing security events to be viewed from a single source; the SIM will have the necessary disk space to store these events while making them available for analysis and reporting.  Another benefit that SIMs provide is that they can correlate event data to show any events received that share certain variables, allowing us to recognize trends in the network between reporting devices.  The SIM can be configured to alert administrators if certain events are triggered; however, it is then up to the administrator to find a way of mitigating whatever is triggering the alerts.</p>
<p>The previous SIMs available before CS-MARS provided some excellent features that enabled network security staff to store, analyse and archive any events generated by devices configured to report to the SIM.  An added benefit is that SIMs can help organizations comply with legislation set out to ensure that companies secure data that is confidential such as in the healthcare sector or online stores that retain personal data of customers.</p>
<p>As you can see, SIMs offer us a great deal of functionality, but they were lacking in areas that hadn’t been ventured into before by other vendors.  CS-MARS (Cisco Security – Monitoring Analysis Response System) brought us the features that other vendors lacked.  CS-MARS came about when <a title="Cisco purchased Protego Networks for $65M" href="http://www.theregister.co.uk/2004/12/21/cisco_buys_protego/" target="_blank">Cisco purchased Protego Networks for $65M</a> to extend the capability of Cisco’s self-defending network. Protego had embraced the concept of SIM but enhanced this by adding STM (Security Threat Management) to the MARS product, which Cisco has developed much further since acquiring it.  STM brings new features to the SIM market, allowing us to do things such as timely attack mitigation through mitigation advisories.  Also, because of the STM-oriented design, MARS has better overall topology awareness, which makes other things possible, such as end-to-end network awareness to provide session awareness and data reduction by reducing millions of events down to hundreds.  MARS mitigation strategies employ the use of TCP resets, shuns, and editing ACLs and rulebases.</p>
<p>In short, CS-MARS demonstrates an impressive range of new and innovative features in one solution that nothing else on the market can compare to.  Security event management, correlation and normalization of events, combined with the option for attack mitigation advisories and immediate single-click mitigation deployments, places MARS in a class of its own.</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/67/cs-mars-attacks/feed</wfw:commentRss>
		</item>
		<item>
		<title>Who’s the daddy? :-)</title>
		<link>http://syn-ack.co.uk/62/whos-the-daddy</link>
		<comments>http://syn-ack.co.uk/62/whos-the-daddy#comments</comments>
		<pubDate>Tue, 23 Sep 2008 23:11:06 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=62</guid>
		<description><![CDATA[I&#8217;ve had a couple of emails asking when I&#8217;d be putting up my next VPN post.  Just to say, the reason I&#8217;ve not posted recently is my wife gave birth to our first child last month and I&#8217;ve been hectic since!  
Stay tuned..
]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve had a couple of emails asking when I&#8217;d be putting up my next VPN post.  Just to say, the reason I&#8217;ve not posted recently is my wife gave birth to our first child last month and I&#8217;ve been hectic since! <img src='http://syn-ack.co.uk/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Stay tuned..</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/62/whos-the-daddy/feed</wfw:commentRss>
		</item>
		<item>
		<title>VPN Technologies: The Big Picture</title>
		<link>http://syn-ack.co.uk/51/vpn-technologies-the-big-picture</link>
		<comments>http://syn-ack.co.uk/51/vpn-technologies-the-big-picture#comments</comments>
		<pubDate>Mon, 04 Aug 2008 13:23:45 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Article]]></category>

		<category><![CDATA[Encryption]]></category>

		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=51</guid>
		<description><![CDATA[I think it would be beneficial to have an overview of how an IPsec VPN is built so we can at least see the “big picture” before delving into the specifics.  There are essentially five main phases.  They are as follows:
1.  &#8220;Interesting Traffic&#8221; initiates the VPN process on the security appliance.
There are usually many different [...]]]></description>
			<content:encoded><![CDATA[<p>I think it would be beneficial to have an overview of how an IPsec VPN is built so we can at least see the “big picture” before delving into the specifics.  There are essentially five main phases.  They are as follows:</p>
<p><strong>1.  &#8220;Interesting Traffic&#8221; initiates the VPN process on the security appliance.</strong></p>
<p>There are usually many different data streams flowing through your devices and not all of them will be part of the VPN tunnel.  Some may be HTTP traffic, SMTP connections etc.  There needs to be a way of the appliance distinguishing what traffic should be tunnelled and what shouldn&#8217;t.  The most common method is to use an Access Control List (ACL) or rulebase.</p>
<p><strong>2.  IKE Phase 1.  IKE (Internet Key Management protocol)</strong></p>
<p>IKE Phase 1 is the process that occurs when the two endpoints first establish connectivity.  The purpose of which is to create a secure connection between VPN peers that will facilitate the IKE Phase 2 security parameters agreement.</p>
<p><strong>3.  IKE Phase 2</strong></p>
<p>Once a temporary secure connection has been formed between the two VPN peers, IKE Phase 2 will negotiate the security parameters that will be used between the two endpoints for the VPN tunnel and then periodically renegotiate them throughout the lifetime of the tunnel to ensure maximum security in the event of an attack.</p>
<p><strong>4.  IPsec VPN Tunnel Established</strong></p>
<p>Once IKE Phase 2 has completed both peers may now send data to each other.  As data is sent and received through the tunnel it will be encrypted and decrypted by the VPN peers using the security parameters agreed upon in IKE Phase 2.</p>
<p><strong>5.  IPsec VPN Tunnel Terminated</strong></p>
<p>IPsec VPN tunnels will be torn down after a specified period or by manually stopping the IPsec tunnel.  The tunnel can be re-established before the timeout is reached if new security parameters can be agreed again using IKE Phase 2.  This ensures a stable connection and no interruption of data flow should the timeout expire during communications.</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/51/vpn-technologies-the-big-picture/feed</wfw:commentRss>
		</item>
		<item>
		<title>VPN Technologies:  IPsec 101</title>
		<link>http://syn-ack.co.uk/41/vpn-technologies-ipsec-101</link>
		<comments>http://syn-ack.co.uk/41/vpn-technologies-ipsec-101#comments</comments>
		<pubDate>Fri, 01 Aug 2008 14:01:43 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Encryption]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=41</guid>
		<description><![CDATA[I intend for this to be the first of a number of articles explaining VPN technologies.  The articles that follow on from this one will provide a more in-depth discussion of Virtual Private Networks.  VPNs have become increasingly popular due to the flexibility they offer and the cost of site-to-site circuits.  The demand for unified [...]]]></description>
			<content:encoded><![CDATA[<p>I intend for this to be the first of a number of articles explaining VPN technologies.  The articles that follow on from this one will provide a more in-depth discussion of Virtual Private Networks.  VPNs have become increasingly popular due to the flexibility they offer and the cost of site-to-site circuits.  The demand for unified communications and mobility means that companies must ensure their networks facilitate inter-site communications while keeping costs reasonable.  VPN technology enables us to safely transmit data streams over a public network (the internet) without fear of it being compromised.</p>
<p>There are many different vendors producing appliances responsible for terminating VPN tunnels and it is because of this that VPNs must conform to open standards for interoperability.  The IPsec protocol suite was developed to provide a means of securing data transfer between two points and it can provide data encryption, authentication and anti-replay mechanisms.</p>
<p>IPsec works at layer 3 in the OSI stack and can therefore be used independently of application encryption.  As this article is intended as a guide please remember that this is a brief overview of IPsec.</p>
<p>Amongst others discussed later, IPsec uses two protocols to provide these services, both of which offer different security parameters.  They are:</p>
<p>Authentication Header (AH)</p>
<p>and</p>
<p>Encapsulating Security Payload (ESP)</p>
<p>Nowadays, AH is used when the data being sent and received is not deemed confidential and therefore does not require to be encrypted.  AH offers connectionless integrity and data origin authentication and also optionally provides an anti-replay mechanism using sequence numbers.  This function is enabled by default, but it is optional for the receiver to perform anti-replay checking on it.  AH provides authentication by appending a hash value to the packet.</p>
<p>ESP provides data origin authentication, integrity and confidentiality.  The latter is the reason ESP is far more popular than AH.  ESP uses an encryption algorithm to scramble data that only the receiver can unscramble at the other end.  This means that as well as ensuring you are connected to the correct person and the data hasn&#8217;t been modified, you can relax knowing that in the event someone is sniffing data along the path they cannot decipher what has been sent.  ESP can use different forms of encryption algorithms to provide confidentiality - more on this in later articles.</p>
<p>Well, that is a very brief overview of IPsec VPNs.  My next article will discuss the process of a VPN being established, used and then torn down, and articles from there on in will discuss individual areas of an IPsec VPN.  Once I have bored you all to tears with IPsec I’ll do a few articles about GRE tunnels.</p>
<p>Stay tuned and please remember before commenting that this a brief overview and I&#8217;ll focus on the other areas as each article progresses.</p>
<p>Ian</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/41/vpn-technologies-ipsec-101/feed</wfw:commentRss>
		</item>
		<item>
		<title>Dan Kaminsky’s DNS Bug</title>
		<link>http://syn-ack.co.uk/33/dan-kaminskys-dns-bug</link>
		<comments>http://syn-ack.co.uk/33/dan-kaminskys-dns-bug#comments</comments>
		<pubDate>Fri, 25 Jul 2008 19:32:26 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[DNS]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Kaminsky]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=33</guid>
		<description><![CDATA[Dan posted a nice little explanation on his blog giving a good overview of the bug he found.
Have a look here -&#62; http://www.doxpara.com/?p=1185
]]></description>
			<content:encoded><![CDATA[<p>Dan posted a nice little explanation on his blog giving a good overview of the bug he found.</p>
<p>Have a look here -&gt; <a href="http://www.doxpara.com/?p=1185">http://www.doxpara.com/?p=1185</a></p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/33/dan-kaminskys-dns-bug/feed</wfw:commentRss>
		</item>
		<item>
		<title>CCNP at last!</title>
		<link>http://syn-ack.co.uk/30/ccnp-at-last</link>
		<comments>http://syn-ack.co.uk/30/ccnp-at-last#comments</comments>
		<pubDate>Fri, 25 Jul 2008 19:27:17 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Certification]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Vendor Specific]]></category>

		<category><![CDATA[CCNP]]></category>

		<category><![CDATA[ISCW]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=30</guid>
		<description><![CDATA[I finally passed the damned thing! :-)  I sat the ISCW exam today and walked away with the CCNP - woohoo!  I&#8217;m more happy that I can get back to doing what I enjoy now without having to do any more routing/switching stuff for a while.  The ISCW course focused mainly on VPN technology, ADSL, Cable and [...]]]></description>
			<content:encoded><![CDATA[<p>I finally passed the damned thing! :-)  I sat the ISCW exam today and walked away with the CCNP - woohoo!  I&#8217;m more happy that I can get back to doing what I enjoy now without having to do any more routing/switching stuff for a while.  The ISCW course focused mainly on VPN technology, ADSL, Cable and secure configuration management.  It was a bit more enjoyable than the other exams but because it&#8217;s locked into Cisco products I sometimes feel like the certification track is more like an ongoing advertisement for the vendor. </p>
<p>I&#8217;m not sure what I&#8217;ll focus on now.  I&#8217;ve got to keep my skills sharp and my certifications current because I&#8217;m self employed and the industry can be a bit fickle I suppose - make no mistake, hands-on experience is what counts.  Whatever it is, I intend to do something fun alongside it.  I really fancy doing Remote Exploit&#8217;s Offensive Security course, although I may warm up with the BackTrack WiFu course first - the Remote Exploit team are superb -&gt; <a href="http://www.remote-exploit.org/">http://www.remote-exploit.org/</a></p>
<p>It&#8217;s been a few months since I&#8217;ve done any meaty Checkpoint stuff so I may just recertify my CCSA in NGX at the same time.  Decisions, decisions!  For now I&#8217;m just happy that this one&#8217;s out of the way!</p>
<p>Ian</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/30/ccnp-at-last/feed</wfw:commentRss>
		</item>
		<item>
		<title>USB Data Security</title>
		<link>http://syn-ack.co.uk/26/usb-data-security</link>
		<comments>http://syn-ack.co.uk/26/usb-data-security#comments</comments>
		<pubDate>Thu, 24 Jul 2008 12:01:41 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Article]]></category>

		<category><![CDATA[Encryption]]></category>

		<category><![CDATA[IronKey]]></category>

		<category><![CDATA[TrueCrypt]]></category>

		<category><![CDATA[USB]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=26</guid>
		<description><![CDATA[How many USB keys are lost or stolen every year?  Lots.
How many of those keys have confidential corporate information on them?  Lots.
How many of those data keys are encrypted?  Not many.
USB Data Keys..  A great little gadget that allows users to store up to 320GBs of data in their pocket that&#8217;s accessible simply by plugging [...]]]></description>
			<content:encoded><![CDATA[<p>How many USB keys are lost or stolen every year?  Lots.</p>
<p>How many of those keys have confidential corporate information on them?  Lots.</p>
<p>How many of those data keys are encrypted?  Not many.</p>
<p>USB Data Keys..  A great little gadget that allows users to store up to 320GBs of data in their pocket that&#8217;s accessible simply by plugging it into a USB slot on a PC.</p>
<p><em>or</em></p>
<p>USB Data Keys..  An Information Security nightmare!  Taking data security away from secured systems and putting it in the trust of a user.</p>
<p>Anyone who knows a little about IT security can appreciate the risks involved with using USB data keys.  Don’t get me wrong, I think they&#8217;re great little tools and I have one myself, in fact, I rely quite heavily upon it!  I use it for storing programs, files, data sheets, expense claims and even my Linux distribution that boots from it.  It’s a brilliant little thing.</p>
<p>But what happens when we lose it?  And let’s face it; they are easy to lose.  Why do companies present themselves with and accept this huge risk?  Everything and anything can be stored on these keys by your users – users that can’t remember passwords for more than one week let alone secure a small, easily lost data key filled with sensitive information!</p>
<p>There are two solutions:</p>
<p>1)    Disable the use of USB data keys through a group policy or PC build configuration.</p>
<p>2)    Secure the data on the USB key so that if it is lost it cannot be read or recovered.</p>
<p>The first one is an instant no-go.  Getting that signed off under the IT security policy would be extremely difficult given the convenience of mobile data to users.</p>
<p>Securing the data is where we really need to focus our attention when looking for a solution to our problem and there are two ways of doing so.</p>
<p>1)    Use a data key with built-in hardware encryption.</p>
<p>2)    Use third party software to encrypt the USB drive/data.</p>
<p>Option 1 – I’m sure there are a few vendors out there who manufacture USB keys with built-in encryption, but the leader by far in this area is a company called IronKey.  Their USB keys appear to be very easy to use for the end user (I said appear as I’ve never used one - send me one for review IronKey! <img src='http://syn-ack.co.uk/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> ).  Basically, it is a USB key with an encryption chip between the USB interface and the memory chip that encrypts and decrypts data as it is passed to and from the USB memory chip.  When the USB key is inserted the user is prompted for a password, and that is used as the key for encrypting/decrypting the data on the fly.  Don&#8217;t worry about brute force attacks on the password either: 10 strikes and you&#8217;re out!  Dangerous, but secure - I like it.  Reports indicate that the data transfer speeds are very quick due to the high quality memory being used internally.  So, we have a very secure, fast and easy to operate USB memory key with IronKey; the only drawback is the price.  IronKeys are a fair bit more expensive than traditional USB memory keys, with prices starting at $79 for the 1GB Basic version right up to $299 for the 8GB Basic version, but hey, you get what you pay for, right?</p>
<p>Option 2 – If something like an IronKey is out of your price range, or you would simply rather not pay for the convenience that they offer, then the alternative is to use third party encryption software (as I do) such as TrueCrypt.  TrueCrypt allows you to either encrypt the whole USB stick or create a secure “container” on it and encrypt that.  The container is then mounted using the TrueCrypt application and is seen as another volume.  The only drawback is that you have to use the application to mount the volume; however, this can be stored on an unencrypted area of the disk for use on any PC.  TrueCrypt will run on Windows, Linux and OS X and is free to use for personal and enterprise use.</p>
<p>Hope that helps! <img src='http://syn-ack.co.uk/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Ian</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/26/usb-data-security/feed</wfw:commentRss>
		</item>
		<item>
		<title>Dan Dare and the DNS Drama</title>
		<link>http://syn-ack.co.uk/19/dan-dare-and-the-dns-drama</link>
		<comments>http://syn-ack.co.uk/19/dan-dare-and-the-dns-drama#comments</comments>
		<pubDate>Thu, 24 Jul 2008 10:32:42 +0000</pubDate>
		<dc:creator>Ian</dc:creator>
		
		<category><![CDATA[Article]]></category>

		<category><![CDATA[DNS]]></category>

		<category><![CDATA[News]]></category>

		<category><![CDATA[Kaminsky]]></category>

		<guid isPermaLink="false">http://syn-ack.co.uk/?p=19</guid>
		<description><![CDATA[Two weeks ago, renowned security researcher Dan Kaminsky released information to the security community that alluded to a major DNS flaw on the internet.  However, instead of spreading the exploit to all and sundry he instead decided to inform major DNS vendors that the flaw existed and required patched before it became common knowledge to [...]]]></description>
			<content:encoded><![CDATA[<p>Two weeks ago, renowned security researcher Dan Kaminsky released information to the security community that alluded to a major DNS flaw on the internet.  However, instead of spreading the exploit to all and sundry, he instead decided to inform major DNS vendors that the flaw existed and required patching before it became common knowledge to all and exploited.</p>
<p>In doing so, Dan became the subject of criticism from his peers.  Their mindset was that exploits should be released and be public knowledge so that fixes can be deployed and the theory reviewed by other security professionals.  Dan himself admits that he was wrong in not seeking peer review before going public; he instead chose to go public about the flaw that he identified before all systems were fully patched and announce that a fix was being deployed.  He admitted he was wrong but I can’t help but think he wasn’t - although I must credit him for falling on his own sword after the scorn of fellow security professionals.  He didn’t release the flaw to any of his online peers because he was concerned that it would be released early, before all DNS servers could be patched – which is exactly what happened.</p>
<p>After receiving this criticism he instead opted to seek out the opinions of two other prominent security professionals, one being Dino Dai Zovi and the other Thomas Ptacek, a security expert and Principal over at Matasano Security.  Both validated Dan&#8217;s claims – he was right, the DNS vulnerability is real.  Dan was due to speak at Black Hat in Las Vegas, where he would release details of the vulnerability as sufficient time would have passed to allow the patching of vulnerable servers.  However, before he had the chance, someone beat him to the punch.</p>
<p>Halvar Flake, otherwise known as Thomas Dullien, CEO and Head of Research over at Zynamics, decided to post his own hypothesis on what the vulnerability was.  It turned out that he was almost bang on with his theory, and this was then corroborated when a post by a researcher at Matasano Security corrected some of the details Halvar Flake had posted - swiftly hitting the nail on the head of any secrecy left out there about the vulnerability.  As soon as Matasano realised the blog post had been published early they removed it, and a letter of apology was published from Thomas Ptacek.  He explained that the post was not supposed to have been published, apologised for the leak and praised Dan for his work in finding the exploit.</p>
<p>As it stands, the patches are being applied but Dan suggests that for now you use OpenDNS for your DNS services, they are expecting your traffic and their DNS servers are safe to use.</p>
<p>Who says IT is boring? <img src='http://syn-ack.co.uk/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Ian</p>
]]></content:encoded>
			<wfw:commentRss>http://syn-ack.co.uk/19/dan-dare-and-the-dns-drama/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
