Network Response

Cisco IPS 6.1 and IME Released

noreply@blogger.com (Chris Durkin) — Thu, 01 May 2008 13:10:00 +0000

Cisco IPS Sensor Software 6.1 and the new Cisco IPS Manager Express software have been released. Thanks to Joe Harris` Blog for this.

IPS Sensor Software 6.1 now includes auto-update direct from Cisco.com, great about time!

And the free IPS Manager Express is a very welcome feature, that also includes many video trainings built-in, on how to use the product.

See a sample of screen shots below, if you manage under 5 sensors, i definitely recommend you take a look.

IPS Sensor Updates

Managing Upto 5 Sensors

Event Monitoring/Deny Attacker

IPS Policy/Risk Rating

Video Training

New Components of the Cisco Self Defending Network

noreply@blogger.com (Chris Durkin) — Thu, 10 Apr 2008 09:05:00 +0000

Joe Harris, on the 6200networks blog, has some great info on the next phase of the Cisco Self-Defending Network strategy.

One new component that caught my eye, is the Cisco IPS Manager Express (IME), a brand new all-in one application for IPS provisioning, monitorin and reporting, for upto 5 sensors.

You can find the data sheet HERE.

WAAS Mobile Released

noreply@blogger.com (Chris Durkin) — Mon, 04 Feb 2008 10:02:00 +0000

I noticed from the Cisco Networkers 2008 Blog, that WAAS Mobile was released.

You can find the VIDEO datasheet HERE, and also the product datasheet HERE.

EOL/EOS for the Cisco IDS 4215 Sensor

noreply@blogger.com (Chris Durkin) — Thu, 31 Jan 2008 09:33:00 +0000

Not being content enough with the EOL for the Cisco PIX, Cisco have now announced the end-of-sale and end-of life dates for the Cisco IDS 4215 Sensor!

The EOL notice can be found here.

"Customers with the Cisco IDS 4215 Sensor are encouraged to migrate to the Cisco ASA 5510 Adaptive Security Appliance Intrusion Prevention System (IPS) solution with Advanced Inspection and Prevention Security Services Module AIP-SSM-10. The Cisco ASA 5510 IPS solution with AIP-SSM-10 provides a higher IPS throughput of 150 Mbps plus industry-leading firewall protection. Customers with higher performance requirements can purchase the Cisco IPS 4240 Sensor or the Cisco ASA 5520 IPS solution with AIP-SSM-20. Supporting throughput of 250 Mbps, the Cisco IPS 4240 Sensor supports inline, promiscuous, and hybrid deployment modes. The Cisco ASA 5520 IPS solution with AIP-SSM-20 provides IPS throughput of 375 Mbps in addition to industry-leading firewall protection."

EOL for Cisco PIX!

noreply@blogger.com (Chris Durkin) — Thu, 31 Jan 2008 09:27:00 +0000

Well its been coming for ages, but Cisco have finally announced the EOL for the Cisco PIX.

The EOL and EOS Notices can be found HERE, but basically all models, 501,506,515E,525,535 are now effectively End of Life, along with the software versions 6.3, 7.0, 7.2 and 8.0!

"Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances. In addition to providing more firewall capabilities and the same IPsec VPN capabilities as Cisco PIX Security Appliances running version 8.0 software, the Cisco ASA 5500 Series offers significantly better performance and scalability, SSL VPN support, advanced Unified Communications (voice/video) security, and a modular design that allows customers to add features such as intrusion prevention (IPS), antivirus, antispam, antiphishing, URL filtering, and more. Migration to the Cisco ASA 5500 Series is straightforward, as consistent management and monitoring interfaces are provided, allowing customers to take advantage of their knowledge and investment in Cisco PIX Security Appliances."

ASA 5580

noreply@blogger.com (Chris Durkin) — Wed, 23 Jan 2008 11:21:00 +0000

The press release states.."Cisco today announced the availability of the Cisco ASA 5580 Series Adaptive Security Appliances, the company's highest-performing security appliance offering. The new Cisco ASA 5580 is a super-high-performance security platform equally well suited for deployment as a highly scalable firewall with up to 20 gigabits per second (Gbps) of throughput, as well as a 10,000 user remote-access concentrator for Secure Sockets Layer (SSL) and IP Security (IPsec)-based virtual private networks (VPN)."

For ASA model comparison click HERE.

ASA Threat Detection

noreply@blogger.com (Chris Durkin) — Wed, 21 Nov 2007 09:46:00 +0000

Joe Harris on his 6200networks blog, has done a great write up on the PIX/ASA feature - Threat Detection.

"Threat detection uses historical rates over various firewall operations to provide: * Basic threat detection reports of possible attacks detected by firewall * Scanning threat detection based on host, subnet, port and general threat detected by firewall or inspection engines * Statistics based on host, port, or protocol * Top 10 list for each statistics type"

Type 7 decryption in Cisco IOS

noreply@blogger.com (Chris Durkin) — Wed, 14 Nov 2007 09:12:00 +0000

Ivan Pepelnjak`s great blog IOS Hints and Tricks has a great tip for decoding type-7 passwords, on the router itself, rather than with a password cracking program.

You can see the article here.

Cisco NAC Demos

noreply@blogger.com (Chris Durkin) — Fri, 02 Nov 2007 16:13:00 +0000

Following on from the successful Cisco MARS demos, on Demolabs.co.uk, I thought i`d let you know about some new Cisco NAC Appliance Demos.

There are 2 Demos today, one is using Cisco NAC Appliance with WSUS (Windows Server Update Services), then second is a Demo of the new Cisco NAC Guest Server, integrated with Cisco NAC Appliance.

These can be found here.

Cisco IPS AIM for ISRs

noreply@blogger.com (Chris Durkin) — Wed, 31 Oct 2007 14:04:00 +0000

I noted from the 6200networks blog, that the new Cisco IPS Advanced Integration Module (IPS AIM), is now available.

The Cisco^® Intrusion Prevention System Advanced Integration Module (IPS AIM) brings integrated intrusion prevention to enterprise branch offices and expands network security to the edge. The Cisco IPS AIM for the Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers brings Cisco IPS to branch offices and small businesses.

More info on this can be found here

Cisco NAC Guest Server

noreply@blogger.com (Chris Durkin) — Wed, 31 Oct 2007 14:01:00 +0000

Cisco® NAC Guest Server is a new appliance that works with either Cisco NAC Appliance or Cisco Wireless LAN controllers to manage the entire life cycle of guest access, including:

Provisioning - Allows any internal sponsor to create accounts
Notification - Provides access details by print, email or sms
Management - Change and Suspend Accounts
Reporting - Full Reporting accounts and guest activity

A diagram on the integration with NAC Appliance is shown below..

Further info on this new device, can be found in the datasheet.

New Ask the Expert Forums

noreply@blogger.com (Chris Durkin) — Fri, 26 Oct 2007 11:00:00 +0000

Just a note on two new "Ask the Expert" Forums on the Cisco Website.

The first is discussing Network Admission Control in Branch Office, with Tips for deploying NAC network module for Cisco Integrated Services Router (ISR) to enforce security policies at the branch.

The second, is on how to have a good incident management process to prepare for security threats which have increased dramatically.

Cisco 4270 IPS Sensor

noreply@blogger.com (Chris Durkin) — Wed, 10 Oct 2007 09:39:00 +0000

There is a new model in the IPS Sensor family, the 4270.

Part of the Cisco Intrusion Prevention System family of products, this inline network security appliance provides up to 4 Gbps of intrusion prevention performance. With optional fiber or copper NIC cards for as many as 16 interfaces, you can monitor multiple segments for malicious traffic.

See a Video HERE, or datsheet HERE.

Cisco NAC Module for ISRs

noreply@blogger.com (Chris Durkin) — Tue, 02 Oct 2007 15:58:00 +0000

The Cisco® NAC Network Module for Integrated Services Routers (NME-NAC-K9) brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers.

A new datasheet is now available HERE.

I have one of these new NAC modules in a demolab, so i`ll be doing a couple of articles soon.

Cisco IPS Engines - Normalizer Continued

noreply@blogger.com (Chris Durkin) — Tue, 02 Oct 2007 14:03:00 +0000

Carrying on with the Cisco IPS Normalizer Engine, and TCP Steam Reassembly. Part One of the article can be found here.

You can configure the sensor to monitor only TCP sessions that have been established by a complete three-way handshake. You can also configure how long to wait for the handshake to complete, and how long to keep monitoring a connection where no more packets have been seen.

The goal is to prevent the sensor from creating alerts where a valid TCP session has not been established. There are known attacks against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The TCP session reassembly feature helps to mitigate these types of attacks against the sensor.

You first choose the method the sensor will use to perform TCP stream reassembly, then you can tune TCP stream reassembly signatures, which are part of the Normalizer engine.

Stream Reassembly—Lets you configure TCP stream reassembly.

TCP Handshake Required—Specifies that the sensor should only track sessions for which the three-way handshake is completed. (The default is Yes)

TCP Reassembly Mode—Specifies the mode the sensor should use to reassemble TCP sessions with the following options:

Asymmetric—Can only see one direction of bidirectional traffic flow.

Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen. The asymmetric option disables TCP window evasion checking.

Strict—If a packet is missed for any reason, all packets after the missed packet are not processed. (This is the default mode)

Loose—Allows gaps in the sequence.

Different TCP Stream Reassembly Signatures have different parameters that can be modified.

Next up will be the Services Engines, and more specifically the Service - DNS.

Cisco Applied Intelligence Response: Microsoft Security Bulletin for September 2007

noreply@blogger.com (Chris Durkin) — Tue, 25 Sep 2007 11:27:00 +0000

Microsoft announced four security bulletins containing four vulnerabilities as part of the monthly Security Bulletin release on September 11, 2007.

This Cisco Applied Intelligence Response document highlights the vulnerabilities that can be effectively identified and/or mitigated using Cisco network devices, including PIX/ASA, IPS, MARS and Cisco Security Agent.

OnPodcasts

noreply@blogger.com (Chris Durkin) — Thu, 20 Sep 2007 08:06:00 +0000

I came across this new Podcast service the other day.

http://www.onpodcastweekly.com/

OnSecurity—will talk to some of the security industry's leading experts about a wide range of network, system, and software security issues. Our interviews include talks with Software Security author Gary McGraw, Security Metrics author Andrew Jaquith, and Firewall Fundamentals author Wes Noonan to name just three. With discussions on topics ranging from rootkits and exploiting online games to Java security and firewall basics, we have something for security professionals working in every part of the industry.

OnNetworking, the OnPodcast Network's newly introduced service, features video and audio conversations with the most influential networking professionals and best-selling authors in the networking technology space.

There are a few other categorys too, OnMicrosoft, OnNetworking plus a few more.

Techwise TV - Email Show

noreply@blogger.com (Chris Durkin) — Thu, 20 Sep 2007 07:56:00 +0000

Techwise TV will be hosting a show on Email Threats and how to deal with them. This looks to be an interesting show, as it will feature the recently acquired IronPort.

Check it out here, on Today.

Great Cisco Icons

noreply@blogger.com (Chris Durkin) — Tue, 11 Sep 2007 11:12:00 +0000

If your always producing Cisco network diagrams for yourself or Customers, then heres a handy set of powerpoint slides for you.

This set of Cisco ICONS has been put together by Jeremy Cioara, who you may know from the CBT Nuggets series, and published on his Cisco Blog.

Book Review: Cisco NAC Appliance: Enforcing Host Security with Clean Access

noreply@blogger.com (Chris Durkin) — Tue, 04 Sep 2007 13:59:00 +0000

Title: Cisco NAC Appliance: Enforcing Host Security with Clean Access
Authors: Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal
Publisher: Cisco Press

Quote "Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection, enforcement, and remediation solution that is designed to meet these new challenges. Cisco NAC Appliance allows you to enforce host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system. Cisco NAC Appliance provides proactive protection at the network entry point."

This was a long awaited book for me, and i`ve been installing NAC Appliance for a while now.

Inband, Out-of-Band, L2 vs L3, Central and Edge Deployments, SSO, CAM, CAS its very easy to get lost in all the NAC Appliance Jargon, especially when reading the NAC documentation for the first, second or third time!

The Chalk-Talk series on Cisco.com is good, but the book is much, much better, at understanding the Cisco NAC Appliance Solution, and its a whopping 576 pages too.

Its a great resource to have on your desk, that explains the product in detail, potential gotchas, and many helpful hints to aid you in a successfull NAC Appliance Implentation.

There are 15 chapters covering the basis of the solution, the building blocks, the Roles, Traffic Policies, Posture Rules, Remedaition, Single Sign On, Troubleshooting with many examples and switch configs steps along the way.

If your have just implemented a Cisco NAC Appliance solution or are considering doing so, then this book is a definate buy for you.

NME-NAC-K9 module now available

noreply@blogger.com (Chris Durkin) — Mon, 03 Sep 2007 15:37:00 +0000

The new Cisco NAC Module for the ISR, is available now, with the images on CCO.

Quote from Jamie R. Sanbower`s NAC Appliance Blog, "The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers.

The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code."

The release notes for these modules are available HERE.

Cisco IPS Auto Update

noreply@blogger.com (Chris Durkin) — Sun, 12 Aug 2007 20:11:00 +0000

How can you schedule Service Packs and Signature updates for your Cisco IPS Sensor? Well this can be done with the Auto Update feature.

Now before i go into the configuration, there is an important point to note. The sensor cannot automatically download service pack and signature updates from Cisco.com. You must first download the updates with your own CCO account, and save these on your FTP or SCP server. This is where we define the location of the files in the Auto Update feature.

Below, i have used 3CDaemon, but any FTP Server should befine, except a known problem with Microsoft FTP server using MS-DOS style-paths.

You simply define the IP address of the FTP or SCP Server, and a username, password plus directory. Then specify a start time, and frequency.

Hey presto, thats it. If there is an available update, it is downloaded and installed. Only one update is installed per cycle even if there are multiple available candidates. The sensor determines the most recent update that can be installed and installs that file.

A hint on troubleshooting this feature. There is an event generated, if you specify an incorrect username or password for the FTP/SCP Server...

Lastly, bear in mind there is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow but not inspected if you have auto bypass enabled.

New NAC Book Available on Safari

noreply@blogger.com (Chris Durkin) — Mon, 06 Aug 2007 08:30:00 +0000

The new Cisco NAC Appliance Book: Enforcing Host Security with Clean Access, is now available on Safari BooksOnline, for those people with a subscription.

Look out soon for a review.

NAC Appliance 4.1.2

noreply@blogger.com (Chris Durkin) — Mon, 30 Jul 2007 12:54:00 +0000

NAC Appliance version 4.1.2 should be available very soon, according to the NAC Appliance Blog.

An interesting note from the release notes, is the support for the new NAC appliance module....

"Release 4.1(2) introduces support for the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs)."

More info on this new module soon.

Cisco IP Signature Engines - Normalizer Engine

noreply@blogger.com (Chris Durkin) — Tue, 10 Jul 2007 14:14:00 +0000

Carrying on with the Cisco IPS Signature Engines, comes the Normalizer Engine.

This article will be in 2 parts.

This signature engine deals with IP Fragment Reassembly and TCP Stream Reassembly.

So what is IP Fragmentation?

Every transmission medium has a limit on the maximum size of a frame (MTU) it can transmit. As IP datagrams are encapsulated in frames, the size of IP datagram is also restricted. If the size of An IP datagram is greater than this limit, then it must be fragmented. The breaking up of a single IP datagram into two or more IP datagrams of smaller size is called IP fragmentation.

And what is Reassembly?

Each fragment becomes its own datagram and is routed independently of any other datagrams. This makes it possible for the fragments of the original datagram to arrive at the final destination out of order. At the final destination, the process of re-constructing the original datagram is called reassembly

On the way to this particular link, packets 3 and 4 have been misordered, and packet 2 has been lost. To solve this, within TCP a sequence number is attached to each packet so the destination machine can re-assemble the data in order. An error detection mechanism is also implemented so any packets that have become corrupted can be identified.

Which RFCs discuss IP fragmentation?

RFC 791 (Internet Protocol) & RFC 815 (IP datagram reassembly algorithms) discusses about IP datagrams, fragmentation and reassembly.

Back to the Signature Engine!

With the Normalizer engine you can set limits on system resource usage, for example, the maximum number of fragments the sensor tries to track at the same time.

NB - You cannot add custom signatures to the Normalizer engine. You can tune the existing ones.

Intentional or unintentional fragmentation of IP datagrams can hide exploits making them difficult or impossible to detect. An old article for reference is good here.

Reassembling all fragmented datagrams inline and only forwarding completed datagrams, refragmenting the datagram if necessary, prevents this.

The IP Fragmentation Normalization unit performs this function.

IP Fragmentation Normalization

You can configure the sensor to reassemble a datagram that has been fragmented over multiple packets. You can specify boundaries that the sensor uses to determine how many datagram fragments it reassembles and how long to wait for more fragments of a datagram.

The goal is to ensure that the sensor does not allocate all its resources to datagrams that cannot be completely reassembled, either because the sensor missed some frame transmissions or because an attack has been launched that is based on generating random fragmented datagrams.

The tables below show the IP fragment reassembly signatures with the parameters that you can configure for IP fragment reassembly.

We can configure the mode the sensor uses for IP fragment reassembly, by setting the IP Ressembly Mode. This Identifies the method the sensor uses to reassemble the fragments, based on the operating system.

Note: You can configure this option if your sensor is operating in promiscuous mode. If your sensor is operating in line mode, the method is NT only.

Sensors in promiscuous mode report alerts on violations. Sensors in inline mode perform the actionspecified in the event action parameter, such as produce alert, deny packet inline, and modify packet inline.

If we look at Signature 1200 subsig 0 (IP Fragmentation Buffer Full), its default is to Deny Packet Inline, and produce an Alert, plus we can modify a couple of the Engine Parameters above...

In the next part we will look at reassembly, or more specifically TCP Stream Reassembly. We can monitor only TCP sessions that have been established by a complete three-way handshake.The goal is to prevent the sensor from creating alerts where a valid TCP session has not been established.