<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-31465908</id><updated>2012-01-31T14:49:26.370-05:00</updated><title type='text'>Mike's Cisco Blog - Now Focusing on Not Focusing</title><subtitle type='html'>A blog dedicated to the wild world of Cisco networking technologies.  This blog has grown from a focus on Cisco MARS to now encompass other technologies I work with, such as VoIP and wireless.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>41</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-31465908.post-5489824105924711586</id><published>2008-08-14T20:58:00.002-04:00</published><updated>2008-08-14T21:02:26.306-04:00</updated><title type='text'>Cisco Security Agent 6.0 Out!</title><content type='html'>For all you Cisco security freaks out there, the long-awaited CSA 6.0 is now released.  
This latest version of Cisco Security Agent brings some great enhancements, including Vista agent support, an integrated signature-based anti-virus scanner, and a very cool data leakage protection (DLP) feature.  I've been part of the beta the past couple months and have seen the terrific changes from 5.2 to 6.0.  All you 5.2 owners with SAU, start downloading 6.0 and try it out.  Check the rather verbose release notes &lt;a href="http://www.cisco.com/en/US/docs/security/csa/csa60/release_notes/CSA60RN.html"&gt;here&lt;/a&gt;, and enjoy.  If there's enough interest I can do a few posts on the new features bundled with 6.0.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-5489824105924711586?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/5489824105924711586/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=5489824105924711586' title='63 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/5489824105924711586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/5489824105924711586'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/08/cisco-security-agent-60-out.html' title='Cisco Security Agent 6.0 Out!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>63</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-4422612158857969732</id><published>2008-05-23T19:24:00.002-04:00</published><updated>2008-05-23T19:29:00.018-04:00</updated><title type='text'>CCNP BCMSN:  Passed!</title><content type='html'>Just thought I'd share my excitement on successfully passing my BCMSN exam this past Monday.  This is my first CCNP-level exam and gets me renewed on my CCNA until 2011!  The certification exams have certainly gotten more brutal.  I was expecting lots of spanning tree questions, but there ended up being a lot of focus on QoS and HSRP/GLBP.  Just goes to show you that anything is up for grabs with these exams.  What should be next:  ONT, ISCW, or BSCI?&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-4422612158857969732?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/4422612158857969732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=4422612158857969732' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4422612158857969732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4422612158857969732'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/05/ccnp-bcmsn-passed.html' title='CCNP BCMSN:  Passed!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-3185996712311531281</id><published>2008-04-26T21:45:00.002-04:00</published><updated>2008-04-26T21:54:11.812-04:00</updated><title type='text'>Mike's Blog:  A New Direction</title><content type='html'>What's this... it's changing?  Well, not really.  The title of my blog is going to be changing (domain name still the same) to reflect the new direction I plan to take this blog.  I try to focus on security, but with the project load I have, I'm finding not everything focuses on security.  I'm learning a lot, much like everyone reading this.  I want to share the ups and downs, and I think by lifting the security-focus of this blog, I can discuss topics on some of the newer systems I work on.  You've already seen some posts about wireless and VoIP.  I consider Chris over at &lt;a href="http://ciscomars.blogspot.com/"&gt;The Unofficial MARS Blog&lt;/a&gt; the man to go to about everything CS-MARS.  I'd hate to take away any attention from him by having a competing blog (I never saw it as a competition), when he has a wealth of knowledge on MARS to share.  I'll still post about MARS and security, but now you'll see some topics I previously saw as not necessary on a MARS/security blog.  
Stay tuned...&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-3185996712311531281?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/3185996712311531281/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=3185996712311531281' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/3185996712311531281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/3185996712311531281'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/04/mikes-blog-new-direction.html' title='Mike&apos;s Blog:  A New Direction'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-2959621257770995186</id><published>2008-04-20T11:49:00.003-04:00</published><updated>2008-04-20T12:40:24.555-04:00</updated><title type='text'>Data Breach: Are You Next? - Part 2</title><content type='html'>So last time I talked a little bit about the current state of affairs in IT security. We've seen attacks that have gone from DoS'ing perimeter systems to application-based attacks that are stealthy and can cause equal or more damage. 
I wanted to dedicate this part of my series on Data Breaches to talking about ways we can protect our data without spending money or burying ourselves in purchased solutions. Some of these may seem like standard practice, but take this opportunity to reflect on each of these and if there's a way to improve.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Data Classification&lt;/strong&gt;&lt;br /&gt;This long journey down the never-ending path of security starts with this key step. You must define what your organization sees as sensitive data. Something basic like SSN is practically a given in every company, but look beyond that and clearly define the data you consider sensitive. This can be credit card numbers, sales data, or any other type of data that is sensitive to your company. This is important, as you'll need to know the data to protect in order to define the rest of your security blueprint.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Policies&lt;/strong&gt;&lt;br /&gt;I can't speak enough about a good security policy. A policy defines a set of standards that yield repeatable results. So, if we take my definition of a policy and apply it to security, a good security policy will define security standards and yield results that consistently meet security standards. I don't think you can find a security book today that doesn't talk to having a firm security policy. 
I joke with one of my co-workers who is learning IPS, and just about every chapter he turns to talks to implementing IPS based upon your corporate security policies.&lt;br /&gt;&lt;br /&gt;I see too often that policies are too broad and are open for too much interpretation. A policy &lt;em&gt;must &lt;/em&gt;be exact in its definition, and the sum of all policies should reflect the security goal for an organization. Where do you start though? If you must define policies for all systems, how do you begin and provide immediate protection for day one? If you must start from the beginning, I urge you to define your policies for protection of your sensitive data, which I'll talk about next. This can include something as basic as password policies and something more complex like all sensitive data cannot travel using clear text protocols (FTP/Telnet/HTTP). I can't define how each organization should write a policy, but as we move onto our next discussion, I think the proper policy design should come to light.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Know Your Data&lt;/strong&gt;&lt;br /&gt;I want you to memorize this: you cannot protect the data you do not know about. This is similar to data classification above, but goes a step further. All too often, systems are implemented on-the-fly as organizations expand. This can cause a centralized data model to become more of a mesh, where data must be passed from system to system during processing. 
This means that data you previously classified as sensitive is being passed through multiple systems. Take your sensitive data classification, and now map out where the data travels on the network and where it stays at-rest. This is very important, as you'll need to define auditing around these systems so you can record data access and flow.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Audit Yourself&lt;/strong&gt;&lt;br /&gt;The final practice you can use is auditing. I could go on-and-on about this, but I'll keep it brief. Now that you have your data defined, understand its flow, and have the policies to protect it, check your work... and check it often. This is auditing. Plan to review server/network security logs periodically for any anomalies. Get your system to log to a common location (a basic &lt;a href="http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/"&gt;syslog&lt;/a&gt; server will do), and use the central repository to audit access and flow of data. This is as important as every other step, because it keeps your policies and data in check, so you don't end up in the situation of not knowing where your sensitive data is again. Another great audit technique is trying to breach yourself. Take a security tool, such as &lt;a href="http://www.nessus.org/nessus/"&gt;Nessus&lt;/a&gt;, and scan the systems defined in your sensitive data map. Nessus will audit the system for vulnerabilities and give recommendations on how to patch or mitigate the issue.&lt;br /&gt;&lt;br /&gt;If you start this process by employing all of the above, you are well on your way to being secure. 
Some of these items may be trivial, but none of them are any less important than the others. I'll see you all next week for part 3 on this topic, where I'll talk about the current generation of security products to build a fortress around your data.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-2959621257770995186?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/2959621257770995186/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=2959621257770995186' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/2959621257770995186'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/2959621257770995186'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/04/data-breach-are-you-next-part-2.html' title='Data Breach: Are You Next? - Part 2'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-3710321213331839154</id><published>2008-04-12T16:04:00.005-04:00</published><updated>2008-04-12T17:31:00.268-04:00</updated><title type='text'>Data Breach:  Are You Next? - Part 1</title><content type='html'>I thought I'd take some time to have a little talk about the growing trend of data breaches at organizations. 
There's no lack of these in the news, with the most recent being the loss of over 4 million credit cards by Hannaford. This gained a lot of publicity due to the scale of the breach. Just look at this month alone... there's already been 9 reports of data stolen from companies/organizations. I think it makes this an appropriate time to talk openly about breaches like the one at Hannaford, and what options network professionals have to combat these attacks.&lt;br /&gt;&lt;br /&gt;If you're on my blog, you're at least starting in the right direction. Not every issue can be solved with money though, and that's the same with IT security. Security isn't something you implement or buy; security becomes a methodology by which you deploy all systems. The most secure networks can be riddled with applications that can leave holes open that firewalls can't protect against. These types of attacks are becoming the fad of data breaching. Previous hacks involved finding a way to DoS (denial-of-service) attack perimeter security measures, then breaching the systems behind them. The latest wave of attacks are much more intelligent and stealthy. These attacks actually target application vulnerabilities and inject malicious code on systems that are trusted by perimeter application servers. 
A common form of this is SQL injection. SQL injection allows the attacker to execute raw SQL code against backend database servers. Within a few steps from the initial SQL injection attack, the attacker has access to system-level commands deep within the backend database servers. The most hardened perimeter ASA (Cisco Adaptive Security Appliance) won't block these ports, as the traffic is passed via standard web ports.&lt;br /&gt;&lt;br /&gt;So what can we do? Is the answer to write more secure applications? That's one important change that can happen, but defenses cannot be left to the applications alone. 
Look to part 2 of this series, where I'll talk in more detail about the logistics of these attacks and how you can defend with little investment in current technology. Part 3 will look at how we secure the environment end-to-end, and use MARS to correlate the massive amount of security data into actionable events. Happy defending...&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-3710321213331839154?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/3710321213331839154/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=3710321213331839154' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/3710321213331839154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/3710321213331839154'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/04/data-breach-are-you-next-part-1.html' title='Data Breach:  Are You Next? 
- Part 1'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-8065497063506639415</id><published>2008-03-08T23:17:00.003-05:00</published><updated>2008-03-08T23:28:02.129-05:00</updated><title type='text'>CMPC v1.5 In the Wild!</title><content type='html'>I'm &lt;span style="font-family:georgia;"&gt;happy&lt;/span&gt; to announce v1.5 is now released and available to download &lt;a href="http://www.mediafire.com/?pdwjevtb3dz"&gt;here&lt;/a&gt;. This version includes a number of enhancements and new packages. Here's some snippets from the release:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;- Added support for CCO tree-style release listing.&lt;br /&gt;- Removed restriction on number of runtime arguments.&lt;br /&gt;- Added the following package options for notifications:&lt;br /&gt;- Cisco Wireless LAN Controllers&lt;br /&gt;- Cisco Wireless Control System&lt;br /&gt;- Cisco ACS (Windows Version)&lt;br /&gt;- Cisco VPN 3000 Concentrator&lt;br /&gt;- Cisco VPN Client for Windows&lt;br /&gt;- Cisco CSS 11500&lt;br /&gt;- Cisco WAAS&lt;br /&gt;- Added the ability for CMPC to check your current MARS appliance version via SSH.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;CONFIGURING CMPC TO CHECK MARS APPLIANCE VERSION&lt;br /&gt;================================================&lt;br /&gt;CMPC now has the ability to check your MARS appliance version via SSH. This is made possible by use of libraries from the SharpSSH project (&lt;a href="http://sharpssh.sourceforge.net/"&gt;http://sharpssh.sourceforge.net/&lt;/a&gt;). 
There is a bit of configuration to make this possible. First, make sure the following dlls from the releases zip file are in the CMPC running directory:&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;DiffieHellman.dll&lt;br /&gt;Org.Mentalis.Security.dll&lt;br /&gt;Tamir.SharpSSH.dll&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;Now you'll need to add the following lines to your config.xml file:&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;SEE RELEASE NOTES&lt;br /&gt;&lt;br /&gt;The "mars_check_version" field should be set to "1" to enable the processing of your MARS appliance. Switch to "0" (or anything besides 1) to disable this feature). You'll also need to make sure your pnadmin password is encrypted in the XML file. Run CMPC like so to have it encrypt your password.&lt;br /&gt;&lt;br /&gt;Example: "C:\&gt;cmpc.exe --encryptpass &lt;mars&gt;"&lt;br /&gt;&lt;br /&gt;Now when you run CMPC with the --ciscomars option, it will get the current software version of your MARS appliance and add that to the e-mail notification.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:georgia;"&gt;Enjoy this latest release and any comments or issues let me know.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:georgia;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:georgia;"&gt;-Mike&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-8065497063506639415?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/8065497063506639415/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=8065497063506639415' title='4 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/31465908/posts/default/8065497063506639415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8065497063506639415'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/03/cmpc-v15-in-wild.html' title='CMPC v1.5 In the Wild!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-8685925558155033823</id><published>2008-03-01T23:55:00.002-05:00</published><updated>2008-03-02T00:03:04.514-05:00</updated><title type='text'>User Question:  MARS on 3rd Party Hardware?</title><content type='html'>Another great question from the community.  Fabio writes in and asks:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Does Cisco Mars come only on box or could I get the software and install it on&lt;br /&gt;my server?&lt;/blockquote&gt;The short answer:  No.  But why?  I'm sure in a way it has to do with costs and how Cisco is able to require Cisco hardware to be used.  There are also less cynical reasons.  One that I know of is that MARS is using Oracle embedded for its database.  Part of using Oracle on an appliance and having it licensed as embedded is that the distributor of the appliance must not allow users to alter the database or exploit it for unlicensed purposes.  
Mandating the use of a purchased appliance keeps greater control over how the software is installed and the experience it provides to its users.  Hope this helped!&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-8685925558155033823?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/8685925558155033823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=8685925558155033823' title='295 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8685925558155033823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8685925558155033823'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/03/user-question-mars-on-3rd-party.html' title='User Question:  MARS on 3rd Party Hardware?'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>295</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-2954357415143865746</id><published>2008-02-28T21:54:00.002-05:00</published><updated>2008-02-28T22:05:23.285-05:00</updated><title type='text'>Unified Communications Manager:  6.0(1) to 6.1(1) Stalled Upgrade</title><content type='html'>What's this... Cisco voice now?  I'm working on a few Cisco voice projects right now so you'll see some posts in the future about the exciting voice offerings from Cisco.  
Today I was running an upgrade of our Unified Communications Manager (UCM, formerly CallManager) to version 6.1(1) from 6.0(1).  The upgrade went well for about 45 minutes, and then seemed to stall out.  The update log, viewable on the web console from OS Administration -&gt; Software Upgrades -&gt; Install/Upgrade, was "stuck" on this step:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;Create new OS image for future upgrades&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Come to find out, this was just a &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;UI&lt;/span&gt; log issue.  By refreshing the page I was able to see the upgrade completed.  I made the new partition active and the upgrade worked great.  When in doubt... refresh.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-2954357415143865746?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/2954357415143865746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=2954357415143865746' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/2954357415143865746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/2954357415143865746'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/02/unified-communications-manager-601-to.html' title='Unified Communications Manager:  6.0(1) to 6.1(1) Stalled Upgrade'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-4548976712232112111</id><published>2008-02-24T16:52:00.003-05:00</published><updated>2008-02-24T16:57:46.492-05:00</updated><title type='text'>Congrats to Chris @ The Cisco MARS Blog!</title><content type='html'>Doing my normal scouring on the Internet, I see &lt;a href="http://www.networkworld.com/community/node/25115"&gt;Network World&lt;/a&gt; has posted a list of the top 20 Internet resources for Cisco networking professionals.  The list is chock full of great sites, and my friend Chris from http://ciscomars.blogspot.com has been listed in the top 20.  I just wanted to say congrats to Chris and all the other great Cisco bloggers out there.  They all deserve the recognition of dedicating their free time to sharing the wealth of knowledge they all have.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-4548976712232112111?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/4548976712232112111/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=4548976712232112111' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4548976712232112111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4548976712232112111'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/02/congrats-to-chris-cisco-mars-blog.html' title='Congrats to Chris @ The Cisco MARS Blog!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1046215332194650390</id><published>2008-01-28T10:12:00.001-05:00</published><updated>2008-01-28T10:21:38.658-05:00</updated><title type='text'>Cisco Nexus 7000:  Next Generation Data Center Switching</title><content type='html'>While doing some work this morning, I stumbled across a product announcement from &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Cisco&lt;/span&gt; that is pretty exciting. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Cisco&lt;/span&gt; has introduced a new line of data center-class switching known as the &lt;a href="http://www.cisco.com/en/US/products/ps9512/index.html"&gt;Nexus 7000 Series Switch&lt;/a&gt;. That name is about as catchy as it gets! Reviewing some of the information &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Cisco&lt;/span&gt; has about this next generation platform, there's a slew of innovations that include security and availability. Here's what the new behemoth looks like:&lt;a href="http://3.bp.blogspot.com/_L8VHy8nEmGk/R53x1g3J30I/AAAAAAAAAB0/1yfJR1Tos9g/s1600-h/nexus7000.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5160546649693085506" style="CURSOR: hand" alt="" src="http://3.bp.blogspot.com/_L8VHy8nEmGk/R53x1g3J30I/AAAAAAAAAB0/1yfJR1Tos9g/s320/nexus7000.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;There are a lot of details about this new platform on &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;cisco&lt;/span&gt;.com.  Make sure to check it out and read about the features included in its OS known as the &lt;a href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps9494/ps9372/Data_Sheet_NX-OS_Software_Release_4.html"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;NX&lt;/span&gt;-OS&lt;/a&gt;.  
The link-layer &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;AES&lt;/span&gt; encryption looks &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"&gt;particularly&lt;/span&gt; interesting for those wondering about the security benefits of the platform.  When I get a chance I'll browse the available info and share anything interesting I find.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1046215332194650390?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1046215332194650390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1046215332194650390' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1046215332194650390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1046215332194650390'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/01/cisco-nexus-7000-next-generation-data.html' title='Cisco Nexus 7000:  Next Generation Data Center Switching'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_L8VHy8nEmGk/R53x1g3J30I/AAAAAAAAAB0/1yfJR1Tos9g/s72-c/nexus7000.jpg' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1856127480309941878</id><published>2008-01-25T15:40:00.000-05:00</published><updated>2008-01-25T15:55:30.418-05:00</updated><title type='text'>User Question:  Difference Between Gen 1 &amp; Gen 2</title><content type='html'>Blogger user &lt;span style="font-style: italic;"&gt;axiom&lt;/span&gt; posted this question in response to my recent post about the EOL/EOS announcement from Cisco about the MARS Generation 1 platform:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;How do you find out if your product is a Gen 1 or Gen 2 product?&lt;/blockquote&gt;&lt;br /&gt;This is a great question.  The easiest way is to visually look at the appliance and the difference will be apparent (click the images for larger versions).&lt;br /&gt;&lt;br /&gt;Cisco MARS Generation 1 Appliance&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_L8VHy8nEmGk/R5pMrA3J3zI/AAAAAAAAABs/yGP5fX4xnjI/s1600-h/marsgen1.JPG"&gt;&lt;img style="cursor: pointer;" src="http://2.bp.blogspot.com/_L8VHy8nEmGk/R5pMrA3J3zI/AAAAAAAAABs/yGP5fX4xnjI/s320/marsgen1.JPG" alt="" id="BLOGGER_PHOTO_ID_5159520624955744050" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Cisco MARS Generation 2 Appliance&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_L8VHy8nEmGk/R5pLxQ3J3yI/AAAAAAAAABk/DpWjFFcOJYo/s1600-h/marsgen2.JPG"&gt;&lt;img style="cursor: pointer;" src="http://3.bp.blogspot.com/_L8VHy8nEmGk/R5pLxQ3J3yI/AAAAAAAAABk/DpWjFFcOJYo/s320/marsgen2.JPG" alt="" id="BLOGGER_PHOTO_ID_5159519632818298658" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see, the gen 2 appliance has the common Cisco logo and color scheme.  The 2nd generation represents the migration of the MARS platform to a standard hardware configuration governed by Cisco.  
The gen 1 appliances have had known hardware issues that were the result of poor components used by Protego (acquired by Cisco for the MARS product line) within the MARS appliance.  The gen 2 models now use all Cisco certified components and show significant performance and reliability increases versus the gen 1 platform.&lt;br /&gt;&lt;br /&gt;You can also SSH into the appliance and run the command &lt;span style="font-family:courier new;"&gt;show version&lt;/span&gt;.  Any version 4.x is a gen 1 appliance, while version 5.x is a gen 2 appliance.  I hope this brief post answered your question, axiom, and can help others discern between the MARS generations.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1856127480309941878?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1856127480309941878/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1856127480309941878' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1856127480309941878'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1856127480309941878'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/01/user-question-difference-between-gen-1.html' title='User Question:  Difference Between Gen 1 &amp; Gen 2'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/_L8VHy8nEmGk/R5pMrA3J3zI/AAAAAAAAABs/yGP5fX4xnjI/s72-c/marsgen1.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-6974603464248466608</id><published>2008-01-05T00:24:00.001-05:00</published><updated>2008-01-25T15:13:50.288-05:00</updated><title type='text'>CMPC v1.4 Released!</title><content type='html'>As promised, the latest version of CMPC is now available.  You can download v1.4 from &lt;a href="http://www.mediafire.com/?5lkv40db9cx"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Please read the readme for information about important updates in this release.  Take special note about the inclusion of encryption to your CCO password information in your config.xml file.  Here's the info from the readme:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;CONFIGURING CCO PASSWORD ENCRYPTION AND CMPC&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;============================================&lt;br /&gt;A long standing issue I've had with CMPC has been the fact that users were leaving their passwords as clear-text in the config.xml.  Users will now be required to place encrypted passwords in the config.xml.  Encryption is handled by running CMPC like so:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;Example:  "C:\&gt;cmpc.exe --ccoencryptpass SomePassword"&lt;br /&gt;&lt;br /&gt;Upon running this you'll receive a dialog box with the new CCO password line for use in your config.xml file.  
Unencrypted passwords are NOT supported in the config.xml file beginning with release 1.4.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-6974603464248466608?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/6974603464248466608/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=6974603464248466608' title='21 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/6974603464248466608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/6974603464248466608'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2008/01/cmpc-v14-released.html' title='CMPC v1.4 Released!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>21</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-3641036694444111861</id><published>2007-12-27T17:44:00.000-05:00</published><updated>2008-01-04T15:15:50.569-05:00</updated><title type='text'>CMPC Testers Needed!</title><content type='html'>The newest version of CMPC is nearing release. Its functionality has been restored since the Cisco switch to the new login scheme, along with some enhancements. Before I release it I'd like a brave soul or two to test it to make sure the new authentication class is working, along with testing some of the newer functionality. Expect a release soon after. Sorry again for it breaking previously.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;NOTE:  Testing completed.  
Thanks to all.  Release coming soon!&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-3641036694444111861?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/3641036694444111861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=3641036694444111861' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/3641036694444111861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/3641036694444111861'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/12/cmpc-testers-needed.html' title='CMPC Testers Needed!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-7928301550632869170</id><published>2007-12-23T14:37:00.000-05:00</published><updated>2007-12-23T14:42:06.659-05:00</updated><title type='text'>CS-MARS Generation 1 EOL/EOS Announcement</title><content type='html'>For all CS-MARS customers with gen 1 appliances, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Cisco&lt;/span&gt; has formally announced &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;EOL&lt;/span&gt;/&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;EOS&lt;/span&gt; for the product line.  You can find the detail &lt;a href="http://www.cisco.com/en/US/products/ps6241/prod_eol_notice0900aecd807189ef.html"&gt;here&lt;/a&gt;.  
I'd recommend talking to your &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;Cisco&lt;/span&gt; account rep about replacement of the gen 1 appliance with a gen 2.  The 2&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;nd&lt;/span&gt; generation of MARS appliances has numerous enhancements to speed and reliability.  I had a &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;dialogue&lt;/span&gt; with &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;TAC&lt;/span&gt; about issues we were having and it seems that the 1st generation of hardware (labeled &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;Protego&lt;/span&gt;) had numerous issues due to lackluster hardware.  This is why &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;Cisco&lt;/span&gt; created the 2&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;nd&lt;/span&gt; generation of hardware outfitted with components that meet &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;Cisco's&lt;/span&gt; hardware requirements.  Lean on your account reps to get replacements for your 1st generation appliance if you had issues.  TAC and the account teams know of the issues and are willing to help.  
Keep in mind that TAC cannot upgrade you to a 2nd generation appliance, only your account team can.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-7928301550632869170?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/7928301550632869170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=7928301550632869170' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/7928301550632869170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/7928301550632869170'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/12/cs-mars-generation-1-eoleos.html' title='CS-MARS Generation 1 EOL/EOS Announcement'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-5221404262737517861</id><published>2007-12-21T11:21:00.000-05:00</published><updated>2007-12-21T11:29:17.183-05:00</updated><title type='text'>Cisco NAC Appliance 4.1(3) Released</title><content type='html'>Cisco had promised version 4.1(3) of their NAC appliance would be out for Christmas.  Talk about cutting it close.  The latest version was just released (found by luck, I miss my CMPC!) and can be downloaded off of CCO.  Release notes can be found &lt;a href="http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/413/413rn.html"&gt;here&lt;/a&gt;.  
Some major enhancements are:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;New web agent for client scanning&lt;/li&gt;&lt;li&gt;Enhanced HA support (fixes the ARP issue of switching IPs it seems)&lt;/li&gt;&lt;li&gt;Enhanced guest access option (policy acceptance and flexible ID fields)&lt;/li&gt;&lt;li&gt;OOB enhancement for VoIP environments&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Get downloading!&lt;/p&gt;&lt;p&gt;-Mike&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-5221404262737517861?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/5221404262737517861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=5221404262737517861' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/5221404262737517861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/5221404262737517861'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/12/cisco-nac-appliance-413-released.html' title='Cisco NAC Appliance 4.1(3) Released'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-547202064912786244</id><published>2007-12-20T09:58:00.000-05:00</published><updated>2007-12-20T10:11:07.179-05:00</updated><title type='text'>CS-MARS Package Checker (CMPC) Broken!</title><content type='html'>Your comments haven't fallen on deaf ears at all.  My beloved CMPC is no longer working.  
It looks like Cisco changed the authentication schema to their website and now uses forms-based authentication (seen &lt;a href="https://www.cisco.com/authc/forms/CDClogin.fcc"&gt;here&lt;/a&gt;) rather than the previous method of an authentication pop-up.  This has broken my CiscoWebReader class that was used to authenticate to CCO and pull package information.  It looks like they use SSL for authentication, along with requiring cookies and generating a new viewstate for each session.  Well, I'm no developer but I'm re-writing the CiscoWebReader class to get around these hurdles.  Expect to see more news on CMPC, along with enhanced features and a new name coming soon.  A big sorry to all of those that have used CMPC and lost its functionality.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-547202064912786244?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/547202064912786244/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=547202064912786244' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/547202064912786244'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/547202064912786244'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/12/cs-mars-package-checker-cmpc-broken.html' title='CS-MARS Package Checker (CMPC) Broken!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1965154256351845302</id><published>2007-07-04T17:40:00.000-04:00</published><updated>2007-07-04T17:44:56.362-04:00</updated><title type='text'>CS-MARS Package Checker (CMPC) v1.2 Released!</title><content type='html'>As promised... the latest CMPC is now available for download.  Here's what's been updated:&lt;br /&gt;&lt;br /&gt;- Re-written to no longer run as a command line executable (no more black box popping up!)&lt;br /&gt;- Added the following package options for notifications: &lt;br /&gt;  - Cisco Adaptive Security Appliance OS and Device Manager &lt;br /&gt;  - Cisco PIX Security Appliance OS and Device Manager &lt;br /&gt;  - Cisco Security Manager &lt;br /&gt;  - Cisco IPS v6 OS updates &lt;br /&gt;  - Cisco IPS v6 signature updates &lt;br /&gt;  - Cisco Security Agent Management Center &lt;br /&gt;  - Cisco Anomaly Detector&lt;br /&gt;&lt;br /&gt;The latest version can be downloaded from &lt;a href="http://www.mediafire.com/?7xgxllle3sr"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1965154256351845302?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1965154256351845302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1965154256351845302' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1965154256351845302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1965154256351845302'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/07/cs-mars-package-checker-cmpc-v12.html' 
title='CS-MARS Package Checker (CMPC) v1.2 Released!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-8951754746835154746</id><published>2007-06-18T15:24:00.000-04:00</published><updated>2007-06-18T15:29:31.212-04:00</updated><title type='text'>Cisco ASA v8.0 and AnyConnect VPN Client Released!</title><content type='html'>To all those loyal Cisco VPN customers, some exciting news.  Cisco has announced the release of ASA 8.0 and the long-awaited AnyConnect VPN Client.  Release notes for ASA 8.0 can be found &lt;a href="http://www.cisco.com/en/US/products/ps6120/prod_release_note09186a00808045d1.html"&gt;here&lt;/a&gt;, while release notes for AnyConnect can be found &lt;a href="http://www.cisco.com/en/US/products/ps8411/prod_release_note09186a008086536c.html"&gt;here&lt;/a&gt;.  Lots of reading to keep everyone busy.  Very exciting news for those admins waiting to support Vista VPN connections.  Hopefully I'll get some time in the coming weeks to get this loaded into the lab and play around with it.  
Expect to see ASA and AnyConnect updates to be available for notification via CMPC very soon!&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-8951754746835154746?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/8951754746835154746/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=8951754746835154746' title='20 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8951754746835154746'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8951754746835154746'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/06/cisco-asa-v80-and-anyconnect-vpn-client.html' title='Cisco ASA v8.0 and AnyConnect VPN Client Released!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>20</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-5698945043557864162</id><published>2007-06-15T10:23:00.000-04:00</published><updated>2007-06-18T15:43:51.800-04:00</updated><title type='text'>Some of My Favorite Links</title><content type='html'>I know my blog may seem like the &lt;em&gt;best &lt;/em&gt;resource for everything networking, but I have to share the love (hmm... if blogger only had a button for showing sarcasm). 
There are some terrific resources available out there and I wanted to take a post to dedicate to linking to some fellow bloggers and projects from around the Internet.&lt;br /&gt;&lt;br /&gt;Blogs:&lt;br /&gt;- &lt;a href="http://ciscomars.blogspot.com/"&gt;Cisco MARS Blog&lt;/a&gt; - A terrific blog operated by Chris from the UK. Chris shares a wealth of knowledge about his MARS experiences in his excellent and detailed posts.&lt;br /&gt;- &lt;a href="http://network-response.blogspot.com/"&gt;Network Response&lt;/a&gt; - Another terrific blog by Chris. This one is more focused on security offerings from Cisco other than MARS.&lt;br /&gt;- &lt;a href="http://www.ciscoblog.com/"&gt;Cisco Blog&lt;/a&gt; - A general Cisco blog from JC. Offers some very well written posts about some advanced Cisco networking topics. Gave me the inspiration to start this blog.&lt;br /&gt;&lt;br /&gt;Projects (free network sh*t!!):&lt;br /&gt;- &lt;a href="http://www.cacti.net/"&gt;Cacti&lt;/a&gt; - An amazing open-source project aimed at providing an easy-to-use web interface for graphing a variety of SNMP statistics. Highly customizable and a very extensive plugin offering available via their forums. I'll soon integrate this into CMPC to provide notification when updates are available.&lt;br /&gt;- &lt;a href="http://iptrack.sourceforge.net/"&gt;IPPlan&lt;/a&gt; - Another amazing open-source project. This one aims to provide an architecture to manage IP address tracking and provisioning. If you have any more than 5 subnets... download this and love it. I'll soon integrate this into CMPC to provide notification when updates are available.&lt;br /&gt;- &lt;a href="http://www.nessus.org/download/"&gt;Nessus&lt;/a&gt; - Software provides one of the most extensive network threat scanners I have ever dealt with. This used to be very hard to use and configure... but the Windows version is ridiculously easy to configure. 
I'll soon integrate this into CMPC to provide notification when updates are available.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-5698945043557864162?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/5698945043557864162/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=5698945043557864162' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/5698945043557864162'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/5698945043557864162'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/06/some-of-my-favorite-links.html' title='Some of My Favorite Links'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-482724108016284723</id><published>2007-06-14T13:16:00.000-04:00</published><updated>2007-06-14T13:31:56.757-04:00</updated><title type='text'>CS-MARS Package Checker (CMPC) v1.0.0.0 Released</title><content type='html'>I'm pleased to &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_0"&gt;announce&lt;/span&gt; the first release of &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;CMPC&lt;/span&gt; v1.0.0.0. 
You may download the &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;distribution&lt;/span&gt; from the following location:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.mediafire.com/?c2wwmbmbzxh"&gt;http://www.mediafire.com/?c2wwmbmbzxh&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Enjoy and leave feedback!&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-482724108016284723?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/482724108016284723/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=482724108016284723' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/482724108016284723'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/482724108016284723'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/06/cs-mars-package-checker-cmpc-v1000_14.html' title='CS-MARS Package Checker (CMPC) v1.0.0.0 Released'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1285437412217576453</id><published>2007-06-13T13:52:00.000-04:00</published><updated>2007-06-14T13:32:51.520-04:00</updated><title type='text'>CS-MARS Package Checker (CMPC) v1.0.0.0 Upcoming Release</title><content type='html'>As promised... CS-MARS Package Checker (CMPC) will be released within the next 24 hours. 
I'm finalizing some code clean-up and the first release should be ready very soon. As a preview, here's the readme that will be included with the release (doesn't paste well into Blogger... sorry for formatting):&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;CS-MARS Package Checker (CMPC) v1.0.0.0 readme.txt&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;Updated June 11, 2007 by Mike&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;Send all feedback/comments/problems to ****** &lt;/span&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;or let me know on my&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;blog at &lt;/span&gt;&lt;a href="http://cs-mars.blogspot.com/"&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;http://cs-mars.blogspot.com&lt;/span&gt;&lt;/a&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;WHAT IS CS-MARS PACKAGE CHECKER?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;================================&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;CS-MARS Package Checker (more easily written as CMPC) is a tool to help the&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;span style="font-size:78%;"&gt;growing user community of the Cisco MARS appliance keep its rules up-to-date.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;It's very basic by design, but wildly useful. 
It quite simply parses the &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;required information from an XML configuration file, uses the CCO credentials&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;to log into cisco.com to check for updated packages, and e-mails the results&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;to a specified e-mail.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;CMPC is currently developed as a command line executable. This was easier to port&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;nearly directly from the first implementation written in Perl under Linux.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Feedback is appreciated on the design, but it is already planned to migrate to&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;a standard executable.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;INSTALLATION&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;============&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;The installation of CMPC is rather basic:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;- Extract the program archive cmpc.zip. This archive should contain: &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;- cmpc.exe &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;- config.xml &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;- readme.txt&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;- You may place these files wherever you see fit. 
The only requirement is that &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;the cmpc.exe and config.xml are within the same directory. The easiest &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;location may be something such as C:\CMPC\&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;CONFIGURING CMPC TO RUN&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;=======================&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Configuration of CMPC for runtime is handled through the included config.xml&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;configuration file. Open the file in your favorite text editor and fill in all&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;fields like so:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;?xml version="1.0" encoding="UTF-8" standalone="yes" ?&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;configuration&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;cco_username&amp;gt;someuser@company.com&amp;lt;/cco_username&amp;gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;cco_password&amp;gt;Securepassword123&amp;lt;/cco_password&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;smtp_server&amp;gt;smtp.company.com&amp;lt;/smtp_server&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;smtp_from_to&amp;gt;myemail@company.com&amp;lt;/smtp_from_to&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&amp;lt;/configuration&amp;gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Please keep in mind that all fields are required. 
Certain validity checks are&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;run while CMPC is processing, but a majority of issues running this program are&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;sourced from an incorrect config.xml. Support is always available on my blog&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;or by e-mailing me at &lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;******&lt;/span&gt;&lt;span style="font-family:courier new;font-size:78%;"&gt;.&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-family:courier new;"&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;REMOVAL&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;=======&lt;br /&gt;Simply remove the directory in which you installed CMPC. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;PROBLEMS USING CMPC&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;===================&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;CMPC has been developed to catch most exceptions and give informative errors&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;when issues occur. That being said, errors do occur that I may not catch. If &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;you are running the cmpc.exe executable from Windows XP, the error output may be hard to catch as the dialog will close after erroring. To solve this, open up &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;the Windows XP command prompt and run the cmpc.exe executable from there. This should allow you to see the error output. 
If you receive a cryptic error &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;message, let me know and I'll debug the code on my side.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;CMPC HISTORY&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;============&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;Apr 27, 2005 v1.0.0.0&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:78%;"&gt;- Initial release.&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:85%;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1285437412217576453?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1285437412217576453/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1285437412217576453' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1285437412217576453'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1285437412217576453'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/06/cs-mars-package-checker-cmpc-v1000.html' title='CS-MARS Package Checker (CMPC) v1.0.0.0 Upcoming Release'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-4528035640893468325</id><published>2007-06-02T18:24:00.001-04:00</published><updated>2007-06-02T19:18:27.817-04:00</updated><title type='text'>CS-MARS Package Checker:  Keeping your MARS appliance up to date</title><content type='html'>I just thought I'd put a quick blurb about an upcoming release that will be showing up on this blog soon. I'm in the process of finalizing a program I originally wrote for myself that helps me keep my MARS appliance (and some other Cisco products) up to date. The concept behind the program is for it to, on a defined basis, automatically check CCO for the latest device packages and e-mail them to you.&lt;br /&gt;&lt;br /&gt;CS-MARS, like most security devices, is only as useful as the known threats built into the device. Anyone who operates an IPS/IDS device knows how critical it is to keep such a device up-to-date. CS-MARS is no different. Cisco provides no avenue for automated update checking, so rather than remembering to check CCO every once in a while for packages, this program does it all for me, and soon for you.&lt;br /&gt;&lt;br /&gt;It's very basic in operation.  It was originally written in Perl and ran under Linux, but has since been ported to C# for usability. It's an executable, an XML configuration file, and scheduling is done through Windows (scheduled tasks). Simply configure the XML file with your CCO credentials, SMTP server, and the From/To mail account. After that, you can execute the program at your leisure or schedule it through Windows.&lt;br /&gt;&lt;br /&gt;Though this may sound simple, it's a wildly useful tool. It's so useful, I've begun re-writing it to allow checking of other packages. It now e-mails me daily with the latest packages for CS-MARS, Unified Wireless, ASA/PIX images, and WAAS updates.  
Don't expect the first release to have the feature of checking for updates for other products, but it is a planned add-on for later releases.  Input about other products you'd like to see have similar notifications is welcomed.  Just add a comment to this post!&lt;br /&gt;&lt;br /&gt;I'm bringing up the topic of this app now because I don't want my blog to simply be me throwing up information onto the Internet (though if I drink Jack Daniels... well.. different topic).  I want input from anyone that has anything to say.  I'm wrapping up development now in my free time, but I'd like to hear input about whether this would be useful or not.  Drop a comment or two and expect to see the release in the coming weeks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-4528035640893468325?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/4528035640893468325/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=4528035640893468325' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4528035640893468325'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4528035640893468325'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/06/cs-mars-package-checker-keeping-your.html' title='CS-MARS Package Checker:  Keeping your MARS appliance up to date'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-8269786639952950584</id><published>2007-05-25T10:03:00.000-04:00</published><updated>2007-05-25T10:16:44.642-04:00</updated><title type='text'>Unified Wireless Guest Access:  Authenticating Users</title><content type='html'>Continuing on my series of Unified Wireless Guest Access, I want to dive further into detail about configuring authentication for guest users. Why even go so far as to make the users authenticate? Well the most obvious answer is security. If you have open access with no authentication, any user can just walk into your facility, or even sit just outside if the wireless coverage allows it and be on your network. Though they'll be limited to Internet access, any bandwidth allotted can be saturated by an unknown user. Imagine having a saturated Internet connection and all you have is a MAC address to identify the user with.&lt;br /&gt;&lt;div&gt;So what type of options does Cisco give us for "out-of-the-box" authentication of users? We have:&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Web Policy - Authentication&lt;/li&gt;&lt;li&gt;Web Policy - Passthrough&lt;/li&gt;&lt;li&gt;Web Policy - Conditional Web Redirect&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;For actual guest user authentication, I'm going to focus on using the "Web Policy - Authentication" option. Using this security policy (as configured under our guest SSID), a guest user is re-directed to login if his/her wireless card has just associated to an open SSID and a browser is opened. This is very similar to setups you see in hotels and airports. For this example we will use the canned authentication scheme that Cisco has designed. This requires that a username and password be created for all guest users. 
With this username/password combination, he or she will authenticate to the guest SSID and be given guest wireless access for a defined period of time.&lt;/p&gt;&lt;p&gt;The first place to start is with the basic guest authentication screen. This is accessed by clicking Security -&gt; Web Login Page. You can do some basic HTML customization and change titles. Use and abuse the "Preview..." button to make sure it looks like how you would expect. Next... let's take a look at how a guest user is created. Click on Security -&gt; AAA: Local Net Users -&gt; New... Fill out the fields as seen below. Make sure to create the user as a Guest user so you can enable timing out the account.  Once the account is created... the user may now login through the guest web portal you designed above.&lt;/p&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_L8VHy8nEmGk/RlbvQ6XeHGI/AAAAAAAAABU/ox7fIHPxQm0/s1600-h/createguest.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5068501504476716130" style="CURSOR: hand" alt="" src="http://2.bp.blogspot.com/_L8VHy8nEmGk/RlbvQ6XeHGI/AAAAAAAAABU/ox7fIHPxQm0/s400/createguest.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Sounds like a good plan, right? Well, the issue I take with this is that it requires your receptionists to access a controller to build in a username and password. I'm thinking an easier way would be to provide some front-end to a receptionist to allow him or her to simply enter a username to authorize a user. The guest user then builds his or her own password and provides a company name to be used for authentication. Problem is... this is not how guest access was designed by Cisco and will require some programming on our side. Interested how this is done? 
Stay tuned for an in-depth view behind how guest users are created and how we can customize a front-end for guest user registration.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-8269786639952950584?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/8269786639952950584/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=8269786639952950584' title='111 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8269786639952950584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8269786639952950584'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/05/unified-wireless-guest-access.html' title='Unified Wireless Guest Access:  Authenticating Users'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_L8VHy8nEmGk/RlbvQ6XeHGI/AAAAAAAAABU/ox7fIHPxQm0/s72-c/createguest.jpg' height='72' width='72'/><thr:total>111</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-204772776867118815</id><published>2007-03-28T15:24:00.000-04:00</published><updated>2007-03-28T15:33:01.102-04:00</updated><title type='text'>Unified Wireless Guest Access: Prep'ing the Controller</title><content type='html'>Continuing on with my discussion of UW and Guest Access, I'd like to go into some detail about how to configure your master controller (the "nexus") to access the 
guest network. Before we continue we have to have an idea how we want to design our guest network. The goal of the guest network is to allow Internet access that is segmented from all other internal network resources. How this is developed is completely up to your implementation. I'll use our configuration as an example. Our existing guest access is handled through a non-routed VLAN that's switched via our L2 core. For the sake of examples... we'll say this VLAN is VLAN 125.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt;&lt;div&gt;As I stated this is a non-routed VLAN that in our example will use the IP scheme of 192.68.1.X. The VLAN has a default gateway of 192.168.1.1, which is a PIX 506E that has an outside interface on our Internet segment. All clients on this network are NAT'd through the PIX, completely separate from our existing ASA cluster that's used for employees. This keeps the guest segment completely separate from our existing IP routing infrastructure. Here's an overview of the design. &lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;a href="http://1.bp.blogspot.com/_L8VHy8nEmGk/RgrBzXb_HaI/AAAAAAAAAA4/j1Cai4uqKFI/s1600-h/GuestFirewall.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5047059420630949282" style="CURSOR: hand" alt="" src="http://1.bp.blogspot.com/_L8VHy8nEmGk/RgrBzXb_HaI/AAAAAAAAAA4/j1Cai4uqKFI/s320/GuestFirewall.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Now let's get into how this is configured on the WLAN Controller. Please note that the configuration is being done on version 4.0.206.0 of the WLC. The first step for creating a new WLAN is to create an interface on the controller for the clients. I'll be using the WLC GUI for the configuration. Go to CONTROLLER -&gt; Interfaces -&gt; New... This will bring you to the dialog to build in the new guest interface. Give the interface any name and tag the VLAN for the guest VLAN. So... in my example I'll use VLAN 125. 
Fill in the fields noted below.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_L8VHy8nEmGk/RgrCCHb_HbI/AAAAAAAAABA/nrtcd-XDUdE/s1600-h/GuestInterface.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5047059674034019762" style="CURSOR: hand" alt="" src="http://4.bp.blogspot.com/_L8VHy8nEmGk/RgrCCHb_HbI/AAAAAAAAABA/nrtcd-XDUdE/s320/GuestInterface.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;The above image should explain this part of the configuration for the most part. I'd just like to note the importance of the DHCP server option field. Ensure that you are placing the IP of the management interface of the controller. Using any other IP address on the controller will not work. Next let's build the DHCP pool that will be required for the clients. You have the option of using an external DHCP server, but we have opted to use the server local to the WLC. To access the DHCP options, click CONTROLLER -&gt; Internal DHCP Server. Create a new scope and set the necessary options. I don't need to show this as it's very self-explanatory. Obviously we'll set the PIX as the "Default Router" and DNS is provided by an open DNS server on the Internet. You can use your own outside DNS server if you wish.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Our final step is to set up the WLAN... which for now will have no authentication. To create a WLAN... go to WLANs -&gt; WLANs -&gt; New... Give it an ID and the profile name can be "Open Access" and the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;WLAN&lt;/span&gt;&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;SSID&lt;/span&gt;&lt;/span&gt; can be something like "Open Internet Access." 
This is the name of the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;WLAN&lt;/span&gt;&lt;/span&gt; that will be shown on the users' laptops. Now let's get into the details. Note the options I have arrows next to.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;a href="http://3.bp.blogspot.com/_L8VHy8nEmGk/RgrCS3b_HcI/AAAAAAAAABI/cRPafTM9zaY/s1600-h/GuestWLAN.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5047059961796828610" style="CURSOR: hand" alt="" src="http://3.bp.blogspot.com/_L8VHy8nEmGk/RgrCS3b_HcI/AAAAAAAAABI/cRPafTM9zaY/s320/GuestWLAN.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;Again... a pretty easy configuration. Once this step is complete you should be able to connect to your guest &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;SSID&lt;/span&gt;&lt;/span&gt; and get Internet access. This is just the first step in providing Guest Access. In future posts I'll review enabling web authentication along with developing a customizable interface for users to register that ties into the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;WLC&lt;/span&gt;&lt;/span&gt; local user database. 
Leave feedback and let me know if you're unsure about anything or if I can help at all.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-204772776867118815?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/204772776867118815/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=204772776867118815' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/204772776867118815'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/204772776867118815'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/03/unified-wireless-guest-access-preping.html' title='Unified Wireless Guest Access: Prep&apos;ing the Controller'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_L8VHy8nEmGk/RgrBzXb_HaI/AAAAAAAAAA4/j1Cai4uqKFI/s72-c/GuestFirewall.jpg' height='72' width='72'/><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-7085046358677659712</id><published>2007-03-27T10:25:00.000-04:00</published><updated>2007-03-27T10:28:32.436-04:00</updated><title type='text'>Unified Wireless:  My Take on Guest Access</title><content type='html'>As I said in a previous post, I've been working on a Cisco Unified Wireless implementation. 
I gave a brief overview of UW (unified wireless) below, but I want to go into depth on the topic of Guest Access. The documentation is limited and I just want to take some time to share how I'm implementing Guest Access and the configuration required.&lt;br /&gt;&lt;br /&gt;Guest Access is pretty much what it sounds like. It's taking your wireless infrastructure and allowing "guest" users to access it while keeping your existing UW infrastructure secure. This could be used to provide Internet access to vendors visiting your facilities, or could go beyond and actually act as an open hotspot for customers. The version of Guest Access I'm working on involves allowing guests at our corporate campus to use our Internet connectivity for presentations/remote VPN access. Our corporate campus is comprised of multiple facilities all linked over our private MPLS VPN cloud.&lt;br /&gt;&lt;br /&gt;Let me go a little bit into the architecture behind the implementation. In our headquarters facility we have installed a Cisco 4402 Wireless LAN controller. This controller acts as the "nexus" for our Guest Access infrastructure, along with allowing secure access to internal network resources for mobile employees. Our satellite offices, also part of the corporate campus, are all connected via Cisco 2811 Integrated Services Routers. In these offices we will be using NM-WLC-6 network modules. Essentially these modules are Wireless LAN Controllers which sit on-board ISR routers.&lt;br /&gt;&lt;br /&gt;I don't want to get too in-depth with Guest Access this first post. Let me leave with a quick diagram of how I've decided to implement Guest Access. In future posts I'll go into detail as to how this can be implemented. 
Keep in mind that my implementation may not be the same as yours, but the concepts I use may be shared amongst many implementations.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_L8VHy8nEmGk/RgkppQGIehI/AAAAAAAAAAw/bEdlzWNcteM/s1600-h/GuestAccess.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5046610646117415442" style="CURSOR: hand" height="192" alt="" src="http://1.bp.blogspot.com/_L8VHy8nEmGk/RgkppQGIehI/AAAAAAAAAAw/bEdlzWNcteM/s320/GuestAccess.jpg" width="256" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-7085046358677659712?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/7085046358677659712/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=7085046358677659712' title='255 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/7085046358677659712'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/7085046358677659712'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/03/unified-wireless-my-take-on-guest.html' title='Unified Wireless:  My Take on Guest Access'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_L8VHy8nEmGk/RgkppQGIehI/AAAAAAAAAAw/bEdlzWNcteM/s72-c/GuestAccess.jpg' height='72' 
width='72'/><thr:total>255</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1351955534542967798</id><published>2007-03-22T11:31:00.000-04:00</published><updated>2007-03-22T11:35:37.847-04:00</updated><title type='text'>CS-MARS v4.2.5(2456) Available!</title><content type='html'>To all those CS-MARS owners... &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Cisco&lt;/span&gt; has released a new version of CS-MARS.  This update includes numerous signature updates, along with a slew of resolved caveats.  Make sure to check out the details &lt;a href="http://www.cisco.com/en/US/products/ps6241/prod_release_note09186a00808084bd.html"&gt;here&lt;/a&gt; before updating.&lt;br /&gt;&lt;br /&gt;And in other news...our Clean Access project has been placed on hold to focus resources on a new &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Cisco&lt;/span&gt; Unified Wireless implementation.  The budget money was available, so the equipment is here and the system is being developed.  The unified wireless system focuses on extending security across your wireless network while enabling services that are normally &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_2"&gt;available&lt;/span&gt; to only wired clients.  Keep an eye out for details on our implementation... 
along with some in-depth &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_3"&gt;discussion&lt;/span&gt; as to how we'll be handling guest access in the near future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1351955534542967798?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1351955534542967798/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1351955534542967798' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1351955534542967798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1351955534542967798'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/03/cs-mars-v4252456-available.html' title='CS-MARS v4.2.5(2456) Available!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-2455901556427361021</id><published>2007-03-06T17:48:00.000-05:00</published><updated>2007-03-06T17:59:23.955-05:00</updated><title type='text'>The World of Clean Access</title><content type='html'>Another update from the front lines of network security.  I hope everyone has been well and keeping busy in this ever evolving market.  While this blog does focus on CS-MARS... over the next few weeks you'll begin to see me post updates about "everything security at &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_0"&gt;Cisco&lt;/span&gt;."  
My most recent project has me working on a terrific product from &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_1"&gt;Cisco&lt;/span&gt; known as Clean Access (aka &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_2"&gt;Cisco&lt;/span&gt; &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_3"&gt;NAC&lt;/span&gt; Appliance).  For those of you in the dark, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_4"&gt;NAC&lt;/span&gt; is a framework and methodology for network security in which security is no longer exclusively adapted in network infrastructure devices, but also end-user work stations. &lt;br /&gt;&lt;br /&gt;Let me go into a little detail about &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_5"&gt;Cisco&lt;/span&gt; Clean Access (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_6"&gt;CCA&lt;/span&gt;) and how it will be used in our environment.  &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;CCA&lt;/span&gt; is comprised of a Clean Access Manager (CAM) and Clean Access Server (&lt;span class="blsp-spelling-error" id="SPELLING_ERROR_8"&gt;CAS&lt;/span&gt;).  The CAM dictates all the policies required to gain access to the network, while the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;CAS&lt;/span&gt; handles authentication of workstations and quarantining as necessary.  Both are required components of a Clean Access implementation.&lt;br /&gt;&lt;br /&gt;During our initial pilot we will be validating workstations from a remote office, along with select users in our headquarters facility.  This brings up some issues that can all be solved based upon the &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;CCA&lt;/span&gt; implementation that is selected.  Now this update is just a brief overview of my most recent project... 
but expect updates soon about the infrastructure concepts involved in &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;CCA&lt;/span&gt; and some of the configuration involved with the project.  The resources on Clean Access are limited on the Internet, so I do want to dedicate a portion of this blog to  this exciting product.  Continue to expect updates about CS-MARS... along with other &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;Cisco&lt;/span&gt; security updates.&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-2455901556427361021?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/2455901556427361021/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=2455901556427361021' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/2455901556427361021'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/2455901556427361021'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/03/world-of-clean-access.html' title='The World of Clean Access'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-4027580150599576147</id><published>2007-02-16T13:58:00.000-05:00</published><updated>2007-02-16T14:02:35.810-05:00</updated><title type='text'>CS-MARS 4.2.4 Released!</title><content type='html'>Hey everyone!&lt;br /&gt;&lt;br 
/&gt;Just a quick note letting everyone know that CS-MARS v4.2.4 has been released.  The most important update is for those of us under stress about the upcoming DST change:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;blockquote&gt;&lt;p&gt;&lt;span style="font-family:courier new;"&gt;Support for Extended Daylight Savings Time. On March 11, 2007, the United States will adjust to Daylight Saving Time (DST) three weeks earlier than previous years and will end one week later on November 4, 2007. As per the Energy Policy Act of 2005, MARS supports this change in 4.2.4.&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-4027580150599576147?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/4027580150599576147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=4027580150599576147' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4027580150599576147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/4027580150599576147'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/02/cs-mars-424-released.html' title='CS-MARS 4.2.4 Released!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1508085727107920219</id><published>2007-02-07T09:28:00.000-05:00</published><updated>2007-02-07T09:40:36.108-05:00</updated><title type='text'>Security News:  Cisco Update Security Portfolio</title><content type='html'>Great news for those of us using Cisco security hardware. Cisco is updating its entire security portfolio for enhanced product integration. Updates include:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Adaptive Security Appliance v8.0&lt;/li&gt;&lt;li&gt;Cisco IPS v6.0&lt;/li&gt;&lt;li&gt;Cisco Security Agent v5.2&lt;/li&gt;&lt;li&gt;CS-MARS v4.3&lt;/li&gt;&lt;li&gt;Cisco Security Manager v3.1&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;As you can see nearly every product that is part of the "Self-Defending Network" is being enhanced to support this tighter integration. Of big note is the ASA v8 release, with numerous enhancements to the SSL VPN capabilities of the ASAs. SSL VPN is the next generation of secure remote network access. Below are these enhancements. Note that a new VPN client is to be released... known as "AnyConnect." 
This appears to be the Cisco-supported Vista VPN client that will be used going forward.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Clientless VPN with enhanced portal design for highly customizable user experience including personalized bookmarks, RSS feeds, and localization support.&lt;/li&gt;&lt;li&gt;Cisco's next-generation "AnyConnect" VPN client, with broader operating system support for Microsoft Vista and Windows, MAC OS X, and Linux.&lt;/li&gt;&lt;li&gt;Cisco AnyConnect Mobile VPN client supports Windows Mobile 5.0 Pocket PC Edition.&lt;/li&gt;&lt;li&gt;Optimized network access for voice over IP (VoIP) and other latency-sensitive traffic.&lt;/li&gt;&lt;li&gt;Ability to create "smart tunnels" that provide policy-driven applications specific access without requiring administrative rights.&lt;/li&gt;&lt;li&gt;Embedded Certificate Authority (CA) and additional user credential options simplify authentication.&lt;/li&gt;&lt;li&gt;Direct mapping of Windows Active Directory membership to VPN access simplifies IT's security management by automatically granting users appropriate VPN permissions.&lt;/li&gt;&lt;li&gt;Posture-assessment extensions adjust users' VPN permissions more efficiently.&lt;/li&gt;&lt;li&gt;Intuitive management via ASA's Adaptive Security Device Manager, CSM 3.1.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Note that the full press release can be found &lt;a href="http://newsroom.cisco.com/dlls/2007/prod_020507.html"&gt;here&lt;/a&gt;. It looks like some exciting changes are happening with Cisco's security portfolio. 
Make sure to check in for the latest updates as I get them.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1508085727107920219?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1508085727107920219/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1508085727107920219' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1508085727107920219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1508085727107920219'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/02/security-news-cisco-update-security.html' title='Security News:  Cisco Update Security Portfolio'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-1411446635809782646</id><published>2007-01-16T12:54:00.000-05:00</published><updated>2007-01-16T15:06:43.338-05:00</updated><title type='text'>IPS Troubleshooting:  "The root element is required in a well-formed document"</title><content type='html'>Two updates in one day... I must feel really guilty about not keeping up with this. I thought I'd share a recent issue I had on a couple of our IPS 4215 sensors while importing it to the IPS MC (again... this is the CiscoWorks management console for IPS sensors). 
The issue occurred when I had updated the IPS sensors to the latest code at the time (5.1(3)) and then attempted to import their configurations into the IPS MC to be managed. I would get this absolutely meaningless error:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;ERROR 13:42:28 [main] - (Log.java:198) - IPS-TEST -SensorConfigImportcaught: Unable to import sensor config using RDEP: java.lang.Exception: An  exception occurred during the import of file(null), detail=Error on line 1 ofdocument : The root element is required in a well-formed document.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And for those that are seeing the error... this is what the "status messages" dialog shows:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_L8VHy8nEmGk/Ra0TtvRQN4I/AAAAAAAAAAk/uc1M_jEnRWw/s1600-h/ciscosm.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5020690836091844482" style="CURSOR: pointer" alt="" src="http://2.bp.blogspot.com/_L8VHy8nEmGk/Ra0TtvRQN4I/AAAAAAAAAAk/uc1M_jEnRWw/s400/ciscosm.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So now what? What does this mean and how do I get my sensors to import without this issue? The error is Cisco's fault and not yours (I know *snicker* *snicker*). The issue is that the latest version of IPS MC cannot parse the configuration of the sensor due to the addition of the V, which is the anti-virus update version (as seen in the sensor version in the above dialog). This bug is found under &lt;a href="http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCsh11502"&gt;&lt;span class="main"&gt;&lt;span class="contentheaderrev"&gt;CSCsh11502&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;. The workaround as presented by Cisco is:&lt;br /&gt;&lt;br /&gt;&lt;span class="main"&gt;&lt;span style="font-family:courier;"&gt;&lt;blockquote&gt;&lt;p&gt;Downgrade the sensor to an earlier version that does not have the V version in it. 
Then use the IPSMC to upgrade to the current version.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;/span&gt;Well... I know the next thing that I thought was that re-formatting the sensor and then doing the update via the IPS MC was just a tremendous waste of time. How do you get around it? Open up a TAC case with Cisco and ask for the "CSM301SP1_Patch.zip" fix for this issue. Once I patched my CSM 3.01 install I was able to import and update. Altogether this took nearly a month of investigating and going back-and-forth with TAC about this issue. I hope this info can help anyone else that runs into this come to a quicker resolution. As always, questions are welcomed and comments appreciated.&lt;br /&gt;&lt;br /&gt;-Mike&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-1411446635809782646?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/1411446635809782646/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=1411446635809782646' title='22 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1411446635809782646'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/1411446635809782646'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/01/ips-troubleshooting-root-element-is.html' title='IPS Troubleshooting:  &quot;The root element is required in a well-formed document&quot;'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_L8VHy8nEmGk/Ra0TtvRQN4I/AAAAAAAAAAk/uc1M_jEnRWw/s72-c/ciscosm.jpg' height='72' width='72'/><thr:total>22</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-8975455720641055629</id><published>2007-01-16T10:10:00.000-05:00</published><updated>2007-01-16T11:36:27.965-05:00</updated><title type='text'>He's Back!</title><content type='html'>Hey All!&lt;br /&gt;&lt;br /&gt;I hope everyone had a good holiday.  I've been so busy that I've lost track of keeping up-to-date with this.  But I see there's still plenty of interest... this site still receives over 100 hits a day.  So what's been new and exciting in the world of Cisco security?  Let's take a look:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;+ CS-MARS Updated to &lt;/span&gt;&lt;span style="font-weight: bold;" class="content"&gt;4.2.3 (2403) &lt;/span&gt;&lt;span class="content"&gt;- This latest release updates vendor signatures along with enhancements to SSL/SSH fingerprint change detection.  See the release notes on cisco.com &lt;a href="http://www.cisco.com/en/US/products/ps6241/prod_release_note09186a0080796fe4.html#wp1055004"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;+ &lt;span style="font-weight: bold;"&gt;IPS 6.0 Released &lt;/span&gt;&lt;span&gt;- Definitely some big news for IPS 4200-series &amp; IDSM-2 sensor users.  IPS 6.0 has been released for download for users with an IPS Services contract.  IPS 6.0 includes many enhancements that are outlined below (right from &lt;a href="http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_note09186a00807ab69e.html#wp1044440"&gt;cisco.com&lt;/a&gt;).  
I'd like to note that users should continue to wait on upgrading to IPS 6.0 until it is fully integrated with existing management products.  As of now CS-MARS is not updated to support the new 6.0 fields and current IPS MC (centralized IPS management console provided by CSM or CiscoWorks VMS) cannot be used to manage 6.0 sensors.  No need to rush... as tempted as we all are:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_L8VHy8nEmGk/Raz-ivRQN3I/AAAAAAAAAAY/-umJrd4kfas/s1600-h/ips60.jpg"&gt;&lt;img style="cursor: pointer;" src="http://1.bp.blogspot.com/_L8VHy8nEmGk/Raz-ivRQN3I/AAAAAAAAAAY/-umJrd4kfas/s400/ips60.jpg" alt="" id="BLOGGER_PHOTO_ID_5020667557369100146" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;+ &lt;span style="font-weight: bold;"&gt;Cisco Security Manager to Replace CiscoWorks VMS &lt;/span&gt;- In what I believe is a great move (but may be frowned on by others), VMS (VPN Management System) is to be replaced with the newest security device management product from Cisco, Cisco Security Manager (CSM).  I've worked on both and can say from a management standpoint this change is excellent.  CSM includes CSM client to manage PIX and ASA devices centrally, IPS MC to manage all IPS sensors and push updates out from a central repository (really a terrific product), and Resource Manager Essentials.  I plan to give a tour of each of the CSM products in an upcoming update to show what it has to offer.  It has come under scrutiny as it does not include Security Monitor.  Instead, CSM integrates directly with CS-MARS so incident detection can include policy lookups to the CSM server.&lt;br /&gt;&lt;br /&gt;I hope this update is proof that I'm still alive and keeping busy.  I have enjoyed the wonderful comments everyone has left and am impressed with the talent shared by everyone in the discussions. 
&lt;br /&gt;&lt;br /&gt;-Mike&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-8975455720641055629?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/8975455720641055629/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=8975455720641055629' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8975455720641055629'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/8975455720641055629'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2007/01/hes-back.html' title='He&apos;s Back!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_L8VHy8nEmGk/Raz-ivRQN3I/AAAAAAAAAAY/-umJrd4kfas/s72-c/ips60.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-116026288484322017</id><published>2006-10-07T19:12:00.000-04:00</published><updated>2006-10-07T19:14:44.850-04:00</updated><title type='text'>Important CS-MARS Update!</title><content type='html'>With the release of 4.2.2 I had updated our production MARS system to the latest code.  Upon doing so the system began to repeatedly crash while adding devices and developing new rules.  Cisco has released a patch for this bug to bring MARS from &lt;span class="content"&gt;4.2.2 (2302) to 4.2.2 (2303).  
The patch is available &lt;a href="http://www.cisco.com/cgi-bin/tablebuild.pl/cs-mars-misc"&gt;here&lt;/a&gt; to download.  Even if you are not seeing issues I recommend you update your MARS appliance to this latest revision of code to prevent issues in the future.&lt;/span&gt;&lt;span style="text-decoration: underline;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-116026288484322017?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/116026288484322017/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=116026288484322017' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/116026288484322017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/116026288484322017'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/10/important-cs-mars-update.html' title='Important CS-MARS Update!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115979397775663091</id><published>2006-10-02T08:55:00.000-04:00</published><updated>2006-10-02T08:59:37.766-04:00</updated><title type='text'>Cisco News:  The New Cisco.com Unveiled!</title><content type='html'>Today, October 2nd, Cisco has officially unveiled the new Cisco.com.  
The new website boasts improved navigation, a more modern design, a new logo, along with the ability to access the site from a mobile device at &lt;a href="http://www.cisco.mobi"&gt;www.cisco.mobi&lt;/a&gt;.  Too bad the NetPro forums haven't been updated with the new design...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115979397775663091?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115979397775663091/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115979397775663091' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115979397775663091'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115979397775663091'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/10/cisco-news-new-ciscocom-unveiled.html' title='Cisco News:  The New Cisco.com Unveiled!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115955757285480762</id><published>2006-09-29T15:14:00.000-04:00</published><updated>2006-10-02T09:04:08.876-04:00</updated><title type='text'>CS-MARS Title Available at Cisco Press!</title><content type='html'>Hey again everyone! In keeping with trying to bring the most information about MARS that I have I thought I'd share a new resource. I own a slew of Cisco Press titles on everything from CCNA guides to MPLS network design titles. 
Now available at Cisco Press is a book on MARS... Security Threat Mitigation and Response: Understanding Cisco Security MARS. I'd highly recommend this text to anyone that uses a CS-MARS appliance. I do not own the title but can speak highly on the level of detail I've found in all Cisco Press titles. You can grab a copy &lt;a href="http://www.ciscopress.com/bookstore/product.asp?isbn=1587052601&amp;rl=1"&gt;here&lt;/a&gt; and make sure to sign up for Cisco Press... it's free and you can get all titles for the member price.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.ciscopress.com/ShowCover.asp?isbn=1587052601&amp;type=a"&gt;&lt;img style="WIDTH: 320px; CURSOR: pointer" alt="" src="http://www.ciscopress.com/ShowCover.asp?isbn=1587052601&amp;amp;type=a" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115955757285480762?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115955757285480762/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115955757285480762' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115955757285480762'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115955757285480762'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/09/cs-mars-title-available-at-cisco-press.html' title='CS-MARS Title Available at Cisco Press!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115929696188715587</id><published>2006-09-26T14:55:00.000-04:00</published><updated>2006-09-26T15:01:11.143-04:00</updated><title type='text'>CS-MARS v4.2.2. Now Available!</title><content type='html'>Just as I was about to finish a new post I received notification that v4.2.2 of CS-MARS is now available from CCO.  Go download it and make sure to check out the &lt;a href="http://www.cisco.com/en/US/customer/products/ps6241/prod_release_note09186a00806fee49.html"&gt;release notes&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115929696188715587?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115929696188715587/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115929696188715587' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115929696188715587'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115929696188715587'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/09/cs-mars-v422-now-available_115929696188715587.html' title='CS-MARS v4.2.2. 
Now Available!'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115913404568453757</id><published>2006-09-24T17:40:00.000-04:00</published><updated>2006-09-27T09:27:17.443-04:00</updated><title type='text'>CS-MARS Rule:  IOS Login Auditing</title><content type='html'>I'm back!  Sorry for the short break... it's been rather busy around here.  So now we've done an introduction about CS-MARS and seen how to get Windows servers logging events.  Let's now take a look at creating a rule for our IOS network devices.  This first rule we'll design (it actually can be customized into many rules) will allow us to generate incidents whenever a user succeeds or fails login to a monitored IOS device (switch, router, IOS AP, etc...).  Start by reading &lt;a href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_login.htm"&gt;this&lt;/a&gt; document at Cisco.  Starting with IOS version 12.3(4)T we have the option of generating syslog messages when a user fails or succeeds login to the device.  
The important commands are&lt;span style="font-weight: bold;"&gt;:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;em class="cExItalic"&gt;&lt;/em&gt;&lt;span style=";font-family:courier new;font-size:85%;"  &gt;&lt;span style="font-weight: bold;"&gt;login on-failure log&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;login on-success log&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-family:courier new;font-size:85%;" class="cExBold"  &gt;login bl&lt;/span&gt;&lt;span style="font-weight: bold;font-family:courier new;font-size:85%;" class="cExBold"  &gt;ock-for&lt;/span&gt;&lt;span style="font-style: normal; font-weight: normal;font-family:courier new;font-size:85%;"  &gt; &lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;em style="font-style: oblique; font-family: courier new;" class="cExItalic"&gt;seconds&lt;/em&gt;&lt;/span&gt;&lt;span style="font-style: normal; font-weight: normal;font-family:courier new;font-size:85%;"  &gt; &lt;/span&gt;&lt;span style="font-weight: bold;font-family:courier new;font-size:85%;" class="cExBold"  &gt;attempts&lt;/span&gt;&lt;span style="font-style: normal; font-weight: normal;font-family:courier new;font-size:85%;"  &gt; &lt;/span&gt;&lt;span style="font-size:85%;"&gt;&lt;em style="font-style: oblique; font-family: courier new;" class="cExItalic"&gt;tries&lt;/em&gt;&lt;/span&gt;&lt;span style="font-style: normal; font-weight: normal;font-family:courier new;font-size:85%;"  &gt;  &lt;/span&gt;&lt;span style="font-weight: bold;font-family:courier new;font-size:85%;" class="cExBold"  &gt;within&lt;/span&gt;&lt;span style="font-style: normal; font-weight: normal;font-family:courier new;font-size:85%;"  &gt; &lt;/span&gt;&lt;em class="cExItalic"  style="font-family:courier new;"&gt;&lt;span style="font-size:85%;"&gt;seconds&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/em&gt;Now let me briefly talk about the last command.  
This allows the IOS device to protect its vty port by dynamically creating an ACL to block the IP that has failed &amp;lt;tries&amp;gt; times within &amp;lt;seconds&amp;gt; for a configurable amount of &amp;lt;seconds&amp;gt;.  As an example we use &lt;span style="font-family:courier new;"&gt;login block-for 180 attempt 3 within 60&lt;/span&gt; on all of our IOS devices.  With this configured, when I now log in to a device a syslog message is generated and forwarded to our MARS server that looks like this:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Sep 25 13:48:58 EDT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: marsguy] [Source: 10.27.1.11] [localport: 22] at 13:48:58 EDT Mon Sep 25 2006&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And if I fail login (which surely never happens!) it would look like this:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Sep 25 13:52:29 EDT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.27.1.11] [localport: 22] [Reason: Login Authentication Failed] at 13:52:29 EDT Mon Sep 25 2006&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now we have some pretty nifty messages... 
let's write a rule in MARS to generate incidents on successful and failed logins.  Let's start with successful logins.  I took a screenshot of this rule as we have it written.  We have some customizations so we don't get notified whenever our CiscoWorks server logs in (it's a chatter box!).  Obviously this can be tuned by just looking at how I have ours tuned and customizing it for your infrastructure.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/iossucc.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/iossucc.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And here's a look at our failed login attempt rule.  Again... edit the customizations to fit your environment:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/iosfail.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/320/iosfail.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I hope this was a good example of some basic rule writing I've done with our MARS system.  
If you have any questions on how these rules are implemented, please let me know and I can help.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115913404568453757?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115913404568453757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115913404568453757' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115913404568453757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115913404568453757'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/09/cs-mars-rule-ios-login-auditing.html' title='CS-MARS Rule:  IOS Login Auditing'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115514500638422948</id><published>2006-08-09T13:25:00.000-04:00</published><updated>2006-08-09T16:08:00.660-04:00</updated><title type='text'>Q&amp;A:  How does MARS work with Windows Event Logs?</title><content type='html'>This question was posed by Jesmond Psaila in Australia:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Hi Mike,&lt;br /&gt;&lt;br /&gt;I think you have a pretty cool blog. My name is Jes. I work for a Cisco Gold Partner in Australia. I am focusing on Cisco Security at the time being. 
I have deployed a couple of MARS deployments, mainly using network devices as reporting agents.&lt;br /&gt;&lt;br /&gt;I notice you have some Windows Servers reporting to your MARS.&lt;br /&gt;&lt;br /&gt;I am working on a current opportunity where the customer would like MARS to report on successful and unsuccessful logins for Windows users.&lt;br /&gt;&lt;br /&gt;I know that Win Eventlogs capture this. With the use of a SNARE agent, can I get MARS to provide an aggregate report of this login activity?&lt;br /&gt;&lt;br /&gt;Regards&lt;br /&gt;&lt;br /&gt;Jesmond Psaila&lt;/blockquote&gt;&lt;br /&gt;This is an excellent question.  Since I teach by example I'll show how this is done with an example.  In this example we're going to take a Windows 2000 server (SP4 loaded) and have it log login failures and successes to the MARS appliance.   We'll even create our own rules to trigger notification of login failures and successes.  There are two techniques for getting logs onto the MARS appliance:  push and pull.  Here I'll be using the "pull" function, in which MARS will log into the server and poll the event log.  I prefer this over placing SNARE on all servers and "pushing" the logs to MARS.  This mini-tutorial makes the assumption you have a base understanding of Windows server administration.&lt;br /&gt;&lt;br /&gt;1)  Configure your Windows 2000 Server to log login events:&lt;br /&gt;&lt;br /&gt;I could sit here and explain this... but Microsoft has a brief tutorial on this.  You can find it &lt;a href="http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx"&gt;here&lt;/a&gt;.      Below is a screenshot of my console after logging is fully enabled.  
If you view your Security Event Viewer now you should see login/logout events:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/winpolicy.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/winpolicy.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2)  Configure CS-MARS to pull events from the Windows 2000 Server&lt;br /&gt;&lt;br /&gt;Login to your MARS appliance and go to Admin -&gt; Security and Monitor Devices -&gt; Add.  Now choose "Add SW security apps on new host."  The screen should now look like this:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/swapps.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/swapps.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Fill in all fields and make sure to choose "Windows" Operating System.  Then click the "Logging Info" button to choose your event polling options:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/logging.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/logging.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After this you can click "Done" and the device should be added.  Make sure to "Activate" it in the upper-right hand corner.&lt;br /&gt;&lt;br /&gt;3)  As an aside you can configure how often MARS will go out and poll for events on the configured servers.  This is found under Admin -&gt; System Parameters -&gt; Windows Event Log Pulling Time Interval.  
I use 60 seconds:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/interval.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/interval.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4)  Next I like to always verify that logging is properly working.&lt;br /&gt;&lt;br /&gt;Let it run for about 10-20 minutes (good time to go grab a coffee) and come back and pull the raw events from MARS.  To do this go to Admin -&gt; System Maintenance -&gt; Retrieve Raw Messages.  I usually like to go back 10 minutes or more.  Fill out the options as shown below and make sure to select just your Windows 2000 server (mine's named CISCOWORKS).  Then click Submit.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/rawmessages.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/rawmessages.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;5)  After you have verified that you see messages...  now you want incidents to be created when triggered events happen.  I've created an example rule that will create an incident when a user logs into the server.  Here are the details on it:&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/loginrule.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/loginrule.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Obviously you can tweak this as you must.  Find the keywords in the raw messages and use those as a "Keyword" to fire off incidents.&lt;br /&gt;&lt;br /&gt;I hope this helped explain how to get Windows Servers logging with MARS and generating rules to fire events for server logins.  
Though this was done to help Jesmond, anyone with any questions or that would like more example rules please let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115514500638422948?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115514500638422948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115514500638422948' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115514500638422948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115514500638422948'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/08/qa-how-does-mars-work-with-windows.html' title='Q&amp;A:  How does MARS work with Windows Event Logs?'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115392890078187884</id><published>2006-07-26T11:11:00.000-04:00</published><updated>2006-07-26T13:28:40.953-04:00</updated><title type='text'>Making the Shoe Fit - CS-MARS Sizing</title><content type='html'>So you want a MARS box but don't know which one to buy?  
Cisco offers many options as to which appliance you can purchase and even has details online as to how each appliance is sized.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/csmarssize.0.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/csmarssize.0.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So as you can see the sizing is based upon events per second.  So how exactly can you measure your events per second?  Let me clarify this by showing you the devices we monitor and all together the events per second we generate.  Here are our monitored devices:&lt;br /&gt;&lt;br /&gt;4 x Windows Server&lt;br /&gt;121 x Cisco 2811 IOS Routers&lt;br /&gt;384 x Cisco 3750 IOS Switches&lt;br /&gt;117 x PIX 506E Firewalls&lt;br /&gt;2 x PIX 520 Firewalls&lt;br /&gt;2 x PIX 515E Firewalls&lt;br /&gt;7 x Cisco 3825/3845 Routers&lt;br /&gt;2 x Cisco 4215 IPS 5.1 Sensors&lt;br /&gt;6 x Unix Servers with Snort&lt;br /&gt;&lt;br /&gt;So all together we have a relatively large infrastructure monitored by MARS.  So events per second comes to what exactly?  At peak usage during the day we generate only about 57 events per second.  Which CS-MARS version do we run?  We're currently running the 100e, which is capable of 3000 events per second!  Wow... that's pretty damn powerful!  We bought this size knowing that our infrastructure will soon include more servers along with NAC reporting to MARS.  Hopefully this sizing overview helps when making the decision to purchase a CS-MARS appliance.  
If you ever need any help or recommendations, just ask!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115392890078187884?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115392890078187884/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115392890078187884' title='44 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115392890078187884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115392890078187884'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/07/making-shoe-fit-cs-mars-sizing.html' title='Making the Shoe Fit - CS-MARS Sizing'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>44</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115376094375549248</id><published>2006-07-24T10:59:00.000-04:00</published><updated>2006-07-24T13:09:03.816-04:00</updated><title type='text'>A Visual Intro to CS-MARS</title><content type='html'>So what is CS-MARS and why does it deserve a blog?  CS-MARS (short for &lt;span class="content"&gt;Cisco Security Monitoring, Analysis and Response System) is a security aggregation point for network devices.  
I could sit here and talk about all the blah blah that the PDFs on Cisco.com provide, but I think a visual tour of our implementation of MARS will best describe this powerful network security tool.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="content"&gt;1)  Incident Dashboard - The CS-MARS homepage for events.  Shows the 5 most recent security events along with daily statistics and brief security diagrams.&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/csmasrsdash.0.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/csmasrsdash.0.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;2)  Incident Listing - Here we see the most recent Incidents as recorded by MARS.  You get all the basic information on the Incident triggered, and from here you drill into specific Incidents.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/csmarsincid.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/csmarsincid.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;3)  Rule View - Here we can see the rules that come built into the MARS system.  There are currently 124 system rules.  This sounds very minimal, but think of rules as the aggregation of multiple events (which we'll see soon).  
Rules are what generate incidents and can notify us.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/csmarsrules.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/csmarsrules.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;4)  Event View - Here is where we see the individual events that MARS recognizes coming from devices.  As of version 4.2.1 there are over 16,000!  These are the events that are triggered from logs/polling of the monitored devices.  The events are then correlated to the above rules and grouped to form incidents that represent security events.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/csmarseven.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/csmarseven.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;5)  Incident Details - On the final part of this tour I'll drill into a specific incident.  Here we see a supposed VPN attack that was successful.  This was the result of a user, christine, failing login to our VPN endpoint, disconnecting, then connecting successfully.  MARS detects this as a successful VPN password attack and generates an incident.  As a network engineer I know this is a real user and that this incident is the result of a user mistyping credentials.  
In the event this user was not a real user, we would have an incident to now investigate further.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/csmarsincdet.0.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/csmarsincdet.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I hope this introduction showed how much power is behind this appliance.  It's been a really exciting system to work on and I'm constantly learning more and more about the true capabilities of it.  Now if I can just make it take my off-hour calls I'll be one happy network engineer...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115376094375549248?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115376094375549248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115376094375549248' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115376094375549248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115376094375549248'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/07/visual-intro-to-cs-mars.html' title='A Visual Intro to CS-MARS'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115360646084725114</id><published>2006-07-22T18:04:00.000-04:00</published><updated>2006-07-22T20:08:51.420-04:00</updated><title type='text'>Mobile Messaging Using the Sprint PPC-6700</title><content type='html'>Eat this Blackberry!  In a company that's pretty large (25,000+ employees), we have an under-staffed IT department.  Surprising right?  Anyways, when the CS-MARS device was installed we started receiving the built-in e-mail alerts about security events.  The issue was that we had no mobile devices to receive the alerts on.  The e-mail alerts are pretty cheesy, but I have a notification enhancement I'll share in one of these posts (all written in a network engineer's favorite language, Perl).   So with my large paycheck (pfft!) I purchased a Sprint PPC-6700.  This is everything a Blackberry is and more.  We're in the process of an MS Exchange 2003 migration and thanks to our awesome Windows admin, he configured Microsoft DirectPush e-mail.  This means that the Blackberry "push" functionality is built into my device and our new mail environment.  I now receive alerts as they occur and can more easily respond to them.  Plus it's a cool phone everyone is jealous of.  
If we could only get EVDO coverage up here!&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/New%20034.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/New%20034.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://photos1.blogger.com/blogger/2138/3406/1600/New%20038.jpg"&gt;&lt;img style="cursor: pointer;" src="http://photos1.blogger.com/blogger/2138/3406/200/New%20038.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115360646084725114?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115360646084725114/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115360646084725114' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115360646084725114'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115360646084725114'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/07/mobile-messaging-using-sprint-ppc-6700.html' title='Mobile Messaging Using the Sprint PPC-6700'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-31465908.post-115350872226098696</id><published>2006-07-21T15:05:00.000-04:00</published><updated>2006-07-22T20:07:40.800-04:00</updated><title type='text'>An Introduction</title><content type='html'>A brief introduction of who I am and what I do.  My name's Mike and I'm a Cisco-certified network engineer.  I'm 22 years old and have worked on networks for the past 5 years.  I currently work in the private sector as a Network Engineer for a local food retailer.  We are based in 6 states in the Northeast.  My responsibilities include maintaining the operation of our MPLS network, along with investigating new technologies to enhance services on our network.  My main focus now is business continuity connectivity along with investigating the newest network security technologies.  My primary focus has been the installation and operation of the Cisco CS-MARS security event manager.  This robust product offers a lot, but I find that Cisco falls short on providing an in-depth view of the power of the device and how it benefits any company that operates a secure network.  My hope is that this blog will provide insight into the security technologies offered by Cisco, with a focus on the CS-MARS device.  
Along the way I'll share my experiences in networking and hopefully hear input from fellow engineers out there.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.cisco.com/image/jpeg/en/us/guest/products/ps6241/c1198/cdccont_0900aecd80484bd4.jpg"&gt;&lt;img style="cursor: pointer; width: 200px;" src="http://www.cisco.com/image/jpeg/en/us/guest/products/ps6241/c1198/cdccont_0900aecd80484bd4.jpg" alt="" border="0" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/31465908-115350872226098696?l=cs-mars.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://cs-mars.blogspot.com/feeds/115350872226098696/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=31465908&amp;postID=115350872226098696' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115350872226098696'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/31465908/posts/default/115350872226098696'/><link rel='alternate' type='text/html' href='http://cs-mars.blogspot.com/2006/07/introduction.html' title='An Introduction'/><author><name>Mike</name><uri>http://www.blogger.com/profile/02937556218726287896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry></feed>
