Archive for April, 2009

NAC up your alley! – NAC Appliance…

In previous posts, we discussed the authentication component of the NAC Appliance and how the trigger process begins once a host is introduced to the network. In our last discussion I brought up the NAA (NAC Appliance Agent) so let’s dive further into this agent.

The NAA is our “middleware” that allows the NAC Appliance to communicate with your host and check for compliance (aka authorization) and authentication. I mean, if you think about it, a NAC Appliance cannot just ask your corporate hosts what software is installed. There are firewalls and all the other software you’ve installed on the hosts, so the only way to query the host is by use of an agent. The agent itself should be installed ahead of time, before the Appliances go live at all. So here is the kicker:

  1. The agent requires admin rights to be installed.
  2. The agent runs as a process under the logged-in user and not as a system service (in the next rev this will be updated).

So while you are adding the NAA to the host you should also add a couple of other key components, including the “stub installer” and the root CA certificate. The stub installer can be found either by doing an SCP copy from the NAM or by browsing into the NAM’s GUI to download the exe file. You will want the stub installer because if a user ever downloads the NAA, or needs to update their NAA by means of the NAM providing the file, the stub will automatically be invoked to allow the NAA to be installed/patched, therefore not requiring your users to have admin rights. (The downfall to installing the stub installer, by the way, is that the stub itself needs to be installed with admin rights, so this will need to be scripted to be installed automatically by your IT staff.)

The CA’s certificate also needs to be installed ahead of time, or else the users will see a certificate pop-up window every time they log in. Remember that the CA will sign the website certificate used on the NAS and NAM.

Also keep in mind that the NAA runs as a process on the local host. That means the user will need to be logged in in order for any compliance checking on the host to take place. A user cannot simply leave their PC on, log out, and expect compliance checking to work correctly. Cisco has mentioned that a service version of the NAA will be coming out shortly, but until then we are stuck with the process.

There are also a few sticking points to the agent. If the user logs in to their Windows host and decides to hold the Shift key down to prevent any startup programs from starting, the NAA is subject to the same bypass, preventing the NAA from loading. It’s the same case if a user simply kills the process in Task Manager. In either of those two cases, the user’s PC will be redirected to the web page of the NAC Appliance once they decide to open their browser and browse to the network or Internet.
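As an added example (not from the original post or from Cisco), here is a PowerShell readiness check a desktop team could run on a Windows host before the Appliances go live. It covers the three prerequisites above: the root CA is trusted machine-wide, the stub installer is present, and the agent is running as a process in the logged-on user’s session rather than as a service. The thumbprint, stub installer path and agent process name are placeholders for your deployment’s values.

```powershell
# Added example: pre-rollout readiness check for the NAA prerequisites
# described in the post. All three parameter defaults are PLACEHOLDERS;
# substitute the real thumbprint, stub path and process name for your site.
param(
    [string]$RootCaThumbprint  = 'PLACEHOLDER_ROOT_CA_THUMBPRINT',
    [string]$StubInstallerPath = 'C:\PLACEHOLDER_PATH\stub_installer.exe',
    [string]$AgentProcessName  = 'PLACEHOLDER_AGENT_PROCESS'
)

$results = [ordered]@{}

# 1. The root CA that signs the NAS/NAM web certificates must be in the
#    machine-wide Trusted Root store, or users get a certificate prompt
#    at every login.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root |
      Where-Object { $_.Thumbprint -eq $RootCaThumbprint.ToUpper() }
$results['RootCaTrusted'] = [bool]$ca

# 2. The stub installer lets later NAA installs/patches run without the
#    user holding admin rights; it must already be on the box.
$results['StubInstallerPresent'] = Test-Path -Path $StubInstallerPath

# 3. The NAA is a per-user process, not a service: confirm it is running
#    and report which account owns it (should be the logged-on user).
$proc = Get-CimInstance -ClassName Win32_Process `
        -Filter "Name = '$AgentProcessName.exe'" |
        Select-Object -First 1
if ($proc) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $results['AgentRunning'] = $true
    $results['AgentOwner']   = "$($owner.Domain)\$($owner.User)"
} else {
    # Matches the bypass cases in the post: startup suppressed or process killed.
    $results['AgentRunning'] = $false
    $results['AgentOwner']   = $null
}

# Overall verdict: every prerequisite satisfied and the agent is up.
$results['Ready'] = $results['RootCaTrusted'] -and
                    $results['StubInstallerPresent'] -and
                    $results['AgentRunning']

[pscustomobject]$results
```

Run it in the user’s own session (not an elevated admin console) so the agent-owner check reflects the account the NAA actually runs under.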

Author: Jim Thomas

Basics of IT

Global Knowledge has a new member of its IT training family: Introduction to Information Technology.

It's a...new course!


This course is perfect for anyone who needs some basic training on the fundamentals of IT. Students will learn about data centers, wireless technology basics, encryption, and the management of IT infrastructures. The course will also cover introductory-level information on unified communications, fixed mobile convergence, cloud computing, RFID, and IPTV.

Not only is Intro to IT a good start for entry-level or newly hired technical professionals; executives, marketers, and sales teams who need to learn basic IT concepts and vocabulary would also benefit.

Check out the course page for schedule and locations.

Photo from istockphoto.com

Cisco’s Realm wraps up…or does it?

The Realm

I’ve been catching up with my offline comic books and it occurred to me that I haven’t checked in on Cisco’s The Realm in a while. Well, they’ve wrapped up the first release of four episodes and the employees at Synocorp all seem to have survived unscathed. But of course, like any good comic book, they left plenty of room for sequels.

I’ve been having fun following these releases, but I’m not in a position to buy equipment from Cisco. So you tell me – did these make you more or less confident in Cisco’s security products? Or did it have any impact at all?

~Editor

NAC up your Alley! – NAC Appliance

To refresh everyone’s memory, my last few posts have been discussing the Network Admission Control (NAC) Appliance and Framework. So where does this thing called NAC Appliance fit in? Is this technology right for you? Are you ready for NAC? Here is an introduction to the Cisco NAC Appliance and how it differs from the NAC Framework we discussed in those earlier posts.

In October of 2004, Cisco acquired a company called Perfigo. Perfigo was originally responsible for creating the product now known as the NAC Appliance that we’ve grown to love (or hate). Back then, they were known as Clean Access Appliances. When Cisco got hold of the product they rightfully renamed it the Network Admission Control (NAC) Appliance.

The product has grown over time. If you have been following Cisco for a while you kind of get a feel for how acquisitions turn out. They seem to first acquire an organization, then remove the acquired company’s label and replace it with their own. After that, they seem to sit on the product for a little while making minor modifications until finally, one day, it becomes “Cisco-ized”. This means the product is truly enhanced to meet the expectations that Cisco seems to have met time and time again. We’ll get into that later, but for now we’ll keep our discussion focused on the technology.


The Importance of Administrative Controls

Security is not always about who has the most high-tech firewall, the latest hardware solution or has upgraded to the newest operating system. While all of these are important, sometimes the simplest of controls – the most non-technical, mundane items – can be used to prevent devastating attacks. A good example is the reported logic bomb that was planted at Fannie Mae. Had this attack been successfully carried out, it is believed it would have knocked out all 4,000 of the organization’s servers on January 31, 2009.

This attack was made possible because of weak administrative controls. Administrative controls define the human factors of security. Some may consider this the boring stuff, because after all, I am referring to hiring practices, background checks, education checks, separation of duties, least privilege, rotation of duties, and good termination practices.

While these controls are not glamorous, they are extremely important. The example I mentioned above had to do with a UNIX engineer, Rajendrasinh Babubha Makwana, who was terminated on October 24, 2008, yet did not immediately have his access removed. According to the FBI indictment, the suspect is alleged to have accessed company systems between the time of his reported termination notice and when access was finally blocked (much later that evening). During this gap, the indictment charges that the suspect planted a logic bomb designed to wipe out data on the company’s 4,000 servers. Had the coded time bomb not been discovered, it is believed the malware could have caused millions of dollars in damage and possibly shut down the government-sponsored mortgage lender for a week.

The next time management is asking you to tighten security by reviewing firewall rule sets and tightening the newly implemented NAC, don’t forget the small stuff like administrative controls, as these controls can have a potentially huge impact on the company if not enforced.

From Michael Gregg

Image © Reuters

NAC up your alley? Framework Continued…

When we last left off we were discussing a Cisco NAC Framework scenario using a router. We had discussed the required configuration on the ACS server with ACLs and Attribute Definition Files. But we cannot just get away with only configuring the ACS server and NADs. You must also think about the hosts themselves. Our goal here with NAC is to check for specific software on our hosts.

In order to accomplish this we’ll need some software on the host called Cisco Trust Agent (CTA). Luckily this agent is free from Cisco with a valid CCO account. CTA is installed on your users’ PCs and provides middleware services on the host. That means that once the ACS is configured to check for software on the host, the ACS will query CTA to check whether your host is in compliance. If the host is not in compliance, then a pop-up appears on your user’s PC with a configurable message.

The nice thing here is that we can push ACLs down to the router on the fly, giving this user specific access to network resources for remediation (fixing/patching their host). Unfortunately there are quite a few negative components to this tale.

The first is that this technology is slowly (it’s almost gone now) being phased out in favor of the NAC Appliance. (I mean, why use something you already have when you can spend an enormous amount of payola with Cisco on new equipment?)


Personal Development and Continued Education

While all the talk in the news is of bailouts and rescues, I would offer the advice that each of us should plan for our own personal bailout. Now, while some of you may be thinking that I am talking about financial rescue plans, in reality I am talking about education and continued learning.

Everyone knows that we are living in a different environment than just a few years ago. While some may have careers and jobs that seem to be secure, nothing is a given in this world. According to CBS News, the demand for adult education is on the rise. If you have not already done so, I believe that you should think about how you can sharpen your skills: be it attending a night class, continuing your education, or going for that certification that you have been putting off. Continued learning is critical for personal growth, updating skills for the workplace, advancing a degree, and learning more about a passion or interest.

For me that passion is IT security. If you look at all the books I have authored, you will see that they all deal with security; many are on the topic of certification. Consider this: according to a Gartner study, “Hiring managers tend to view certifications as a more objective measure of a candidate’s skill level than self-reported skills and competency.” More important is the fact that the same study found, “The added market value that a certification brings can be as high as 30%-40%.”

I am making a promise to myself to continue learning this year and expanding my abilities; I hope you will consider doing the same. I wish I could offer you a catchy acronym to call your plan, such as TARP, TANF, or FSP, but the best I could think of was what it will bring you – SUCCESS!

From Michael Gregg


NAC up your alley?

We’ll deviate a little from my last blog entry to discuss something a little more recent. In the past few weeks a massive zombie network called Conficker was exposed. Although the payload of this zombie is not yet apparent, it still caused many organizations to upgrade their corporate hosts to the latest patch level from Microsoft. To enforce these latest updates, that is, to make absolutely sure that all hosts comply with the latest patch level, we can look at a Cisco product called the Network Admission Control (NAC) Appliance.

To truly understand the power of the NAC Appliance we should really look at its predecessor: NAC Framework. Many students who come into the various Cisco courses are really confused about the two technologies. It’s even gotten to the point where we were having NAC Appliance students showing up in the NAC Framework courses. The easiest way to get NAC Framework down is to think about it as leveraging your existing network infrastructure. If you want to use your existing switches, routers, concentrators and ASAs to check for software on your users’ PCs, then NAC Framework is right up your alley.

Basically, think about a host connecting to your layer 2 switch and getting an IP on your network. As the user sends packets to the internal network, a Network Access Device (NAD) intercepts the host’s request, which in turn triggers the NAC policy on the NAD to kick in. The NAD can be a router, switch, concentrator, ASA, or any enforcement device that has an ACL on it that drops user traffic. That being said, not all switches will support this technology, since Port-Based Access Lists (PACLs) are required.


Stop the Cyber Criminal

To test your knowledge about basic internet security, try your hand at this interactive game from www.onguardonline.gov. Challenge other computer users whose IT security you support to see how much they really know about keeping their computer and personal information safe from hackers, phishing, and spyware.

Posted by Alison

GhostNet – Organized Threat or Random Hack?

According to an article published in the New York Times on March 28, 2009, there is a rather large spy system at work that has targeted government organizations and private businesses around the world. The article reports that at least 1,295 computers in 103 countries were successfully breached.

Four Toronto academic researchers who are studying GhostNet.

While it is unknown who is behind these attacks, the source IP addresses trace back to computer systems based in China. The attacks follow a similar approach:

1. The victim receives a spoofed e-mail with an attachment
2. The e-mail appears to come from a trusted source
3. The contents seem logical and make sense
4. There is an attachment that is a PDF, DOC, PPT, or XLS
5. When the victim opens up the attachment, the document appears valid but actually launches an exploit
6. The exploit drops the malware

The “dropper” mechanism used to infect the attachments and install the malware onto targeted systems is described by F-Secure at http://www.f-secure.com/weblog/archives/00001450.html. The heart of this attack is the malware being used. It is known as Gh0st RAT and is based on a previous Trojan known as Poison Ivy, which is provided free by its developers. Such tools are typically open source and are easy to modify and adapt, making them more difficult for anti-virus to detect. Once installed, it gives the attacker full control of the victim’s computer. Gh0st RAT can not only capture keystrokes but also control the webcam and microphone. What makes this particular attack so important is the ease with which it was deployed and the number of particularly critical systems it was installed on. If you are responsible for securing your organization’s systems or are simply interested in IT security, I suggest you read the in-depth report issued by Cambridge University titled “The snooping dragon.”

From Michael Gregg

Photo taken by Tim Leyes of the New York Times
