Cisco’s Umbrella – Another Effective Layer of Security

Up and running for only 20 days, Cisco Umbrella has protected us from 358 potential security issues. Diving deeper into the actual events shows that many of them are merely potentially dangerous sites, but better safe than sorry.

The most compelling aspect of this product is that it works in the cloud, before the data even gets to you. Most web filtering solutions work at the perimeter, meaning the data gets all the way to your firewall and is blocked there. Umbrella does this at the DNS layer in the cloud: the name never resolves, so the connection is never made, which cuts down on your own bandwidth usage and provides security. Two birds with one stone.
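Because the control is at the DNS layer, it only covers lookups that actually reach the Umbrella resolvers; a host pointed at a different resolver, or a connection made straight to an IP address, is never seen. The access list below is an added example (not from the original post, and not Cisco's or Umbrella's own configuration) of the check a practitioner would want: inside hosts are allowed to talk DNS only to the Umbrella resolvers, and any other port-53 traffic is dropped and logged. The resolver addresses 208.67.222.222 and 208.67.220.220 are the public OpenDNS/Umbrella anycast resolvers; confirm them in your own Umbrella dashboard. The inside subnet 192.168.10.0/24 and interface GigabitEthernet0/1 are assumptions.

```cisco
! Added example, not Cisco's or Umbrella's own configuration. The inside
! subnet and interface are assumptions; the resolver addresses are the
! public OpenDNS/Umbrella anycast resolvers (verify in your dashboard).
ip access-list extended INSIDE-IN
 remark DNS is allowed only to the Umbrella resolvers
 permit udp 192.168.10.0 0.0.0.255 host 208.67.222.222 eq domain
 permit udp 192.168.10.0 0.0.0.255 host 208.67.220.220 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 208.67.222.222 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 208.67.220.220 eq domain
 remark Any other resolver is a bypass: drop it and log the source
 deny   udp 192.168.10.0 0.0.0.255 any eq domain log
 deny   tcp 192.168.10.0 0.0.0.255 any eq domain log
 remark Everything else passes as before
 permit ip 192.168.10.0 0.0.0.255 any
!
interface GigabitEthernet0/1
 description LAN
 ip access-group INSIDE-IN in
```

If you run an internal DNS server that forwards to Umbrella, permit that server instead of the client subnet and block everything else. Hit counts on the two deny lines in `show access-lists INSIDE-IN` tell you which hosts are trying to go around the filter. This catches the plain port-53 bypass only; DNS carried inside HTTPS on port 443 is not caught by a port-53 rule.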

While I wouldn’t suggest you go and throw out any of your other security solutions, Umbrella can be a great add-on to your overall security strategy.

Feel free to contact me to discuss further.

NGFW and UTM, What is the difference?

Over the last week or so I have been researching and trying to find the difference between NGFW (Next Generation Firewall) and UTM (Unified Threat Management). I came across some great blogs that helped me cut through the marketing hype.

https://blog.anitian.com/utm-v-ngfw-a-single-shade-of-gray/

In this blog the author makes some great points that essentially argue that there is no difference. As I read through the comments on the blog, it was not so clear, as many argued that there is a big difference.

When I looked up the definition of NGFW and UTM in Wikipedia to get a baseline as to where I would end up on this argument, it solidified in my mind that these are in fact the same thing.

Gartner states an NGFW should provide:

  • Non-disruptive in-line bump-in-the-wire configuration
  • Standard first-generation firewall capabilities, e.g., network-address translation (NAT), stateful protocol inspection (SPI) and virtual private networking (VPN), etc.
  • Integrated signature based IPS engine
  • Application awareness, full stack visibility and granular control
  • Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.
  • Upgrade path to include future information feeds and security threats
  • SSL decryption to enable identifying undesirable encrypted applications

SOURCE: http://en.wikipedia.org/wiki/Next-Generation_Firewall


UTMs represent all-in-one security appliances that carry a variety of security capabilities including firewall, VPN, gateway anti-virus, gateway anti-spam, intrusion prevention, content filtering, bandwidth management, application control and centralized reporting as basic features. The UTM has a customized OS holding all the security features at one place, which can lead to better integration and throughput than a collection of disparate devices.

SOURCE: http://en.wikipedia.org/wiki/Unified_threat_management

Now there may be some subtle differences here, but for the most part the two provide the same set of features. It seems to me that the main argument for a difference between the two is that the NGFW has a more robust engine and won’t suffer the performance impacts that a UTM would.

This becomes even more confusing when we look at the Gartner Magic Quadrant for the two.

[Image: Gartner Magic Quadrant for NGFW and for UTM]

Palo Alto seems to be the only NGFW (or at least the only one of any significance) not to be in the UTM category. And how is it that Fortinet is both a UTM and an NGFW, but is not as good at being an NGFW?

If there is in fact a difference between the two, then one product cannot be both, can it?

My conclusion therefore is that they are the same. Some may be better than others, but they are essentially equal in features.

Your thoughts?


Outsourcing Network Management and Monitoring

Outsourcing, to some, is a bad word. Almost as bad as “consulting”, a word that makes me cringe. The fear of losing control seems to be the driving factor in steering IT folks clear of outsourcing. But it doesn’t have to be that way, at least not with End to End. Now I don’t want to sound like a commercial, but I do see a significant advantage to our services over the competition. I will start by addressing the control factor.

Recently we were working with a prospect that had an existing Internet service with one of the big Canadian carriers; I won’t mention names. As part of our engagement, we needed to gather some information regarding the configuration of the Cisco router that terminated the Internet connection. The customer engaged their carrier to provide the configuration information and the carrier refused! Whose network is this anyway? They played the “security card” and indicated that everything was provisioned and working as expected. After a couple of emails back and forth with the customer and carrier, I explained that this configuration was required for auditing purposes and that a “scrubbed” configuration, that is, a configuration with any reference to the carrier’s own security removed, would be fine. They still refused. Now I know we will eventually get a copy of the configuration; we just haven’t pushed hard enough yet. Since we have gone through this before, once we pull the compliance card they will likely give in, but what a waste of everyone’s time.

Our Differentiator:

Like most MSPs, End to End provides a portal where customers can access statistical information regarding their network and its performance. Unlike others, however, End to End also provides access to all configuration files. Configurations are captured nightly and saved in our database. Access to scrubbed configurations is provided only to authorized users, and they can be compared against previous configurations. In my previous example, access to these configurations would have saved countless emails, telephone calls and about two weeks.

Security appears to be another factor that makes IT folks shy away from managed services, but why is it, then, that these same IT professionals allow a carrier to control their Internet gateway? I have had a lot of experience working with all of the carriers and I can guarantee you that security is not their strong suit. In fact, I know the “default” password used by most of the Canadian carriers, and I know that they never change it! Can you imagine this? Does it scare you? It would scare me!

Our Differentiator:

End to End uses RADIUS to control access to all devices that we manage. This allows us to quickly add and remove user access to all of those devices, to track access by username, and to give customers either read-only access or write access in a shared support model, AKA co-sourcing.
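Here is what RADIUS-controlled device access looks like on a Cisco IOS router, as an added example of the technique (this is not End to End’s actual configuration). The RADIUS server address 192.0.2.10, the shared secret, the account names and the FreeRADIUS users-file syntax on the server side are all assumptions. The point to notice is that the privilege level the router grants comes from the Cisco-AVPair attribute the RADIUS server returns, so read-only versus write access is decided centrally rather than on each device.

```cisco
! Added example, not End to End's configuration. 192.0.2.10, the shared
! secret and the usernames are placeholders; Cisco IOS 12.4T-era syntax.
aaa new-model
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 0 ReplaceThisSecret
aaa group server radius NMS-RADIUS
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Logins are authenticated by RADIUS. "local" is consulted only when the
! RADIUS group returns an error (unreachable), not when it rejects a user.
aaa authentication login default group NMS-RADIUS local
aaa authorization exec default group NMS-RADIUS local if-authenticated
aaa accounting exec default start-stop group NMS-RADIUS
!
! Break-glass account, usable only while RADIUS is unreachable.
username break-glass privilege 15 secret 0 ReplaceThisToo
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
!
! Server side (FreeRADIUS "users" file syntax, an assumption about the
! server in use). The Cisco-AVPair sets the exec privilege level the
! router grants, so read-only vs write access is managed centrally:
!
!   netops-ro  Cleartext-Password := "..."
!              Service-Type = NAS-Prompt-User,
!              Cisco-AVPair = "shell:priv-lvl=1"
!
!   netops-rw  Cleartext-Password := "..."
!              Service-Type = NAS-Prompt-User,
!              Cisco-AVPair = "shell:priv-lvl=15"
```

Privilege level 1 lands the customer in user EXEC with show commands only; level 15 gives configuration access. RADIUS authorizes the session as a whole: if you need per-command authorization or command accounting on IOS, that is a TACACS+ feature, not a RADIUS one. Treat the break-glass secret as the one thing that must not become a never-changed shared password of the kind described above: keep it out of the shared list and rotate it when staff leave.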

You have your own tool?

Unlike other network management tools, our eView portal is completely agentless. There is nothing to install at the customer premises; there is nothing to install anywhere. All we need is network connectivity: SNMP, ping, SSH, HTTPS. Similar to the Salesforce.com model for CRM, the eView portal can be up, monitoring, alarming and capturing your network in less time than it takes to install a competitor’s product.

Whats Next?

Our development team is working on an exciting new device access method that will truly be the most secure and functional means of network management, flexibility and control. Already in Beta, we expect the first release of this new access method to be in production by Q4 of 2010.

Perhaps you don’t want to outsource your network management and you just need a tool. End to End has already deployed this model to a number of our wholesale partners and as the need grows, the features are growing along with it.

So while the word “Consulting” still makes me cringe, I hope I have helped to convince you that Outsourcing is only a bad word when done by the wrong people.

Intrusion Prevention – The Beast!

After many years of managing and maintaining network security for our own internal network and our customers’ networks, it still surprises me that even the largest organizations have not implemented intrusion detection/prevention. It reminds me of the 1990s, when we would have to convince potential customers that they needed a firewall. Now everyone has a firewall (at least I hope), and you would be considered a fool if you didn’t.

It shouldn’t surprise me though, and I think I know the cause of the slow adoption rate. Security, although important, is not a business enabler; in fact it makes doing business more cumbersome and costly. But what are the alternatives? It is certainly easier for me to get into my house if the door is unlocked, or to get into my car if the door is unlocked and the key is in the ignition, but that also makes it easier for the people that you don’t want in your house or driving your car. So, as budgets get eaten up by business-enabling technologies, security gets pushed out to the next fiscal budget.

Many organizations have trouble getting their minds around IDS/IPS/IDP (Intrusion Detection System/Intrusion Prevention System/Intrusion Detection and Prevention), what they do, how they do it and how to manage such a beast.

In very simple terms:

IDS, the oldest of the beasts, simply detects an intrusion attempt and alarms an administrator about it. IPS and IDP are essentially the same thing with prevention capabilities added: blocking the attacker, resetting the connection, blocking the subnet, etc.

How it does this is quite simple: it matches traffic against a preloaded set of signatures describing criteria known to be suspect. It goes a lot deeper than that, but this is the general idea.

How to manage such a beast is the toughest question to answer, and success in managing it is really determined by how it is deployed in the first place. First you must decide where the IPS unit will be placed in your network and what segments/hosts it will be protecting. Once you have a list of hosts you must determine what those hosts do. Are they web, FTP, mail, DNS, etc.? What operating system are they running? What version of each application are they running? Are they using the latest patches for the operating system and the application?

Then you must choose the signatures that are applicable to those applications. Some signatures are always applicable, as they may detect reconnaissance or DoS (Denial of Service) activity. Finally, choose what you would like to happen when a signature fires: alarm, reset, block, or all of the above.
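Those same steps (pick the interface in front of the protected hosts, retire what does not apply, enable the signatures you need, and choose an action per signature) look like this on Cisco IOS IPS. This is an added example, not configuration from the original post. It assumes the 5.x signature format of IOS 12.4(11)T or later, that the router already holds Cisco’s signature-signing public key and has a signature package loaded, and that GigabitEthernet0/0 faces the protected hosts. Signature 2004/0 is the ICMP Echo Request signature and stands in for the kind of reconnaissance signature you keep enabled everywhere.

```cisco
! Added example of Cisco IOS IPS (5.x signature format); not the original
! post's configuration. Interface and flash path are assumptions.
! One-time prerequisites from exec mode (not shown in full):
!   mkdir flash:ips
!   copy tftp://<server>/IOS-Sxxx-CLI.pkg idconf   (after loading Cisco's
!   signature-signing public key with crypto key pubkey-chain rsa)
!
! 1. Where signatures are stored, the rule name, and where alarms go
!    (SDEE for a management station such as MARS, plus syslog).
ip ips config location flash:ips retries 1
ip ips name IOSIPS
ip ips notify sdee
ip ips notify log
!
! 2. Start with everything retired, then un-retire only the category
!    you need so the router does not run out of memory.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! 3. Tune individual signatures. 2004/0 is "ICMP Echo Request", a
!    reconnaissance signature: keep it on everywhere but alert only.
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  engine
   event-action produce-alert
!
! Event actions can be combined on one line, e.g. for an exploit
! signature against a server you actually run:
!   event-action produce-alert deny-packet-inline reset-tcp-connection
! Other choices: deny-connection-inline, deny-attacker-inline.
!
! 4. Inspect both directions on the interface facing the protected hosts.
interface GigabitEthernet0/0
 ip ips IOSIPS in
 ip ips IOSIPS out
```

Start with everything retired and switch on categories or single signatures only for what the protected hosts actually run; an un-retired signature costs memory and CPU whether or not it ever fires, and the basic category is the one Cisco recommends for lower-memory routers. Event actions are additive, so a signature for a real exploit against a server you own can alert, drop the packet and reset the connection, while the recon signature above only alerts. During burn-in, `show ip ips signatures` lists what is enabled and `show ip ips statistics` shows what has been firing.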

As these systems have matured, they have become much friendlier about determining the risk associated with a signature, providing risk ratings and a plethora of information about the signature, why it might fire, and what you could or should do about it.

Even after you have followed all of these steps, you’ll find that you will be overwhelmed with alarms and logs about potential malicious activity. It is only after a couple of weeks of what we call “burn in” that you should be in a position to calm the system down enough to make it manageable.

But what to do when you get an alarm? Well, to start, don’t panic: 99% of the time it will turn out to be a false positive, or an attempted attack that you are not susceptible to based on other security measures deployed throughout your infrastructure. Investigate the source of the signature. If you are in North America and the source is China (unless you do business in China), then it could be an attack. Investigate the target. Is it your web server? Is the signature a web-based signature? Does the attack profile match your target? For example, if the signature is only applicable to an IIS 5 web server running on Windows 2000, is that what you have?

For each signature that fires, this type of investigation is necessary, and not all organizations have the resources to keep up with the demand. That is why we see a lot of IPS deployments being shelved or ignored after only a few months.

Here at End to End we use Cisco Security MARS (Monitoring, Analysis and Response System) to manage all of the alarms we receive from both our own IPS and our customers’ IPS appliances. This system allows us to create detailed rules on the MARS server without having to configure each IPS sensor that we manage, which lets us scale our service and provide cost-effective managed services for all IPS deployments. If you are considering an IPS deployment, look into a system like MARS, or give us a call and we can help you manage the ugly beast.

How to determine what is NOT supported!!!

Much of my time is spent researching data sheets and release notes to determine the capabilities of a product, and you can learn a lot about a product by reading these documents. However, the most important thing I’ve learned is how to read a document in such a way that you can determine what the product does not support. The vendors, of course, never tell you what isn’t supported; they tell you what is supported.

This I have found to be the most challenging task in product research, and without the skill you can find yourself in a difficult position after the product has already been sold and the promises have been made. I don’t think this is something you can teach; it is something you learn over time after being burned. Who pays for these mistakes? It is certainly not the vendor, and it’s not the customer; it is the person responsible for the implementation.


Recently, after discussing with a new customer the requirements for a firewall/VPN/URL filtering/IPS device (an all-in-one box), I did a little research and came up with a solution utilizing a Cisco IOS ISR router. I thought I had done all my research, but during deployment we ran into some real snags!

First issue: not enough flash to run SSL VPN and IPS concurrently.
Second issue: URL filtering is not supported with CBAC (Context-Based Access Control); you must use a zone-based firewall configuration.

In reading through the data sheets for this router I read nothing about flash limitations on a router that is sold to support SSL VPN and IPS concurrently. A flash upgrade was obviously required, but this could not be determined until we had already run into the issue. For the second issue, I have no one to blame but myself, for I just assumed that URL filtering was supported using Cisco’s original IOS firewall technology. Had I done just a little more research I would have found the document that talks about URL filtering and how it’s configured in a zone-based firewall deployment. Nowhere does it say that URL filtering is not available using CBAC.

Live and learn, as they say. I won’t be making that mistake again, but at the rate that technology changes I probably won’t have the opportunity to make that mistake again. I’m sure a new one is on the horizon, but I’ll be sure to read all the documents so that I can determine what they have not told me.

Cisco Zone Based IOS Firewalls

It is about time that Cisco came out with this. I was never really a fan of CBAC; it worked but never really gave me the control I desired. Let’s hope they add this functionality to the ASA to allow for interface-to-interface control.

My testing started off with a basic CBAC configuration for a secure router connected to the Internet. Once I was happy with the configuration I migrated to a zone-based configuration, and although in the beginning it was a little confusing, I soon got the hang of it. I must admit that in a very large configuration this could get quite complex, but it gives you the kind of control you need in today’s environment.

Once I had the basic configuration running I was able to implement a more complex configuration, and that’s where I started to run into some snags.

For now stay away from nested class-maps: although they work, they don’t currently support statistics, so you can’t really see your configuration in action.

The WebVPN AnyConnect client also isn’t supported (today), as the SSL SVI interface cannot be configured via the command line and therefore can’t have a zone added to it. I am told by Cisco that they should have a fix for this in May in the 12.4(24)T2 software.

I really like the ability the zone-based firewall gives you to block P2P data, and even data embedded inside the HTTP protocol.
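As an added example (not the author’s configuration), here is a small zone-based firewall for an Internet-edge router with one LAN and one Internet interface that does the two things just mentioned: it drops known P2P applications and resets non-HTTP traffic tunnelled through port 80. It uses 12.4(20)T-era syntax; the interface names and the list of permitted protocols are assumptions, and the class-maps are kept flat rather than nested so that the counters work.

```cisco
! Added example of a zone-based firewall for a two-interface Internet
! edge router; not the original post's configuration. Interface names
! and the permitted-protocol list are assumptions.
!
! Zones: an interface in no zone cannot talk to a zoned interface, and
! traffic between two zones is dropped unless a zone-pair permits it.
zone security INSIDE
zone security OUTSIDE
!
! Layer 7 HTTP inspection: catch non-HTTP traffic tunnelled over port 80
! (the "data embedded inside HTTP" case) and protocol violations.
class-map type inspect http match-any HTTP-ABUSE
 match request port-misuse p2p
 match request port-misuse tunneling
 match req-resp protocol-violation
policy-map type inspect http HTTP-DEEP
 class type inspect http HTTP-ABUSE
  reset
  log
!
! Layer 4 classes. Kept flat: nested class-maps show no statistics.
class-map type inspect match-any P2P-APPS
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
class-map type inspect match-any WEB
 match protocol http
class-map type inspect match-any OTHER-OUTBOUND
 match protocol https
 match protocol dns
 match protocol ssh
 match protocol icmp
!
! Order matters: P2P is classified before WEB so a P2P client
! on port 80 is dropped rather than handed to HTTP inspection.
policy-map type inspect IN-TO-OUT
 class type inspect P2P-APPS
  drop log
 class type inspect WEB
  inspect
  service-policy http HTTP-DEEP
 class type inspect OTHER-OUTBOUND
  inspect
 class class-default
  drop log
!
! Only an INSIDE->OUTSIDE pair exists. Replies come back through the
! inspect sessions; unsolicited OUTSIDE->INSIDE has no pair and drops.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
interface GigabitEthernet0/0
 description Internet
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 description LAN
 zone-member security INSIDE
```

Two things to check before putting this in front of real users. Traffic to and from the router itself (the self zone) is still allowed by default until you create a zone-pair that involves self, so SSH to the router keeps working here, but the moment you add a self pair you must permit management traffic in it explicitly. And `show policy-map type inspect zone-pair IN-OUT` gives per-class session and drop counters, which is exactly the visibility the nested class-maps lack; if a class never increments, it is either ordered behind a broader match or not matching at all.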

Nice work Cisco – keep it up.

Heath