The recent release of Cisco Identity Services Engine (ISE) 2.2 improves visibility and adds many new features. Some of the enhancements in ISE 2.2 are:
The enhanced visibility offered by ISE 2.2 helps an administrator know more about who is on the network. With ISE 2.2, administrators gain deeper visibility through additional user- and guest-based data such as:
- User ID
- Type of endpoint
- What applications they are running
Administrators can also:
- Enable bulk actions with device filtering abilities.
- Check port configuration for network access devices (NADs).
- View detailed port connection and configuration information in Network Device Download Reports.
This feature enables ISE administrators to make better policy decisions and enhance their organization's security.
Next-level Posture Capabilities
Posture enforcement has always been a challenging task for ISE administrators: creating the workflows is often a labor-intensive process and can be error-prone, which sometimes ends in network interruptions.
Cisco ISE 2.2 offers significant improvements in client provisioning for ISE administrators:
- More options are available for client provisioning workflows.
- AnyConnect can be deployed via external portal.
- ISE 2.2 supports more 3rd party network access devices (NADs).
- AnyConnect can be installed in stealth mode; when deployed this way, the AnyConnect client is installed on an end user's endpoint in the background without interrupting the user's activities.
The enhanced posture capabilities will certainly:
- Improve the end-user experience.
- Offer more flexibility for deployments.
The ISE 2.2 enhancements do not stop here; they will be covered further in the next blog post.
After being selected as a Cisco Champion for 2017, I was often asked what a Cisco Champion is. Some people do not know what the Cisco Champion Program offers and what benefits they can gain by becoming a Cisco Champion.
The Cisco Champion Program was started by Cisco Systems with the aim of creating and nurturing a group of people (Cisco geeks) who are highly influential IT technical experts and who enjoy sharing their knowledge, expertise, ideas and thoughts in innovative ways across the social web, be it in the form of blogs, supporting the online community by answering their queries, or with Cisco
The Cisco Champion Program is open to all individuals who are 18 years of age or older and who have the following qualities:
- Is active on social media
- Expresses balanced view of Cisco
- Has Cisco-related expertise
- Has overall expertise in IT industry
- Chooses to actively participate in conversations relevant to Cisco and the IT industry
One can either nominate oneself for the Cisco Champion Program at the end of the calendar year, or be nominated by peers. Nominations generally begin after October and cover a wide variety of topics. Some of the main interest areas are:
- Cisco Champions for Data Center
- Cisco Champions for Collaboration
- Cisco Champions for Enterprise Networks
- Cisco Champions for the Internet of Things
- Cisco Champions for Security
Cisco Champions are regarded as experts in Cisco products and technologies by their peers and actively share their knowledge, expertise, and thoughts in technical forums, communities, user groups, social media, speaking engagements, and across the social web with Cisco.
Some of the exclusive Cisco Champion benefits are:
- Networking with other Cisco Champions: by joining the exclusive Cisco Champion-only community, one can interact with like-minded technology enthusiasts from all over the globe.
- Communicating to share: Cisco Champions get an exclusive opportunity to attend and participate in a weekly live podcast, as well as two blogging spots per year with the Cisco Champion Blogger Program.
- Access to the latest Cisco news: Cisco Champions receive invitations to attend pre-launch briefings and find out the latest Cisco news before the rest of the world.
It is really an honour to be a Cisco Champion, as Cisco recognizes and supports the individuals who contribute to the community in various forms. One can certainly start contributing the knowledge gained over the years and become part of the Cisco Champions Program for 2018.
Cisco has launched the industry's first secure internet gateway (SIG) in the cloud, with the intention of addressing the security requirements of today's mobile, cloud-connected enterprise. Umbrella is Cisco's Secure Internet Gateway product.
In the past, organisations kept services like email, software, ERP and HR solutions mostly within their own network perimeter; with the advent of the cloud, things have changed. These days organisations are adopting software-as-a-service products such as WebEx, Office 365, Salesforce, Box and Google Docs, relying on them to improve productivity while aiming to reduce their OPEX. Most branch offices are now connected directly to the Internet instead of backhauling their internet traffic to corporate. All these new adoptions raise security concerns, as one can work without even connecting to the VPN, and it is predicted that by 2019 there will be a 70% increase in SaaS app usage.
All these concerns are driving new security technologies and approaches, which are becoming more cloud-centric.
With the launch of Umbrella, Cisco wants to address the problem of security in the cloud. With this new service, Cisco aims to provide its customers with safe and secure access from anywhere, even when they are off the VPN.
After acquiring OpenDNS in 2015, Cisco re-engineered it with its own security portfolio to create Cisco Umbrella, which can be described as the industry's first Secure Internet Gateway. Cisco built this solution with OpenDNS Umbrella as the foundation, brought together capabilities from the Cisco Web Security proxy and AMP file reputation, and integrated them into the new platform. In future, Cisco plans to add Threat Grid sandboxing as well.
Courtesy: Cisco Systems
Cisco says that the cloud-delivered Secure Internet Gateway is capable of providing safe and secure access and can act as the first line of defense and inspection. The Secure Internet Gateway can prevent current and emerging threats and, at the same time, block access to malicious domains, URLs, IPs and files before a connection is established or a file is downloaded.
On February 7, 2017, Palo Alto Networks launched PAN-OS 8.0 with more than 70 new enhancements and capabilities intended to prevent successful cyberattacks.
Courtesy : Palo Alto Networks
As the market share of multi-cloud architectures increases day by day, this growth is often a source of security concern. Be it public cloud, private cloud or software-defined data centres, they all pose the same challenge, though the complexity varies. With this in view, Palo Alto Networks has optimised its virtualized next-generation firewalls with new VM-Series models. The newly released PAN-OS 8.0 expands the VM-Series with new models and optimized performance, making it the broadest, most powerful line of virtualized firewall appliances on the market. New scalability and resiliency features for Microsoft® Azure® and Amazon® Web Services enable organizations to build secure cloud-centric architectures. Workflow automation features for VMware® NSX® and KVM with OpenStack® help streamline VM-Series deployments.
PAN-OS 8.0 includes numerous enhancements that provide organizations with significant new capabilities to prevent successful cyberattacks and secure high-performance network, endpoint and cloud environments:
- Enhances visibility, control and scale in all major clouds, such as AWS, Azure and SaaS.
- Puts a stop to sandbox-evasive malware and automates the detection of command and control.
- Greatly increases Panorama™ network security management performance, enriches context with Traps™ advanced endpoint protection logs, and automates actions and service ticketing tools, such as ServiceNow®.
- Prevents automated credential theft and abuse, built in to PAN-OS 8.0.
- Delivers high-performance new hardware, PA-5200 Series, PA-800 Series and PA-220, to address encrypted traffic and data center consolidation, and increase internet gateway demands.
One feature that caught our attention and is worth mentioning is the "WildFire Phishing Verdict". The new WildFire Phishing Verdict classifies phishing links detected in emails separately from other emailed links found to be exploits or malware. The firewall logs WildFire submissions that are phishing links to indicate that such a link has been detected in an email. With both a WildFire license and a PAN-DB license, you can block access to phishing sites within 5 minutes of initial discovery. However, the WF-500 appliances do not support the new phishing verdict.
Since this is a new release it may need some time to mature; it is always recommended to seek the guidance of Palo Alto TAC support on the most stable release before upgrading Palo Alto Next-Generation Firewalls.
The recent Apple iOS 10.2.1 update has created an issue with the Palo Alto GlobalProtect agent for iOS devices. It has been observed that the GlobalProtect client hangs and never opens. The only way to open the GlobalProtect client is to uninstall and reinstall it. Once the client is reinstalled it opens for the first time and gives an opportunity to enter the server details and login credentials. Once those details are entered, the same issue occurs again: the GlobalProtect client always fails to open.
This situation applies only when an Apple device has been upgraded to iOS 10.2.1 and the GlobalProtect portal is using a self-signed certificate.
The only way to overcome this issue is to use a valid certificate issued by a trusted CA. Once a valid CA-issued certificate is installed the issue is resolved. However, one has to delete the GlobalProtect client and reinstall it from the App Store, as the certificate is automatically bound to the app and cannot be revoked.
There is one more catch: one cannot use wildcard certificates with the GlobalProtect portal; one will often see the error "Gateway xxxxx.com: Server certificate verification failed". It is always recommended to use a host-specific certificate that includes the hostname (DNS name) in the Subject Alternative Name (SAN) attribute, and the hostname should also match the Common Name of the certificate.
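The certificate conditions described in this post can be checked before a portal certificate is deployed. The following is an added example, not code from Palo Alto Networks or the original post; the portal hostname gp.example.com and both sample certificates are constructed, and the checker expects the dict format returned by Python's ssl.SSLSocket.getpeercert().

```python
"""Checker for the GlobalProtect portal certificate conditions described above.

Added example, not Palo Alto Networks' code. It works on the dict format that
Python's ssl.SSLSocket.getpeercert() returns, so a certificate fetched with a
verifying context can be passed in directly; the two sample certificates at
the bottom are constructed for illustration.
"""


def _common_name(name):
    """Return the commonName from a getpeercert()-style name tuple, or None."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def check_portal_cert(cert, portal_host):
    """Return a list of problems; an empty list means the cert is acceptable.

    The conditions mirror the post: self-signed certificates and wildcard
    certificates are rejected, the portal hostname must appear as a DNS entry
    in the Subject Alternative Name, and the Common Name must match it.
    """
    problems = []
    subject = cert.get("subject", ())
    issuer = cert.get("issuer", ())
    subject_cn = _common_name(subject)
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

    if subject and subject == issuer:
        problems.append("self-signed: issuer equals subject")
    if (subject_cn or "").startswith("*.") or any(n.startswith("*.") for n in san_dns):
        problems.append("wildcard certificate: use a host-specific certificate")
    if portal_host not in san_dns:
        problems.append(f"SAN has no DNS entry for portal hostname {portal_host}")
    if subject_cn != portal_host:
        problems.append(f"CN {subject_cn!r} does not match portal hostname {portal_host}")
    return problems


# Constructed sample: a self-signed wildcard certificate, the failing case.
SELF_SIGNED_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

# Constructed sample: CA-issued, host-specific certificate with SAN and CN in agreement.
CA_ISSUED_HOST_CERT = {
    "subject": ((("commonName", "gp.example.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "gp.example.com"),),
}

if __name__ == "__main__":
    for label, cert in (("self-signed wildcard", SELF_SIGNED_WILDCARD),
                        ("CA-issued host cert", CA_ISSUED_HOST_CERT)):
        issues = check_portal_cert(cert, "gp.example.com")
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```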
It has also been observed that the recent iOS upgrade has impacted Microsoft ActiveSync; unconfirmed sources say Apple is aware of this issue and is expected to issue a fix in the next iOS updates.
Cisco recently released its annual Cyber Security Report for 2017. The report presents an insight into the latest security trends, based on a study Cisco conducted across 13 countries with more than 2,900 respondents. The 110-page report is divided into two sections:
Courtesy: Cisco Systems
- Attacker Behavior
- Defender Behavior
These two sections give an overview of how attackers observe vulnerable networks and deliver malware, and what tools they use to achieve this. On the other hand, how are end users reacting? Are they applying patches? What kind of security measures are they adopting?
Some of the key findings according to Cisco, along with our views, are as follows:
- Most companies use more than five security vendors to secure their environment. This seems to be a good trend, as one cannot rely solely on one security vendor for complete security; it adds some defense in depth. It has often been observed that organizations that adopted a multi-vendor approach are less affected by the latest attacks. A solid example is the recent Shamoon 2 attacks targeting major Saudi organizations, which had little impact on organizations that had the latest security updates and employed multi-vendor security products.
- Budget is the top constraint for major organizations adopting advanced security products. This has been the case for at least a decade; organizations are often not aware of the impact they could face by not investing in security products. Awareness among top management needs to be created.
- An investigation conducted by Cisco across 130 organizations across verticals reveals that at least 75% of the companies are affected by adware infections. Again, people are not educated, and organizations need to create awareness among end users to ensure their employees are not fooled by this.
- 65% of all email circulated is spam, and about 8 to 10% of that is malware. Good email security solutions are needed to stop them. Cisco ESA powered by AMP proves to be one good security solution for stopping spam and infected emails.
Cisco gives an interesting snapshot of the sources of concern for security professionals securing their environments; it shows that mobile devices, followed by public cloud data, constitute the major sources of concern.
Courtesy : Cisco Cyber Security Report
It is worth reading the complete report, as it has great information and could help security professionals come up with their security vision for 2017.
Starting today, i.e. 31 January 2017, the CCIE Security Version 5 exams, both lab and written, are available to all CCIE aspirants across the globe in authorised centres. The written exam, known as CCIE Security Written Exam (400-251) version 5.0, is a two-hour test with 90 to 110 questions. The CCIE Security Lab Exam version 5.0, however, comes with major changes. It follows the same pattern as CCIE R&S, CCIE Data Centre and CCIE Service Provider: an eight-hour lab divided into three modules.
- Troubleshooting module
- Diagnostic module
- Configuration Module
Cisco has released a unified blueprint that covers the topics for both the written and lab exams. The blueprint is divided into six sections or domains. All these domains are part of both the written and lab exams, with the exception of the Evolving Technologies domain, which is only part of the CCIE Security Written exam.
| Domain | Written Exam (%) | Lab Exam (%) |
|---|---|---|
| 1.0 Perimeter Security and Intrusion Prevention | 21% | 23% |
| 2.0 Advanced Threat Protection and Content Security | 17% | 19% |
| 3.0 Secure Connectivity and Segmentation | 17% | 19% |
| 4.0 Identity Management, Information Exchange, and Access Control | 22% | 24% |
| 5.0 Infrastructure Security, Virtualization, and Automation | 13% | 15% |
| 6.0 Evolving Technologies | 10% | N/A |
The following topics have been removed from the CCIE Security Version 5 exam:
- Legacy IPS
- Easy VPN
These topics were part of the CCIE Security Version 4 exams but are no longer relevant to the version 5 exam.
A long list of topics has been added to the CCIE Security Version 5 exams; some of them are as follows:
- Cisco FirePOWER Threat Defense (FTD)
- ASA Clustering
- NAT for IPv6
- Firepower Management Center (FMC)
- Cloud Web Security
- Email Security Appliance (ESA)
- Content Security Management Appliance
- Advance Malware Protection (AMP)
- Virtual Security Gateway
- TrustSec with SGT and SXP
- ACI, EVPN, VXLAN and NVGRE
- ISE Personas with multimode deployment
- MDM Integration with ISE
- Wireless concepts such as FlexConnect and Anchor
- NetFlow/IPFIX and eStreamer
- APIC-EM Controller
- RESTful API in scripting languages such as Python
- Evolving Technologies (Cloud, SDN and IoT) are part of written exam only
The CCIE Security Version 5 Lab will be delivered using the following hardware and software appliances:
The CCIE Security exam is going to be quite challenging, as Cisco introduced quite a few new security products in 2015 and 2016 and they are now part of the CCIE Security exam. One challenge candidates may face relates to Cisco FirePOWER Threat Defense, as it is not yet widely deployed by enterprise customers. It would be great if Cisco started providing some of the virtual appliances in Cisco VIRL, which would make it much easier to try out the new products. We wish all the best to those who are planning to take the CCIE Security challenge.
We were trying to access a Cisco ASA Firewall using ASDM. The login credential prompt appeared, but after entering valid credentials an error "Unable to launch device manager from x.x.x.x" appeared.
One known cause of the error "Unable to launch device manager from x.x.x.x" is the disabling of some of the SSL encryption ciphers. One should ensure the following ciphers are enabled on the ASA Firewall:
If someone has mistakenly deleted the above-mentioned ciphers and kept only the ciphers mentioned below, ASDM will not work:
Another known issue is related to Java. However, in our case all of these were fine, yet we were still seeing the error "Unable to launch device manager from x.x.x.x".
One more strange observation: once we logged in to any other ASA Firewall using ASDM, we could log in to the affected firewall without any error just by clicking its IP in the device list shown on the left panel of ASDM.
When we checked the ASDM-related configuration it was fine, and the ASDM image was also present on the ASA Firewall.
The only fix that worked for us was to reinstall the ASDM image on the ASA Firewall. Once the ASDM file was copied to the ASA Firewall again, the error "Unable to launch device manager from x.x.x.x" disappeared.
Since the Internet was introduced to the general public in the early 90s, no one imagined that it would grow so fast, or that the vast majority of organizations and consumers would be interconnected through it. It has expanded exponentially and is still growing at great speed. The advent of the Internet of Things (IoT) has changed the game, as huge numbers of new devices and users are interconnected either over the Internet or over an enterprise network. These changing trends have created a need not only for visibility of the connected devices but also for ways to control, secure and segment them.
A recent Cisco blog update suggests that it costs companies over $4M on average per year to follow best practices such as segmentation and to mandate stringent rules and regulations the traditional way.
According to Cisco, the launch of version 2.2 of the Cisco Identity Services Engine (ISE) gives its customers the visibility and control they need to defend their network from an ever-increasing number of attack vectors, contain advanced persistent threats, and secure access across today's distributed networks.
Some of the highlights of ISE 2.2 are
Control All Access throughout the Network
- Introducing greater control for endpoints. Coupled with much richer endpoint and application visibility, Cisco ISE can now enforce very granular user behavior and device compliance. Major improvements to architecture and functionality provide even greater access control including additional AnyConnect distribution options, more robust deployment resiliency, and the ability to support more posture functionality with non-Cisco network access devices.
- The new, built-in ISE Setup tool makes it easier and faster than ever to get started with enterprise-grade network access security. This includes out-of-the-box wireless setup for secure access, guest services, and BYOD in as little as 10 minutes with Cisco Wireless LAN Controllers!
- Customers of any size can now take advantage of efficient and scalable role-based segmentation through a TrustSec-enabled border router such as the Cisco ASR 1000.
- ISE Device Administration is better than ever with the addition of features Cisco ACS customers enjoy. And migrating from ACS to ISE has been streamlined with new migration tools and resources. With the recent announcement of the ACS End-of-Sale (EoS) as well as the ACS-to-ISE Migration Program, there’s never been a better time to deploy device administration with Cisco ISE.
- Separate administrative domains for differentiated control based on flexible criteria such as place in network, geographical location, or role and responsibilities, using multiple TrustSec matrixes.
Stop and Contain Threats
- Don’t just block bad devices from entering your network, get deep visibility at the application-level so you can set policy based on what the user is doing.
- Quickly raise the drawbridges and effectively wall off your crown jewels from threats with simplified and agile threat responsiveness. Develop a next-level segmentation strategy with ISE DEFCON. Set multiple policy scenarios pre-defined within multiple TrustSec matrixes for software-defined segmentation that can be dynamically deployed immediately based on an organization’s threat climate.
- Stop malicious devices before they connect to your network by consuming more Indications of Compromise (IoCs) from your vulnerability assessment and threat incident intelligence solutions such as Tenable, Cisco Cognitive Threat Analytics (CTA) and Rapid7. We call this new layer of posture assessment Threat-Centric NAC.
This will certainly further enhance endpoint security, not only from a visibility perspective but also by controlling endpoints through security policies and protecting them from growing attacks.
These days most of the traffic passing through networks is SSL/TLS. People used to believe that by using SSL encryption they were free from attacks and could protect their organisations from callbacks, malware and so on. However, trends are changing: attackers are capable of delivering malware inside an encrypted SSL tunnel, and unless one decrypts the SSL/TLS traffic, one cannot detect what is in the packet.
In view of these challenges, most Next-Generation Firewalls have started offering SSL interception for both incoming and outgoing traffic of the enterprise network. This is one of the added values of a Next-Generation Firewall, as it can intercept both incoming and outgoing SSL traffic. But does this mean they are capable of handling all the SSL traffic that passes through them?
If the intercepted SSL/TLS traffic is of low volume (a few megabytes), then to a certain extent yes, Next-Generation Firewalls are capable of it. This no longer holds when the volume of intercepted traffic increases: they often tend to underperform, consume all the hardware resources, and finally stop working.
The better alternative is to have dedicated SSL decryptors. Leading companies like A10, Blue Coat and F5 offer dedicated SSL appliances that are capable of decrypting and re-encrypting large volumes of SSL/TLS traffic. One can rely on dedicated SSL appliances as they support very high throughput and can intercept large amounts of SSL/TLS traffic without any performance degradation.