Network technologies and trends


January 29, 2017  7:10 AM

Cisco launches ISE 2.2 with a promise of more visibility and control

Yasir Irfan
Cisco, Enterprise, Internet, Internet of Things, iot, ISE, NAC, Network, Rapid7, Routers, Security, visibility, VPN, Wireless

Since the Internet was opened to the general public in the early 1990s, nobody imagined it would grow so fast, or that the vast majority of organisations and consumers would end up interconnected through it. It has expanded exponentially and is still growing. The advent of the Internet of Things (IoT) has changed the game again, as huge numbers of new devices and users connect either over the Internet or over enterprise networks. These trends have created a need not only for visibility of the connected devices but also for ways to control, secure and segment them.

A recent Cisco blog post puts the cost of following best practices such as segmentation, and of enforcing stringent rules and regulations in the traditional way, at over $4M per year on average for a company.

According to Cisco, version 2.2 of the Cisco Identity Services Engine (ISE) gives customers the visibility and control they need to defend their network against an ever-increasing number of attack vectors, contain advanced persistent threats and secure access across today's distributed networks.

Some of the highlights of ISE 2.2 are:

Control All Access throughout the Network

  • Introducing greater control for endpoints. Coupled with much richer endpoint and application visibility, Cisco ISE can now enforce very granular user behavior and device compliance. Major improvements to architecture and functionality provide even greater access control including additional AnyConnect distribution options, more robust deployment resiliency, and the ability to support more posture functionality with non-Cisco network access devices.
  • The new, built-in ISE Setup tool makes it easier and faster than ever to get started with enterprise-grade network access security. This includes out-of-the-box wireless setup for secure access, guest services, and BYOD in as little as 10 minutes with Cisco Wireless LAN Controllers!
  • Customers of any size can now take advantage of efficient and scalable role-based segmentation through a TrustSec-enabled border router such as the Cisco ASR 1000.
  • ISE Device Administration is better than ever with the addition of features Cisco ACS customers enjoy. And migrating from ACS to ISE has been streamlined with new migration tools and resources. With the recent announcement of the ACS End-of-Sale (EoS) as well as the ACS-to-ISE Migration Program, there’s never been a better time to deploy device administration with Cisco ISE.
  • Separate administrative domains for differentiated control based on flexible criteria such as place in network, geographical location, or role and responsibilities, using multiple TrustSec matrixes.

Stop and Contain Threats 

  • Don’t just block bad devices from entering your network, get deep visibility at the application-level so you can set policy based on what the user is doing.
  • Quickly raise the drawbridges and effectively wall off your crown jewels from threats with simplified and agile threat responsiveness. Develop a next-level segmentation strategy with ISE DEFCON. Set multiple policy scenarios pre-defined within multiple TrustSec matrixes for software-defined segmentation that can be dynamically deployed immediately based on an organization’s threat climate.
  • Stop malicious devices before they connect to your network by consuming more Indicators of Compromise (IoCs) from vulnerability assessment and threat intelligence solutions such as Tenable, Cisco Cognitive Threat Analytics (CTA) and Rapid7. Cisco calls this new layer of posture assessment Threat-Centric NAC.

This should further improve endpoint security, not only by giving visibility of the endpoints but also by letting administrators control them through security policy and protect them from a growing number of attacks.

January 27, 2017  2:39 PM

Are Next Generation Firewalls capable of supporting SSL/TLS interception?

Yasir Irfan
Bluecoat, encrypted, F5, Firewalls, malware, performance, Security, SSL, Throughput, TLS

These days most of the traffic crossing a network is SSL/TLS. People used to believe that by using SSL encryption they were free from attacks and could protect their organisation from callbacks, malware and so on. The trend is changing: attackers are perfectly capable of delivering malware inside an encrypted SSL/TLS session, and unless the traffic is decrypted, a security device cannot see what is in the packets.

Faced with this challenge, most Next Generation Firewalls (NGFWs) now offer SSL interception for both incoming and outgoing traffic of the enterprise network. This is one clear added value of an NGFW: it can intercept SSL traffic in both directions. But does that mean it is capable of handling all the SSL traffic that passes through it?

If the volume of intercepted SSL/TLS traffic is low (a few megabytes), then to a certain extent yes, an NGFW can cope. This no longer holds when the volume of intercepted traffic grows: the firewalls tend to underperform, consume all their hardware resources and finally stop passing traffic.

The better alternative is a dedicated SSL decryptor. Vendors such as A10, Blue Coat and F5 offer dedicated SSL appliances capable of decrypting and re-encrypting large volumes of SSL/TLS traffic. One can rely on them because they support very high throughput and can intercept large volumes of SSL/TLS traffic without performance degradation. Whichever device does the interception, the same caveats apply: every endpoint must trust the interception CA or users will see certificate warnings, the interceptor must validate the upstream server certificate as strictly as a browser would (otherwise it silently downgrades everyone behind it), and traffic that must not be inspected (certificate-pinned applications, banking, health) needs a bypass list.
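One check that follows from this discussion, added here as an example and not part of the original post: an endpoint-side canary that reports whether its TLS session to a host is being decrypted in the middle. Node's built-in `tls` module hands back the certificate chain the peer presented; if that chain runs through the enterprise inspection CA the session is being intercepted, and if the leaf fingerprint differs from one recorded from outside the network it is being intercepted by something other than the sanctioned device. The CA name `Corp TLS Inspection CA`, the sample chains and the fingerprint strings are constructed assumptions.

```javascript
// Added example (not from the original post): detect TLS interception from
// the certificate chain presented to the client. Uses only Node's built-in
// `tls` module. The inspection CA name and every sample chain below are
// constructed assumptions, not real certificates.

// Enterprise inspection CA(s) pushed to managed endpoints (assumed name).
const INTERCEPTION_CAS = ['Corp TLS Inspection CA'];

// Walk leaf -> intermediates -> root through `issuerCertificate`, the shape
// returned by socket.getPeerCertificate(true), collecting each issuer name.
function chainIssuers(leaf) {
  const names = [];
  const seen = new Set();
  let cert = leaf;
  while (cert && cert.issuer && !seen.has(cert)) {
    seen.add(cert);
    names.push(cert.issuer.CN || cert.issuer.O || '?');
    if (!cert.issuerCertificate || cert.issuerCertificate === cert) break; // self-signed root
    cert = cert.issuerCertificate;
  }
  return names;
}

// Verdicts:
//   'intercepted'  - an issuer in the chain is a known inspection CA
//   'pin-mismatch' - not the inspection CA, but the leaf fingerprint differs
//                    from the one recorded off-network (unknown interceptor,
//                    or the site rotated its certificate)
//   'direct'       - neither signal fired
function classifyChain(leaf, opts = {}) {
  const cas = opts.interceptionCAs || INTERCEPTION_CAS;
  const issuers = chainIssuers(leaf);
  const hit = issuers.find((n) => cas.includes(n));
  if (hit) return { verdict: 'intercepted', interceptedBy: hit, issuers };
  if (opts.expectedFingerprint256 && leaf.fingerprint256 !== opts.expectedFingerprint256) {
    return { verdict: 'pin-mismatch', interceptedBy: null, issuers };
  }
  return { verdict: 'direct', interceptedBy: null, issuers };
}

// Live probe (needs network; not exercised offline). rejectUnauthorized is
// off so an interceptor whose CA is NOT trusted still gets classified;
// socket.authorized then tells us whether the trust store accepted the chain.
function probe(host, opts = {}, port = 443) {
  const tls = require('tls');
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host, rejectUnauthorized: false }, () => {
      const out = classifyChain(socket.getPeerCertificate(true), opts);
      out.trustedByStore = socket.authorized;
      out.authorizationError = socket.authorizationError || null;
      socket.end();
      resolve(out);
    });
    socket.on('error', reject);
  });
}

// Constructed sample chains in the getPeerCertificate(true) shape.
const PUBLIC_ROOT = { subject: { CN: 'Example Public Root CA' }, issuer: { CN: 'Example Public Root CA' } };
PUBLIC_ROOT.issuerCertificate = PUBLIC_ROOT;
const PUBLIC_LEAF = {
  subject: { CN: 'www.example.com' },
  issuer: { O: 'Example CA Inc', CN: 'Example Public Intermediate CA' },
  fingerprint256: 'AA:AA:AA:AA', // constructed placeholder, not a real hash
  issuerCertificate: {
    subject: { CN: 'Example Public Intermediate CA' },
    issuer: { CN: 'Example Public Root CA' },
    issuerCertificate: PUBLIC_ROOT,
  },
};
const CORP_ROOT = { subject: { CN: 'Corp TLS Inspection CA' }, issuer: { CN: 'Corp TLS Inspection CA' } };
CORP_ROOT.issuerCertificate = CORP_ROOT;
const INTERCEPTED_LEAF = {
  subject: { CN: 'www.example.com' }, // same name, re-signed by the inspection CA
  issuer: { CN: 'Corp TLS Inspection CA' },
  fingerprint256: 'BB:BB:BB:BB',
  issuerCertificate: CORP_ROOT,
};
```

Run `probe('www.example.com', { expectedFingerprint256: '...' })` once from a managed laptop on the corporate LAN and once from outside: `intercepted` inside and `direct` outside is the expected picture, while `trustedByStore: false` inside means the inspection CA has not reached that endpoint's trust store, which users experience as certificate warnings.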


January 16, 2017  12:27 PM

What is the error “rpf-check Result: DROP” in Cisco ASA Packet-tracer?

Yasir Irfan
Access List, ASA, Cisco, firewall, NAT

When troubleshooting Cisco ASA firewalls one usually relies on the packet-tracer command. However, from version 8.3 onward the NAT configuration, and with it the way ACLs are written, changed: an ACL applied to the outside interface now references the real (private) IP address of the server rather than its public IP, as shown below.

access-list OUTSIDE extended permit tcp host 222.222.222.222  host 192.168.1.50 eq 443

Figure 1.1 - ASA packet-tracer rpf-check

 

From the above scenario one can see that the internal web server with IP address 192.168.1.50 is NATted to the public IP 111.111.111.111.

Because the ACL now references the private address, it is tempting to run packet-tracer with the same addresses that appear in the ACL. On 8.3+ code this never works: the traffic is dropped with the error "rpf-check Result: DROP". The rpf-check phase verifies that the return traffic of the flow would match the same NAT rule. When the tracer is fed the real (private) address on the outside interface, no UN-NAT takes place for the forward direction while the reverse lookup still finds the static rule, and that mismatch causes the drop.

ITKE-ASA# packet-tracer input OUTSIDE tcp 222.222.222.222 443 192.168.1.50 443

<——-Output removed——–>

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network obj-192.168.1.50

nat (DMZ,OUTSIDE) static obj-111.111.111.111

Additional Information:

 

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

ITKE-ASA#

In this case (static NAT) the correct way to use packet-tracer is with the public (mapped) IP, not the private (real) IP:

ITKE-ASA# packet-tracer input OUTSIDE tcp 222.222.222.222 443 111.111.111.111 443

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111

Additional Information:

NAT divert to egress interface DMZ

Untranslate 111.111.111.111/443 to 192.168.1.50/443

 

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group OUTSIDE in interface OUTSIDE
access-list OUTSIDE extended permit tcp host 222.222.222.222  host 192.168.1.50 eq 443

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111

Additional Information:

Static translate 222.222.222.222/443 to 222.222.222.222/443

 

Phase: 4

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 6

Type: SFR

Subtype:

Result: ALLOW

Config:

class-map SFR

match access-list SFR

policy-map global_policy

class SFR

sfr fail-open

service-policy global_policy global

Additional Information:

 

Phase: 7

Type: FOVER

Subtype: standby-update

Result: ALLOW

Config:

Additional Information:

 

Phase: 8

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111

Additional Information:

 

Phase: 9

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

 

Phase: 10

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 11

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 12

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

 

Phase: 13

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 333770611, packet dispatched to next module

 

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: DMZ

output-status: up

output-line-status: up

Action: allow

 

ITKE-ASA#
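When the output is as long as the run above, the phase that actually failed is easy to miss. The following added example, not part of the original post, parses packet-tracer output into its phases and reports the verdict, the first phase that returned DROP, the UN-NAT mapping and a hint when the failing phase is the NAT rpf-check discussed here. The sample outputs embedded in the code are constructed from the two runs shown in the post and abridged.

```javascript
// Added example (not from the original post): parse Cisco ASA `packet-tracer`
// output into phases and explain a DROP. The two samples at the bottom are
// constructed from the runs in the post and abridged.

function parsePacketTracer(text) {
  const phases = [];
  const result = {};      // the final "Result:" block (Action, Drop-reason, ...)
  let cur = null;         // phase currently being filled
  let section = null;     // 'config' | 'info' | 'result'
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    let m;
    if (line === '') continue;
    if ((m = line.match(/^Phase:\s*(\d+)$/))) {
      cur = { phase: Number(m[1]), type: '', subtype: '', result: '', config: [], info: [] };
      phases.push(cur);
      section = null;
    } else if (line === 'Result:') {         // a bare "Result:" opens the final verdict
      section = 'result';
      cur = null;
    } else if (section === 'result') {
      if ((m = line.match(/^([\w-]+):\s*(.*)$/))) result[m[1]] = m[2];
    } else if (!cur) {
      // prompt and banner lines before the first phase are ignored
    } else if ((m = line.match(/^Type:\s*(.*)$/))) {
      cur.type = m[1];
    } else if ((m = line.match(/^Subtype:\s*(.*)$/))) {
      cur.subtype = m[1];
    } else if ((m = line.match(/^Result:\s*(\S+)$/))) {
      cur.result = m[1];
    } else if (line === 'Config:') {
      section = 'config';
    } else if (line === 'Additional Information:') {
      section = 'info';
    } else if (section === 'config') {
      cur.config.push(line);
    } else if (section === 'info') {
      cur.info.push(line);
    }
  }
  return { phases, result };
}

// Summarise a run: verdict, first DROP phase, UN-NAT mapping, and a hint for
// the NAT rpf-check failure discussed in the post.
function diagnose(text) {
  const { phases, result } = parsePacketTracer(text);
  const drop = phases.find((p) => p.result === 'DROP') || null;
  const unnat = phases.find((p) => p.type === 'UN-NAT');
  const untranslate = (unnat && unnat.info.find((l) => l.startsWith('Untranslate'))) || null;
  let hint = null;
  if (drop && drop.type === 'NAT' && drop.subtype === 'rpf-check') {
    hint = 'NAT rpf-check failed: the address given to packet-tracer does not match ' +
           'the NAT rule for that interface; on OUTSIDE use the mapped (public) address.';
  }
  return {
    action: result.Action || null,
    dropReason: result['Drop-reason'] || null,
    dropPhase: drop ? `${drop.phase} ${drop.type}/${drop.subtype}` : null,
    untranslate,
    hint,
  };
}

// Constructed sample: the failing run (private address used on OUTSIDE), abridged.
const DROP_RUN = `
ITKE-ASA# packet-tracer input OUTSIDE tcp 222.222.222.222 443 192.168.1.50 443
Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj-192.168.1.50
 nat (DMZ,OUTSIDE) static obj-111.111.111.111
Additional Information:
Result:
input-interface: OUTSIDE
output-interface: DMZ
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ITKE-ASA#`;

// Constructed sample: the working run (mapped address used on OUTSIDE), abridged.
const ALLOW_RUN = `
ITKE-ASA# packet-tracer input OUTSIDE tcp 222.222.222.222 443 111.111.111.111 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111
Additional Information:
NAT divert to egress interface DMZ
Untranslate 111.111.111.111/443 to 192.168.1.50/443
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (DMZ,OUTSIDE) source static obj-192.168.1.50 obj-111.111.111.111
Result:
input-interface: OUTSIDE
output-interface: DMZ
Action: allow
ITKE-ASA#`;
```

Paste a full run (copied from the ASA console) into `diagnose()`; the `dropPhase` field names the first phase that failed, which is far quicker than scanning thirteen phases by eye, and `untranslate` shows whether the mapped address was actually un-translated before the ACL was evaluated.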


January 10, 2017  9:08 AM

Cisco announces End-of-Sale and End-of-Life for the Cisco Secure Access Control System

Yasir Irfan
cisco ACS, Radius, tacacs

The recent End-of-Sale and End-of-Life announcement for the Cisco Secure Access Control System (ACS) leaves customers no option but to migrate to the Cisco Identity Services Engine (ISE) product line. Cisco has folded the functionality of ACS into ISE.

ISE can integrate with any security appliance that supports TACACS+ or RADIUS, and policies similar to those on ACS can be created. Cisco also offers a migration tool capable of migrating ACS rules into ISE. The migration tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs). The ACS PI and the ISE REST APIs allow the ACS and ISE applications to run on supported hardware platforms or VMware servers. One cannot run the migration tool directly on a Cisco Secure ACS appliance. The ACS PI reads and returns the configuration data in a normalised form; the ISE REST APIs validate and normalise the exported ACS data to persist it in a form usable by the ISE software.

Figure 1.1 - ACS to ISE migration

Cisco is offering up to 63% off Cisco ISE hardware and software licence bundles for customers who want to migrate from Cisco ACS to Cisco ISE. Customers who already have both ACS and ISE installations, however, are not eligible for the migration bundles.

The major milestones of the announcement, with Cisco's definition of each, are:

  • End-of-Life Announcement Date: November 30, 2016. The date the document that announces the end of sale and end of life of a product is distributed to the general public.
  • End-of-Sale Date: August 30, 2017. The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.
  • Last Ship Date (App. SW, HW): November 28, 2017. The last-possible ship date that can be requested of Cisco and/or its contract manufacturers. Actual ship date is dependent on lead time.
  • End of SW Maintenance Releases Date (App. SW, HW): August 30, 2018. The last date that Cisco Engineering may release any final software maintenance releases or bug fixes. After this date, Cisco Engineering will no longer develop, repair, maintain, or test the product software.
  • End of Routine Failure Analysis Date (HW): August 30, 2018. The last-possible date a routine failure analysis may be performed to determine the cause of hardware product failure or defect.
  • End of New Service Attachment Date (App. SW, HW): August 30, 2018. For equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract.
  • End of Service Contract Renewal Date (App. SW): November 26, 2019. The last date to extend or renew a service contract for the product.
  • End of Service Contract Renewal Date (HW): November 25, 2021. The last date to extend or renew a service contract for the product.
  • Last Date of Support (App. SW): August 31, 2020. The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.
  • Last Date of Support (HW): August 31, 2022. Same definition as above, applied to the hardware.

It is a sensible move by Cisco to steer its customers towards the Cisco Identity Services Engine (ISE) product.


October 30, 2016  5:22 PM

Blue Coat Proxy SG Client Connection methods

Yasir Irfan
Networking

When Blue Coat ProxySG is configured for Internet access in any of the deployment methods mentioned, the client must establish a connection with the ProxySG appliance. A client uses either an explicit method or a transparent method to do so.

Explicit Proxy:

In this method the client browser is explicitly configured to forward all requests to the proxy. Usually the browser is configured with the IP address and port number of the proxy service. One can use Group Policy to push the configuration to browsers, or a Proxy Auto-Configuration (PAC) file served from a web server so that browsers pick up the proxy settings from there. Explicit proxying is the quickest and simplest proxy solution; however, this method does not fit well in large organisations.

Transparent Proxy:

In this method the client browser needs no special configuration, and it is not even aware that its traffic is being processed by a proxy. The proxy intercepts the traffic and processes it. The traffic is steered to the ProxySG by techniques such as PBR, WCCP or a default route. This method is much easier to deploy and administer, as no configuration is needed at the client end.

Some of the Blue Coat ProxySG best practices are:

Inline is recommended for:

  • Small branch offices with very limited plans to scale
  • Proofs of concept (POC) and short-term deployments

Virtually inline or out-of-path is recommended for:

  • Customers who are looking for scalability
  • Customers who are looking for high availability (redundancy)

Explicit proxy is recommended for:

  • Customers who want to use extensive authentication

Transparent proxy is recommended for:

  • Customers who want inline physical deployment.


October 26, 2016  5:21 AM

Blue Coat Proxy SG Deployment methods – Out of Path Mode

Yasir Irfan
Hardware, Network, PAC, Protocols, Proxy, router, Scalability, Switch, virtual

The out-of-path deployment mode is commonly used when one cannot take the network down. Out-of-path deployment is harder to manage because Internet traffic cannot be intercepted and redirected at the network level (as with WCCP, PBR or an inline deployment); instead the web browser of each client must be explicitly configured to send Internet requests to the ProxySG. Hence this mode of deployment is also known as explicit proxy deployment.

Figure 1.1 - Blue Coat Proxy Out of path Mode

Either of the following methods can be used to configure out-of-path / explicit mode so that traffic reaches the ProxySG:

  • The client browser is manually configured to connect to the ProxySG
  • The system administrator distributes the proxy settings, or a PAC (Proxy Auto-Configuration) file, via Group Policy to explicitly point end users' browsers at the ProxySG.

Some of the advantages of out-of-path deployment are:

  • No downtime is required to deploy out-of-path mode in any network
  • Easy to deploy

Some of the disadvantages of out-of-path deployment are:

  • Requires client configuration to redirect Internet traffic to the ProxySG
  • Increased administrative overhead
  • Nothing on the network forces a client to use the proxy, so the firewall must block direct outbound HTTP/HTTPS from the clients and allow it only from the ProxySG; otherwise clearing the proxy setting is all it takes to bypass the policy
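Both the explicit proxy method described in the client connection post and the out-of-path deployment above come down to giving browsers a PAC file, so here is one, added as an example and not Blue Coat's own code. The proxy addresses 10.0.0.10:8080 and 10.0.0.11:8080, the internal domain corp.example and the bypass list are assumptions. The helper functions are normally supplied by the browser's PAC engine; the shims at the bottom exist only so the file can be run under Node, and can be left in place since browsers ignore extra functions.

```javascript
// Added example (not Blue Coat's own code): a PAC file for an explicit /
// out-of-path ProxySG deployment. Proxy addresses, the internal domain and
// the bypass list are assumptions. FindProxyForURL is kept to old-style
// JavaScript because PAC engines do not all support modern syntax.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. Internal names and RFC 1918 / loopback literals never go to the proxy:
  //    it only needs to see Internet-bound traffic, and LAN traffic would
  //    otherwise hit the proxy's authentication and policy for no benefit.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0") ||
       isInNet(host, "127.0.0.0", "255.0.0.0"))) {
    return "DIRECT";
  }

  // 2. Destinations that must not go through the proxy at all, e.g. clients
  //    that pin their server certificate and fail behind interception.
  //    Assumed list; every entry needs a matching egress firewall exception.
  var bypass = ["*.update.example", "vpn.corp.example"];
  for (var i = 0; i < bypass.length; i++) {
    if (shExpMatch(host, bypass[i])) return "DIRECT";
  }

  // 3. Everything else goes through the ProxySG pair. Deliberately no
  //    trailing "; DIRECT": with it, a browser silently bypasses the proxy
  //    (and every policy on it) whenever both proxies are unreachable.
  return "PROXY 10.0.0.10:8080; PROXY 10.0.0.11:8080";
}

// --- Shims for the PAC helper functions a browser normally provides. ---
// Needed only to run this file under Node; real PAC engines define them.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
// A browser's isInNet() resolves hostnames; this shim handles IP literals only.
function isInNet(ip, pattern, mask) {
  var h = ip.split(".").map(Number), p = pattern.split(".").map(Number), m = mask.split(".").map(Number);
  if (h.length !== 4 || h.some(isNaN)) return false;
  for (var i = 0; i < 4; i++) if ((h[i] & m[i]) !== (p[i] & m[i])) return false;
  return true;
}
// Shell-style glob match (* and ?) as PAC's shExpMatch does.
function shExpMatch(str, shexp) {
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
```

The absence of a trailing `; DIRECT` is the point worth checking in any PAC file you inherit: in a deployment where the proxy enforces policy, that fallback lets every browser go direct the moment both proxies are unreachable, which is exactly when nobody is watching.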


October 24, 2016  6:10 PM

Blue Coat Proxy SG Deployment methods – Virtually Inline Mode

Yasir Irfan
firewall, GRE, Hardware, Network, Protocols, Proxy, router, Routing, Scalability, Switch, virtual, WCCP

In virtually inline deployment mode the ProxySG can be placed anywhere in the network; it relies on a traffic redirection mechanism such as Web Cache Communication Protocol (WCCP) or Policy Based Routing (PBR) to redirect the interesting traffic, such as HTTP/HTTPS, to the ProxySG. WCCP is a Cisco proprietary protocol that lets certain Cisco routers, switches (including Nexus) and firewalls transparently redirect traffic to a cache engine such as the ProxySG. Blue Coat ProxySG supports both WCCP versions 1 and 2.

Figure 1.1 Blue Coat in Virtually Inline Mode

The main advantages of virtually inline deployment mode are:

  • No downtime is required to deploy Virtually inline mode in any network
  • Very scalable and robust
  • Additional ProxySG appliances can be added for capacity and redundancy.
  • Low administration overhead, as clients need no browser configuration.

Some of the disadvantages of virtually inline deployment mode are:

  • Network configuration is needed to enable WCCP. This sometimes puts additional load on the switch or router, especially when GRE encapsulation is used for the redirection.
  • WCCP / PBR capable hardware is required for Virtually Inline Deployment.

Virtually inline mode proves very handy from an operational perspective, and it is one of the most widely used deployment methods for Blue Coat ProxySG.


October 23, 2016  6:21 PM

Blue Coat Proxy SG Deployment methods – Inline Mode

Yasir Irfan
Hardware, Network, Protocols, Proxy, router, Scalability, Switch, virtual

When it comes to deploying Blue Coat ProxySG there is some flexibility. One can deploy it in any of the methods below.

  • Physically Inline (Transparent)
  • Out-of-Path or Virtually Inline (Transparent)
  • Explicit

Inline deployment is the simplest of the above and suits small branch offices well. In this mode the ProxySG is placed directly between the core switch and the edge router, so logically it sits in the path of all network traffic going to and from the Internet. The ProxySG relies on a pass-through network card, which supports hardware bridging to provide fail-to-wire functionality. This mode does not require any configuration change on the core switch or the router, and the clients need no configuration either. It is also known as bridge mode because of the hardware bridging network cards in use.

Figure 1.1 - Blue Coat Proxy Inline Mode

Inline deployment mode does have certain drawbacks:

  • Single point of failure. Note also that fail-to-wire is fail-open: when the appliance loses power or hangs, traffic passes through it without any proxy policy or inspection.
  • Network downtime is required to deploy inline mode.
  • Does not scale.
  • The protocols to be proxied need to be managed.

Inline deployment holds good for small organisations, as it is easy to deploy, and for evaluations or short-term deployments. However, one cannot rely on this mode for larger organisations because of the drawbacks mentioned.


October 21, 2016  7:46 PM

Blue Coat Proxy Deployment methods

Yasir Irfan
Proxy, virtual, Web, web server

Blue Coat ProxySG can be deployed either as a forward proxy or as a reverse proxy.

A forward proxy is used to proxy the requests of LAN / internal users to external networks. In this mode the Blue Coat proxy acts on behalf of the client: the TCP session is built between the internal user and the ProxySG, the proxy terminates that session and builds a new TCP session of its own to the external server. Internal users are never exposed directly to external servers. In forward proxy mode the proxy is always placed on the same network as the internal users.

Figure 1.1 Blue Coat in Forward Proxy Mode

In reverse proxy mode the proxy does the opposite: it is placed in the same zone as the servers. When an external client initiates a connection to the internal web server, the proxy intercepts that connection and proxies the whole communication between the external client and the web server. As in forward proxy mode, the proxy terminates the TCP session from the external client and opens its own session to the internal web server.

Figure 1.2 Blue Coat in Reverse Proxy Mode

Whether in forward or reverse mode, the proxy always acts as a layer of protection and can be used to implement security policies, caching, anti-virus scanning and so on.

Blue Coat ProxySG can be physically deployed in the following ways:

  • Physically Inline (Transparent)
  • Out-of-Path or Virtually Inline (Transparent)
  • Explicit

In upcoming posts we will discuss each of these methods in brief.

 


October 7, 2016  3:57 PM

Blue Coat Proxy SG – A leader in Secure Web Gateways

Yasir Irfan
Blue Coat, Blue Coat ProxyClient, Gartner, Gartner Magic Quadrant, Proxy, SSL, SSL/TLS, TLS

When it comes to forward or reverse proxying, Blue Coat ProxySG is a Gartner Magic Quadrant leader in the Secure Web Gateways category. Blue Coat has been known for its proxy capabilities for over a decade and offers ProxySG appliances in various sizes and models. More details about the current models and their capabilities can be found on the Blue Coat website.

Figure 1.1 Blue Coat Magic Quadrant

Their strengths according to Gartner are:

  • ProxySG is the strongest proxy in the market in terms of breadth of protocols and the number of advanced features. It also supports multiple authentication and directory integration options.
  • Blue Coat’s hybrid offering (cloud service and on-premises appliances) enables operations teams to manage most policies from a single console (although policies can be pushed only in one direction — from the cloud to on-premises appliances).
  • Blue Coat provides strong support for SSL/TLS. All ProxySG models include SSL hardware assist, to offload processing from the main CPU. The stand-alone SSL Visibility Appliance can be used to decrypt SSL/TLS traffic and feed it to Blue Coat and non-Blue Coat security solutions (for example, data loss prevention [DLP], IPS and network sandboxes).
  • Blue Coat’s partnership strategy has enabled it to fill gaps in its product line. Partnerships with six endpoint detection and response (EDR) vendors help ensure that its customers can complement Blue Coat’s network-based advance threat detection with an endpoint strategy. Partnerships with FireEye and Lastline enable customers to use their own sandboxes instead of Blue Coat’s sandbox. A partnership with Cylance adds signatureless file inspection to Blue Coat’s Content Analysis System.
  • Blue Coat’s ownership and integration of CASB technology gives it an early mover advantage in this emerging market.

The main intention of starting a series of blog posts about Blue Coat is to create awareness of Blue Coat, and especially of the technical capabilities of the appliance, as it is not easy to find resources on Blue Coat ProxySG. One has to rely on the Blue Coat portal for details, and that information is not easily accessible, especially for those who are not already familiar with Blue Coat products.

