The new James Bond movie releases next week and I can’t wait. The best part of watching a 007 flick is seeing all the new gadgets that Q has cooked up for Bond to use. Over the years there have been some really great ones, going all the way back to the Sean Connery era in the 1960s. Even though the new Bond movies don’t include the same amount of cool 007 gadgetry, I thought it would be fun to do a blog on 7 of my personal favorites from the Bond series anyway. When these gadgets were showcased at the movies they were bleeding edge and futuristic.
I recently came across another way to span traffic to ports on Cisco switches. This one was new to me since I usually just use VACL Capture for traffic spanning. I found it while reading the latest release notes for Cisco IPS version 6.2(1)E3, which was just released. This IPS version includes tons of IPv6 features and signature engines.
PCI compliance has been a focus for retail companies for years, but it is only recently that healthcare providers are diving into the PCI pool. Healthcare providers, like hospitals, doctor’s offices, clinics, etc., are just starting to appreciate the sometimes massive amount of credit card data that is being transmitted and stored on their networks and hosts. Traditionally, PCI compliance and credit card data protection just wasn’t a key focus area for healthcare providers. HIPAA has always gotten the attention.
My guess is many of you have never heard of the FTC’s Red Flag Rules. Even so, I would bet that a fair number of you work for a business that needs to comply with the rules. This unawareness is the reason behind the FTC’s decision to extend the enforcement date. Here are just a few example business types that may need to comply: car dealers, mortgage brokers, and healthcare entities. Read on to find out if your business falls under the rules and what that means.
Cisco announced the availability of NAC Appliance release 4.5. This is a major release upgrade that contains many of the features that customers and I have been waiting for. NAC Appliance 4.5 steps up Cisco’s offering to the next level. According to Cisco, “Release 4.5 increases the scalability and power of the Cisco NAC Appliance by delivering many new functions, including wireless out-of-band support, Mac OS posture assessment, and importing and exporting of NAC policies.”
Businesses that use Cisco gear seem to constantly struggle with how best to determine the code version they should run on a particular Cisco product. IT departments are looking for the best balance of features and stability. Customers frequently ask me for my advice on this when it comes to security products. To that end, I thought it would be a good idea to share with you some of the public resources that I use for researching (scrubbing) code versions for Cisco security products.
On November 12th Cisco will host the Cisco IT Security Forum, an interactive online event packed with all the things you’d typically find at a Networkers event. This includes top-notch speakers like Bob Russo, General Manager of the PCI Security Standards Council, and John Stewart, Chief Security Officer, to name a couple. The security forum will be broken up into two areas, a virtual conference hall and a virtual exhibit floor complete with virtual security solution booths.
Is it possible to be both a security market share leader and have best of breed solutions? Cisco thinks so.
Have you run out of traffic spanning sessions on your Cisco switches? Are you treating them like gold because of their scarcity? If so, you should take a good look at VACL capture, a feature that provides you with a virtually unlimited number of SPAN sessions.
VACL capture works with most of the newer Cisco switches, including the 6500, 4500, 4900, 3750E, 3750, 3560E, and the 3560. To find out if your switch supports this feature, take a look at the Cisco Catalyst Switch Guide.
VACL stands for VLAN Access Control List. It operates like a typical port-based ACL, but instead of being enabled on a per-port or L3 interface level it is enabled on a per-VLAN basis. A VACL is an extended ACL that controls traffic that enters or exits a VLAN. The VACL capture feature adds the keyword capture to the end of an ACL entry. The capture keyword tells the switch to make a copy of any matching packets and send them to a configured capture destination port. Because the VACL feature controls traffic flow just like an ACL would, you must always be sure to configure a permit rule to allow traffic that is not already being captured. This is to deal with the implicit deny that exists at the end of any ACL. If you don’t, then you’ll end up capturing and forwarding the traffic matched by your capture command but denying all other non-captured traffic in that VLAN because of the implicit deny at the end of all ACLs.
Here is a simple configuration example to illustrate how this works:
1. Define the interesting traffic you want to be captured:
IOS(config)#ip access-list extended Capture_HTTPandUDP
IOS(config-ext-nacl)#permit tcp 10.10.10.128 0.0.0.127 host 20.10.10.1 eq 80
IOS(config-ext-nacl)#permit udp any any
Taking just 5 seconds to inspect any credit/debit card reader before you swipe could end up saving you from identity and credit card theft. I’ll show you what to look for before you swipe your next card. The con is called skimming. Skimming works by retrofitting a perfectly legitimate card reader (like an ATM) with a camouflaged counterfeit card reader. The counterfeit reader records all of your card’s information as it passes through. To give you an idea of what we are dealing with, here is a picture of an ATM with a skimmer overlaid onto the slot where you insert your card and a micro camera hidden behind a bogus white plastic piece above the PIN keypad. This ATM was reported to police on September 6, 2008.
Image courtesy of the Naples Police Department.
Would you have known it was stealing card data? The purpose of this blog is to educate you on how to identify a skimmer. To that end I’ve compiled a portfolio of example photos made up of both basic and advanced skimmers. It is by no means all inclusive but should give you a heads up on what to look out for the next time you go to swipe your card.
Cisco is setting its sights on the competitors in the packet shaping marketplace with its newest release of the Application Performance Assurance (APA) Network Module, the NME-APA-E3 2.0. The APA 2.0 code adds many of the features that Cisco needed to compete in this market, like the ability to classify and control over 1000 applications and report on its findings with over 100 built-in reporting templates. The APA allows for per-user traffic profile granularity that hooks into Microsoft Active Directory. The new NME-APA-E3 leverages ASIC components and RISC processors that allow it to scale up to 45 Mbps of performance. The NME-APA-E3 is targeted at the branch office and regional office segment of corporations.
According to Cisco, the APA solution provides these features:
- Layer 7 stateful packet inspection and classification
- Robust support for over 1000 protocols and applications, including:
  - Business: Systems, Applications, and Products (SAP), Oracle, Citrix, Digital Imaging and Communications in Medicine (DICOM), Healthcare Level 7 (HL7), FIX, and Blackboard
  - General: HTTP, HTTPS, FTP, Telnet, Network News Transfer Protocol (NNTP), Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), Wireless Application Protocol (WAP), and others
  - Peer-to-Peer (P2P) file sharing: FastTrack-KaZaA, Gnutella, BitTorrent, Winny, Hotline, eDonkey, DirectConnect, Piolet, and others
  - P2P VoIP: Skype, Skinny, DingoTel, and others
  - Instant Messaging: Yahoo Messenger, AIM, Google Talk, and MSN
  - Streaming and Multimedia: Real Time Streaming Protocol (RTSP), Session Initiation Protocol (SIP), HTTP streaming, Real Time Protocol (RTP) and Real Time Control Protocol (RTCP), and others
- Programmable system core for flexible reporting
Cisco recently released a new code upgrade for their ASA security appliance. The new release, 8.0.4, contains several new features and many bug fixes. Cisco also released a new version of its GUI, ASDM 6.1.3, that supports the new features of 8.0.4. The fact that 8.0.4 is an Early Deployment (ED) release means that it goes through extensive dev testing before release. It also means that it is meant to be a very stable release of ASA code and will contain numerous bug fixes to support that premise. In fact, 8.0.4 contains some 514 closed caveats that were discovered in previous ASA builds. Most ASA customers who are using SSLVPN features or are on an 8.0.3.X engineering release should seriously consider moving to the new 8.0.4 ED release. 8.0.4 doesn’t just include closed caveats; it also adds some important new features.
My favorite new feature has to be the IP Phone and Presence Proxy feature. First, the IP Phone Proxy feature. This allows you to take your Cisco IP Phone home with you, plug it into the internet, have it set up an encrypted TLS tunnel back to your ASA, and register with your Cisco Call Manager just like you were at the office. Basically it gives you a VPN from your IP Phone to the Cisco ASA. This allows you to enable work-from-anywhere voice using your existing Cisco IP Phones.
Now the Presence Proxy feature. This allows you to share your presence information with your other business partners and affiliates. Enterprises can share presence information and use IM applications. It allows you to secure connectivity (TLS proxy) between Cisco Unified Presence servers and Cisco or Microsoft Presence servers. Here are some of the benefits of using a Presence solution as reported by Cisco:
• Increase productivity: Connect with colleagues on the first try by knowing their availability in advance on either Cisco Unified Personal Communicator or Cisco Unified IP Phone.
Cisco is jumping into the anti-virus and Data Leakage Prevention (DLP) client market with their recent release of Cisco Security Agent 6.0 (CSA). CSA has been around for quite a while now but was focused mainly on addressing the HIPS, PFW, and 0-day protection market. CSA 6.0 broadens that scope by adding AV, DLP, and some way overdue ease of use/deployment features to the product line. Cisco CSA is a security client that runs on Windows, Linux, and Solaris systems, both servers and desktops, to protect them from malicious harassment. I’ve always considered CSA to be the most effective security product that Cisco has in its portfolio. However, CSA has never been able to capture that valuable desktop and server footprint like McAfee, Symantec, etc. have. By moving CSA simultaneously into both the hot DLP market and the capital-rich AV market, Cisco hopes to change that. The devil is always in the details, so let’s walk through some of what’s new.
First, anti-virus: Cisco has embedded the open source ClamAV product into CSA 6.0. Clam is a free AV client that has a big footprint, but mostly on Linux systems, especially email gateways. The embedded ClamAV is managed and updated using the centralized CSA Management Center (CSAMC), so it doesn’t require a separate management station. ClamAV doesn’t really add any new protections to CSA’s behavioral malware detection, but it does allow for the naming of that malware and allows for on-demand or periodic scans of the system. It also will detect and stop non-malicious, but otherwise annoying, adware-type apps from installing; something that CSA alone would not do in the past.
iPhone hacker, author, and data forensics expert Jonathan Zdziarski, a.k.a. “NerveGas”, revealed a major privacy issue with the iPhone on a webcast yesterday. He disclosed that every time a user pushes the Home button on the iPhone, it takes a screenshot of whatever you are doing at that moment. This is done so that Apple can create that cool page-disappearing animation they have. The problem is that these screenshots are saved and can be recovered using basic iPhone forensic techniques like the ones that Zdziarski writes about in his new book.
I installed Google’s new Chrome web browser (beta) last Thursday to see what all the hype is about. My first impressions of Chrome are not stellar. In fact they ranked similarly to my first impressions after eating boiled chicken feet. Sure it tastes like chicken, but there’s really no meat on the bone and the taste is awfully bland.
The Democratic National Convention is in my home state this year. Many of my downtown Denver customers and friends have worked diligently over the past couple of months to set up a remote access teleworker solution for their businesses. Projects and timetables were linked to the coming of the DNC, surprise, surprise. Downtown Denver businesses are worried that their employees might not be able to commute in for work every day. Things like an increase in traffic, closings of streets due to motorcades, and the possibility of a perimeter lockdown of the city due to security incidents or threats are all top of mind. This has caused many businesses to look to teleworker solutions as a way to have employees work from home during the DNC and beyond.
Black Hat '08 disclosed several SSLVPN and DNS vulnerabilities that caused several people to sit up and take notice. Some of these new exploits performed a brilliant man-in-the-middle attack on SSLVPN tunnels. I'll walk you through how using certificates, instead of OTP tokens, for second-factor authentication can increase the security of your SSLVPN solution against these new types of attacks. I wrote an article a while ago about using certificates as a second factor for authentication to an SSL or IPsec VPN. The model is based on a feature that came out in the Cisco ASA 8.x release which allows an SSL VPN to be configured to require a certificate plus AAA authentication.
Let me start by saying that Vegas rules!!! And I am currently up about $10,000. And I have this nice piece of land to sell you. Anyway, the first day of Black Hat was superb, as usual. It retains its title of the best security conference available; if you have to pick just one a year, this should be it.
I plan on writing at least two more articles on the topics covered but wanted to get out a quick summary today for you all. Here was my agenda for today:
Apple came up with a slick way to allow you to distribute various iPhone settings to your users via email or the web; it is called profiles. Profiles are basically XML config files that act like plug-ins for the iPhone. They can configure things like Wi-Fi, network, passcode, email, and VPN settings on each iPhone. They can even be used to install certificates. Profiles like this are helpful if you have a large number of devices to manage or if you just have a large number of settings you want enforced on each user’s iPhone. Additionally, for certain settings, like some VPN and Wi-Fi settings, you have to use profiles.
Cisco just released updated router IOS code, 12.4(20)T, with several very interesting new security features and a packet capture feature you might be interested in. You can even use the new warm upgrade and Auto-Upgrade Manager features that were released with the 12.4(15)T IOS code to streamline the upgrade process and minimize your downtime. Let’s dive into the new security features and the new upgrade tools that Cisco is offering.
Cisco packed in some pretty hefty security features in this release, 24 new ones to be exact. Here are the highlights:
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.