ise training day 3

March 21, 2012 Leave a comment

Posture posture and posture :)

interesting but long labs

Related articles
Categories: Uncategorized Tags: , , , ,

Ise Training day 2

March 20, 2012 2 comments

Ok my turn to talk today:  We talked about one of the most interesting features of ISE, profiling.

Worth to explain a little what profiling is, and what discovery and classification means. it is a very useful and powerful engine but it needs to be understood, also on what it means and why should be used.

other great new, finally  ise 1.1 is available on CCO, worth the upgrade absolutely.

http://www.cisco.com/en/US/docs/security/ise/1.1/release_notes/ise1.1_rn.html

new stuffs:

- Support for IOS Sensor for advanced features and remote profiling on the switch.
- Active scan with NMAP.
- A new portal guest type Device Registration webauth (DRW) to allow guests to self-classify their equipment more immediate.
- Authentication of administrators by AD, LDAP, or RSA SecurID.
- Support of Online Certificate Status Protocol (OCSP) for validating client certificates as an alternative to CRLs.
- Improved management of access lists based on Security Group Tag (SGT) for full integration with the philosophy TrustSec.
- Internationalization automatic captive portal for guests according to the language of the browser.

Related articles
Categories: Security Tags: , , , , , , , , ,

CLUSIT Security Summit:domani al via l’edizione 2012!

March 19, 2012 Leave a comment

CLUSIT Security Summit

 

Milano, 20-21-22 Marzo 2012 AtaHotel Executive – v.le Don Luigi Sturzo, 45 ore 9-18

 

Aggiornamento, formazione e informazione per manager e tecnici della ICT Security!

Categories: Uncategorized Tags: , , ,

Today ISE training day 1

March 19, 2012 Leave a comment
SAN JOSE, CA - AUGUST 10: A sign is posted in...

Image by Getty Images via @daylife

and the day is gonna be at its end for the first day of ISE training here, tomorrow I will have to talk about Profiling, we’ll see Sorriso

Related articles
Categories: Uncategorized Tags: , , , , , , ,

Configure cisco ISE for Cisco Access Points

March 13, 2012 2 comments

Let’s say you have been asked to configure ISE to allow secured network access for Cisco Wireless Access Points.

To do so you should :

· Enable the ISE endpoint profile for Cisco Access Points

· Configure an Authorization Profile and Authorization Policy rule for Cisco Access Points

· Review the access switch configuration to authorize an access point using MAC Authentication Bypass (MAB).

· Verify proper authorization of a Cisco Access Point based on ISE policy

 

Login to ISE

clip_image002

The ISE Home Dashboard page should display. Navigate the interface using the multi-level menus.

Configure the Profiler Policy to assign endpoints matching a Cisco Access Point profile to an Identity Group  called  “Cisco-Access-Points” Caldo.

Navigate to Policy > Profiling and select Cisco-Access-Point from the list of Endpoint Policies, verify that the policy is enabled (Policy Enabled checkbox is checked) and check the option Create Matching Identity Group.

Do not forget to save Sorriso otherwise it will not work Occhiolino

Now define an Authorization Profile for Cisco Access Points.

Navigate to Policy > Policy Elements > Results and double-click Authorization to expand its contents.

Select Authorization Profiles from the left-hand pane and click Add from the right-hand pane and enter the values for the Authorization Profile as shown below:

Attribute Value
Name Cisco_Access_Points
Description Permit access to Cisco Access Points
Access Type ACCESS_ACCEPT
Common Tasks
DACL Name [ ✓ ] PERMIT_ALL_TRAFFIC
VLAN 90 (or 1:90)

The resultant Attribute Details should appear at the bottom of the page as the following:

Access Type = ACCESS_ACCEPT

Tunnel-Private-Group-ID = 1:90

Tunnel-Type = 1:13

Tunnel-Medium-Type = 1:6

DACL = PERMIT_ALL_TRAFFIC

finally click Submit to apply your changes.

Now we should configure a new Authorization Policy rule to assign the new Cisco_Access_Points profile to endpoints that match the Identity Group named Cisco-Access-Point.

To do so go to Policy > Authorization and insert a new rule below the Profiled Cisco IP Phones rule as shown in the policy table below. Use the clip_image006 selector at the end of a rule entry to insert or duplicate rules.

Enter the following values for a new rule named Profiled Cisco Access Points:

Status Rule Name Identity Groups Other Conditions Permissions
clip_image002[4] Profiled Cisco IP Phones Cisco-IP-Phone - Cisco_IP_Phones
clip_image002[5] Profiled Cisco Access Points Cisco-Access-Point - Cisco_Access_Points

 

Don’t forget to  Save when finished making policy updates.

Hint: Verify proper authorization of the wireless access point.

check the status of the port, eventually give the No Shut command in the configuration mode for the selected interface.

check the auth status with:

cisco-access# show authentication sessions interface gi0/x

or

cisco-access(config-if)# do sh auth sess int gi0/x

keep in mind you could need a few minutes to allow the result to be shown (between bootstraps and stuffs…)

To display the current dACL applied to the interface using the command show ip access-lists interface GigabitEthernet 0/3. The output should appear similar to the following:

cisco-access(config-if)# do sh ip access-list int gi0/3

permit ip host 10.1.90.100 any

 

To verify the Cisco Wireless Access Point authentication in the ISE go to Monitor > Authentications log:

S Username Endpoint ID IP Address NAD Device Port AuthZ
Profiles		 Identity Group Event
#ACSACL#-IP-PERMIT_ALL_TRAFFIC 3k-access Authorize Only DACL Download
nn:nn:nn:nn:nn:nn nn:nn:nn:nn:nn:nn 10.1.10.100 3k-access Gi0/3 Cisco_Access_Points Cisco-Access-Point Auth Succeeded

Note: The access point periodically attempts to renew its IP address if no network connectivity. The default port ACL on the switch allows access to DHCP services, so the access point initially receives an IP address in the default access VLAN 10 (10.1.100.10). Once authorized for VLAN 90, the access point will renew its IP address in the new VLAN (10.1.90.100).
The authentication event in the above log reflects the IP address learned at the time of authentication. The access list applied to this session reflects the final endpoint IP address using variable substitution of the “any” value in the dACL’s source IP address.

Related articles
Categories: Uncategorized Tags: , , , , , , ,

Support at its best :)

February 17, 2012 Leave a comment

Comic for February 12, 2012 from Dilbert Daily Strip

Dilbert

Image via Wikipedia

Related articles
Categories: Uncategorized Tags: , , , , , , , ,

Steve Jobs 1955-2011

October 6, 2011 Leave a comment

imageimage

image

Rest in Peace Steve.

Thanks

Categories: Uncategorized

SOA, Cloud and the network–part 1

September 30, 2011 2 comments
Layer interaction in service-oriented Architecture

Image via Wikipedia

It is now a quite very long time we talk about new architectures for our environment.
What is leading the way, nowadays, is talking about SOA and Cloud, but what do really means for us implementing those architecture in our networks?
One of the problem I’ve noticed when talking with customers and partners is that they usually try to use the same techniques they used for the old network deployment to the new ones. this is a mistake for several reasons, but for a mere philosophical point of view make a little, if not at all, sense to apply old rules to new ideas.
So what has really changed in those approach (cloud and SOA) that will require us to shift our way to project ad deploy networks?
Let’s say there are some evident changes, first of all the topology of connection has been dramatically modified. when once we could simply think of an identity between user or service, and relative IP address this is not more possible.
The reason behind this are easily found in both client and server side of this equation.
No more physical servers location
virtualization simply change the rules of the game, braking the identity between the physical location of a server and the service provided. this is a huge change in the way we should plan and deliver our service.
The classic structure was something like that:
image
The service used to be provider by one or more servers with a physical defined location and IP.
The client usually shared the same configuration with a well defined physical location and a fixed IP (or an address taken form a well defined pool).
With this situation was relatively simple to define rules of access and security.
User where defined by the  membership to a specific directory group (Active Directory or LDAP or …who really cares?) as well as client computer was identified and identified by it’s IP range.
From a service delivery and security perspective this was translated in two completely separated set of activities:
The owner of the network used to set delivery and security rules based on IP and MAC address, creating table to allow or block access to physical locations defined by it’s IP range. Tis way there was a sort of identity between IP structure and topology that was then copied at upper layer by software services.
The owner of the service was, at the same time, able to ignore the network structure and limit the relative security and delivery to the authentication of the requester, providing a set of different access to the different layer or services provided by the software.
This approach lead information technology for decades, ten something happened: the disruptive introduction of virtualization.
Virtualization has been a successful technology because of the promise of lower the TCO of our networks.
The original idea was to abstract the physical server from OS and application, making the physical server able to run multiple different instances.
The advantage was a standard physical layer interface seen by OS (no more drivers nightmares, bios upgrade pain and stuffs like this) and the possibility to reduce the overall number of physical devices running more instance on one Hardware.
The increasing power of hardware platforms made this approach approach successful, but at the beginning the virtualization technique was just used to hide the physical server and nothing more.
image
Nothing were really changed here, beside the fact that more services were running on the same physical platform.
But changing technology create new needs and so the virtual infrastructures evolved to something completely new.
Basically the abstraction layer provided by the virtual environment has been expanded in order to offer a complete abstraction from the physical layer topology. Nowadays virtual environment allow to have virtual environment running  as an unique environment on different HW and different locations, at the same time the services running inside this environment are able to move from an hardware structure to another one just according the required computational needs, for the same reason instances can be created on the fly by the service layer or the virtual environment layer.
This is a radical change in the design of applications, security and networks. While before a simple IP was a good token to recognize a physical layer, a virtual one and a service one, now everything is more complex.
image From a logical point of view it is clear that the problem in design is that we have multiple required connection inside the virtual environment, the entities inside the virtual environment can create complex relationship between them (think of a classic SOA implementation) as well they need to instance the physical layer.
There are obvious problems related to authentication, identity flaw control, network control and monitoring inside the virtual environment as well as the interaction with the physical environment. In a single Datacenter the physical backplane and the communication between the physical servers is usually a problem solved with datacenter specific technologies as Unified computing by cisco.
Actually the situation is a way more complex if we consider a geographical implementation as it is used to build SaaS or cloud architectures.
Different environment can be located in different datacenter able to offer a single virtual environment.
Application living in the virtual severs can be located anywhere and change location upon request or load requirement.
image

In this situation we add another complexity to the structure, since the virtual layer needs physical geographical connections that emulate the single virtual environment, and at the same times applications need to communicate outside and inside their virtual environment.
The physical network layer need to manage several different kinds of traffic: the communication between the virtual layer units, the communication between different services that can be in need to communicate outside the virtual environment (typical SOA requirement) and the communication with client requiring service (we’ll explode this further in a few).
image
This kind of situation is typical in cloud implementation where the physical location of the provided service should not influence the client experience no matter where it is.
In a typical SOA implementation we add a new level of complexity since the service provided can be generated by different unit that can be stored generated and delivered in different fashion.
image
This kind of complexity is hard to manage with traditional techniques. the first thing that we have to realize is that we need to extend the control inside the virtual environment and its units form a network , authentication and identity point of view.
Since the post is not strictly on SOA architecture I would not go deeper on the modules authentication and security needs and I will talk generally of some network requirements.
Any service that need to communicate with another inside or outside the the virtual environment trough a network protocol (TCP\IP v4 or TCP\IP v6) usually need to be provided with some sort of connection link. this can be provided by a physical switch or a virtual one running in the virtual environment. using a physical switch can be, apparently, a great solution, in terms of performances and security. this is actually a misconception for several reasons:
First of all the communication outside the virtual environment require an overload to both the service and the virtual environment, if we widen the structure in a geographical scale this overload can be barley manageable.
Second aspect to keep in mind is that some network attack in this situation are easier since the real communicator is hided by the virtual shield. impersonating a service and access data is so not a remote threat.
If the physical cannot scale well, the virtual one has, on the other side, another set of  problems: resource consumptions (cpu and network latency for instance) the need to interface with the physical environment, a non matching vlan system and so on.
The problem is to overcome those limitation and keep the good from the two solutions
The solution the market is presenting nowadays is the integration between a virtual switch layer with a physical one datacenter scalable.
The idea is to have a single switch with two faces, one in the virtual world and one on the physical world. Cisco Nexus is a good example of this kind of approach.
As well as the switching similar requirement are related to firewalling. Since what happen inside a virtual environment is in a sort of black box from the outside world, keeping a security eye to check if the correct communication are in place an nothing strange happen is mandatory. Again we  have a dichotomy between the physical and virtual world, the solution nowadays is to adopt a virtual firewall able to deal with internal virtual environment communications. A good example can be found again in Cisco with VSG and Virtual ASA.
Cisco VSG Security in a Dynamic VM Environment, Including VM Live Migration


Basically this kind of solutions address two needs: manage and secure virtual internal traffic, and give an interface from the physical world to the virtual one and vice versa.
Alas this is only one part of the equation, since if from one side we have the problem to control manage and deploy the services we want to provide, on the pother end we have the problem to deliver those service to someone who can use it.
Here the problem again is evolving due to several factors: the vanishing of the physical borders of our networks, the consumerization of browser capable devices, the shift in use from simple data to rich context aware multimedia contents, just to name a few.
Users try to access resources from anywhere with different devices and we are barely able to know from where they will connect to the resources.
the initial situation was relatively easy to manage, as for the server also the client were easily locable. an IP address was more than enough to build a trust relationship between client and server.
image
With the Datacenter consolidation the number of servers and devices growth, but again with a limited presence of remote users the location of both side were quite easy understandable. The introduction of vlan technologies, stateful inspection firewall, the use of L3\L4 switches, the pervasive use of access lists were addressing (at least apparently) most of the issues.
image
The virtualization opened a break into this structure introducing a first layer of indetermination, virtual servers and services where not physically defined by the IP, since the could share the same physical location.
image
while adding complexity from “server” side, also the client side were expanding with an higher presence of remote users and the introduction of new services on the network (who does not have an IP phone nowadays?)
image
more devices means more network requirements, and so datacenter complexity, thanks to the virtual technology, expanded beyond the physical constrain of a single physical location. as we discussed before this lead to a series of problems that were paired with the expansion form the client side of remote and local  users using different devices.
image
And then comes the cloud, and the final vanishing of any physical predetermined location for our client and our services.
image
Client and server side so evolved in an interconnect way, but network components and design were not always following this thread.
Using old fashion access lists, IP based network policies, Static VLan Assignment to manage this situation create a level of complexity that makes things unmanageable. nowadays firewalls require thousands of rules to accomplish every dingle special need, alas we have all a lot of special needs.
It’s clear to me in this situation that we need to shift from a static design to a dynamic one, able to accomplish the different needs of this evolving environment. A technology like Cisco Trustsec address those kind of requests, using SGT (Secure Group Tagging) basically dynamically assign vlan membership upon user identity, regardless IP or location, driving the packets to destination accordingly to the needs, and encrypting the network communication. To drive correctly the traffic regardless the IP is a mandatory requirement in a dynamic Cloud or SOA environment.
As important as driving correctly the network traffic there is also the need to determine witch kind of access we want to assign, we have plenty of devices like tablets, smartphones, laptop, ip phones, printers, scanners, physical security devices, medical equipment that need to access somehow our services and need to be authorized on the network. Using a Network Access service is mandatory as well to be able to correctly filter the devices, both on wireless and wired networks (think of what happened recently in Seattle to understand this kind of need). Again we can think of a cisco product like ISEto accomplish this.

End of part 1
Related articles
http://feeds.feedburner.com/portadiferro
Categories: CiscoSystems, Cloud computing, Domain Name System, IP address, IPv6, Security, Virtual reality, VMware Tags: , , , , , , , , , , , ,

Anonymous vs BART (Simpson?) part2

August 24, 2011 Leave a comment

Still I read a lot on Anonymous hacking group, even that they threaten children or declare war against UK for expenditure cuts, also Strauss khan seems to be threatened by Anonymous.

Reading news seems that they’re an unstoppable force of nature…
I left my thoughts last time on why internet and why now, and why  they’re so (in)famous.
So about the first point: why internet? 
If they’re a unstructured movement is natural that they choose, grow and move onto the media that makes communication most easier.
The relatively growing of importance of social media, messenger and other communication systems made very easy recruitment and association on the met.
We saw tons of example in our recent history, think about the spontaneous protest that have strike country with despotic government, but also the recent riots in UK where social network apparently played a major role into spreading voices (it’s a viral marketing technique at the end, sin’t it?)
Another aspect of internet is that it’s quite easy to make a lot of damage with a relatively low technical knowledge. I’m not saying that into the anonymous galaxy there are not real hackers, but mostly looks act and attack like script kiddies. alas on the internet security is still far away to be a solid reality, and most of the site and service that offer service are not design and protected (think about the Sony hacking affair).
We should also consider that we knows what happen only after the hacks, this means that could have been several try before a successful hack. And if the number of attacker grows it amplify the chance to obtain a result.
The second questions is why now?
Well this is the time of the internet, where media amplify every thing happened, and sometimes with a little dramatization instead of a serious analysis :)
So the great exposition, the easy of communication and aggregation, the poor status of security and the relatively anonymity that internet offer makes this time the perfect time for anonymous like activities.
The question so is how we manage something like this?
to be continued…
Related articles
Enhanced by Zemanta
http://feeds.feedburner.com/portadiferro
Categories: anonymous, BART Police, Bay Area Rapid Transit, Hack, Hacker, Hacktivism, http://schemas.google.com/blogger/2008/kind#post, Internet security, PlayStation Network, Social media, Sony, United States

Anonymous vs BART (Simpson?)

August 20, 2011 Leave a comment

Bay Area Rapid Transit (BART) logoImage via WikipediaOK the latest are that group anonymous is attacking BART system in San Francisco. It’s a very funny target from my point of view, probably because thinking of an hacking attack to our Italian subway system would be ridiculous. Just because nobody would notice it of course :)

But the last Anonymous attack make me wonder what is really anonymous, and similar group like lulzsec or web-ninja and so on.

Are those a real groups? And what are the reasons behind their moves? Do they really have a defined  agenda? and a boss or a hierarchy?

Usually press and police try to consider those groups as organized crime or terrorist.  so we can read news on a new hacking group leader arrested, and even if this could sound a good info the truth is that those act does not stop, “ou contraire”, they rise up.

Like the Hydra once you cut a head other two grown up? Or this is a highly structured and efficient organization, able to act and replace the troops with military precision?

Alas I do not think they’re right. Considering the way they act and the target they choose it looks more like social networking environment.

It looks like more as an unstructured group, leader does not means boss, and links and groups does not identify a hierarchy. If we do not put this in mind we will have a few chance to understand this phenomena. With this in mind it’s easier to understand the aggregation model of those groups, underground culture, acktivism, emulation are all drivers. Of course in such environment is quite easy to have criminal infiltration and manipulation but those are not the main drivers.

A diffuse sense of eager for justice is the main vector, also a sense of revenge against official institutions. If we analyze the first targets, big corporations, police enforcement agencies, governments who are fighting civil rights looks like we have a sort of new “68″.

But why now and why internet? There are several good reason that are joining all together.

I will talk about this next time :)

Related articles
Enhanced by Zemanta
http://feeds.feedburner.com/portadiferro
Categories: anonymous, BART, BART Police, Bay Area Rapid Transit, Hacker, hackers, Hackers (film), Hacktivism, Organized crime, San Francisco, United States
Follow

Get every new post delivered to your Inbox.

Join 447 other followers