Cisco Identity Services Engine: What it Means To You

The recent introduction of Cisco’s next generation network access control system (ISE) raises the bar for internal network security controls and should make you examine whether this system is appropriate for your organization.

ISE is an integrated network access control system. The system is designed to restrict network access based on criteria defined by the organization. These criteria typically includes any combination of the following:

· Correct user ID & password authentication

· Windows group membership

· Up-to-date operating system patches

· Antivirus software functioning & up-to-date

· Machine owned and managed by the organization

· Operating system and/or browser

Based on these criteria, the level of network access is defined commensurate with risk. For example, machines that do not have updated patches might be permitted to only “talk” to the patch server so that updates can be installed. Further, network access can be defined dynamically based on the users role (i.e., only Human Resources users are permitted access to the servers containing personnel data.) Restricted network access for guest users is a natural extension of this technology, allowing visitors to access the Internet using existing infrastructure while protecting internal resources.

In legacy NAC systems, this control is implemented through dynamic VLAN assignment in conjunction with a separate control point, typically a dedicated firewall or NAC appliance acting as a primitive firewall. More modern 802.1x NAC systems control access at the switch-port level, but have proven difficult to implement and maintain, requiring multiple disparate systems to manage.

Cisco ISE is innovative in that it implements everything mentioned above in a single integrated platform with a rich, flexible set of policy controls. ISE has broad hardware support, including the most common Cisco switches & wireless devices. Further, tools to accommodate non-NAC and/or non-802.1x compatible devices, such as printers, IP phones, or CCTV systems, are cohesive and mature, requiring minimal effort to maintain.

Employing security consultants and engineers with broad cross-functional experience, NWN STAR is uniquely qualified to design and implement Cisco ISE systems. Our engineers have implemented NAC systems across a variety of industries, including government, education, banking, retail, and healthcare environments. NWN recently became one of the first Cisco partners to be trained and certified to implement these systems for both small- and large-scale environments.

Gmail Users Beware

Recently I discovered that a Gmail account I use for subscriptions to newsletters and similar non-critical content had been hacked by someone in China. That, by itself, isn't that interesting but there were some interesting aspects of the "attack".

I would like to think that I am fairly security savvy, given that is what I do for a living but this event has opened my eyes to how vigilant we must be as defenders and the true advantage attacker have over us.

I first discovered that this Gmail account had been compromised when I started receiving bounce-back messages from a strange email address - 451231738@qq.com. I know I didn't send any email address so I did some digging. It turns out that QQ is a popular instant messaging site in China. Hmmmm, that's not good. I then checked out the setting on my Gmail account and discovered what actually happened.

Typically, I view the email from this particular Gmail account on any of various other devices (iPad, laptop, etc.). As a result, I don't usually log in to Gmail itself. When I did, I was presented with a big, red flashy sign that said, basically, Danger Will Robinson, someone has recently logged into your account from China - click here to see what happened. I clicked there and found that my account had been accessed at least 3 times from China starting around 10 days before I detected the problem. That, of course, prompted additional investigation.

I looked in the setting of my Gmail account and found a lot of bad things. I first noticed that someone had set up the QQ email address as an address that mail sent to the Gmail account could be forwarded to. Next, I discovered that the password recovery email address was also set to the QQ email address. Finally, I found a number of filters set up to forward any email containing the words "password", "info", "account" and "paypal" would be sent automatically to the QQ account. Also, any email from @blizzard.com or @battle.net would be forwarded.

Given that I don't use this Gmail account for anything critical, I'm not terribly concerned about the impact of this hack. I suppose someone in China could steal my subscription to a newsletter or discussion group but that's not that big of a deal. There are a couple of things that really do have me concerned.

First, how did the attacker manage to compromise my account without me knowing about it? Perhaps my password could have been better but doesn't Google have a setting to prevent brute force attacks?

Second, it scares me that the attacker was able to modify the settings of my Gmail account such that I would not have found out about the attack if the QQ address hadn't been shut down. How many others don't log into the Gmail web site but rely on Mail.app, phone mail clients, Outlook or similar mail clients to get their mail?

Third, how many people use their Gmail accounts to conduct real business (either professional or personal)? How many people use Gmail to reset the passwords on their bank accounts, to pay bills, etc. This type of attack had little real negative impact on me but that we partially dumb luck in that I don't use Gmail for anything really important.

Finally, is this problem specific to Gmail? Are other web-based mail services less vulnerable? Equally vulnerable? More vulnerable?

To wrap things up, if you are reading this and use a web-based email service like Gmail, check you settings as soon as you can. I'm not saying you've been hacked but it is better to be safe than sorry. Remember to check the settings and change your password to these sites regularly.

And Google, if you are by any chance listening, please include an account lockout function (if you don't already have one) and please allow me to include a setting that alerts me if settings are changed. It doesn't have to be fancy - just a quick email stating that "we just wanted to let you know that your settings have been changed - if you didn't do this, you've been hacked!".

Nessus Parser V0.10

Cody Dumont from the NWN STAR team just release the latest version of his Nessus Parser. The parser can be found at www.melcara.com. Here is an expert from his blog posting.

Nessus Parser v0.10 – This is a program to parse a series of Nessus XMLv2 files into a XLSX file. The data from the XML file is placed into a series of tabs to for easier review and reporting. New features with this edition are better reporting of policy plugin families, user account reporting, summary graphs, and a home page with summary data. For more information and questions please contact Cody Dumont from the NWN STAR team.
Email – cdumont”AT”nwnit.com