Things move fast in cybersecurity, and it’s always worth investing time to stay up-to-date on the state of the field. I’ve gathered 15 articles all about cybersecurity news and insights to provide some food for thought.
In my last post, titled Network Visibility: Using Dashboards to Tell a Deeper Story, we discussed how the dashboard feature of Scrutinizer can be an asset to multiple departments. I’ve had the opportunity to work with clients who had a one- or two-person shop and some who had multiple departments. There has been one common thing across all these deployments: by employing the features of the dashboard engine, they were able to reduce the time it takes to find what they are looking for. In this section, we will explore the network security department.
Enterprises want a monitoring solution that can reach traffic on segments where no probe can be placed locally. Encapsulated Remote SPAN (ERSPAN) mirrors the traffic seen on one or more source ports or VLANs, wraps the copies in GRE and carries them over a routed IP network to a remote analyzer, which can then generate flow data or inspect the packets to close visibility gaps. Because the mirror is passive, it stays out of the forwarding path and does not affect the reliability of production traffic; the mirrored stream does consume bandwidth on the way to the analyzer, though, so filter it down to the traffic you actually need.
DDoS attacks have plagued the network security space for almost 20 years. In that time, we have seen a lot of changes. In 2018 alone, we saw the first attacks measured at more than a terabit per second, and they have been bringing large organizations to their knees. If you aren’t prepared to quickly and effectively analyze DDoS attacks in real time, are you even prepared at all?
If you are ever out to dinner with friends talking about which network devices have the strangest exports, the Cisco ASA will certainly be near the top of the list. The ASA is truly unlike any other firewall in what it can export in its NetFlow Secure Event Logging (NSEL) format. When gathering ASA flows, you get most of what you are used to from NetFlow v5 or v9 (minus DSCP marking and TCP flags, which NSEL does not export). The interesting bit is its unique elements:
Elements Unique to Cisco ASA NSEL Data
- Firewall Event:
  - ID 1 – Flow Created: flow added to the cache (conversation starts)
  - ID 2 – Flow Deleted: flow removed from the cache (conversation ends)
  - ID 3 – Flow Denied: conversation was blocked
  - ID 5 – Flow Updated: flow still active in the cache (conversation is ongoing)
- Firewall Extended Event (the reason behind a Flow Denied or Flow Deleted event):
  - Flow Denied:
    - ID 1001: flow was denied by an ingress ACL
    - ID 1002: flow was denied by an egress ACL
    - ID 1003: flow was destined to the ASA itself and was denied (typically ICMP to the ASA, but it can be other to-the-box traffic)
    - ID 1004: the first packet of the TCP connection wasn’t a SYN
  - Flow Deleted: IDs in the 2000s, each identifying why the connection was torn down
- Ingress Access List: which ingress ACL was in play during a flow
- Egress Access List: which egress ACL was in play during a flow
- Username: Interestingly, the Cisco ASA includes the VPN username in the flow records. So if your ASA is a VPN appliance, you can gain some valuable insight into what users are doing during VPN sessions. I have worked with customers to set up custom alerts to let them know if VPN connections are being established from outside of the USA or other approved regions.
- NAT Information: The ASA keeps track of and exports how source and destination IPs and ports are translated by the firewall. This is useful for mapping traffic seen on the outside back to the internal user when investigating traffic that crossed the firewall.
As you can see, there is a wide variety of elements that are specific to the ASA. By harnessing these data elements, you can get historical reports on all of the ACL activity the firewall has seen.
For example, suppose an overly permissive policy allows any host to communicate with an off-premises disaster recovery provider. A firewall admin may want to lock this policy down to the IP addresses they believe should be making this communication. But before making that change on the firewall, we can look back over a couple of months of data and make sure we aren’t about to block any IP addresses we didn’t think of. Furthermore, we can check whether any hosts we wouldn’t expect are communicating with the disaster recovery site.
Taking a look at an example from Scrutinizer, we can see some peculiar activity from our marketing team. As a firewall administrator, I could investigate who from marketing was attempting to connect to the AWS Backup Servers and what time of day it’s occurring. Then I can determine if this communication should be allowed or investigated further.
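To make the ACL review, the out-of-region VPN alert and the NAT lookup concrete, here is an added example (not code from the original post, Plixer or Cisco) that runs those checks over NSEL records a collector has already decoded. The field names (`fw_event`, `fw_ext_event`, `ingress_acl`, `xlate_src` and so on), the network ranges and the records themselves are constructed assumptions; a real collector maps NSEL’s NetFlow v9 element IDs to its own field names, and the address it attaches to a VPN session depends on the product.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Firewall event and extended event codes as listed above for NSEL.
FW_EVENT = {1: "created", 2: "deleted", 3: "denied", 5: "updated"}
FW_EXT_EVENT = {
    1001: "denied by ingress ACL",
    1002: "denied by egress ACL",
    1003: "denied: traffic to the ASA itself (e.g. ICMP to the box)",
    1004: "denied: first TCP packet was not a SYN",
}


def rec(**fields):
    """Build a decoded record with every (assumed) field present."""
    base = {"fw_event": 1, "fw_ext_event": 0, "src": "", "dst": "", "dport": 0,
            "ingress_acl": "", "egress_acl": "", "user": "",
            "xlate_src": "", "xlate_sport": 0}
    base.update(fields)
    return base


# Constructed sample records, not captured data. 203.0.113.0/24 stands in for
# the off-prem DR provider; 10.1.20.0/24 is the backup team, 10.1.30.0/24 marketing.
RECORDS = [
    rec(fw_event=1, src="10.1.20.5", dst="203.0.113.10", dport=443,
        ingress_acl="inside_in", xlate_src="192.0.2.1", xlate_sport=40001),
    rec(fw_event=2, fw_ext_event=2003, src="10.1.20.5", dst="203.0.113.10",
        dport=443, ingress_acl="inside_in", xlate_src="192.0.2.1", xlate_sport=40001),
    rec(fw_event=1, src="10.1.30.77", dst="203.0.113.10", dport=443,
        ingress_acl="inside_in", xlate_src="192.0.2.1", xlate_sport=40002),
    rec(fw_event=3, fw_ext_event=1001, src="10.1.30.78", dst="203.0.113.20",
        dport=22, ingress_acl="inside_in"),
    rec(fw_event=3, fw_ext_event=1003, src="10.1.30.78", dst="10.1.1.1"),
    # VPN sessions: "src" is the remote peer address the collector attached to
    # the session (an assumption about how the collector presents it).
    rec(fw_event=1, src="198.51.100.7", dst="10.1.40.10", dport=445, user="jdoe"),
    rec(fw_event=1, src="192.0.2.200", dst="10.1.40.10", dport=445, user="asmith"),
]


def describe(record):
    """Human-readable event name combining the event and extended event codes."""
    event = FW_EVENT.get(record["fw_event"], f"unknown({record['fw_event']})")
    ext = record.get("fw_ext_event", 0)
    if event == "denied":
        return FW_EXT_EVENT.get(ext, f"denied (extended event {ext})")
    if event == "deleted" and 2000 <= ext < 3000:
        return f"deleted (teardown reason {ext})"
    return event


def acl_review(records, dst_net, expected_sources):
    """Before tightening a permissive rule toward dst_net: every source that
    actually used it, the ones not on the expected list, and the
    (source, ACL) pairs the firewall already denied."""
    net = ip_network(dst_net)
    to_net = [r for r in records if r["dst"] and ip_address(r["dst"]) in net]
    permitted = {r["src"] for r in to_net if r["fw_event"] in (1, 2, 5)}
    denied = Counter(
        (r["src"], r["ingress_acl"] if r["fw_ext_event"] == 1001 else r["egress_acl"])
        for r in to_net if r["fw_event"] == 3 and r["fw_ext_event"] in (1001, 1002))
    return {"permitted": permitted,
            "unexpected": permitted - set(expected_sources),
            "denied": denied}


def vpn_logins_outside(records, approved_nets):
    """Flow-create events that carry a username but originate outside the
    approved ranges (the out-of-region VPN alert described above)."""
    nets = [ip_network(n) for n in approved_nets]
    return sorted({(r["user"], r["src"]) for r in records
                   if r["fw_event"] == 1 and r["user"]
                   and not any(ip_address(r["src"]) in n for n in nets)})


def nat_lookup(records, xlate_src, xlate_sport):
    """Map a translated (post-NAT) address and port back to the internal host(s)."""
    return sorted({r["src"] for r in records
                   if r["xlate_src"] == xlate_src and r["xlate_sport"] == xlate_sport})


if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r['src']:>14} -> {r['dst']:<14} {describe(r)}")
    print(acl_review(RECORDS, "203.0.113.0/24", {"10.1.20.5"}))
    print(vpn_logins_outside(RECORDS, ["198.51.100.0/24"]))
    print(nat_lookup(RECORDS, "192.0.2.1", 40001))
```

Run against the sample, `acl_review` reports the marketing host 10.1.30.77 as an unexpected but permitted source to the DR range and one ingress-ACL denial, which is exactly the list you would want in hand before narrowing the rule. Note that only the flow-deleted record carries the final byte counts, so sum volumes from event 2 rather than from creates or updates.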
These types of reports nicely complement a company’s compliance initiatives. Being able to prove that ACLs have been doing their job over extended periods of time tells a great story during an audit. That said, when considering where to store this NSEL data, if compliance is a priority, make sure the solution you choose has customizable data retention settings so the data is still there when an auditor asks for it.
When it comes to reporting on ACLs within a flow collection system, powerful filtering will be crucial to this endeavor. To start collecting these events, configure the Cisco ASA to export NSEL using either ASDM or the CLI. Once the data is flowing into Scrutinizer, you simply run reports specific to those events.
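As an added illustration of the CLI side of that setup (not taken from the original post), this is a minimal ASA NSEL export policy. The collector address 10.1.1.50, the interface name inside and UDP port 2055 are assumptions; substitute your own.

```cisco
! Where NSEL records go: collector reachable via the inside interface, UDP 2055 (assumed values)
flow-export destination inside 10.1.1.50 2055
! Resend the NetFlow v9 templates every minute so the collector can decode
! data records even after a restart
flow-export template timeout-rate 1
! Hold flow-create events for 15 s: short-lived flows then produce only a
! flow-deleted record, which is the one that carries the byte counts
flow-export delay flow-create 15
! Choose which traffic generates NSEL events (here: everything)
access-list flow_export_acl extended permit ip any any
class-map flow_export_class
 match access-list flow_export_acl
policy-map global_policy
 class flow_export_class
  flow-export event-type all destination 10.1.1.50
service-policy global_policy global
! NSEL duplicates the connection build/teardown and ACL-denied syslogs;
! suppress those so the same events are not logged twice
logging flow-export-syslogs disable
```

`event-type all` sends create, update, teardown and denied events; if you only care about ACL reporting, `flow-denied` and `flow-teardown` are usually enough and cut the export volume considerably. On a busy firewall, narrow `flow_export_acl` to the segments you actually want to report on rather than matching everything.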
Contact our support team if you want to learn more about these integrations, or need help with configurations.
After you celebrate New Year’s Eve, it is time to get to work on those New Year’s resolutions! It is also a good time to reflect, prepare for new challenges, and brush up on the security threats to watch out for. In 2019, we expect new technologies and channels to open up additional threat vectors for attackers. As businesses prepare for a new year, I did some research and compiled a list of the top 7 network security predictions.
I want to introduce you to a very cool, very powerful search function for investigating IP Addresses.
We talk all the time about how NetFlow and IPFIX technologies fit very well in the behavior analysis side of a layered security solution.
NetFlow is a feature that provides the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, a network administrator can determine things such as the source and destination of traffic, class of service, and causes of congestion (if any).
It’s that time of year again. Employees have gone away from the office to spend time with friends and family. They will, of course, return shortly in the new year, and many of them will have new devices that they will want to join to the corporate network to stay connected. These include smartphones, smart TVs, watches and tablets. The technology provides an exceptional level of convenience for the user, but it means that more information is being shared with third parties, and every device added expands the attack surface. The security of the information these devices collect (and of the devices themselves) is far from perfect. So, what can you do to secure your devices, data, and network? Let’s take a look!
NetFlow can give us all kinds of rich information about our network infrastructure. You’ll find standard fields such as source and destination addresses and routing details, alongside advanced fields that carry information like network communication delay, RTP metrics, or DPI application labels. Exported as a standard field from most devices, the aggregated TCP flags seen over a flow can add real insight into what your flow data is telling you about network activity.
One of the most common support cases we see is helping customers with their SSL certificates (or TLS certificates, depending on your preferred terminology). This is an easy task to perform.