Network World

Jamey Heary: Cisco Security Expert

Cisco Subnet


Ease of Use comes in Cisco's IPS 6.1 release. Should Cisco competitors be afraid?

Cisco released the IPS 6.1 minor release upgrade early last week. It sports a newly minted GUI manager/monitor and has a couple new features worth noting. The new GUI manager/monitor called IPS Manager Express (IME) is leaps above the previous GUI.


Cisco Security refresh: Cisco Security Manager 3.2

This month Cisco added some blockbuster features to its GUI security software, Cisco Security Manager (CSM). In fact, a recent Network World test rated a previous version of Cisco Security Manager higher than Check Point for UTM management (a 4.0 vs. a 3.75 score). That's right, Cisco security management beat out Check Point's security management in an independent review. Now that's a first! If you haven't heard of CSM yet, or have only played with an early release of it, now might be a good time to take a look.


Are YouTube, Bittorrent, and Skype chewing up your bandwidth and productivity? The Cisco Cat6K Sup32-PISA can help!

The Cisco Catalyst 6500 Supervisor Engine 32-PISA is the fastest and most feature-rich access layer supervisor engine Cisco has ever produced. The PISA is the result of years of R&D and testing. For the first time ever, Cisco has added a special network processing unit (NPU) daughter card to the Sup32 engine. It is called the Programmable IP Services Accelerator, or PISA for short. The PISA NPU consists of 16 micro engines and a hardware crypto card. The big advantage of the PISA architecture is that, unlike ASIC technology, you can re-program the PISA micro engines whenever the need arises. This means the shelf life and flexibility of the PISA will be longer than that of an equivalent ASIC-based solution. Not even Cisco's Sup720 has this kind of technology.


Insurance broker for Hannaford provides insider view on data theft insurance

I have been exchanging emails off-line with Kevin P. Kalinich, J.D. Kevin is the Co-National Managing Director of the Financial Services Group at Professional Risk Solutions. A couple of days ago Kevin emailed me a response to my blog on the Hannaford credit card theft and the state of privacy breach insurance. Kevin is a pioneer in this emerging insurance space and I found his insight and experience very valuable. He sent me an excellent (30+ page) whitepaper he authored on the current state of the privacy breach insurance marketplace. You can get a copy of Legal Exposures to the Maxx here. It is a must-read for any company considering a privacy breach insurance policy.


Privacy Breach Insurance; new solution for mitigating the risk of credit card and identity breaches

Yesterday's announcement by the retailer Hannaford looks to be the second largest credit card security breach in history. It is reported that some 4.2 million credit card numbers and expiration dates have been stolen. With unfortunate regularity, companies are disclosing that they are the latest victims of massive credit card or Personally Identifiable Information (PII) theft. This has gotten the attention of a few insurance companies who, in response, have created a new insurance product called Privacy Breach Insurance. Companies like Chubb, AIG, and Executive Risk are betting that as the information theft problem continues to escalate, companies will increasingly turn to privacy insurance as a way to stave off the risk and reduce the financial impact of a privacy breach.


Why an economic recession could leave companies wide open to cyber attacks

It seems that everyone and their brother are now saying that the U.S. is in the midst of a recession. Market analysts are predicting that U.S. GDP will actually go negative this year. It must be official now that even the White House has acknowledged it. This got me thinking about the effect a recession might have on my industry (IT security). My first thought was that if company profits start dwindling, their IT budgets will predictably follow suit. If IT budgets dwindle, my experience tells me that security budgets will take an even larger percentage hit than IT overall. When fighting for IT dollars, in many cases security gets lost, put on hold, and brushed under the carpet.


Apple integrates Cisco’s VPN Client into the iPhone

Today Apple announced the details of the iPhone 2.0 software beta. Many new features are coming to the coolest gadget on the planet. Of particular interest to me is the integration of Cisco's VPN client software into the iPhone. This will be a full-blown IPsec client that will even support the use of certificates or password-based multi-factor authentication. Very nice! The iPhone VPN client will be able to connect to Cisco VPN gateway devices, like the Cisco ASA and the older Cisco PIX.

Apple also announced support for WPA Enterprise with 802.1X authentication coming in the 2.0 code. This will enable more enterprises to allow the iPhone to connect securely to their wireless infrastructure.


Cyber Warfare: Frontline combat power gets a boost with the new Cisco ASR 1000 Router Series

Yesterday, Cisco officially announced its next-generation, frontline, cyber superiority Battlestar, known as the Cisco ASR 1000 Series routers. This new edge router series offers a 10-fold or greater increase in routing, IPsec, and firewall performance versus previous midrange aggregation routers with these services enabled. Much has already been reported on it, but I wanted to focus on security. Is the new Cisco ASR 1000 Series unmatched in the raw combat power it is capable of unleashing on its enemies in cyberspace? Let's dig into the performance characteristics and combat power of this next-gen edge router to see. Keeping in mind that raw combat power per se cannot guarantee cyber combat success, we'll also look into the technological advances that it offers.


Cisco Security Conversion Tool (SCT) -- Easing the pain of a Check Point to Cisco firewall migration

Migrating from one firewall vendor to another can be a huge undertaking, requiring hours of tedious access and NAT rule rewriting. Wouldn't it be nice if someone came up with a FREE tool that converted one vendor's firewall configuration files into another vendor's format? Think of the tens or hundreds of man-hours it could save you. Well, you're in luck. That is exactly what Cisco has created with its free SCT tool. The bummer is that it only works for converting Check Point firewall configs to Cisco ASA, PIX or FWSM configs. It currently works with Check Point 4.x, NG, UTM, and NGX. It won't work with any other vendors yet. But if you're doing a Check Point to Cisco firewall conversion, the SCT tool is a godsend.


Cisco releases new firewalls, the ASA 5580

Following closely on the heels of the release of the 4Gbps IPS appliance, Cisco released the ASA 5580 firewall. It comes in two models, a 5Gbps (ASA5580-20) and a 10Gbps model (ASA5580-40).

Those aren't backplane speeds or pie-in-the-sky UDP 1500-byte packet throughput numbers with protection turned off, either. Vendors' marketing teams love to quote us numbers that are meaningless in the real world. The performance numbers Cisco is quoting are real-world performance numbers based on a mix of various rich media traffic samples with the recommended firewall protection features turned on.

More performance numbers:

  • It can process up to 4Mpps!
  • It can sustain up to 2 million concurrent connections

Cisco NAC Appliance gets some new features

Cisco recently released version 4.1(3) of its NAC Appliance product line. 4.1(3) has a slew of new features in it that I thought you might be interested in. The most noteworthy, to me anyway, is the addition of a web agent client delivered via Java or ActiveX. This web agent client does not require admin privileges to run, unlike the traditional Clean Access Agent.


Achieving two-factor authentication with digital certificates. Are costly OTP token solutions dead?

It is widely accepted that one of the best things you can do to secure your SSL VPN infrastructure is to implement a two-factor authentication scheme. Typically, this has been accomplished using one-time password (OTP) token technology. But what about using digital certificates that are tied to usernames instead of an OTP token approach? The idea is that the certificate is the something you have and the username/password is the something you know. This is a newly supported feature on the Cisco ASA, but not new to the industry, so I thought it might be interesting to examine it.


Insider view on finding stuff fast on www.cisco.com

It can be frustrating at times trying to find what you're looking for on Cisco's website, cisco.com. It's on the website, they say. Sure, but where?
To help you become more efficient in navigating the juggernaut that is Cisco.com, I've compiled some of my favorite tips and pages. Some of these are hidden gems, others are time-tested favorites. If you have some of your own to recommend, please share.


Cisco VPN gateways support the iPhone

So you have your shiny, cool new iPhone. You're addicted to its very cool web browser. Now you want to be able to surf to your internal home or corporate networks using a VPN, right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news: both Cisco IOS routers and the ASA appliance support this. In fact, they've supported it all along. Here are some of the geeky details and how to set it up.


The top 5 coolest security features/products released this year by Cisco

Wow, 2007 is almost over! It seems like it has flown by. Cisco security has made some great strides over the year. Let's take a look back at some of the most interesting, useful, and/or innovative security-related features and products that Cisco released in 2007. I'd also like to hear from you which ones you've been most impressed with this year.


Cisco Releases New 4Gbps IPS 4270 Appliance

Cisco has finally entered the high-speed IPS market segment! Cisco is shipping the IPS 4270 appliance, which can deliver up to 4Gbps of real-world, media-rich traffic inspection. Cisco is proud of the fact that this benchmark number was achieved with the Cisco recommended IPS protection settings enabled on the 4270. They used real-world, stateful traffic flows in their testing. Cisco has not released the best-case, pie-in-the-sky UDP performance numbers of the 4270 yet. But it has released expected real-world performance numbers if you deploy the 4270 in a highly transactional environment like e-commerce or IP voice. This type of environment will drop performance down to 2Gbps of IPS inspection.


PCI Compliance, the 12 Step Program

If your company stores, processes, or transmits the primary account number on a credit card, then you are required to meet, or exceed, the data security standards set forth in the PCI security standards. These security requirements apply to all network components that forward or have access to cardholder data. This would include switches, routers, firewalls, IPS, servers, workstations, wireless, storage, etc. So basically, if the device has IP (Internet Protocol) reachability to cardholder data, then it is in scope for the PCI requirements.


My Security Christmas List

Christmas '07 is fast approaching and my kids already have their Christmas lists done. So, I thought I'd do a Christmas list of my own, with a twist. If I could get Santa's elves to build me a shiny new piece of network security hardware, what would I want? Well, I'd ask for a reputation-based firewall, that's what!

I've seen the ultimate power that reputation databases, like IronPort's SenderBase, can add to email anti-spam products and URL web security products. So I made the not-so-giant leap that adding reputation to firewalls makes sense. So how would my new reputation-based firewall work, you ask? Well, check this out:


Cisco's Enterprise Class Teleworker VPN solution is a no-compromise work-from-home solution

Trying to figure out how to easily and securely deploy a few hundred VPN routers for your home office or small office users? Cisco’s ECT solution might be for you.


Common Vulnerability Scoring System (CVSS) Explained

The Common Vulnerability Scoring System, or CVSS for short, is the first and only open framework for scoring the risk associated with vulnerabilities. CVSS is designed to rank information system vulnerabilities and provide an end user with a composite score representing the overall severity and risk the vulnerability presents. CVSS was created by the National Infrastructure Advisory Council (NIAC). Over the years it has become a very widely adopted scoring system and is used by such heavy hitters as the Department of Homeland Security, CERT, Cisco, Union Pacific, and Symantec, to name but a few. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST), http://www.first.org, and was a combined effort involving many companies, including:



About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
