Heary

Top 5 most valuable skills for security pre-sales engineers

jheary — Mon, 30 Jun 2008 23:35:51 -0400

Are you thinking of changing careers to security sales engineering? Need some advice on what skills are most needed? Well, here are my top 5.

Read more

iPhone – The next platform for security tools?

jheary — Mon, 23 Jun 2008 11:39:57 -0400

With the soon to be released 2.0 software update all sort of applications will be ported to the iPhone platform. Security tools should be no exception. Here are some of the security tools that I’d like to see on the new iPhone 3G:

PuTTY – SSH client
netstumbler – wireless LAN detector with GPS support
KisMAC – Passive wireless scanner and cracker wit GPS support
Aircrack - A fast WEP/WPA cracking tool
metasploit – the best exploit tool out there. They’ve even added new exploits to hack the iPhone!
NMAP/Zenmap – Security scanner and exploit tool
Wireshark – The premier free Packet Sniffer
and of course Nessus – a comprehensive vulnerability assessment tool

Read more

Cisco wants your feedback on what new security features you need

jheary — Thu, 05 Jun 2008 22:16:56 -0400

I am a member of a field advisor board for security products at Cisco. One of the charters of this role is to provide the various security business units(BUs) with customer feedback on the feature and product requests they most desire. This process, among several others, helps ensure that the security product BUs at Cisco are developing features that customers are asking for. This input is used by the BU’s to help prioritize which features will be developed first. Otherwise known as the product feature roadmap.

Read more

Gain per-user control and auditing on who uses your Cisco site-site VPN tunnels

jheary — Tue, 27 May 2008 23:33:39 -0400

Wouldn’t it be nice to be able to control and audit access to your VPN tunnels using usernames and per-user security policies? Putting the typical tunnel Access-list protection in place is great 'an all but per user control is really where it’s at! To that end, Cisco has a nice feature that allows you to authenticate, authorize, and account any user who tries to access a site-site vpn tunnel. Most site-site VPNs rely on an access-list that determines what IPs and Ports can be used across a tunnel. But this feature, Authentication proxy, allows you to limit and audit the VPN tunnel access using usernames and passwords as well. Even OTP devices are supported. And yes, you can make authentication exceptions for non-authenticating devices like printers, servers, etc.

Read more

Quality weekly podcast security updates from Cisco IntelliShield

jheary — Fri, 23 May 2008 00:21:08 -0400

Need to get up-to-date on what’s happening in security. The Cisco IntelliShield Security Alert service offers free podcasts of it’s weekly Cyber Risk Reports. According to IntelliShield’s site, “The weekly Cyber Risk Reports provide strategic intelligence about current security activity in seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical.” Each report has a highlight/focus area that is listed, but the report also covers a broad range of security topics. I find them to be a quick way to get up to speed on security events from around the globe. These updates include political and legal updates that I don’t usually find on my typical security info sites.

Read more

Audit and lockdown your Cisco routers quickly using Router and Security Device Manager

jheary — Thu, 15 May 2008 18:53:41 -0400

90+% of Cisco Router administrators are CLI jockeys, myself included. However, there are several GUI tools that can help you manage and secure your Cisco routers very quickly. The one I want to focus on today is Cisco’s free Security Device Manager (SDM). Like most of Cisco’s device managers it allows you to manage one router at a time. Given some of the recent security news regarding Cisco routers I thought this topic might be timely in helping you lock down your Cisco routers. To quote from the Cisco SDM site, “Cisco Router and Security Device Manager (SDM) is an intuitive, Web-based device management tool supported on Cisco 830 series through Cisco 7301 routers.

Read more

Ease of Use comes in Cisco's IPS 6.1 release. Should Cisco competitors be afraid?

jheary — Tue, 06 May 2008 18:34:38 -0400

Cisco released the IPS 6.1 minor release upgrade early last week. It sports a newly minted GUI manager/monitor and has a couple new features worth noting. The new GUI manager/monitor called IPS Manager Express (IME) is leaps above the previous GUI.

Read more

Cisco Security refresh: Cisco Security Manager 3.2

jheary — Wed, 30 Apr 2008 00:00:27 -0400

This Month Cisco added some blockbuster features to its GUI security software, Cisco Security Manager (CSM). In fact, a recent Network World test rated a previous version of Cisco Security Manager higher than Checkpoint for UTM management (a 4.0 vs. a 3.75 score). That's right Cisco security management beat out Checkpoints security management in an independant review. Now that’s a first! If you haven’t heard of CSM yet or had played with an early release of CSM it might be a good time to take a look at it.

Read more

Are YouTube, Bittorrent, and Skype chewing up your bandwidth and productivity? The Cisco Cat6K Sup32-PISA can help!

jheary — Tue, 22 Apr 2008 12:31:53 -0400

The Cisco Catalyst 6500 supervisor engine 32-PISA is the fastest and most feature rich access layer sup engine Cisco has ever produced. The PISA is the result of years of R&D research and testing. For the first time ever, Cisco has added a special Network processing unit (NPU) daughter card to the sup32 engine. It is called the programmable IP Services Accelerator or PISA for short. The PISA NPU consists of 16 micro engines and a hardware crypto card. The big advantage of the PISA architecture is that, unlike asic technology, you can re-program the PISA micro engines whenever the need arises. This means the shelf life and flexibility of the PISA will be longer than an equivalent asic based solution. Not even Cisco’s sup720 has this kind of technology.

Read more

Insurance broker for Hannaford provides insider view on data theft insurance

jheary — Fri, 21 Mar 2008 01:41:44 -0400

I have been exchanging emails off-line with Kevin P. Kalinich, J.D. Kevin is the Co- National Managing Director of the Financial Services Group at Professional Risk Solutions. A couple days ago Kevin emailed me a response to my blog on the Hannaford credit card theft and state of privacy breach insurance. Kevin is a pioneer in this emerging insurance space and I found his insight and experience very valuable. He sent me an excellent (30+ page) whitepaper he authored on the current state of the privacy breach insurance marketplace. You can get a copy of Legal Exposures to the Maxx here. It is a must read for any company considering a privacy breach insurance policy.

Read more

Privacy Breach Insurance; new solution for mitigating the risk of credit card and identity breaches

jheary — Tue, 18 Mar 2008 23:41:54 -0400

Yesterday’s announcement by the retailer Hannaford looks to be the second largest credit card security breach in history. It is reported that some 4.2 million credit card numbers and expiration dates have been stolen. With unfortunate regularity companies are disclosing they are the latest victims of massive credit card or Personally Identifiable Information (PII) theft. This has gotten the attention of a few Insurance companies who, in response, have created a new insurance product called Privacy Breach Insurance. Companies like Chubb, AIG, and Executive Risk are betting that as the information theft problem continues to escalate, companies will increasingly turn to privacy insurance as a way to stave off the risk and reduce the financial impact of a privacy breach.

Read more

Why an economic recession could leave companies wide open to cyber attacks

jheary — Fri, 07 Mar 2008 22:41:06 -0500

It seems that everyone and their brother are now saying that the U.S. is in the midst of a recession. The market analysts are predicting that the U.S. GDP will actually go negative this year. It must be official now that even the White House has acknowledged it. This got me to thinking about the effect a recession might have on my industry (IT security). My first thought was that if the profits of companies start dwindling then their IT budgets will predictably follow suit. If IT budgets dwindle then my experience tells me that the security budgets will take an even larger percentage hit than IT overall. When fighting for IT dollars in many cases security gets lost, put on hold, and brushed under the carpet.

Read more

Apple integrates Cisco’s VPN Client into the iPhone

jheary — Thu, 06 Mar 2008 23:18:26 -0500

Today Apple announced the details of the iPhone 2.0 software beta. Many new features are coming to the coolest gadget on the planet. Of particular interest to me is the integration of Cisco’s VPN client software into the iPhone. This will be a full blown IPSEC client that will even support the use of certificates or password based multi-factor authentication. Very nice! The iPhone VPN client will be able to connect to Cisco VPN gateway devices, like the Cisco ASA and older Cisco PIX. Apple also announced support for WPA enterprise with 802.1x authentication coming in the 2.0 code. This will enable more enterprises to allow the iPhone to connect securely to their wireless infrastructure.

Read more

Cyber Warfare: Frontline combat power gets a boost with the new Cisco ASR 1000 Router Series

jheary — Wed, 05 Mar 2008 15:51:12 -0500

Yesterday, Cisco officially announced its next generation, frontline, cyber superiority Battlestar, known as the Cisco ASR 1000 series routers. This new edge router series offers a 10 fold+ increase in routing, IPSEC, and Firewall performance versus previous midrange aggregation routers with these services enabled. Much has already been reported on it, but I wanted to focus on security. Is the new Cisco ASR 1000 Series unmatched in the raw combat power it is capable of unleashing on its enemies in cyberspace? Let’s dig into the performance characteristics and combat power of this next-gen edge router to see. And keeping in mind that raw combat power per se cannot guarantee cyber combat success, we’ll also look into the technological advances that it offers.

Read more

Cisco Security Conversion Tool (SCT) -- Easing the pain of a Check Point to Cisco firewall migration

jheary — Fri, 22 Feb 2008 14:08:58 -0500

Migrating from one firewall vendor to another can be a huge undertaking requiring hours of tedious access and NAT rule rewriting. Wouldn’t it be nice if someone came up with a FREE tool that converted one vendor’s firewall configuration files into another vendor’s format? Think of the tens or hundreds of man hours that it could save you. Well you’re in luck. That is exactly what Cisco has created with its free SCT tool. The bummer is it only works for converting Check Point firewall configs to Cisco ASA, PIX or FWSM configs. It currently works with Check Point 4.x, NG, UTM, and NGX. It won’t work with any other vendors yet. But if you’re doing a Check Point to Cisco firewall conversion, the SCT tool is a godsend.

Read more

Cisco releases new Firewalls, the ASA 5580

jheary — Thu, 14 Feb 2008 23:26:24 -0500

Following closely on the heals of the release of the 4Gbps IPS appliance, Cisco released the ASA5580 Firewall. It comes in two models, a 5Gbps (ASA5580-20) and a 10 Gbps model (ASA5580-40). Now those aren't backplane speeds or pie in the sky, UDP 1500 byte packet throughput numbers with protection turned off either. Vendors marketing teams love to quote us numbers that are meaningless in the real world. The performance numbers Cisco is quoting are real world performance numbers based on a mix of various rich media traffic samples with recommended firewall protection features turned on. More performance numbers:

It can process up to 4Mpps!
It can sustain up to 2 Million concurrent connections

Read more

Cisco NAC Appliance gets some new features

jheary — Wed, 06 Feb 2008 17:35:44 -0500

Cisco recently released version 4.1(3) of their NAC Appliance product line. 4.1(3) has a slew of new features in it that I thought you might be interested in. The most noteworthy, to me anyway, is the addition of a web agent client delivered via java or activeX. This web agent client does not require admin privileges to run, unlike the traditional clean access agent.

Read more

Achieving two-factor authentication with digital certificates. Are costly OTP token solutions dead?

jheary — Wed, 23 Jan 2008 22:48:33 -0500

It is widely accepted that one of the best things you can do to secure your sslvpn infrastructure is implementing a two-factor authentication scheme. Typically, this has been accomplished using a one-time password token technology. But what about using digital certificates that are tied to usernames instead of an OTP token approach? The idea being that the certificate is the something you have and the username/pwd is the something you know. This is a newly supported feature on the Cisco ASA, but not new to the industry, so I thought it might be interesting to examine it.

Read more

Insider view on finding stuff fast on www.cisco.com

jheary — Tue, 15 Jan 2008 23:43:40 -0500

It can be frustrating at times when trying to find what you’re looking for on Cisco’s cisco.com website. It’s on the website they say. Sure but where!!! To help you become more efficient in navigating the juggernaut of Cisco.com I’ve compiled some of my favorite tips and pages. Some of these are hidden gems, others are time tested favorites. If you have some of your own to recommend please share.

Using the go sites. Did you know that you can find things by typing www.cisco.com/go/ followed by whatever it is your interested in. For example, http://www.cisco.com/go/asa or go/vpn or go/security, etc etc.

Read more

Cisco VPN gateways support the iPhone

jheary — Thu, 13 Dec 2007 15:55:59 -0500

So you have your shiny cool new iPhone. You’re addicted to their very cool web browser. Now you want to be able to surf to your internal home or corporate networks using VPN right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news, both the Cisco IOS routers and the ASA appliance support this. In fact, they’ve supported it all along. Here are some of the geeky details and how to set it up.

Read more