Corporate security teams around the world are seeing their budgets get hacked and slashed down to the bare bones (just like every other dept). Many of those that are tasked with the protection of their company’s digital data are frustrated and concerned. Without those dollars they will struggle to keep the shields up and perimeter secured. That’s when we need to turn to the old adage use what you have for support. But you are using what you have already you might say. True enough. However, ask yourself if you are using what you already have to the fullest extent of its capabilities. In many cases you might not be able to give a direct answer because you’ve not had time to explore all of the features a particular security widget has. You are not alone in this; in fact you’re in the majority (myself included). The biggest reason for this is that we are all to busy to go much beyond the original scope of what we bought the product to do. Sure we know it has lots more knobs and levers but we just don’t have time to explore them. So, if you’ve lost security budget dollars you requested, use that opportunity to go back to management and sell them on your new plan. Here’s your new backup plan. Draw up a formal project plan with the goal of obtaining the dedicated time, away from your day job, necessary to properly explore new ways to use what you already have. The fact that you are submitting it as new formal project means that it will be treated and prioritized against all your other projects. This protects your new goal from becoming an after thought or viewed as a pet project. A project plan will force timelines, have an actionable plan developed, enforce accountability, demand documentation, and generally just put structure around what sometimes becomes just tinkering in the lab for a few hours. Part of the project plan will be to write down all of your identified security gaps and new gaps caused by the loss of budget. Then brainstorm what products you have that could potentially close these security gaps if you took the time to learn all their features and capabilities. Once the project plan is finished present it to management for their support. Be sure to request dedicated man-hours and a priority level you deem this project will warrant versus other projects you have going. Without a formal, approved project wrapped around this goal it is supremely hard to dedicate time ad-hoc and make any real progress. Here are just a few Cisco security products that might just have some obscure features you haven’t explored yet but will help close some security gaps. I’ve listed the product and the lesser known features it has. Sure these features might not be exactly what you wanted but that’s not the point right. The point is can you increase your security with no new budget using more of what you already have. Cisco ASA – Layer 7 Application firewalling. Gives the ability to monitor and stop some instant messaging, peer-to-peer, and port 80 tunneling applications. Can be used to cover a few of the OWASP top 10 vulnerabilities using custom regex layer 7 http inspection rules. See my previous blog for other features. http://www.networkworld.com/community/node/36089 and http://www.networkworld.com/community/node/18845 Cisco ASA AIP-SSM card – Some customers have an IPS module in their ASA. Are you using it to its full potential? Do you have it in IPS prevention mode? If not, then work towards that goal to increase security. Here is a guide to help get you rolling http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/ips.html Network IDS/IPS appliances – If these are only running in Intrusion Detection Mode and not Intrusion Prevention Mode then work up a plan to move to IPS mode. This can substantially increase your security when done properly. VPN appliances – Many of these, the ASA included, have tons of advanced features you can use. Things like NAC to check host posture before allowing the tunnel is one. Another is the ability to use an embedded certificate authority that can be used to issue user based certs for two-factor authentication without having to buy tokens. See here for more info on using certificates as a second factor. http://www.networkworld.com/community/node/31124 Netflow – This can be used as a day zero network behavior-monitoring solution or as a poor mans IDS. It can detect port sweeps, network sweeps, and other reconnaissance type activity. You can use one of any number of free Netflow analyzer tools out there to get this working. Cisco switch security features – known as the catalyst security toolkit is full of useful features that are free. Some examples are DHCP snooping, IP Source Guard, ARP inspection, 802.1x, port and vlan access-lists, VRF lite to segment traffic (guest traffic perhaps), GRE tunneling, and traffic policing and rate-limiting to name a few. For more info see here http://www.networkworld.com/community/node/20209 Cisco Router security features – if you have the security feature-set then you can use your router as a powerful firewall with layer 7 capabilities, IOS IPS, VPN, policing, Denial of Service protection, authentication proxy, and several others. Just spend some quality time with the IOS security guide and your bound to find features you never new existed. For more new router security features see here http://www.networkworld.com/community/node/30102 Cisco ACS/802.1x – If you have ACS and 802.1x capable switches then you are all set. 802.1x has come a long way in the last few years. It is getting to the point now where it is actually usable for simple tasks like authentication at a per port level. See my previous blog on cool new dot1x features http://www.networkworld.com/community/node/35621 Protect your routers from attack – Cisco routers have a cli command called auto-secure and a GUI called router and security device manager. These two tools will run you through a wizard to increase the security posture of your routers. The tools are free, see here for more detail. http://www.networkworld.com/community/node/27851 If you’ve lost much of your security dollars lately and are wondering how you are going to get by, see what you already have that may be able to help. Any other ideas on features you found and others might appreciate?
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco’s new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google’s Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.*
*
*
*
*




