Posted by: Rob Chee
on Feb 9, 2010
The Cisco AnyConnect VPN Client is Cisco's SSL VPN client. Cisco currently supports both AnyConnect and the legacy IPsec client, the Cisco VPN Client, and the Cisco VPN Client will be phased out over time. One sign of this is the Cisco VPN Client FAQ, which states that 64-bit operating systems are not supported by the Cisco VPN Client but are supported by the Cisco AnyConnect VPN Client.
Posted by: Rob Chee
on Jan 17, 2010
Cisco MARS and Cisco IPS keep the official Cisco-published IPS signature set synchronized through the automatic updates that run on the IPS side and on the MARS side. On the IPS side, this is done by configuring "Configuration > Sensor Management > Auto/Cisco.com Update" within IPS Manager Express (IME). This is shown below.
Posted by: Rob Chee
on Nov 25, 2009
Cisco NAC Appliance 4.7.1 was just released. The main new features are support for Windows 7 and Mac OS X 10.6 (Snow Leopard).
Posted by: Rob Chee
on Nov 25, 2009
Email security is an important facet of data protection, both for enterprises and individuals. Email security can be implemented to perform email authentication (signing) and/or email encryption. Both are provided by Secure/Multipurpose Internet Mail Extensions (S/MIME), which relies on public key cryptography and a public key infrastructure (PKI). The basic requirements for PKI are a certificate authority (CA), a private key, and a public key: the CA issues a certificate binding the public key to the user's email address, and the private key stays with the user. An example is shown later that explains how to set up PKI for email using Comodo as the CA and Mozilla Thunderbird as the email client.
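The sign, verify, encrypt and decrypt cycle the paragraph describes, as an added example that is not part of the original post or of the Thunderbird/Comodo walkthrough it refers to. It drives the openssl command-line tool from Python and assumes `openssl` is on PATH; a self-signed certificate for a made-up address (`alice@example.com`) stands in for the CA-issued user certificate, and the message text is constructed. The tamper step shows what the signature actually buys you: change one character of the signed body and verification fails.

```python
"""
S/MIME sign, verify, encrypt and decrypt with the openssl CLI.
Added example for this post, not Thunderbird's or Comodo's procedure.
Assumes the `openssl` binary is on PATH; a self-signed certificate stands in
for the CA-issued user certificate so the demo runs offline.
"""
import subprocess
import tempfile
from pathlib import Path

# Constructed message; real mail would carry the full set of RFC 822 headers.
MESSAGE = b"Content-Type: text/plain\r\n\r\nThe Q3 numbers are attached.\r\n"


def _openssl(*args, stdin=None, check=True):
    """Run one openssl command and return the CompletedProcess."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=check)


def make_identity(workdir: Path, email: str):
    """Generate a private key and a self-signed certificate for `email`.
    Stand-in for the CA-issued S/MIME certificate (assumption of the demo)."""
    key, cert = workdir / "key.pem", workdir / "cert.pem"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", f"/CN={email}/emailAddress={email}",
             "-keyout", str(key), "-out", str(cert))
    return key, cert


def sign(message: bytes, key: Path, cert: Path) -> bytes:
    """Clear-signed multipart/signed S/MIME message (detached signature)."""
    return _openssl("smime", "-sign", "-signer", str(cert), "-inkey", str(key),
                    stdin=message).stdout


def verify(signed: bytes, trusted_cert: Path):
    """Return (ok, content). ok is False when the signature or chain fails."""
    p = _openssl("smime", "-verify", "-CAfile", str(trusted_cert),
                 stdin=signed, check=False)
    return p.returncode == 0, p.stdout


def encrypt(message: bytes, recipient_cert: Path) -> bytes:
    """Encrypt to the recipient's public key; the content key is AES-256."""
    return _openssl("smime", "-encrypt", "-aes256", str(recipient_cert),
                    stdin=message).stdout


def decrypt(ciphertext: bytes, key: Path, cert: Path) -> bytes:
    """Decrypt with the recipient's private key."""
    return _openssl("smime", "-decrypt", "-recip", str(cert), "-inkey", str(key),
                    stdin=ciphertext).stdout


def smime_demo() -> dict:
    """Round trip: sign/verify, detect tampering, encrypt/decrypt."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        key, cert = make_identity(work, "alice@example.com")

        signed = sign(MESSAGE, key, cert)
        ok, content = verify(signed, cert)

        # Change one character of the clear-text part: the detached signature
        # no longer matches the content, so verification must fail.
        tampered = signed.replace(b"Q3 numbers", b"Q4 numbers", 1)
        tampered_ok, _ = verify(tampered, cert)

        plain = decrypt(encrypt(MESSAGE, cert), key, cert)

    return {
        "signature_ok": ok,
        "signed_content_intact": b"Q3 numbers" in content,
        "tampered_signature_ok": tampered_ok,
        "decrypted_matches": b"Q3 numbers" in plain,
    }


if __name__ == "__main__":
    print(smime_demo())
```

With a CA such as Comodo in the picture, the CA's certificate is what goes into the trust store (the `-CAfile` argument here), and the recipient only needs the sender's certificate, which travels inside the signed message; the private key never leaves the sender's machine.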
Posted by: Rob Chee
on Nov 21, 2009
The Cisco Security team started a podcast series on iTunes in 2008. Seven episodes were released, and then the series stopped. The podcasts are still available on iTunes: search for Cisco and you'll see the Cisco security podcasts along with other Cisco podcasts.
Posted by: Rob Chee
on Nov 8, 2009
SNMP is one of the key technologies used in out-of-band Cisco NAC Appliance deployments. The NAC Manager sends SNMP GET commands to the access switches to learn about the switch port configuration. The NAC Manager also sends SNMP SET commands to the access switches to change individual switch ports from the authentication VLAN to the access VLAN and vice versa. The access switches send SNMP traps to the NAC Manager to tell the NAC Manager about individual switch ports that go up or down and switch ports that have new MAC addresses connected to them. With that information, the NAC Manager can decide whether the switch port should be moved back to the authentication VLAN.
Posted by: Rob Chee
on Sep 24, 2009
With most network management systems and network security systems, SNMP is a critical component. One great tool for checking SNMP functionality is net-snmp, which runs on Windows and Linux. From a security perspective, net-snmp is another troubleshooting tool for confirming that Cisco MARS and Cisco NCM can actually reach and read the devices they manage.
One basic tool in the toolset is snmpwalk. It can be used to determine the OIDs a network device exposes and the values behind them. Here's a partial execution of the command against a Cisco 2523 router.
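An added example covering both the NAC out-of-band SNMP exchange described above and the snmpwalk troubleshooting just mentioned; it is not code from the post or from the Cisco NAC Appliance. It parses the text net-snmp's snmpwalk prints (a constructed sample, since the post's own capture is not reproduced here) and models the decisions the NAC Manager makes from GETs and traps. The vmVlan object it sets and the trap names it reacts to are assumptions about how the access VLAN is switched; nothing here talks to a device, and every decision returns the snmpset command it would run so the logic can be checked offline.

```python
"""
SNMP as seen from a NAC Manager, using net-snmp tools.
Added example for this post (not Cisco NAC Appliance code). Parses snmpwalk
output and models GET/SET/trap handling for an out-of-band deployment.
"""
import re

# Numeric OIDs so the parser does not depend on which MIBs net-snmp has loaded.
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"           # IF-MIB::ifDescr
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"     # IF-MIB::ifOperStatus, 1 = up, 2 = down
VM_VLAN = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"   # CISCO-VLAN-MEMBERSHIP-MIB::vmVlan (assumed target object)

# Constructed sample of `snmpwalk -v2c -c public -On <router>` output.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Internetwork Operating System Software
.1.3.6.1.2.1.2.2.1.2.1 = STRING: Ethernet0
.1.3.6.1.2.1.2.2.1.2.2 = STRING: Serial0
.1.3.6.1.2.1.2.2.1.2.3 = STRING: Serial1
.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.2 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.3 = INTEGER: 1
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[\w-]+): ?(?P<val>.*)$")


def parse_walk(text: str) -> dict:
    """Map each OID in snmpwalk output to a value (ints for integer-like types)."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        val = m.group("val").strip().strip('"')
        if m.group("type") in ("INTEGER", "Counter32", "Gauge32"):
            # net-snmp prints enumerations as name(number) when the MIB is loaded
            num = re.search(r"\((\d+)\)$|^(\d+)$", val)
            if num:
                val = int(num.group(1) or num.group(2))
        table[m.group("oid")] = val
    return table


def column(table: dict, base: str) -> dict:
    """All instances of one table column, keyed by ifIndex."""
    prefix = base + "."
    return {int(oid[len(prefix):]): v for oid, v in table.items() if oid.startswith(prefix)}


def down_ports(table: dict) -> list:
    """Interface names whose ifOperStatus is down(2): what a GET-driven poll reports."""
    names = column(table, IF_DESCR)
    status = column(table, IF_OPER_STATUS)
    return [names[i] for i, s in sorted(status.items()) if s == 2]


class OobSwitch:
    """The NAC Manager's view of one access switch in an out-of-band deployment."""

    def __init__(self, host, rw_community, auth_vlan, access_vlan, certified_macs):
        self.host, self.rw = host, rw_community
        self.auth_vlan, self.access_vlan = auth_vlan, access_vlan
        self.certified = {m.lower() for m in certified_macs}

    def set_vlan(self, ifindex: int, vlan: int) -> list:
        """The SNMP SET that moves one port. It needs an RW community, which is
        why the switch should restrict that community with an ACL or use SNMPv3."""
        return ["snmpset", "-v2c", "-c", self.rw, self.host,
                f"{VM_VLAN}.{ifindex}", "i", str(vlan)]

    def on_trap(self, trap: str, ifindex: int, mac: str = None):
        """React to a trap the switch sent; None means leave the port alone."""
        if trap == "linkDown":
            # the user unplugged: park the port on the authentication VLAN again
            return self.set_vlan(ifindex, self.auth_vlan)
        if trap == "macNotification":
            # new MAC on the port: only a certified device goes to the access VLAN
            if mac and mac.lower() in self.certified:
                return self.set_vlan(ifindex, self.access_vlan)
            return self.set_vlan(ifindex, self.auth_vlan)
        return None


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    print("down:", down_ports(walk))
    sw = OobSwitch("10.0.0.5", "rwcommunity", 100, 10, ["00:11:22:33:44:55"])
    print(" ".join(sw.on_trap("linkDown", 2)))
```

Running snmpwalk with the RO community against a freshly deployed switch, and then snmpset with the RW community against a test port, is the quickest way to prove that the community strings, the SNMP ACL and the VLAN numbers MARS, NCM or the NAC Manager were given are all correct before blaming the application.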
Posted by: Rob Chee
on Sep 17, 2009
Do you have security policy requirements that need to be enforced on your routers and switches? One option to accomplish this task is to periodically check the configurations of all routers and switches. This approach is painful and time consuming. Another option is to use an application to automate this process. This is one of the areas where Cisco Network Compliance Manager (NCM) can assist. With NCM you can create policies that regularly check for elements of your security policy and alert you if they are not being met. NCM does this by first grabbing the router and switch configurations on a periodic basis. NCM then matches these configurations against the NCM policies that you create to meet your security policy. Here’s an example showing how this would be configured within NCM.
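The kind of check an NCM compliance policy performs, written out as an added example; this is not NCM's own rule engine or policy syntax. Each rule is a regular expression that must (or must not) match a line of the captured IOS configuration, plus per-block rules that every `line vty` section has to satisfy. The two configurations are constructed, the `enable secret` hash is a placeholder, and the rule names are the author's.

```python
"""
Configuration compliance checks of the kind NCM policies express.
Added example for this post, not NCM's own rule engine or syntax.
"""
import re

# Constructed configs; the hash in `enable secret` is a placeholder.
NONCOMPLIANT_CFG = """\
hostname edge-rtr-1
enable password cisco123
ip http server
snmp-server community public RW
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

COMPLIANT_CFG = """\
hostname edge-rtr-2
service password-encryption
enable secret 5 $1$salt$placeholderhashvalue
no ip http server
access-list 10 permit 192.0.2.10
snmp-server community s3cr3tRO RO 10
line vty 0 4
 transport input ssh
 exec-timeout 10 0
"""

# (rule name, "require" | "forbid", regex tested against each top-level line)
RULES = [
    ("password-encryption", "require", r"^service password-encryption$"),
    ("enable-secret", "require", r"^enable secret "),
    ("no-enable-password", "forbid", r"^enable password "),
    ("no-http-server", "forbid", r"^ip http server$"),
    ("no-snmp-rw", "forbid", r"^snmp-server community \S+ RW\b"),
    ("no-default-community", "forbid", r"^snmp-server community (public|private)\b"),
]

# Rules every `line vty` block must satisfy
VTY_RULES = [
    ("vty-ssh-only", r"^ transport input ssh$"),
]


def parse_blocks(cfg: str) -> list:
    """Split an IOS config into (line, [indented child lines]) entries; comments dropped."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def check_config(cfg: str, rules=RULES, vty_rules=VTY_RULES) -> list:
    """Return the list of policy violations (empty when the config is compliant)."""
    blocks = parse_blocks(cfg)
    top = [line for line, _ in blocks]
    violations = []
    for name, kind, pattern in rules:
        hit = [line for line in top if re.search(pattern, line)]
        if kind == "require" and not hit:
            violations.append(f"{name}: no line matches /{pattern}/")
        elif kind == "forbid" and hit:
            violations.append(f"{name}: forbidden line present: {hit[0]}")
    # Block rules: a single compliant vty range does not excuse a non-compliant one
    for line, children in blocks:
        if line.startswith("line vty"):
            for name, pattern in vty_rules:
                if not any(re.search(pattern, c) for c in children):
                    violations.append(f"{name}: '{line}' has no line matching /{pattern}/")
    return violations


if __name__ == "__main__":
    for label, cfg in (("edge-rtr-1", NONCOMPLIANT_CFG), ("edge-rtr-2", COMPLIANT_CFG)):
        print(label, check_config(cfg) or "compliant")
```

The per-block rule is the part that simple line matching gets wrong: `line vty 5 15` in the first config is fine, but `line vty 0 4` still accepts telnet, and a policy that only asks "does `transport input ssh` appear anywhere" would pass the device.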
Posted by: Rob Chee
on Jul 25, 2009
When deploying Cisco NAC for desktop computers, it is imperative to minimize the impact on the end user experience as much as possible. This helps to ensure that the NAC deployment does not get derailed by user complaints. One way to minimize the impact is to implement Active Directory Single Sign-On (AD SSO). With AD SSO, the user only has to complete their Microsoft logon; the NAC Appliance uses Kerberos to verify the user's identity instead of prompting for a separate NAC logon. The NAC setup of AD SSO is easy to configure incorrectly, even with the detailed steps in the Cisco NAC Server Configuration Guide. The basic steps are listed below.
Posted by: Rob Chee
on Jul 16, 2009
OMB has mandated the Federal Desktop Core Configuration (FDCC) security configuration. NIST has a detailed set of configuration settings in an Excel spreadsheet that can be downloaded from http://fdcc.nist.gov.