Today, there are many strong cryptographic algorithms and protocols, standards for their use at every layer of the network, and interoperable implementations in many products and in open source. When used appropriately, they provide strong safeguards against attacks that target our networks. Unfortunately, none of this good cryptography will protect anybody if it is used with secrets that are guessable.
Humorist Gene Weingarten claims he knows the secrets that protect the U.S. nuclear launch codes: 070494, which happens to be the date of Obama’s daughter’s birthday. No doubt the secrets are actually better chosen than that, but the joke conveys an important truth: you can’t expect everyone to choose passwords well. You should regard passwords that are human-generated or human-memorable as being guessable. A cryptographic system is only as strong as its weakest element. When human-generated keys are used in cryptography, the system should not be expected to resist a knowledgeable attacker.
Of the key-management options available, digital certificates (public-key credentials) are the strongest choice; you should use them when you can. If for some reason you can’t, and you need to use shared secret keys, then you should make sure that those keys are generated by a uniformly random process (a cryptographically secure random number generator), and not typed in by an administrator in a hurry. I will get to advice on certificates and key generation later, but first I would like to explain why passwords and cryptography don’t mix well.
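The following is an added example, not code from the original post, showing why a human-chosen shared secret is enumerable while a CSPRNG-generated one is not. It assumes a deliberately simple key derivation (SHA-256 of the typed secret) and a challenge/response protocol whose MAC an eavesdropper can capture; both are assumptions for illustration. The attacker simply tries every calendar date formatted the way the joke's launch code is:

```python
import datetime as dt
import hashlib
import hmac
import math
import secrets
from typing import Iterable, Iterator, Optional


def derive_key(secret: str) -> bytes:
    """Stand-in (assumed) for how a product turns a typed secret into a key.
    Hashing adds no entropy: the key is exactly as guessable as the secret."""
    return hashlib.sha256(secret.encode()).digest()


def authenticate(key: bytes, challenge: bytes) -> bytes:
    """Challenge/response MAC as it would cross the wire (assumed protocol)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def date_candidates(first_year: int = 1950, last_year: int = 2011) -> Iterator[str]:
    """Every calendar date as MMDDYY: the space a 'memorable' 6-digit code lives in."""
    day = dt.date(first_year, 1, 1)
    end = dt.date(last_year, 12, 31)
    while day <= end:
        yield day.strftime("%m%d%y")
        day += dt.timedelta(days=1)


def recover_secret(challenge: bytes, response: bytes,
                   candidates: Iterable[str]) -> Optional[str]:
    """Offline attack: an eavesdropper replays the captured exchange against guesses."""
    for guess in candidates:
        if hmac.compare_digest(authenticate(derive_key(guess), challenge), response):
            return guess
    return None


def guess_space_bits(n_candidates: int) -> float:
    """Entropy an attacker must search, in bits, for a space of n equiprobable keys."""
    return math.log2(n_candidates)


def generate_psk(nbytes: int = 32) -> str:
    """What to paste into both ends instead: a key from the OS CSPRNG, hex-encoded."""
    return secrets.token_bytes(nbytes).hex()


def demo():
    """Recover the joke's launch code from one captured exchange (constructed sample)."""
    challenge = b"nonce-from-server"          # constructed sample challenge
    response = authenticate(derive_key("070494"), challenge)  # captured response
    candidates = list(date_candidates())
    recovered = recover_secret(challenge, response, candidates)
    return recovered, len(candidates), guess_space_bits(len(candidates)), guess_space_bits(2 ** 256)


if __name__ == "__main__":
    secret, n, bits_dates, bits_random = demo()
    print(f"recovered '{secret}' after at most {n} guesses ({bits_dates:.1f} bits)")
    print(f"a {len(generate_psk()) * 4}-bit random PSK would need ~{bits_random:.0f} bits of search")
```

Sixty-two years of dates is fewer than 2^15 candidates, so the search finishes in well under a second; a stronger KDF (PBKDF2, scrypt) only multiplies the attacker's cost by a constant, it cannot turn 15 bits into 256. Nothing in the protocol needs to change for the random PSK from `generate_psk()`; only the source of the secret does.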
One of the key tools in the cybercrime toolbox is the drive-by web exploit. Simply put, a drive-by exploit is when a website is compromised so that it later causes the download of software, often from a different server and typically malicious in nature, without the knowledge of the end user. This software may later be used for a variety of things. It may be a keylogger, recording keystrokes to capture things like passwords and credit card data, or it could be a botnet client, turning the victim PC into a zombie used for spam, DDoS or even Bitcoin mining. Regardless, the fundamentals remain the same: do something bad to a website, and that website then causes a silent install of malware on visitors’ machines.
OK, so we all know that mobility has become an absolute necessity in business. How many of us can honestly say that we could last even a day without our smartphone or tablet? We check our email, run enterprise apps, access the ERP, and conduct a host of other activities that require secure VPN access. But just like anything else, there’s a big difference between what we want and what we can (or should) have! After all, enterprise-strength mobility requires enterprise-strength security – something that’s been sorely lacking in all but a few mobile devices.
The much anticipated World IPv6 Day is now behind us. Almost 400 vendors came together on June 8, 2011, enabling IPv6 for their content and services for 24 hours. Cisco was one of them. The goal of the test was to demonstrate the viability, and surface the potential caveats, of a large-scale IPv6 deployment in the real world, as IPv6 has steadily been gaining traction and interest due to the gradual exhaustion of IPv4 addresses.
Internally, Cisco, like most organizations, was preparing for the 24 hours to go smoothly for its own IPv6-served content. At the same time, considering the large deployment of Cisco devices throughout networks everywhere, precautions were taken to address any issues that could arise during the dry run. Fortunately, activities concluded successfully with no major issues, showing that an IPv6 future could be closer than initially thought.
Many reports on results, statistics and lessons learned during the test have already been written, and more will follow. Among those, we would like to stress a few key points taken from Cisco Distinguished and Support Engineers Carlos Pignataro, Salman Asadullah, Phil Remaker and Andrew Yourtchenko, who were all engaged in the project, which give a general feel for how the day went:
Vendor coordination was made possible, showing that even competitors can work together when it comes to a common goal that will benefit everyone.
There were no support cases related to the World IPv6 Day activities, which indicated a good level of both IPv6 preparedness and product readiness.
IPv6 adoption could happen smoothly, avoiding major technical issues when done methodically.
AAAA DNS records that are used for IPv6 do not automatically “break” the Internet, as it was often argued. There are certain challenges with providing an IPv6-enabled DNS infrastructure, but these can be addressed.
User experience feedback was positive, but that feedback was based on an IPv6-only approach. In a dual-stack environment, user experience can deteriorate depending on IPv6 and/or IPv4 performance: a host that prefers IPv6 will wait for a broken IPv6 path to time out before it tries IPv4. In such environments, solutions that track IPv6 and IPv4 performance can help. As the transition will take years, dual-stacked environments will be the way to go, and mechanisms like Happy Eyeballs, which start the IPv6 and IPv4 connection attempts nearly in parallel and keep whichever succeeds first, can make the experience far more transparent for users. The Chrome browser already implements a similar fall-back mechanism, which has had documented benefits for some of its users.
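To make the dual-stack fall-back concrete, here is an added example (not code from the original post or from any of the products it mentions) of a Happy Eyeballs-style connection race in Python's asyncio. The network is simulated: the latencies and outcomes in `SIMULATED_NETWORK` are constructed, the addresses are documentation ranges, and the 250 ms IPv6 head start is an assumed value in the range the Happy Eyeballs proposal suggests.

```python
import asyncio
import time
from typing import Awaitable, Callable, Sequence

# Constructed outcomes for this example: address -> (seconds until answer, succeeds?).
# 2001:db8::1 models the classic dual-stack failure (AAAA record published, but
# the IPv6 path is black-holed, so the connect never completes); 192.0.2.1 answers
# in 50 ms; 2001:db8::2 is a healthy IPv6 path.
SIMULATED_NETWORK = {
    "2001:db8::1": (30.0, False),
    "2001:db8::2": (0.02, True),
    "192.0.2.1": (0.05, True),
}


async def simulated_connect(addr: str) -> str:
    """Stand-in for a TCP connect; for real use, wrap asyncio.open_connection instead."""
    latency, ok = SIMULATED_NETWORK[addr]
    await asyncio.sleep(latency)
    if not ok:
        raise ConnectionError(f"connect to {addr} failed")
    return addr


async def happy_eyeballs(addrs: Sequence[str],
                         connect: Callable[[str], Awaitable[str]],
                         head_start: float = 0.25,
                         timeout: float = 5.0) -> str:
    """Race connection attempts, giving each earlier address a head start.

    addrs should list the preferred (IPv6) addresses first. The first attempt
    to succeed wins and the others are cancelled; if every attempt fails or
    the overall deadline passes, ConnectionError is raised.
    """
    async def attempt(addr: str, delay: float) -> str:
        await asyncio.sleep(delay)
        return await connect(addr)

    pending = {asyncio.create_task(attempt(a, i * head_start))
               for i, a in enumerate(addrs)}
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    errors = []
    try:
        while pending:
            remaining = deadline - loop.time()
            if remaining <= 0:
                break
            done, pending = await asyncio.wait(
                pending, timeout=remaining, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is None:
                    return task.result()        # a winner: stop racing
                errors.append(task.exception())  # a loser: keep waiting on the rest
        raise ConnectionError(f"no address reachable: {errors or 'timed out'}")
    finally:
        for task in pending:                     # tear down the losing attempts
            task.cancel()
        await asyncio.gather(*pending, return_exceptions=True)


def connect_with_fallback(addrs: Sequence[str],
                          connect: Callable[[str], Awaitable[str]] = simulated_connect,
                          head_start: float = 0.25,
                          timeout: float = 5.0):
    """Run the race and report which address won and how long the user waited."""
    async def run():
        start = time.monotonic()
        addr = await happy_eyeballs(addrs, connect, head_start=head_start, timeout=timeout)
        return addr, time.monotonic() - start
    return asyncio.run(run())


if __name__ == "__main__":
    addr, elapsed = connect_with_fallback(["2001:db8::1", "192.0.2.1"])
    print(f"connected via {addr} after {elapsed * 1000:.0f} ms")
```

With the black-holed IPv6 address the user waits about 300 ms (the head start plus the IPv4 round trip) instead of a full TCP connect timeout; with a healthy IPv6 path the IPv6 attempt wins before IPv4 is even tried, so preference for IPv6 is preserved. Python 3.8 and later build this into the standard library: `asyncio.open_connection(host, port, happy_eyeballs_delay=0.25)` races the resolved addresses the same way.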
In conclusion, it is important to note that the successful World IPv6 Day exercise showed that the transition to IPv6 will probably not be nearly as scary as many originally thought. Careful and gradual adoption is easier than was believed, and it is already happening. Product concerns, improvements and caveats here at Cisco are being worked on aggressively, and the future will only include positive developments.
In my last post on this topic, I highlighted just how true the words “Work is no longer a place you go, but what you do” really are. We now have the ability to work anytime, anywhere, using any device. As easy as this has made the lives of workers all over the world, it’s made the lives of security administrators immensely difficult. Providing secure access to the corporate network in a borderless world, while still somehow keeping out the bad stuff, has caused traditional security policies to become increasingly difficult to configure, manage, and troubleshoot – the source of inordinate amounts of pain for security administrators.
That’s why Cisco has introduced identity-based firewall security as a new capability of the ASA platform. As the first installment of what will soon become full context-aware security, identity-based firewall security enables security administrators to use the plain-language names of users and groups in policy definitions. Rather than authoring and managing a growing list of IP addresses to cover every possible location, device, or protocol that may be required for secure access to the network, identity-based firewall security lets security administrators grant access to “Jeff.” Regardless of where I am or what I’m using for access, I’m still Jeff… so in the simplest case, my administrator can literally write one policy to give “Jeff” access to the corporate network, rather than six different rules for the six IP addresses behind all the instantiations of Jeff.