This is the Forth part in the series “Missives from the Trenches.” (Here are the (first), (second), and(third) parts of the series.) In today’s blog post we will be discussing Cisco IOS Netflow. Netflow has an interesting position as being both the most useful and least used tool. When meeting with other companies I often ask them “do you use Netflow?” By asking this question I am actually asking several different questions--Do you care about the security of your site? Or do you have any hopes in managing/responding to events at your site? Answers to these questions unfortunately tend to be as follows: What is Netflow? The network guys use it but we don’t. I think we capture it somewhere but not really sure where -- and so on. I then mention that Netflow is free, they don’t have to buy anything to start using it, and it’s used for every large case we do. At that point they start looking angrily at the sales engineer asking why this is the first they are hearing about it. So what is Netflow and why does Cisco CSIRT say its critical to daily event management? Read on to find out!
Cisco has had a long history of supporting the Forum of Incident Response Teams (FIRST), as members in the organization, as chairs of various programs, steering committee members, and conference organizers. Cisco has also been providing the network for the global conference for many years. This year I am chairing the conference that will be held in Vienna on June 12-17, 2011. To that end, I am asking for some good security presentations for this year’s conference. We already have some great submissions from Interpol, Kapersky ENISA, etc. As chair I would really like to differentiate the conference with presentations based on real-world cybercrime defense. As we look back we see how rapidly the environment has changed over the past 10 years, starting to bring focus on upcoming changes on the horizon with things like borderless networks, externalization of services, and cloud. And then, further, combine that with the increasing monetization and militarization of cyber threats. FIRST would like to take a close look at the protections and responses of the past, and whether they will be up to the challenge or part of the problem. I talk more about the theme and the conference in this short podcast.
If you have something you would like to share with the security community please read below and contact us using the Speakers Submission Form.
How does Cisco deal with cyber threats from the web? How does Cisco protect any device on a network? The following video will give you an update from Cisco CSIRT’s Gavin Reid on how Cisco is combating this increasing threat.
This is the third post in a series that focuses on a view from the trenches. In this post I will examine inline and passive intrusion prevention/detection installations. Although the industry trend is that the automation aspects of inline IPS make it more useful, does that mean that passive intrusion detection as a technology is obsolete? While the benefits of inline IPS are easy to see, I want to point out a few situations where it may still be useful to use passive intrusion detection.
There is a debate today on the value of IDS/IPS and whether IDS has to be inline to be valuable. (See my previous posts for more background on the merits of IPS.) At first, all intrusion detection was passive, looking for attack signatures on the wire. Of course predictively analyzing and detecting all attacks has an inherent conflict: if we can predict it enough to analyze it with a high degree of fidelity, we could just prevent it. This set the stage for an inline preventative IDS (IPS). The intrusion detection market has been progressively moving in this direction. One of the business influences leading to that trend could be described as follows:
A company has a small security team, they purchase and deploy IDS for $1000 and get many alerts; their security posture remains static. The company purchases SIM for $1000 to help manage alerts and their security posture remains static. The company then hires more people to tune, manage, and respond to their IDS deployment and, a year or two down the road and $100,000 later, they start to identify and reduce issues.
In today’s fast-changing world, the return on investment (ROI) is hard to justify and is a long time coming. Switch to IPS and that same small security team buys and deploy something inline for $1000 and their security posture starts to improve immediately. Is IDS dead? Is IPS the only way to go? Read on to find out.
In this post we will be building on the ideas covered in my previous post, Whales and IDS, and discussing how striving for the possible, not the perfect, is a valuable direction to take; not just with IPS, but with management and monitoring alerts from IDS too.
At Cisco, my team (Cisco CSIRT) is responsible for investigations into any cyber attacks against Cisco.com. Back when we first deployed IDS, we found that hundreds of IPs from all over the world were attacking us all the time. Right now there are probably 100 different sources port-scanning, probing our web infrastructure, looking for a way in. An IPS would detect these attacks, but we have a relatively small team and we can’t act on everything, so we really have to make sure we DO act on the important stuff. In the Cisco.com environment, we get over a million inbound attacks every day. Very rarely do the attacks have any level of success, and no one can physically examine that many legitimate (but unsuccessful) attacks. Yes, examining each and every one of those attempts would be perfect, just not feasible. But we haven’t let the ideal get in the way of the possible. I’ll give you an example of how we used this line of thinking to improve the security of the site.