Cisco Blogs


The Three Pillars to Cisco’s Secure Data Center Strategy: Part 2 Threat Defense

In part one of our series on Cisco’s Secure Data Center Strategy, we took a deeper dive into segmentation. As a refresher, segmentation can be broken into three key areas. The first is the need to create boundaries: perimeters are dissolving and many environments are no longer trusted, forcing us to segment compute resources, the network, and virtualized attributes and environments. Second, along with segmenting physical components, policies must be segmented by function, device, and organizational division. Lastly, segmenting access control around networks and resources, whether compute, network, or applications, offers a higher level of granularity and control; this includes role-based and context-based access. Ensuring that policy carries across the boundaries is of primary concern. To learn more about segmentation, see part one of this series.

Today we will dive deeper into Cisco’s security value-add of threat defense.

Technology trends such as cloud computing, the proliferation of personal devices, and collaboration are enabling more efficient business practices, but they are also putting a strain on the data center and adding new security risks. As technology becomes more sophisticated, so do targeted attacks, and the resulting security breaches are far more costly. The next figure is from InformationWeek’s 2012 Strategic Security Survey and illustrates the top security breaches over the previous year.


The Three Pillars to Cisco’s Secure Data Center Strategy: Part 1 Segmentation

Last week Cisco announced several new products in its Defending the Data Center launch. These included the Cisco Adaptive Security Appliance Software Release 9.0, Cisco IPS 4500 Series Sensors, Cisco Security Manager 4.3, and the Cisco ASA 1000V Cloud Firewall, adding enhanced performance, management, and threat defense capabilities. Core to this launch was also Cisco’s new strategy for developing Secure Data Center Solutions, a holistic approach similar to what Cisco previously did with Secure BYOD. This new strategy integrates Cisco security products into Cisco’s networking and data center portfolio to create validated designs and smart solutions. Organizations that lack the bandwidth, resources, or know-how to test and validate holistic designs can simply deploy template configurations based on pre-tested environments that cover complete data center infrastructures. These designs enable predictable, reliable deployment of solutions and business services and allow customers’ infrastructures to evolve as their data center needs change.

In developing this strategy we interviewed numerous customers, partners, and field sales reps to formulate the role of security in the data center and how to effectively get to the next step in the data center evolution, or journey, whether you are just beginning to virtualize or have already advanced to exploring various cloud models. Three security priorities consistently came up and became the core of our strategy for delivering security value-add. They are Segmentation, Threat Defense, and Visibility. This blog series, beginning with segmentation, will provide a deeper dive into these three pillars.

Segmentation itself can be broken into three key areas. Perimeters are beginning to dissolve and many environments are no longer trusted, forcing us to segment compute resources, the network, and virtualized environments to create new boundaries, or zones. Along with segmenting physical components, policies must include segmentation of virtual networks and virtual machines, as well as segmentation by function, device, and logical association. Lastly, segmenting access control around networks and resources, whether compute, network, or applications, offers a higher level of granularity and control; this includes role-based and context-based access. Let’s dig deeper.


6.5 million password hashes suggest a possible breach at LinkedIn

LinkedIn is believed to have suffered a password hash breach (updated: LinkedIn has confirmed the breach), thanks to a forum post that quickly caught the attention of security researchers on Twitter and other social outlets. The posted archive contained a 270+ MB text file of SHA-1 hashes, and forum discussions suggested that it was related to the popular business-centric social site.

At the moment, little is known and speculation is running wild. LinkedIn has not finished investigating whether they have been breached; however, many security pros are confirming for the media that the SHA-1 hashes of their own passwords are found in the file. The file is constructed in a hash-per-line fashion, with no evident plaintext (such as usernames) suggesting it is anything other than passwords. However, it’s possible that whoever gained the original access to the hashes had, or still has, access to additional details.

I obtained a copy of the hash list, produced a SHA-1 hash of my old LinkedIn password, and did indeed find it in the list. I have also spot-checked several other hashes posted by security pros on Twitter, and have found them as well. Given the nature of my own password (16 random characters comprised of A-Z, a-z, and 0-9), the likelihood that the SHA-1 hash of my password (which was unique to LinkedIn) would be present in a file that did NOT come (at least in part) from a source with access to hashes of LinkedIn passwords is statistically impossible.
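To make the spot-check described above concrete, here is an added example in Python (it is not code from the original post). It parses a hash-per-line dump into a set, tests whether the unsalted SHA-1 of a candidate password appears in it, and runs a small dictionary attack that shows why an unsalted fast hash is cheap to crack at scale. The dump and wordlist below are constructed for the example (hashes of made-up passwords plus a malformed line); they are not data from the LinkedIn file.

```python
import hashlib
import re
from typing import Dict, Iterable, Set

HEX_SHA1 = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the UTF-8 password as lower-case hex: the form seen
    one per line in the leaked file (no salt, no username)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def load_hash_list(text: str) -> Set[str]:
    """Parse a hash-per-line dump into a set. Lines that are not 40 hex
    characters (blank lines, stray text) are skipped; case is normalised."""
    hashes = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if HEX_SHA1.match(line):
            hashes.add(line)
    return hashes


def password_in_dump(password: str, hashes: Set[str]) -> bool:
    """The spot-check from the post: hash your own password and look it up."""
    return sha1_hex(password) in hashes


def crack(hashes: Set[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack. Because the hashes are unsalted, one SHA-1 per
    candidate word is compared against every leaked hash at once, so the
    cost grows with the wordlist, not with the number of hashes leaked."""
    found = {}
    for word in wordlist:
        digest = sha1_hex(word)
        if digest in hashes:
            found[digest] = word
    return found


# Constructed sample dump for this example (NOT the LinkedIn data):
# two weak made-up passwords, one strong one, one malformed line, one blank.
SAMPLE_DUMP = "\n".join([
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",  # SHA-1("password"), upper-case to exercise normalisation
    sha1_hex("letmein"),
    sha1_hex("q7$Vx2!LmZ9pRtW0"),  # a 16-character random-style password
    "this line is not a hash",
    "",
])

# Constructed wordlist standing in for the dictionaries crackers actually use.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "linkedin", "qwerty"]

if __name__ == "__main__":
    hashes = load_hash_list(SAMPLE_DUMP)
    print(f"{len(hashes)} hashes loaded")
    print("letmein present:", password_in_dump("letmein", hashes))
    for digest, word in crack(hashes, SAMPLE_WORDLIST).items():
        print(digest, "->", word)
```

The strong password survives the wordlist while the weak ones fall out immediately; that asymmetry is exactly why a random 16-character password appearing in the file is such strong evidence that the file came from LinkedIn’s hashes. Had each hash carried a per-user salt, `crack` would need one SHA-1 per (word, user) pair instead of one per word, which is the property a salted, slow password hash buys you.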


CSIRT Monitoring for Cisco House at the London 2012 Olympic Games

As part of CSIRT’s mobile monitoring offering for special events, we undertook monitoring of the corporate and customer traffic of the Cisco House at the London 2012 Olympics. This engagement presents us with an excellent opportunity to showcase Cisco technology while keeping a close watch on potential network security threats. CSIRT monitoring for this event will be active for the entire lifespan of the Cisco House, from two months before the Olympics until two months after.

For the London 2012 engagement, we shipped our gear in a containerized, shipping-ready 14RU military-grade rack. Inside the mobile monitoring rack we have an assortment of Cisco kit and third-party kit that mirrors the monitoring we do internally:

  • Catalyst 3750 to fan out traffic to all the other devices
  • FireEye for advanced malware detection
  • Two Cisco IronPort WSA devices for web traffic filtering based on reputation
  • Cisco UCS box where we run multiple VMs
  • Lancope StealthWatch collector for NetFlow data
  • Cisco 4255 IDS for intrusion detection

We mirror the signatures that we have deployed internally at Cisco out to these remote locations. Depending on the environment where the mobile monitoring rack is deployed, we may also do some custom tuning. The kit in the mobile monitoring rack can do intrusion detection and advanced malware detection, and can collect and parse NetFlow and log data for investigation purposes. The Cisco UCS rack server also hosts several VMs, allowing us to run multiple tools that complement the other devices in the rack. For example, we run a Splunk instance on a VM to collect the logs generated by all the services. The data from the gear in the mobile monitoring rack is analyzed by our team of analysts and investigators to eliminate false positives, conduct mitigation and remediation, and finally produce an incident report if required.
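As an added illustration of the "collect and parse NetFlow" step (example code written for this page, not Cisco CSIRT’s tooling or anything from StealthWatch), the following Python decodes a NetFlow v5 export datagram using the standard 24-byte header and 48-byte record layout, then applies one simple investigation query of the kind an analyst would run over the collected flows: internal hosts sending unusually large volumes to external addresses. The datagram, the internal-network list, and the byte threshold are constructed assumptions for the example, not values from the engagement.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# NetFlow v5 wire format: a 24-byte header followed by up to 30 records of
# 48 bytes each, all fields big-endian.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)

# Assumed "inside" address space for the monitored site (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def parse_netflow_v5(datagram: bytes) -> List[Dict]:
    """Decode one NetFlow v5 export datagram into a list of flow dicts.
    Rejects non-v5 packets and datagrams shorter than the record count
    in the header claims, so a truncated export cannot yield garbage flows."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < needed:
        raise ValueError("truncated datagram: header promises more records than present")
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = _ip(rec[key])
        flows.append(rec)
    return flows


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def large_outbound_flows(flows: List[Dict], min_octets: int) -> List[Tuple[str, str, int, int]]:
    """Investigation query: flows from an internal source to an external
    destination carrying at least min_octets bytes. Returns
    (src, dst, dstport, bytes) tuples for the analyst to triage."""
    return [
        (f["srcaddr"], f["dstaddr"], f["dstport"], f["dOctets"])
        for f in flows
        if is_internal(f["srcaddr"]) and not is_internal(f["dstaddr"])
        and f["dOctets"] >= min_octets
    ]


def _record(src: str, dst: str, sport: int, dport: int, pkts: int, octets: int, proto: int = 6) -> bytes:
    """Pack one constructed v5 record (used only to build the sample datagram)."""
    return V5_RECORD.pack(
        int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)), 0,
        1, 2, pkts, octets, 1000, 2000, sport, dport,
        0, 0x18, proto, 0, 0, 0, 24, 24, 0,
    )


# Constructed sample export (not captured traffic): one large upload from an
# internal host to an external address, and one small internal SMB flow.
SAMPLE_DATAGRAM = (
    V5_HEADER.pack(5, 2, 123456, 1343000000, 0, 42, 0, 0, 0)
    + _record("10.1.2.3", "203.0.113.5", 51000, 443, 4000, 250_000_000)
    + _record("10.1.2.4", "10.1.9.9", 51001, 445, 20, 3000)
)

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    for f in flows:
        print(f"{f['srcaddr']}:{f['srcport']} -> {f['dstaddr']}:{f['dstport']} "
              f"proto={f['prot']} bytes={f['dOctets']}")
    print("flagged:", large_outbound_flows(flows, 100_000_000))
```

In practice the collector listens on UDP, feeds each datagram through a parser like `parse_netflow_v5`, and the query side lives in the flow database or SIEM; the point of the length checks is that a flow exporter on a busy link will occasionally truncate or reorder, and a parser that trusts the header count blindly will hand the analyst fabricated records.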
