Cisco Blogs



Foundational Network Traffic Collection and Analysis Setup

This introductory post explains how one of Cisco’s security research groups established a collection capability for large volumes of network traffic. The capability was built to support research into selected aspects of the Domain Name System (DNS), but it can be adapted for other purposes.

DNS exploitation is frequently the means by which malicious actors seek to disrupt the normal operation of networks; DNS cache poisoning and DNS amplification attacks are two well-known examples among many. A quick search at cisco.com/security returns a large body of published content on the subject, which indicates both how critical DNS is and how much exposure is associated with it.

Our research required the ability to collect DNS data and extract DNS attributes for various analytical purposes. This post focuses on the collection capability for DNS data.
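As an added example (not code from the Cisco post, and not the group's own tooling), the following Python block shows the attribute-extraction step the excerpt refers to: a minimal parser for the DNS wire format (RFC 1035 header, question and answer layout, including label compression) that pulls out the fields a collection pipeline would typically log from a query/response pair, and computes the response-to-query size ratio that an amplification-attack check would key on. The two packets are constructed inline for the example, not captured traffic; the hostname, transaction ID and addresses are illustrative. It also demonstrates the caveat a practitioner would want: a crafted message with a compression-pointer loop or a truncated name must be rejected rather than hang the parser.

```python
"""Minimal DNS wire-format parser and attribute extractor (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA", 255: "ANY"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) domain name starting at `offset`.

    Returns (name, offset_after_name). Compression pointers (top two bits 11) are
    followed, but the returned offset is the position just after the first pointer,
    as the wire format requires. A hop counter rejects pointer loops, which a crafted
    response could otherwise use to hang a naive parser.
    """
    labels: List[str] = []
    end: Optional[int] = None      # offset to return; fixed when the first pointer is seen
    hops = 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(buf):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | buf[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(buf):
            raise ValueError("label runs past end of message")
        labels.append(buf[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return (".".join(labels) if labels else "."), (end if end is not None else offset)


def _rdata_to_text(buf: bytes, rtype: int, off: int, rdlen: int) -> str:
    if rtype == 1 and rdlen == 4:                      # A record: dotted quad
        return ".".join(str(b) for b in buf[off:off + 4])
    if rtype in (2, 5, 12):                            # NS / CNAME / PTR: a name
        return parse_name(buf, off)[0]
    return buf[off:off + rdlen].hex()                  # anything else: raw hex


def parse_message(buf: bytes) -> Dict:
    """Parse header, question and answer sections; authority/additional are skipped."""
    if len(buf) < 12:
        raise ValueError("DNS header is 12 bytes")
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    msg = {"id": msg_id, "qr": "response" if flags & 0x8000 else "query",
           "opcode": (flags >> 11) & 0xF, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
           "questions": [], "answers": [], "length": len(buf)}
    off = 12
    for _ in range(qd):
        name, off = parse_name(buf, off)
        if off + 4 > len(buf):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        msg["questions"].append({"name": name, "type": TYPE_NAMES.get(qtype, str(qtype))})
    for _ in range(an):
        name, off = parse_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated resource record")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise ValueError("rdata runs past end of message")
        msg["answers"].append({"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
                               "ttl": ttl, "rdata": _rdata_to_text(buf, rtype, off, rdlen)})
        off += rdlen
    return msg


def amplification_factor(query: bytes, response: bytes) -> float:
    """Response bytes per query byte; large ratios are what amplification abuse relies on."""
    return len(response) / len(query)


def extract_attributes(query: bytes, response: bytes) -> Dict:
    """Pair a query with its response and pull out the attributes worth logging."""
    q, r = parse_message(query), parse_message(response)
    if q["id"] != r["id"]:
        raise ValueError("transaction ID mismatch: not the same exchange")
    return {"qname": q["questions"][0]["name"], "qtype": q["questions"][0]["type"],
            "rcode": r["rcode"],
            "answers": [(a["type"], a["rdata"], a["ttl"]) for a in r["answers"]],
            "min_ttl": min((a["ttl"] for a in r["answers"]), default=None),
            "amplification": round(amplification_factor(query, response), 2)}


def rejects(buf: bytes) -> bool:
    """True if the parser rejects `buf` as malformed instead of hanging or crashing."""
    try:
        parse_message(buf)
    except ValueError:
        return True
    return False


# Constructed sample packets (not captured traffic): a query for www.example.com and a
# response carrying a CNAME plus an A record, both using compression pointers (0xC0xx).
QUERY = bytes.fromhex("12340100" "0001000000000000"
                      "03777777076578616d706c6503636f6d00" "00010001")
RESPONSE = bytes.fromhex("12348180" "0001000200000000"
                         "03777777076578616d706c6503636f6d00" "00010001"
                         "c00c" "0005" "0001" "00000e10" "0002" "c010"      # CNAME example.com
                         "c010" "0001" "0001" "0000012c" "0004" "5db8d822")  # A 93.184.216.34

if __name__ == "__main__":
    print(extract_attributes(QUERY, RESPONSE))
```

The parser deliberately stops at the answer section; authority and additional records use the same resource-record layout and can be read with the same loop. Running `extract_attributes` on the sample pair yields the query name and type, the response code, the answer chain (CNAME then A) with TTLs, and an amplification factor of about 1.91, which is unremarkable; the same ratio computed over ANY or TXT responses is where amplification abuse shows up.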


MDM and Cisco’s ISE?

May 7, 2013 at 10:03 am PST

Mobile Device Management or MDM is ideal for addressing many challenges inherent to our ‘Bring your own Device’ culture. MDM can help enforce policy for mobile devices but when you look closer, you begin to realize it does not solve everything. The challenge is when we ask our MDM technology to make policy decisions out of context.

Cisco’s Identity Services Engine (ISE) offers centralized policy and network intelligence as a complement to MDM, making up a complete security solution.

This is where Cisco comes in with ISE, the Identity Services Engine. We did a Fundamentals of ISE a while back that still serves as a great backdrop for getting your head around it. ISE is frequently lauded for its ability to provide a single repository for all the potentially complex rules and regulations we need on our network. The point right now, however, is making sure we know where ISE begins and ends in relation to MDM. Neither can act completely alone and accomplish everything most customers are hoping for, especially in a BYOD solution. But where does each begin and end?


Shedding More Light on MDM

May 7, 2013 at 5:00 am PST

My friends at Cisco’s TechWiseTV have taken MDM to heart and offer some keen insight into MDM from a geek’s POV (point of view). Starting with a primer on MDM, Networking 101: MDM, Jimmy Ray answers the questions “what is MDM?” and “what can it do for my organization?” in his entertaining and educational whiteboard style.


Security Logging in an Enterprise, Part 2 of 2

This is the second and final part of my series about security logging in an enterprise.

We first logged IDS, some syslog from some UNIX hosts, and firewall logs (circa 1999). We went from there to dropping firewall logging as it introduced some overhead and we didn’t have any really good uses for it. (We still don’t.) Where did we go next? Read on.


Department of Labor Watering Hole Attack Confirmed to be 0-Day with Possible Advanced Reconnaissance Capabilities

May 4, 2013 at 2:56 pm PST

Update 2 5/9/2013:

Microsoft has released a “Microsoft Fix it” as a temporary mitigation for this issue on systems that require IE8. At this time, multiple sites have been observed hosting pages that exploit this vulnerability. Users of IE8 who cannot update to IE9+ are urged to apply the Fix it immediately.

Update 5/6/2013:

An exploit for this bug is now publicly available within the Metasploit Framework. Users of the affected browser should consider updating to IE9+ or using a different browser until a patch is released. Given the nature of this vulnerability, additional exploitation is likely.

At the end of April, a watering hole–style attack was launched from a United States Department of Labor website. Many are theorizing that this attack may have been an attempt to use one compromised organization to target another. Visitors to specific pages hosting nuclear-related content on the Department of Labor website were also receiving malicious content loaded from the domain dol.ns01.us. Initially it appeared that this attack used CVE-2012-4792 to compromise vulnerable machines; however, Microsoft is now confirming that this is indeed a new issue. It has been designated CVE-2013-1347 and is reported to affect all versions of Internet Explorer 8.
