Network Response

Cisco IPS 6.1 and IME Released

2008-05-01T14:10:00.008+01:00

Cisco IPS Sensor Software 6.1 and the new Cisco IPS Manager Express software have been released. Thanks to Joe Harris` Blog for this.

IPS Sensor Software 6.1 now includes auto-update direct from Cisco.com, great about time!

And the free IPS Manager Express is a very welcome feature, that also includes many video trainings built-in, on how to use the product.

See a sample of screen shots below, if you manage under 5 sensors, i definitely recommend you take a look.

IPS Sensor Updates

Managing Upto 5 Sensors

Event Monitoring/Deny Attacker

IPS Policy/Risk Rating

Video Training

New Components of the Cisco Self Defending Network

2008-04-10T10:05:00.002+01:00

Joe Harris, on the 6200networks blog, has some great info on the next phase of the Cisco Self-Defending Network strategy.

One new component that caught my eye, is the Cisco IPS Manager Express (IME), a brand new all-in one application for IPS provisioning, monitorin and reporting, for upto 5 sensors.

You can find the data sheet HERE.

WAAS Mobile Released

2008-02-04T11:02:00.000+01:00

I noticed from the Cisco Networkers 2008 Blog, that WAAS Mobile was released.

You can find the VIDEO datasheet HERE, and also the product datasheet HERE.

EOL/EOS for the Cisco IDS 4215 Sensor

2008-01-31T10:33:00.000+01:00

Not being content enough with the EOL for the Cisco PIX, Cisco have now announced the end-of-sale and end-of life dates for the Cisco IDS 4215 Sensor!

The EOL notice can be found here.

"Customers with the Cisco IDS 4215 Sensor are encouraged to migrate to the Cisco ASA 5510 Adaptive Security Appliance Intrusion Prevention System (IPS) solution with Advanced Inspection and Prevention Security Services Module AIP-SSM-10. The Cisco ASA 5510 IPS solution with AIP-SSM-10 provides a higher IPS throughput of 150 Mbps plus industry-leading firewall protection. Customers with higher performance requirements can purchase the Cisco IPS 4240 Sensor or the Cisco ASA 5520 IPS solution with AIP-SSM-20. Supporting throughput of 250 Mbps, the Cisco IPS 4240 Sensor supports inline, promiscuous, and hybrid deployment modes. The Cisco ASA 5520 IPS solution with AIP-SSM-20 provides IPS throughput of 375 Mbps in addition to industry-leading firewall protection."

EOL for Cisco PIX!

2008-01-31T10:27:00.000+01:00

Well its been coming for ages, but Cisco have finally announced the EOL for the Cisco PIX.

The EOL and EOS Notices can be found HERE, but basically all models, 501,506,515E,525,535 are now effectively End of Life, along with the software versions 6.3, 7.0, 7.2 and 8.0!

"Cisco PIX Security Appliance customers are encouraged to migrate to Cisco ASA 5500 Series Adaptive Security Appliances. In addition to providing more firewall capabilities and the same IPsec VPN capabilities as Cisco PIX Security Appliances running version 8.0 software, the Cisco ASA 5500 Series offers significantly better performance and scalability, SSL VPN support, advanced Unified Communications (voice/video) security, and a modular design that allows customers to add features such as intrusion prevention (IPS), antivirus, antispam, antiphishing, URL filtering, and more. Migration to the Cisco ASA 5500 Series is straightforward, as consistent management and monitoring interfaces are provided, allowing customers to take advantage of their knowledge and investment in Cisco PIX Security Appliances."

ASA 5580

2008-01-23T12:21:00.000+01:00

The press release states.."Cisco today announced the availability of the Cisco ASA 5580 Series Adaptive Security Appliances, the company's highest-performing security appliance offering. The new Cisco ASA 5580 is a super-high-performance security platform equally well suited for deployment as a highly scalable firewall with up to 20 gigabits per second (Gbps) of throughput, as well as a 10,000 user remote-access concentrator for Secure Sockets Layer (SSL) and IP Security (IPsec)-based virtual private networks (VPN)."

For ASA model comparison click HERE.

ASA Threat Detection

2007-11-21T10:46:00.000+01:00

Joe Harris on his 6200networks blog, has done a great write up on the PIX/ASA feature - Threat Detection.

"Threat detection uses historical rates over various firewall operations to provide: * Basic threat detection reports of possible attacks detected by firewall * Scanning threat detection based on host, subnet, port and general threat detected by firewall or inspection engines * Statistics based on host, port, or protocol * Top 10 list for each statistics type"

Type 7 decryption in Cisco IOS

2007-11-14T10:12:00.000+01:00

Ivan Pepelnjak`s great blog IOS Hints and Tricks has a great tip for decoding type-7 passwords, on the router itself, rather than with a password cracking program.

You can see the article here.

Cisco NAC Demos

2007-11-02T17:13:00.000+01:00

Following on from the successful Cisco MARS demos, on Demolabs.co.uk, I thought i`d let you know about some new Cisco NAC Appliance Demos.

There are 2 Demos today, one is using Cisco NAC Appliance with WSUS (Windows Server Update Services), then second is a Demo of the new Cisco NAC Guest Server, integrated with Cisco NAC Appliance.

These can be found here.

Cisco IPS AIM for ISRs

2007-10-31T15:04:00.000+01:00

I noted from the 6200networks blog, that the new Cisco IPS Advanced Integration Module (IPS AIM), is now available.

The Cisco^® Intrusion Prevention System Advanced Integration Module (IPS AIM) brings integrated intrusion prevention to enterprise branch offices and expands network security to the edge. The Cisco IPS AIM for the Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers brings Cisco IPS to branch offices and small businesses.

More info on this can be found here

Cisco NAC Guest Server

2007-10-31T15:01:00.000+01:00

Cisco® NAC Guest Server is a new appliance that works with either Cisco NAC Appliance or Cisco Wireless LAN controllers to manage the entire life cycle of guest access, including:

Provisioning - Allows any internal sponsor to create accounts
Notification - Provides access details by print, email or sms
Management - Change and Suspend Accounts
Reporting - Full Reporting accounts and guest activity

A diagram on the integration with NAC Appliance is shown below..

Further info on this new device, can be found in the datasheet.

New Ask the Expert Forums

2007-10-26T12:00:00.000+01:00

Just a note on two new "Ask the Expert" Forums on the Cisco Website.

The first is discussing Network Admission Control in Branch Office, with Tips for deploying NAC network module for Cisco Integrated Services Router (ISR) to enforce security policies at the branch.

The second, is on how to have a good incident management process to prepare for security threats which have increased dramatically.

Cisco 4270 IPS Sensor

2007-10-10T10:39:00.000+01:00

There is a new model in the IPS Sensor family, the 4270.

Part of the Cisco Intrusion Prevention System family of products, this inline network security appliance provides up to 4 Gbps of intrusion prevention performance. With optional fiber or copper NIC cards for as many as 16 interfaces, you can monitor multiple segments for malicious traffic.

See a Video HERE, or datsheet HERE.

Cisco NAC Module for ISRs

2007-10-02T16:58:00.001+01:00

The Cisco® NAC Network Module for Integrated Services Routers (NME-NAC-K9) brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers.

A new datasheet is now available HERE.

I have one of these new NAC modules in a demolab, so i`ll be doing a couple of articles soon.

Cisco IPS Engines - Normalizer Continued

2007-10-02T15:03:00.000+01:00

Carrying on with the Cisco IPS Normalizer Engine, and TCP Steam Reassembly. Part One of the article can be found here.

You can configure the sensor to monitor only TCP sessions that have been established by a complete three-way handshake. You can also configure how long to wait for the handshake to complete, and how long to keep monitoring a connection where no more packets have been seen.

The goal is to prevent the sensor from creating alerts where a valid TCP session has not been established. There are known attacks against sensors that try to get the sensor to generate alerts by simply replaying pieces of an attack. The TCP session reassembly feature helps to mitigate these types of attacks against the sensor.

You first choose the method the sensor will use to perform TCP stream reassembly, then you can tune TCP stream reassembly signatures, which are part of the Normalizer engine.

Stream Reassembly—Lets you configure TCP stream reassembly.

TCP Handshake Required—Specifies that the sensor should only track sessions for which the three-way handshake is completed. (The default is Yes)

TCP Reassembly Mode—Specifies the mode the sensor should use to reassemble TCP sessions with the following options:

Asymmetric—Can only see one direction of bidirectional traffic flow.

Asymmetric mode lets the sensor synchronize state with the flow and maintain inspection for those engines that do not require both directions. Asymmetric mode lowers security because full protection requires both sides of traffic to be seen. The asymmetric option disables TCP window evasion checking.

Strict—If a packet is missed for any reason, all packets after the missed packet are not processed. (This is the default mode)

Loose—Allows gaps in the sequence.

Different TCP Stream Reassembly Signatures have different parameters that can be modified.

Next up will be the Services Engines, and more specifically the Service - DNS.

Cisco Applied Intelligence Response: Microsoft Security Bulletin for September 2007

2007-09-25T12:27:00.001+01:00

Microsoft announced four security bulletins containing four vulnerabilities as part of the monthly Security Bulletin release on September 11, 2007.

This Cisco Applied Intelligence Response document highlights the vulnerabilities that can be effectively identified and/or mitigated using Cisco network devices, including PIX/ASA, IPS, MARS and Cisco Security Agent.

OnPodcasts

2007-09-20T09:06:00.000+01:00

I came across this new Podcast service the other day.

http://www.onpodcastweekly.com/

OnSecurity—will talk to some of the security industry's leading experts about a wide range of network, system, and software security issues. Our interviews include talks with Software Security author Gary McGraw, Security Metrics author Andrew Jaquith, and Firewall Fundamentals author Wes Noonan to name just three. With discussions on topics ranging from rootkits and exploiting online games to Java security and firewall basics, we have something for security professionals working in every part of the industry.

OnNetworking, the OnPodcast Network's newly introduced service, features video and audio conversations with the most influential networking professionals and best-selling authors in the networking technology space.

There are a few other categorys too, OnMicrosoft, OnNetworking plus a few more.

Techwise TV - Email Show

2007-09-20T08:56:00.000+01:00

Techwise TV will be hosting a show on Email Threats and how to deal with them. This looks to be an interesting show, as it will feature the recently acquired IronPort.

Check it out here, on Today.

Great Cisco Icons

2007-09-11T12:12:00.000+01:00

If your always producing Cisco network diagrams for yourself or Customers, then heres a handy set of powerpoint slides for you.

This set of Cisco ICONS has been put together by Jeremy Cioara, who you may know from the CBT Nuggets series, and published on his Cisco Blog.

Book Review: Cisco NAC Appliance: Enforcing Host Security with Clean Access

2007-09-04T14:59:00.000+01:00

Title: Cisco NAC Appliance: Enforcing Host Security with Clean Access
Authors: Jamey Heary, Jerry Lin, Chad Sullivan, Alok Agrawal
Publisher: Cisco Press

Quote "Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection, enforcement, and remediation solution that is designed to meet these new challenges. Cisco NAC Appliance allows you to enforce host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system. Cisco NAC Appliance provides proactive protection at the network entry point."

This was a long awaited book for me, and i`ve been installing NAC Appliance for a while now.

Inband, Out-of-Band, L2 vs L3, Central and Edge Deployments, SSO, CAM, CAS its very easy to get lost in all the NAC Appliance Jargon, especially when reading the NAC documentation for the first, second or third time!

The Chalk-Talk series on Cisco.com is good, but the book is much, much better, at understanding the Cisco NAC Appliance Solution, and its a whopping 576 pages too.

Its a great resource to have on your desk, that explains the product in detail, potential gotchas, and many helpful hints to aid you in a successfull NAC Appliance Implentation.

There are 15 chapters covering the basis of the solution, the building blocks, the Roles, Traffic Policies, Posture Rules, Remedaition, Single Sign On, Troubleshooting with many examples and switch configs steps along the way.

If your have just implemented a Cisco NAC Appliance solution or are considering doing so, then this book is a definate buy for you.

NME-NAC-K9 module now available

2007-09-03T16:37:00.000+01:00

The new Cisco NAC Module for the ISR, is available now, with the images on CCO.

Quote from Jamie R. Sanbower`s NAC Appliance Blog, "The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers.

The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code."

The release notes for these modules are available HERE.

Cisco IPS Auto Update

2007-08-12T21:11:00.000+01:00

How can you schedule Service Packs and Signature updates for your Cisco IPS Sensor? Well this can be done with the Auto Update feature.

Now before i go into the configuration, there is an important point to note. The sensor cannot automatically download service pack and signature updates from Cisco.com. You must first download the updates with your own CCO account, and save these on your FTP or SCP server. This is where we define the location of the files in the Auto Update feature.

Below, i have used 3CDaemon, but any FTP Server should befine, except a known problem with Microsoft FTP server using MS-DOS style-paths.

You simply define the IP address of the FTP or SCP Server, and a username, password plus directory. Then specify a start time, and frequency.

Hey presto, thats it. If there is an available update, it is downloaded and installed. Only one update is installed per cycle even if there are multiple available candidates. The sensor determines the most recent update that can be installed and installs that file.

A hint on troubleshooting this feature. There is an event generated, if you specify an incorrect username or password for the FTP/SCP Server...

Lastly, bear in mind there is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow but not inspected if you have auto bypass enabled.

New NAC Book Available on Safari

2007-08-06T09:30:00.000+01:00

The new Cisco NAC Appliance Book: Enforcing Host Security with Clean Access, is now available on Safari BooksOnline, for those people with a subscription.

Look out soon for a review.

NAC Appliance 4.1.2

2007-07-30T13:54:00.000+01:00

NAC Appliance version 4.1.2 should be available very soon, according to the NAC Appliance Blog.

An interesting note from the release notes, is the support for the new NAC appliance module....

"Release 4.1(2) introduces support for the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs)."

More info on this new module soon.

Cisco IP Signature Engines - Normalizer Engine

2007-07-10T15:14:00.000+01:00

Carrying on with the Cisco IPS Signature Engines, comes the Normalizer Engine.

This article will be in 2 parts.

This signature engine deals with IP Fragment Reassembly and TCP Stream Reassembly.

So what is IP Fragmentation?

Every transmission medium has a limit on the maximum size of a frame (MTU) it can transmit. As IP datagrams are encapsulated in frames, the size of IP datagram is also restricted. If the size of An IP datagram is greater than this limit, then it must be fragmented. The breaking up of a single IP datagram into two or more IP datagrams of smaller size is called IP fragmentation.

And what is Reassembly?

Each fragment becomes its own datagram and is routed independently of any other datagrams. This makes it possible for the fragments of the original datagram to arrive at the final destination out of order. At the final destination, the process of re-constructing the original datagram is called reassembly

On the way to this particular link, packets 3 and 4 have been misordered, and packet 2 has been lost. To solve this, within TCP a sequence number is attached to each packet so the destination machine can re-assemble the data in order. An error detection mechanism is also implemented so any packets that have become corrupted can be identified.

Which RFCs discuss IP fragmentation?

RFC 791 (Internet Protocol) & RFC 815 (IP datagram reassembly algorithms) discusses about IP datagrams, fragmentation and reassembly.

Back to the Signature Engine!

With the Normalizer engine you can set limits on system resource usage, for example, the maximum number of fragments the sensor tries to track at the same time.

NB - You cannot add custom signatures to the Normalizer engine. You can tune the existing ones.

Intentional or unintentional fragmentation of IP datagrams can hide exploits making them difficult or impossible to detect. An old article for reference is good here.

Reassembling all fragmented datagrams inline and only forwarding completed datagrams, refragmenting the datagram if necessary, prevents this.

The IP Fragmentation Normalization unit performs this function.

IP Fragmentation Normalization

You can configure the sensor to reassemble a datagram that has been fragmented over multiple packets. You can specify boundaries that the sensor uses to determine how many datagram fragments it reassembles and how long to wait for more fragments of a datagram.

The goal is to ensure that the sensor does not allocate all its resources to datagrams that cannot be completely reassembled, either because the sensor missed some frame transmissions or because an attack has been launched that is based on generating random fragmented datagrams.

The tables below show the IP fragment reassembly signatures with the parameters that you can configure for IP fragment reassembly.

We can configure the mode the sensor uses for IP fragment reassembly, by setting the IP Ressembly Mode. This Identifies the method the sensor uses to reassemble the fragments, based on the operating system.

Note: You can configure this option if your sensor is operating in promiscuous mode. If your sensor is operating in line mode, the method is NT only.

Sensors in promiscuous mode report alerts on violations. Sensors in inline mode perform the actionspecified in the event action parameter, such as produce alert, deny packet inline, and modify packet inline.

If we look at Signature 1200 subsig 0 (IP Fragmentation Buffer Full), its default is to Deny Packet Inline, and produce an Alert, plus we can modify a couple of the Engine Parameters above...

In the next part we will look at reassembly, or more specifically TCP Stream Reassembly. We can monitor only TCP sessions that have been established by a complete three-way handshake.The goal is to prevent the sensor from creating alerts where a valid TCP session has not been established.

Techwise TV - IPv6 Show

2007-07-09T16:05:00.000+01:00

Cisco Techwise TV are going to be running a "viewers choice" edition, on IPv6, on Thursday July 19th. A PDF Flyer can be obtained here.

Quote, "You are invited to join us for a deep technical exploration of IPv6. We will go beyond the simple alarmist coverage of this topic and reveal its very positive benefits. Our Cisco technology experts will show you how IPv6 will dramatically simplify your network management with built-in security, automatic mobility, autoconfiguration, improved performance, and much more.

• The enhanced capabilities of IPv6 and how to take advantage of them
• How to develop a plan for migrating from IPv4
• Basic before and after network configurations
• Routing issues and security traps to avoid
• How to run IPv6 in an IPv4 environment
• What Cisco is doing to enable a smooth transition."

Cisco IPS Service Pack 6.0-3.E1 Now Available

2007-07-03T11:07:00.000+01:00

The 6.0(3)E1 and 5.1(6)E1 Service Packs for Cisco IPS Version 6.0 and 5.1 sensors are now available for download. These releases contain bug-fixes, the E1 engine update, and the S291 signature update release.

The main fix for me, in this Service Pack is the resolution of the U.S. Computer Emergency Response Team (US-CERT) alert on network evasion technique using full-width and half-width unicode characters.

You may recall the alert in early May, which affected multiple vendors, not just Cisco. The Cisco Response was posted here.

Quote"By encoding attacks using a full-width or half-width unicode character set, an attacker can exploit this vulnerability to evade detection by an Intrusion Prevention System (IPS) or firewall. This may allow the attacker to covertly scan and attack systems normally protected by an IPS or firewall."

Incidently this was fixed in ASA code versions 7.0(6.35), 7.1(2.56), 8.0(1.47), 7.2(2.25)

Techwise TV - Safeguarding the Mobile Knowledge Worker

2007-06-28T10:39:00.000+01:00

Ok, this is a bit of an experimental post, as Blogger now gives the option to upload video!

As you may of seen on my Cisco MARS Blog, Cisco Techwise TV, is a series of Technical TV shows produced by Cisco.

Coming up soon, is a new show entitled: Safeguarding the Mobile Knowledge Worker.

Topic: Safeguarding the Mobile Knowledge Worker
Date: Thursday, July 12, 2007
Time: 10–11 a.m. Pacific Time, 1–2 p.m. Eastern Time

Quote from Techwise TV....
"Watch episode 22 of TechWiseTV and see how easy it is to steal valuable data using the latest wireless impersonation attacks.
More important, learn how you can protect information on laptops and other mobile devices from this and other emerging threats."

Download the flyer for the show here.

Cisco IPS Signature Engines - Multi String

2007-06-25T10:17:00.000+01:00

What does the Multi String Signature Engine do? Well the name "String" gives it away.

This engine searches traffic for certain regex-string strings. If you are a MARS user, and you create your own Custom Parsers you`ll know all about regex.

The Multi String engine lets you define signatures that inspect Layer 4 transport protocol (ICMP, TCP, and UDP) payloads using multiple string matches for one signature.

With this engine you can specify not just a single pattern to look for, but a series of regular expression patterns that must be matched to fire the signature.

For example, you can define a signature that looks for a certain string, followed by a different string on a UDP service. Or a sequence of strings on a TCP service.

Looking over the Multi-String Parameters...

We can set the inspect length , the protocol. For both UDP and TCP you can specify port numbers and direction. You can specify a single source port, a single destination port, or both ports. The string matching takes place in both directions.

Lets go over an example, Cisco IPS Signature 5801 subsig 1 - The Quicktime JPEG Code Execution Overflow.

Intellishield tells us its a potential code execution via a buffer overflow.

Basically a Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field.

Looking at the actual signature configuration...

We can see we are looking at TCP traffic on source ports #WEBPORTS, which is a configurable Signature Variable.

And the important function for this signature - the Regex Component, which is the lists of regex we will be looking for..

So for this particular signature, there are 2 strings of regex.

The first which is obviously looking a content type, and the second string, which both have to match to fire the signature.

Now we only use the Multi String engine when you need to specify more than one regex pattern.

Otherwise, you can use the String ICMP, String TCP, or String UDP engine to specify a single Regex pattern for one of those protocols.

I`ve been following the engines alphabetically, so next up will be the Normalizer Signature Engine.

ASDM v6

2007-06-21T10:50:00.000+01:00

Well as mentioned the other day ASA v8 has been released, and the accompanying ASDM v6.

Now i must admit the ASDM is getting better and better with every release. I`ll hold my hands up, when Cisco first had a stab at a GUI for the PIX (Cisco PIX Device Manager) i wouldnt touch it, as it had too many restrictions, so i preferred CLI.

But now a days its a great addition, check out some of the screen shots below..

The Device Dashboard..

And the Firewall Dashboard...

With the new "Top Status Usage" Graphs which are pretty neat..

Another couple of great new features are support for EIGRP...

And the ability to add virtual sensors on the AIP-SSM Module...

Cisco ASA5500 Series Version 8.0 Now Available

2007-06-18T22:17:00.000+01:00

Yep, after months of waiting, ASA v8.0 has finally been released, and also an updated version of the Cisco Adaptive Security Device Manager (ASDM) v6.0.2

Check out the Release Notes.

Cisco IPS Signature Engines - Meta

2007-06-13T10:40:00.000+01:00

What is the Meta Signature Engine?

Well the Meta engine is different from other engines in that it takes alerts as its input, where as most engines take packets as input.

What does this mean? The Meta engine defines events that occur in a related manner within a sliding time interval. As signature events are generated, the Meta engine inspects them to determine if they match any or several Meta definitions.

See the Meta Parameters below (Taken from the IPS v6 Documentation)

If we take a look at a META signature, you`ll get a better understanding.

For example Cisco IPS Signature 3338, Subsig 1, which is the signature for Windows LSASS RPC Overflow.

And if we right click on the Signature, and click the NSDB Link, we can read more info on what the signature if for...

If we edit this signature, we can see the parameters. Make a note of the Component-List and Component-List-In-Order fields.

We can see from the above, that within 5 seconds, if the Same Attacker fires the Component-List in the correct Component-List Order, then an Alert will be produced.

Lets look at the Component List...

There are 4 components in this list, in a specific order. Lets look at these, with references from the Cisco NSDB Database.

Component 1 - Signature ID: 3308/0 - SMB Remote Lsarpc Service Access Attempt

Signature Description

This signature indicates that an attempt has been made to access the LSARPC service on a Windows system. This service may be used to gain system information that would be useful in launching subsequent attacks. Access and browsing via this service is an integral portion of the so called Red Button attack.

This signature is a component of meta signature 3338.1, as a result there is no alarm event associated with it by default.

Component 2 - Signature ID: 3317/0 - LSASS DCE RPC Request

Signature Description

This signature fires upon detecting an RPC bind request for the LSASS service.

Since this signature is a component of meta signature 3338.1 there is no alarm event associated with it by default.

Component 3 - Signature ID: 3318/0 - DsRolerUpgradeDownlevelServer Request

Signature Description

This signature fires upon detecting an RPC request using the DsRolerUpgradeDownlevelServer function.

Since this signature is a component of meta signature 3338.1 there is no alarm event associated with it by default.

Component 4 - Signature ID: 3319/0 - DCE RPC Request

Signature Description

This signature fires upon detecting a DCE RPC operation 9 request.

Since this signature is a component of meta signature 3338.1 there is no alarm event associated with it by default.

So for this particular META signature, if all the requirements are met, the signature fires, and produces an Event, which in this case is Produce an Alert.

Before we finish a little warning - A large number of Meta signatures could adversely affect overall sensor performance.

I hope that gives you a better understanding of the Meta Signature engine, next up will be the Multi-String Signature Engine.

Cisco Security Manager 3.1 - Reposted

2007-06-06T12:08:00.000+01:00

You may recall, when the first build of Cisco Security Manager 3.1 was released, there was the possibility of database corruption, if you did an upgrade from v3.01 and activities were pending in the Cisco Security Manager version 3.0.1 database.

This has now been resolved, and the software is back up for download, build 482.

See here for a flash demo of Cisco Security Manager

Cisco IPS Signature Engines - Flood

2007-06-05T09:36:00.000+01:00

Ok carrying on with the IPS theme, this time we are going to look at the Flood Signature Engines.

Flood Signature Engines

Unlike the Atomic Signature engines, The Flood engine defines signatures that watch for any host or network sending multiple packets (rather than a single packet) to a single host or network.

All these packets have similar characteristics, such as packets with the SYN flag set, or a particular ICMP type.

For example, you can create a signature that fires when 200 or more packets per second (of the specific type) are found going to the victim host, ie is 200 x ICMP Type 8 (Echo Request) to a single host, in a second, normal network behaviour?

There are two types of Flood engines

FLOOD.HOST
FLOOD.NET

The Flood.Host Signature Engine, detects ICMP and UDP floods directed at hosts.

When creating or tuning signature using the Flood.Host engine, we can modify certain Parameters, configuring the type of packets that you consider interesting. Also you also need to specify the rate (using the rate engine-specific parameter) at which the packets must arrive to trigger the alarm. These parameters are shown below, taken from the IPS documentation....

The Flood.Net Signature Engine, Detects ICMP, TCP and UDP floods directed at networks.

Again we can modify certain Parameters relevant to this engine, shown below...

In the next Article, we`ll look at the Meta Signature Engine.

NAC Appliance Book

2007-06-04T09:15:00.000+01:00

A little note on a new Cisco NAC Appliance Book, that will be coming out in August, according to Jamie Sanbowers Cisco NAC Appliance Blog.

You can pre order this at Amazon,

Paperback: 550 pages
Publisher: Cisco Press; 1 edition (August 8, 2007)
Language: English
ISBN-10: 1587053063
ISBN-13: 978-1587053061

Cisco IPS Signature Engines

2007-06-01T15:08:00.000+01:00

The next following articles are going to covers Cisco IPS, and more specifically first, the Signature Engines.

IPS 6.0 contains over 1000 built-in default signatures. You cannot rename or delete signatures from the list of built-in signatures, but you can retire signatures to remove them from the sensing engine, and later if required activate retired signatures.

Signatures can also be adjusted, by changing several signature parameters. Built-in signatures that have been modified are called tuned signatures. Signatures that are created from scratch by the user are known as Custom signatures.

A signature engine is a component of the Cisco IPS that is designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of parameters that have allowable ranges or sets of values.

Atomic Signature Engines

The Atomic Signature Engines are designed to be triggered from a Single Packet.

There are 3 Atomic Signature Engines..

Atomic ARP—Inspects Layer-2 ARP protocol.
Atomic IP—Inspects IP protocol packets and associated Layer-4 transport protocols.
Atomic IPv6—Detects IOS vulnerabilities that are stimulated by malformed IPv6 traffic.

The major difference between the different ATOMIC signature engines is that each engine has engine-specific parameters that are customized on protocol-specific characteristics.

Atomic ARP—Inspects Layer 2 ARP protocol. The Atomic ARP engine is different because most engines are based on Layer 3 IP protocol.

Atomic IP— This engine lets you specify values to match for fields in the IP and Layer 4 headers, and lets you use Regex to inspect Layer 4 payloads.

Note that All IP packets are inspected by the Atomic IP engine. This engine replaces the IDS 4.x
Atomic ICMP, Atomic IP Options, Atomic L3 IP, Atomic TCP, and Atomic UDP engines.

Atomic IPv6—Detects two IOS vulnerabilities that are stimulated by malformed IPv6 traffic.

Next up, we`ll take a look at the Flood Signature Engines.

Cisco ASA and SSM-10 IPS Management

2007-05-30T13:21:00.001+01:00

Ok, you`ve just purchased an ASA Firewall with an Advanced Inspection and Prevention Security Services Module (AIP), and you now want to manage both of these though the Cisco Adaptive Security Device Manager (ASDM).

You`ll probably find that your AIP module, comes shipped with IPS v5. I dont believe this is supported in ASDM, so upgrading your AIP module to IPS v6, is the way to start...

In this example i`ve upgraded a module from v5 to v6 using FTP.

So if we create a login session to the AIP module

ciscoasa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

And do a show version

sensor# show version
Application Partition:

Cisco Intrusion Prevention System, Version 5.1(1)S205.0

This sensor is out of date, so we need to download the latest code from Cisco.com, assuming you have a valid SMARTnet.

Once you`ve done this, we need to get a management IP on the Sensor, and place the downloaded files on an FTP Server.

Next run through the Setup, and once done check we can ping the FTP server.

Once ok, go into Configuration mode, and run the upgrade command, specifying the FTP user, ip address and file...

ASA_IPS6#conf t
ASA_IPS6(config)#upgrade ftp://anonymous@192.16.2.109/IPS-K9-6.0-2-E1.pkg
Password: **

This kicks off the Install script. You will get an error message saying the upgrade is of unknown type. You can ignore this message.

The filename IPS-K9-6.0-2-E1.pkg is not a valid upgrade file type.
Continue with upgrade? []: yes

Broadcast Message from root@ASA_IPS6
(somewhere) at 9:14 ...

Applying update IPS-K9-6.0-2-E1.pkg. IPS applications will be stopped and system will be rebooted after upgrade completes .

Broadcast Message from root@ASA_IPS6
(somewhere) at 9:14 ...

Shutting down IPS applications. Applications will be restarted when update is complete..

Command session with slot 1 terminated.
Remote card closed command session. Press any key to continue.

Once the Module has rebooted, and you can succesfully ping the Management IP again, we are safe to log back in.

ciscoasa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.

And a Show Version, displays that we are now upgraded.

ASA_IPS6# show ver
Application Partition:

Cisco Intrusion Prevention System, Version 6.0(2)E1

You are now ready to connect to your ASA management IP, and run ASDM, and configure your AIP module in the same GUI.

UnAuthorized FTP Login Protection with Cisco IPS

2007-05-24T14:12:00.000+01:00

I was at a customer site the other day, working on something completely unrelated to MARS or IPS, when we got talking about people trying to hack into one of the companies FTP servers.

This particular customer has a few FTP servers for it clients, that are used on a daily basis, but they have been having recent problems, with people/automated scripts attempting to login.

You`ll have seen this on your own FTP sites....

#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
11:56:31 200.42.224.29 [2]USER abby 331 0
11:56:31 200.42.224.29 [2]PASS - 530 1326
11:56:33 200.42.224.29 [2]USER abby 331 0
11:56:55 200.42.224.29 [2]PASS - 530 1326

Etc,Etc... some attacks upto 1 hour in length....

Now the customer had a Cisco IPS device installed, but it was in what i`d term IDS mode. A case of an ex employee installed it 12 months ago, and we havent looked at it since. (yep seen that too many times!)

So i suggested we put a segment of the network in IPS mode, and configured the relevant signatures.

Lucky for this article, we had such an attack about 10 minutes later, and heres a snippet below...

In the IPS Event viewer, a couple of interesting alerts were noticed

Now this company, has not followed good practice, and allows some clients to login to the FTP server with the Administrator account. Doh! Hence the first alert generated.

The second alert, FTP Authorization Failure, is the key.

Looking on the actual FTP Server logs, we saw

#Fields: time c-ip cs-method cs-uri-stem sc-status sc-win32-status
10:06:05 125.215.134.11 [14]USER Administrator 331 0
10:06:05 125.215.134.11 [14]PASS - 530 1326
10:06:05 125.215.134.11 [14]USER Administrator 331 0
10:06:05 125.215.134.11 [14]PASS - 530 1326
10:06:06 125.215.134.11 [14]USER Administrator 331 0
10:06:06 125.215.134.11 [14]PASS - 530 1326

If we look at the Signature Configuration...

Signature 6250 was configured to Deny the Attacker Inline, produce an Alert, and Log the IP Packets.

After seeing 3 failed FTP Authorization events.

Looking at the actual Alert, we can see the Signature description, id and version, plus a MARS category for future use.

More importantly the attacker and target, the context of the event and the IP Log ID

Now in the Cisco IPS Device Manager, if we switch to the IP Logs

We can download the packets logged for this particular event, and display in Wireshark

We can look further into this by following the TCP stream...

And see clearly, this time, the hacker was unsuccessfully. Switching over to the IPS Monitoring we can see that the device has applied an IP Block for a configurable time.

Hence this particular customer has now restricted use to that Administrator account!

Cisco IPS - Support of 'minreq-' Style Signature Updates has Ended

2007-05-23T09:03:00.000+01:00

Well Cisco have been warning you for a while, so if you are not upto date, you will be able to apply the new signature updates until you have updated the engine......

Beginning with S288, customers must be running IPS version 5.1-5-E1 or later to install signature updates. Signature updates on sensors running IPS versions older than 5.1-5-E1 (i.e. sensors using the nomenclature 'IPS-sig-S2XX-minreq-5.1-4') are no longer supported.

The E1 Engine update for IPS Version 5.1(5) is available for download on Cisco.com. This release includes the E1 engine update package and the 5.1(5)E1 Service Pack and System/Recovery images which replace the 5.1(5) Service Pack and System/Recovery images.

Also note, beginning with the S288 signature update, both IPS versions 5.1 and 6.x will utilize the same signature update package. As such, signature update files for both IPS 5.1 and 6.x will be posted to the following URLs:

Sensor: http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup
CSM/ IPS MC: http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup

Note: Beginning with S288, signature update files will no longer be posted to:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-sigup.

Engine updates are not supported on IPS versions 5.1(4) and older. Customers on IPS versions 5.1(4) and older must upgrade to 5.1(5)E1 to ensure full signature coverage.

With the release of the E1 engine update, the IPS Signature nomenclature has changed from IPS-sig-S2XX-minreq-5.1-4.pkg to IPS-sig-S2XX-req-E1.pkg to reflect the new Engine requirements (In this case, E1).

For details regarding Cisco's End-of-Sale policy for signature updates, refer to the "End-of-Sale Policy for Signature File Release on Intrusion Detection and Prevention (IDS/IPS) Sensors" Product Bulletin available at the following URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_bulletin0900aecd80358daa.html

The 5.1(5) E1 engine update and associated service packs and system/recovery images can be downloaded from Cisco.com at the URLs listed below. You must be logged on to Cisco.com using an account with cryptographic privileges to access the download site and have an active Cisco Service for IPS maintenance contract to request software upgrades from Cisco.com.

Engine Update Files
Sensor (IPS-K9-engine-E1-req-5.1-5.pkg):
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
CSM/ IPS MC (IPS-CS-MGR-engine-E1-req-5.1-5.zip):
http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

Service Pack Files
Sensor (IPS-K9-5.1-5-E1.pkg or IPS-4260-K9-5.1-5-E1.pkg):
http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
CSM/ IPS MC (IPS-CS-MGR-K9-5.1-5-E1.zip or IPS-CS-MGR-4260-K9-5.1-5-E1.zip):
http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ips-51updates

System and Recovery Image Files
Appliance Sensors: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system
ASA-SSM: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-asa-aip
IDSM2: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-cat6500-idsm2-sys
NM-CIDS: http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-nm-image-files

Signature Updates
Sensor: http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup
CSM/ IPS MC: http://www.cisco.com/cgi-bin/tablebuild.pl/ipsmc-ips5-sigup

Additional Information:

Customers on IPS 5.1(4) or older:
- Upgrade to IPS 5.1(5)E1 using the 5.1(5)E1 Service Pack File
- Upon upgrading to 5.1(5)E1, begin using the engine style signature updates available on Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers on IPS 5.1(5):
- Install the E1 engine update.
- Begin using the engine style signature updates available on Cisco.com at the following URL:
http://www.cisco.com/cgi-bin/tablebuild.pl/ips6-sigup

Customers using VMS 2.3 w/IPS MC 2.2:
- The Engine updates will require the customer to verify and/or install Service Pack 2 for the IPS MC 2.2
- The following link will take you to the Service Pack 2 download http://www.cisco.com/cgi-bin/tablebuild.pl/mgmt-ctr-ids

Customers using CSM 3.0.1:
- The Engine updates will require the customer to verify and/or install the IPS Patch.
- The following link will take you to the IPS Patch: http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

Customers using CSM 3.1:
- No action required, engine updates are supported

New Priveon CSA Publication on CSA 5.2

2007-05-22T14:20:00.001+01:00

My good friends over at Priveon, without a doubt the leaders in Cisco Security Agent knowledge, have released another fine article on a new CSA 5.2 Feature Interface Identification and Control.

In 5.2, Cisco has added the ability to assign end-point security policies based on the network interface type in use. This new feature allows enterprises to secure their end-points via strict policies for systems both connected to the enterprise wireless network and when roaming.

In this new release you are able to set specific firewall policies based on what interface type is in use at any particular time. This also allows you to monitor what wireless network SSID’s are in use by your CSA protected systems, set that you require a wireless encryption method for all wireless connections or restrict all wireless traffic when a system is connected to the enterprise network via a wired interface.

Check it out HERE.

Intellishield Sample Reports

2007-05-16T17:12:00.000+01:00

The Cisco Security Center, has sample reports for the Intellishield Service.

Quick Reference links for a couple...

Microsoft Exchange Base64 MIME Message Decoding Code Execution Vulnerability

Check Point ZoneAlarm Pro vsdatant Driver Improper Input Validation Vulnerability

None of the current samples show the IPS Signature correlation, but i`m sure this will happen soon.

Cisco IPS Signature correlation now available in IntelliShield

2007-05-15T11:19:00.000+01:00

You learned about the Cisco Intellishield service yesterday. I will try to get permission to publish some sample alerts on the Blog in the future.

Now i know many people are using Cisco IPS/IDS with MARS, and that you must have a valid Cisco Service for IPS maintenance contract to get signature updates etc.

Cisco in Intellishield now have correlation of Cisco IPS Signature information within the IntelliShield Alert Manager Search Access Feature.

Cisco Services for IPS clients that subscribe to the service now have access to perform targeted searches to display Cisco IPS Signatures associated with different alerts to ensure they have the most up to date intelligence.

Subscribers can view a new IPS Signature list page that is searchable and will display Cisco IPS Signatures associated with IntelliShield Alerts. IntelliShield Alerts also contain the associated Cisco IPS Signature information within each alert.

And the best bit? If you have a valid IPS subscription, you can gain basic access for free.

Only one user account is permitted for each IPS License File or IPS Serial Number.

Proceed to the registration page at the following link to obtain your access:

https://intellishield.cisco.com/security/alertmanager/intelliShieldSearch

The free subscription doesn't give you all the customised alerting etc, that was mentioned yesterday in the Alert Manager, but its great for correlating your IPS signatures, and a good introduction to the service.

Cisco Intellishield

2007-05-15T10:40:00.000+01:00

Intellishield, I hear you say, whats that?

The Cisco Security IntelliShield Alert Manager Service is a threat and vulnerability alerting service that allows organizations to easily access timely, accurate information about potential vulnerabilities in their environment—without time-consuming research.

The Cisco IntelliShield Alert Manager Search Access Feature provides clients with access to one of the most extensive collections of vendor-neutral security intelligence alerts in the industry. Clients can access a fully indexed and searchable database that extends back over six years and contains more than 1700 vendors, 5500 products, and 20,000 distinct versions of applications.

So whats the value to me? Well you may be signed up to a handful of online security reporting databases, and receive 20 or 30 emails a day, for all products under the sun, 80% of products that you dont own, or the alerts are not relevant.

The Intellishield subscription service, allows you to tailor what alerts you want to receive that are relevant to your infrastructure. Information is pulled from its huge database of 1700 vendors, with the ability to customize at different levels of vendor, product, version, or service pack, plus customized notification via Email, Pager or SMS.

Scoring of the Vulnerabilities is done via The Common Vulnerability Scoring System (CVSS), an open standard for scoring vulnerabilities.

There is a demo available on the Cisco Website, and also a free 30 trial.

What does an Intellishield alert report contain?

Description of the Vulnerability
What impact it could have on your infrastructure
What products/versions are vulnerable
The vendor announcement
An Intellishield analysis, including Warnings, Technincal Info, Safeguards
What patches are available to remediate the problem
A history of the vulnerability
What Cisco IPS signatures are available

There is also a new alert offering, the Applied Intelligence Response. These responses are an important enabling resource to aid Cisco customers in understanding the latest security intelligence and how to apply that information to their existing Cisco infrastructure to protect their online business operations and resources.

The Applied Intelligence Response contains detailed, actionable information and recommendations for using the Cisco network infrastructure to protect customers in response to a network-based threat. These alerts are published in response to vulnerabilities that can be exploited via the network, and can be identified and mitigated through the use of Cisco network and security products.

Take a look at an example of an Applied Intelligence Repsonse article, Identifying and Mitigating Exploitation of the Crafted IP Option Vulnerability, using a variety of Cisco products including MARS and IPS.

More on this in future articles.

Welcome to Network Response

2007-05-09T10:45:00.000+01:00

This is the sister, to the Cisco MARS Blog site.

Basically this site will cover all the other Security products in the Cisco Security Portfolio.

So please check back for articles covering IPS, CSA, CSM, Intellishield, ASA etc......