On Security Field Day 7 #XFD7 I saw a presentation from Craig Lurey, CTO & Co-founder of Keeper Security. I would like to focus here on one aspect that seems to me the most important factor in selecting a password manager: the Zero Trust model.
For more information check out the full Security Field Day recording
In the IoT space it is still common that when you ask about security, the response refers to safety and not to cybersecurity. That is an indicator of how low the awareness of cybersecurity threats in the OT space is today.
It is still common that all industrial OT devices are just connected to one flat L2 network, without any segmentation. Obviously that has not been built with security in mind. Often you hear "we air-gapped the OT network, so we are safe against any attacks". Of course the reality looks quite different: sometimes there are forgotten connections to the public internet, remote access for support vendors, or attacks via devices that connect locally, e.g. USB sticks and laptops that have been infected earlier.
The threat landscape is real: recently a US port was shut down after an infection of the port's industrial OT network. At the same time more cyber attacks are targeted against industrial facilities. For APT crews this is a low-hanging-fruit target. The other problem is that we have devices that are more than a decade old and of course have a long list of vulnerabilities.
Tim Szigeti presented at Cisco Live Europe 2020 in his Tech Field Day Extra presentation how the Cisco IoT Group is addressing these security challenges. The newly announced Cyber Vision provides the missing visibility into IoT networks. It understands all the industrial protocols and builds a complete inventory of devices and software releases that are active in the network. Based on that it builds a topology that shows who is communicating with whom and which protocols are used. All of that forms a baseline to get the full picture. And that is exactly what is needed to craft policies and migrate from a flat network to macro and later to micro segmentation. Of course this is a journey and cannot be done overnight.
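To make the "inventory, topology, baseline, then policy" idea concrete, here is an added example (my own code, not Cyber Vision's and not the format it exports) that learns a zone-to-zone protocol matrix from constructed flow records, derives a macro-segmentation allow-list from it, and flags flows that deviate from the baseline. The subnet-to-zone mapping and the flow records are assumed sample values.

```python
from collections import defaultdict

# Constructed flow records in the form src,dst,protocol (not a real Cyber Vision export).
FLOWS = """\
10.1.10.5,10.1.20.11,modbus
10.1.10.5,10.1.20.12,modbus
10.1.10.7,10.1.20.11,s7comm
10.1.10.5,10.1.30.2,https
10.1.30.2,10.1.10.5,https
"""

# Hypothetical zone assignment by subnet prefix: the unit a macro-segmentation policy works on.
ZONES = {"10.1.10.": "scada", "10.1.20.": "plc", "10.1.30.": "historian"}

def zone_of(ip):
    for prefix, zone in ZONES.items():
        if ip.startswith(prefix):
            return zone
    return "unknown"

def build_baseline(flow_text):
    """Inventory of talkers plus the zone-to-zone protocol matrix seen in the learning window."""
    inventory = set()
    matrix = defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, proto = line.split(",")
        inventory.update((src, dst))
        matrix[(zone_of(src), zone_of(dst))].add(proto)
    return inventory, dict(matrix)

def is_deviation(baseline, src, dst, proto):
    """True for a device never seen in the learning window or a zone pair/protocol not in the baseline."""
    inventory, matrix = baseline
    if src not in inventory or dst not in inventory:
        return True
    return proto not in matrix.get((zone_of(src), zone_of(dst)), set())

def to_policy(matrix):
    """Macro-segmentation allow-list: one permit rule per (zone pair, protocol) in the baseline."""
    return sorted((s, d, p) for (s, d), protos in matrix.items() for p in protos)

if __name__ == "__main__":
    baseline = build_baseline(FLOWS)
    for rule in to_policy(baseline[1]):
        print("permit", *rule)
    print(is_deviation(baseline, "10.1.10.5", "10.1.20.11", "modbus"))  # in baseline
    print(is_deviation(baseline, "10.1.20.11", "10.1.30.2", "https"))   # plc -> historian never seen
```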
Network Autobahn View
The Cyber Vision product provides exactly what is needed to start the conversation between cybersecurity and OT people. It helps if you can directly show what is going on right now instead of assuming something that looks very different in reality. There will be a long learning curve in the OT space, similar to the migration from traditional telephony to VoIP-based communication. But this needs to happen now. There will be an increase in targeted attacks against IoT networks, and you are lost if you do not change your mindset and toolset to address that.
Whoever wants to dig deeper into that topic should also look at the Cisco Press book Digital Network Architecture by Tim Szigeti, David Zacks, Matthias Falkner and Simone Arena.
At Cisco Live Europe 2019 Victor Moreno and Mike Herbert presented Cisco's application end-to-end policy strategy. Often policy enforcement is just a checkbox feature that is added to a product. Integrating the capability for one product to enforce policies based on some kind of tag is the easy part. Much harder is to integrate that across multiple platforms and products. I appreciate that Cisco is making huge efforts to develop a consistent policy strategy across its portfolio to make it a solution and not just another feature.
To make it end to end, the second challenge is to keep the policy framework user-based. IP-based access lists are not flexible enough to meet modern dynamic environments. That is the reason why a lot of previous approaches failed to address the end-to-end scenario. Here the user identity is captured at login, and the corresponding policies for that particular user are applied to the infrastructure dynamically.
Cisco is using the 16-bit header field that was also used for the Security Group Tag (SGT). In this case the same field is embedded into VXLAN, where it is called Class ID. The benefit of that implementation is that it is not bound to L2 and can be carried across L3.
To keep the tags consistent across multiple controller domains, a sync needs to happen between the different controllers. In this scenario the ACI APIC and the Viptela SD-WAN vManage controller are both synchronized via API with DNA Center. That decentralized approach looks scalable enough and does not need an "Uber Master Controller".
Network Autobahn View
Good that Cisco is making this effort to bring a solution that really solves end-to-end problems. Manual security tag translation is neither scalable nor manageable. For me this is going in the right direction and looks like a solution that is usable in real-world scenarios. Looking forward to seeing this and the Firepower integration in action.
At Cisco Live Jonny Noble presented a session at the Tech Field Day Extra event.
It covered Umbrella and AMP for Endpoints from Cisco's security group. I will focus here on the updates to AMP for Endpoints and what has changed in the product. AMP for Endpoints has been around for quite some time and was in the past mainly focused on file protection and EDR use cases. Cisco has put a lot of development into the product and is moving forward fast with it.
From a more niche targeted product it has now grown to a fully featured endpoint protection solution that also covers classic antivirus endpoint protection. Besides that, Cisco has built one-to-one signatures, fuzzy fingerprinting, machine learning, rootkit scanning and sandboxing capabilities into AMP for Endpoints.
The management component is mainly deployed as a cloud solution. Cisco also offers an on-prem variant for those customers that do not want to go to the cloud.
On the OS side they support Windows, macOS, Linux (RHEL/CentOS) and Android natively.
Cisco has now added an integration for Apple's iOS-based iPhone devices with a new client called Clarity. I will take a deeper look at what is possible with this client and how deeply the client is integrated into Apple's mobile device OS.
There are a lot of endpoint protection / AV products on the market; what is unique to Cisco AMP for Endpoints is the integration with the other AMP solutions.
This integration is from my point of view one of the key differentiators. Cisco has also integrated AMP into Meraki MX, Firepower, WSA, ESA and Threat Grid.
A good example is a retrospective event and how you can investigate it. When a file is downloaded to a client PC in a corporate network, it can pass multiple devices that are running AMP, like the web proxy / WSA or a Firepower-based NGFW. Maybe on the first day AMP was not able to detect that this file was malicious. The moment the automated threat feeds have been updated, it can detect this malicious file. In the management console it will mark, based on the logs, the hash of this file and present it as a retrospective event. Now you are able to see where this file has shown up in your environment. Once AMP is aware that this file is malicious it will start blocking the file. It is now easy to pinpoint where the file has shown up in your infrastructure with the file trajectory and to track its potential lateral movement.
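The retrospective logic described above, as an added example (my own code, not Cisco's AMP implementation or its event format): sightings of a file hash are logged by every enforcement point while the verdict is still "allowed"; when a feed update declares the hash malicious, the logged sightings are replayed into a file trajectory, and the order in which hosts first saw the file hints at lateral movement. The observation records, device names and hashes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

# Constructed observation records: timestamp, AMP-enabled device, host, file hash, verdict at that time.
# The hashes are derived from dummy bytes so that the sample is self-contained.
BAD = hashlib.sha256(b"constructed sample A").hexdigest()
GOOD = hashlib.sha256(b"constructed sample B").hexdigest()
OBSERVATIONS = [
    ("2020-02-01T09:00Z", "wsa-proxy", "pc-017", BAD, "allowed"),   # download seen by the proxy
    ("2020-02-01T09:01Z", "endpoint", "pc-017", BAD, "allowed"),    # written to disk on pc-017
    ("2020-02-01T11:30Z", "endpoint", "pc-042", BAD, "allowed"),    # copied on to a second host
    ("2020-02-01T11:31Z", "ngfw", "pc-042", GOOD, "allowed"),
    ("2020-02-02T08:15Z", "endpoint", "srv-01", BAD, "allowed"),
]

@dataclass
class Trajectory:
    sha256: str
    sightings: list  # (timestamp, device, host), chronological
    hosts: list      # hosts in the order the file first appeared on them

def retrospective_events(observations, newly_malicious):
    """After a threat-feed update, look back through logged sightings of hashes that were allowed
    at the time and are now known bad; return one trajectory per hash."""
    result = {}
    for ts, device, host, sha, verdict in sorted(observations):  # ISO timestamps sort lexically
        if sha in newly_malicious and verdict == "allowed":
            t = result.setdefault(sha, Trajectory(sha, [], []))
            t.sightings.append((ts, device, host))
            if host not in t.hosts:
                t.hosts.append(host)
    return result

def lateral_movement(trajectory):
    """Host-to-host hops implied by the order of first appearance (a lead to verify, not proof)."""
    return list(zip(trajectory.hosts, trajectory.hosts[1:]))

if __name__ == "__main__":
    for t in retrospective_events(OBSERVATIONS, {BAD}).values():
        print(t.sha256[:12], "first seen", t.sightings[0], "hops", lateral_movement(t))
```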
For more details check out the recorded Session:
Cisco Cloud Protect: A Quick Dive Into Cisco Cloud Security with Jonny Noble
On Networking Field Day 17 VeloCloud by VMware presented at the VMware HQ.
After the acquisition by VMware, the VeloCloud team put together an interesting overview of their SD-WAN solution and the features and capabilities it has.
I will focus on one point that to me is especially interesting:
“The Elephant flow problem”
All SD-WAN vendors can use multiple WAN uplinks to load balance traffic across these connections. But in most cases that is only per-session load balancing. That works fine in most cases when we have a lot of sessions that can simply be distributed across multiple links.
It becomes more difficult when it comes to "Elephant Flows". A typical example is backup traffic or large file transfers. I have seen more than once that a backup wasn't finished overnight, and the next morning when the first users showed up, everything was terribly slow and the WAN uplink was still at 100% utilization.
In the past we normally solved the problem with more bandwidth. If you have just one big pipe, your heavy elephant can run faster across the big road with more lanes. When you have multiple WAN uplinks there are some challenges that need to be addressed.
I will use the Autobahn here as a comparison to describe the problem. It helps your heavy transport vehicle to have more lanes on the Autobahn. But if you have only three roads to transport one big load, you need to disassemble it into multiple smaller packets that can then be loaded onto smaller trucks and transported to the destination.
Now comes the challenging part. Before the packet can be sent out on the LAN interface it needs to be reassembled.
Out of order packets: some packets will not arrive in the right order, so they need to be buffered until all parts have arrived before they can be reassembled.
Packet loss: maybe some of the packets will need to be retransmitted.
Track the link quality: during the whole process the link characteristics may change regarding latency and throughput.
Packet size: on internet uplinks the maximum MTU can be smaller than on a private WAN. For the IPsec encryption and additional internal headers the maximum payload that can be forwarded also needs to be reduced. VeloCloud also has a feature that addresses this problem and can provide a virtual MSS (Maximum Segment Size) for TCP packets.
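The following is an added simulation of the per-packet striping described above (my own code, not VeloCloud's implementation): one flow is cut into sequence-numbered chunks spread over three uplinks with different latencies, the receiver holds out-of-order chunks in a reorder buffer, detects gaps that need retransmission, and only delivers the in-order prefix. The link names, latencies and the MSS header arithmetic are assumed values, not measured ones.

```python
# Constructed link set: name -> one-way latency in ms (assumed values, not measured).
LINKS = {"mpls": 10, "dsl": 25, "lte": 40}

def stripe(payload, chunk_size, links):
    """Split one flow into sequence-numbered chunks and spread them round-robin over all links."""
    names = list(links)
    return [(seq, names[seq % len(names)], payload[i:i + chunk_size])
            for seq, i in enumerate(range(0, len(payload), chunk_size))]

def transmit(chunks, links, lost=frozenset()):
    """Return chunks in arrival order (by link latency); chunks whose seq is in `lost` never arrive."""
    arrivals = [(links[link], seq, data) for seq, link, data in chunks if seq not in lost]
    return [(seq, data) for _, seq, data in sorted(arrivals)]

class Reassembler:
    """Receiver-side reorder buffer: delivers in-order bytes, holds out-of-order chunks."""
    def __init__(self):
        self.next_seq, self.buffer, self.out = 0, {}, bytearray()

    def receive(self, seq, data):
        self.buffer[seq] = data
        while self.next_seq in self.buffer:           # drain the in-order prefix
            self.out += self.buffer.pop(self.next_seq)
            self.next_seq += 1

    def missing(self):
        """Gaps below the highest buffered seq; a lost final chunk needs the sender's total count."""
        if not self.buffer:
            return []
        return [s for s in range(self.next_seq, max(self.buffer)) if s not in self.buffer]

def tcp_mss_for(path_mtu, tunnel_overhead):
    """MSS that fits the uplink MTU after tunnel overhead (assumes 20-byte IPv4 + 20-byte TCP headers)."""
    return path_mtu - tunnel_overhead - 40

def send_flow(payload, chunk_size=4, lost=frozenset()):
    """Stripe, transmit, reassemble; returns (delivered bytes, chunks still held, seqs retransmitted)."""
    chunks = stripe(payload, chunk_size, LINKS)
    rx = Reassembler()
    for seq, data in transmit(chunks, LINKS, lost):
        rx.receive(seq, data)
    gaps = rx.missing()
    for seq, _, data in chunks:                       # retransmit only the missing chunks
        if seq in gaps:
            rx.receive(seq, data)
    return bytes(rx.out), len(rx.buffer), gaps

if __name__ == "__main__":
    print(send_flow(b"elephant flow across three wan links", lost={2}))
```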
The Networkautobahn View
Amazing feature. The elephant flow problem was not solved by L2 link aggregation in the LAN or L3 routing in the WAN. One flow was forwarded only over one link, and that was all we got. To get it done right is quite challenging, and maybe that is one of the reasons why it wasn't available sooner.
I can still remember some NetScreen devices that melted down when they had to do packet dis/reassembly over IPsec tunnels. The CPU was at 100% load and you had nearly no throughput.
Getting jumbo frames transferred across WAN links also makes me excited. That is particularly interesting if you would like to run NSX across your SD-WAN infrastructure.
I would like to see that in action and am also curious about how much impact that will have on the CPU of the VeloCloud Edge devices.
If you are on a long road trip to the next data center to fix some networking problems, you need the right soundtrack.
The Networking Soundtrack:
Number 1: My favorite Net Thing, the maximum possible number of network acronyms in one song.
Number 2: You down with BGP? Some network protocols are celebrated like rock stars.
Number 3: The Spanning Tree Song. The song is performed by Radia Perlman (piano), the author of Spanning Tree, and her daughter Dawn Perlner (voice).
Number 4: The day the routers died… my Cisco shares are completely worthless