Cisco has released the following updates for the MARS appliances:
For Gen2 Mars devices: 5.2.7 is the upgrade from 5.2.4 (Release Notes)
For Gen1 Mars devices: 4.2.7 is the upgrade from 4.2.6 (Release Notes)
It is extremely important that you only load the associated upgrade for your supported hardware.
This release includes updated vendor signatures, added support for Oracle 10g and Snort 2.6, and any associated hotfixes.
Because of the updated signatures and added device support, it is recommended that you upgrade all MARS devices.
As with any new software update, you should make sure you have a valid backup before upgrading. You should also review the product documentation, upgrade instructions and release notes to fully understand the impact of the new version.
The judges of eWEEK's 7th Annual Excellence Awards just named the BigFix Enterprise Suite the winner of the "Vulnerability Assessment & Remediation" category.
With the amount of functionality, flexibility and power provided by the product and being able to wield that power using a single-agent/single-console architecture, it was easy to see how the judges came to their decision.
To find out more about how implementing the BigFix Enterprise Suite can bring real-time visibility, management, and control to your environment please contact us at http://www.priveon.com.
One of the new features in CSA 5.2 is the ability to use a new wildcard symbol, @(csanode) in the place of an IP address or range. The @(csanode) attribute is a collection of IP addresses for systems known to have CSA active, via their IP addresses, on the MC. Using this attribute will allow you to create rules specifically to allow/deny/monitor resources based on systems that have CSA active or do not.
The configuration is rather simple. To start, you create a SET rule to enable the "discovery" of a CSA agent running on the remote systems. If you will be using this feature often, you may want to tie the discovery to a common event that occurs when the systems start, such as HTTP access to an intranet page or something similar. This will shorten the waiting period for a new client that is not yet populated in the list on the client systems.

Now you can use the @(csanode) symbol to populate the "communicating with" field in a network access control rule, as shown below.

At this time the @(csanode) symbol may only be used in connection rate limit, data access, network access and network shield rules. The network access control rule is what I used to verify the feature operates as advertised.
There are countless uses for this added layer of security. You can limit SMB connectivity between hosts to those that are known to have CSA active. On a web server you may want to allow connections only from systems that have CSA active. You could also limit file server connectivity to known protected hosts for sensitive communications when required, as in the PCI 1.1 compliance requirements.
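To make the behaviour of @(csanode) concrete, here is an added Python model (not CSA code, and not Cisco's rule-precedence logic) of a network access control rule whose "communicating with" field is either an address range or @(csanode). It assumes simplified first-match rule ordering, and shows the waiting period described above: a host that has not yet been discovered is treated as unprotected until its SET rule fires.

```python
import ipaddress

# Token standing in for the @(csanode) attribute in the "communicating with" field.
CSANODE = "@(csanode)"


class CsaPolicy:
    """Constructed model of CSA network access control rules (assumption: first match wins)."""

    def __init__(self, rules):
        # rules: list of (action, port, communicating_with) tuples, evaluated in order
        self.rules = rules
        # Addresses the MC knows to have CSA active, populated as the discovery SET rule fires.
        self.csanodes = set()

    def discover(self, ip):
        """Record an address as a CSA-protected node (the discovery SET rule firing)."""
        self.csanodes.add(ipaddress.ip_address(ip))

    def _peer_matches(self, spec, peer):
        # @(csanode) matches only addresses already in the discovered set;
        # anything else is an address range in CIDR notation.
        if spec == CSANODE:
            return peer in self.csanodes
        return peer in ipaddress.ip_network(spec, strict=False)

    def decide(self, peer_ip, port):
        """Return "allow" or "deny" for a connection from peer_ip to the given port."""
        peer = ipaddress.ip_address(peer_ip)
        for action, rule_port, spec in self.rules:
            if rule_port == port and self._peer_matches(spec, peer):
                return action
        return "deny"  # no rule matched: treat the connection as denied


def build_policy():
    # Constructed sample policy: SMB (445) only from CSA-protected hosts,
    # HTTP (80) from anywhere on the 10/8 LAN.
    return CsaPolicy([
        ("allow", 445, CSANODE),
        ("deny", 445, "0.0.0.0/0"),
        ("allow", 80, "10.0.0.0/8"),
    ])
```

Before `discover()` is called for a client, its SMB connections hit the catch-all deny; after discovery the same client is allowed, which is why the text suggests triggering discovery on a common startup event.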
Cisco has announced that FWSM version 3.1(4) now meets the Safe Harbor (SH) Certification standard. In order to reach this level of certification, the FWSM had to pass stringent testing in both lab and live environments.
Those companies limited to SH Certified code can now start using the added features in 3.1.
Visit Cisco's website for additional information on the SH initiative and corresponding certified software.
http://www.cisco.com/en/US/netsol/ns504/networking_solutions_program_category_home.html
This is the first part of a 10-part series on using SNARE to build a monitoring infrastructure. I will start with a brief overview of SNARE, then cover the PDIOO methodology that Cisco Systems recommends for network designs.
Part 1: SNARE Overview
SNARE is an open source monitoring tool provided by the Intersect Alliance. It provides additional functionality above and beyond the default event log that Windows provides, and is capable of reporting from multiple operating systems.
SNARE stands for System Intrusion Analysis and Reporting Environment.
Why use SNARE?
• You can be very granular in the types of events you report on, and improve your security posture by looking for specific security-related events
• You can use the data collected to meet compliance reporting requirements such as SOX, HIPAA, and PCI
• It provides the collection mechanism needed to report events back to a full-featured Security Event Management [SEM] or Security Threat Management [STM] system such as Cisco CS-MARS
SNARE supports the following operating systems:
Linux, IRIX, AIX, Solaris, Tru64 and Windows (All Versions). See http://www.intersectalliance.com/.
I recommend that customers use SNARE because it allows for more granular reporting than most applications, and because the filtering occurs on the host rather than on the collection system. Many security event management systems collect every event from Windows hosts when a centralized collection process runs, and I do not think that the majority of events in the event logs are relevant for security purposes.
Distributed processing allows your centralized management system to handle more incoming events per second (EPS) and to process them closer to real time.
PDIOO
Cisco encourages all partners to become familiar with [indeed, requires partners to pass an exam on this topic] the PDIOO model: Plan, Design, Implement, Operate, and Optimize. I first came across the model in Priscilla Oppenheimer's Top-Down Network Design book (see http://www.amazon.com/Top-Down-Network-Design-Priscilla-Oppenheimer/dp/1578700698 ). I have found it to be an extremely useful paradigm for implementing security and network technologies. Keep in mind that this article is an overview; there is literally enough detail around the subject to fill a book.
I believe most, if not all, implementation projects can benefit from a well-thought-out plan, and using the PDIOO model can improve your uptime and stability if you do not currently have solid processes in place. Having said that, it does not always make sense to spend an inordinate number of hours planning if you are deploying a single firewall or if the environment is extremely small. Use common sense when deciding how to invest limited time and resources.
©2010 by Priveon, Inc.