09/08/10

Permalink 03:26:04 pm, by Larry Boggis, 20 words
Categories: Priveon News

We're Hiring!

Priveon has an immediate opening for a Systems Consultant in North Carolina. Additional details are posted on our careers page.

08/13/10

Permalink 09:20:22 am, by Zach Brewer, 805 words
Categories: Cisco NAC, Cisco Security

Cisco NAC 4.8 New Feature Overview

As Larry posted previously, NAC 4.8 was released on 07/08/2010. This entry highlights a few of the enhancements and changes in NAC release 4.8.

New Reports

Reporting features in NAC 4.8 have been greatly enhanced, including:

  • New dashboard view
  • The option to create canned reports
  • Compliant vs. noncompliant systems report
  • AV and OS reporting

Reports can now be scheduled (hourly/daily/monthly) and saved as PDF or HTML. In addition, the reports exist as XML files on disk on the NAC appliance, so external reporting tools can be used to pull them.

User activity logging is now in XML format and includes: Username, Hostname, MAC, IP, Role, OS, VLAN, Session Length, Activity Time, and Login Failure/Success.

In addition, log files are now held historically for 90 days.
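Because the 4.8 activity log is XML, it is easy to feed into your own detections rather than waiting on the canned reports. The script below is an added example (not Priveon's or Cisco's code) that parses a constructed sample log and flags repeated login failures, one MAC used by several usernames, and sessions that land in the wrong VLAN for their role. The element and attribute names, the sample events and the role-to-VLAN mapping are assumptions built from the field list above; adjust them to the real file on the CAM.

```python
"""Quick detections over the NAC 4.8 user-activity log.

Added example, not Priveon's or Cisco's code. The <activity>/<event> layout
and the attribute names below are ASSUMED from the field list in the post
(Username, Hostname, MAC, IP, Role, OS, VLAN, Session Length, Activity Time,
Login Failure/Success); check the real XML on the CAM and rename accordingly.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample log; not captured from a real appliance.
SAMPLE_LOG = """<?xml version="1.0"?>
<activity>
  <event username="jdoe" hostname="JDOE-PC" mac="00:11:22:33:44:55" ip="10.10.20.15"
         role="Employee" os="Windows 7" vlan="20" sessionLength="3600"
         activityTime="2010-08-12T08:01:10" result="Success"/>
  <event username="mallory" hostname="LAB-01" mac="00:aa:bb:cc:dd:01" ip="10.10.10.44"
         role="" os="Windows XP" vlan="10" sessionLength="0"
         activityTime="2010-08-12T08:05:02" result="Failure"/>
  <event username="mallory" hostname="LAB-01" mac="00:aa:bb:cc:dd:01" ip="10.10.10.44"
         role="" os="Windows XP" vlan="10" sessionLength="0"
         activityTime="2010-08-12T08:05:09" result="Failure"/>
  <event username="mallory" hostname="LAB-01" mac="00:aa:bb:cc:dd:01" ip="10.10.10.44"
         role="" os="Windows XP" vlan="10" sessionLength="0"
         activityTime="2010-08-12T08:05:15" result="Failure"/>
  <event username="guest2" hostname="JDOE-PC" mac="00:11:22:33:44:55" ip="10.10.20.15"
         role="Guest" os="Windows 7" vlan="20" sessionLength="600"
         activityTime="2010-08-12T12:30:00" result="Success"/>
  <event username="visitor" hostname="VISITOR-LT" mac="00:aa:bb:cc:dd:02" ip="10.10.30.7"
         role="Guest" os="Mac OS X" vlan="30" sessionLength="1200"
         activityTime="2010-08-12T13:00:00" result="Success"/>
</activity>
"""

EXPECTED_VLAN = {"Employee": "20", "Guest": "30"}   # assumed role-to-VLAN policy


def parse_events(xml_text):
    """Return one dict per <event>, keyed by attribute name."""
    root = ET.fromstring(xml_text)
    return [dict(e.attrib) for e in root.iter("event")]


def login_failures_by_user(events, threshold=3):
    """Usernames with at least `threshold` failed logins (guessing, or a broken client)."""
    fails = Counter(e["username"] for e in events if e["result"] == "Failure")
    return {u: n for u, n in fails.items() if n >= threshold}


def macs_with_multiple_users(events):
    """MAC addresses that successfully logged in under more than one username."""
    users = defaultdict(set)
    for e in events:
        if e["result"] == "Success":
            users[e["mac"]].add(e["username"])
    return {m: sorted(u) for m, u in users.items() if len(u) > 1}


def role_vlan_mismatches(events, expected=EXPECTED_VLAN):
    """Successful sessions that landed in a VLAN other than the one their role should get."""
    return [(e["username"], e["role"], e["vlan"]) for e in events
            if e["result"] == "Success"
            and e["role"] in expected and expected[e["role"]] != e["vlan"]]


EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    print("failed logins:", login_failures_by_user(EVENTS))
    print("shared MACs:", macs_with_multiple_users(EVENTS))
    print("role/VLAN mismatches:", role_vlan_mismatches(EVENTS))
```

The role/VLAN check is the one worth keeping an eye on: a Guest-role session sitting in the Employee VLAN is exactly the kind of thing the dashboard's compliant/non-compliant counts will not surface on their own.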

The dashboard view includes licensing, CPU/memory load, number of users per server, auth servers, OOB switches, the top ten non-compliant hosts, and more.

NAC 4.8 Dashboard

Note: SYSTEM-level syslog messages can now be sent to a syslog server (in addition to NAC events). On the CAM, syslog messages are written to /var/log/messages.

VLAN Detect Enhancements

The VLAN Detect feature, introduced in NAC 4.6, determines when a PC holds an IP address that does not belong to its current VLAN, and initiates a DHCP refresh when it finds such a mismatch.

Prior to NAC 4.8 this was a user-level process, running only after the user logged in to Windows. If the user logged off, the agent could no longer detect the VLAN/IP mismatch and the DHCP refresh would not occur.

In NAC 4.8, VLAN Detect runs as a service-level process, so a user logout no longer prevents detection of a VLAN/IP mismatch.

VLAN detect is enabled by setting the appropriate configuration options in NACAgentCFG.xml.

Note: All NAC 4.8 NACAgentCFG.xml options can be viewed here.

Out of Band (OOB) Logoff

A common problem with previous NAC versions was that users behind IP phones remained in the online users list after disconnecting. This happens because the phone keeps the switch port up, so the CAM never receives an SNMP linkdown trap for it.

The OOB logoff feature now uses a heartbeat timer, so a host can still be logged off when no SNMP linkdown trap ever arrives.

The OOB logoff feature is initiated by the agent in the Access VLAN. The agent uses UDP 8906 or TCP 8905 to communicate with the CAS.

Note that the VLAN Detect feature (discussed above) must be enabled in order for the NAC agent to detect which VLAN (Auth/Access/etc.) it is currently in.
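To make the failure mode and the 4.8 fix concrete, here is a small Python model (an added example, not Cisco's implementation) of how the CAM tracks online OOB users. It shows a PC behind an IP phone being unplugged: with no linkdown trap the pre-4.8 CAM keeps the stale entry, while the heartbeat timer removes it once the agent goes quiet. The timeout value, event names, port names and MACs are constructed for the example.

```python
"""Model of why OOB users behind IP phones stayed online, and how the 4.8 heartbeat fixes it.

Added example and a simplified model, not Cisco's implementation. A CAM
normally removes an Out-of-Band user when the switch sends an SNMP linkdown
trap for the port. With an IP phone between switch and PC, unplugging the PC
does not take the switch port down, so no trap arrives. NAC 4.8 adds an agent
heartbeat; if it stops, the CAM logs the user off anyway. The timeout value
and the event names here are assumptions.
"""
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 300   # seconds of silence before the CAM logs the host off (assumed value)


@dataclass
class OnlineUser:
    mac: str
    port: str
    last_heartbeat: float


@dataclass
class CleanAccessManager:
    use_heartbeat: bool                 # False models the pre-4.8 behaviour
    users: dict = field(default_factory=dict)

    def login(self, mac, port, now):
        self.users[mac] = OnlineUser(mac, port, now)

    def snmp_linkdown(self, port):
        """Switch reported the port down: everyone on that port is logged off."""
        for mac in [m for m, u in self.users.items() if u.port == port]:
            del self.users[mac]

    def heartbeat(self, mac, now):
        """Agent in the Access VLAN reported in (over UDP 8906 / TCP 8905 in the real product)."""
        if mac in self.users:
            self.users[mac].last_heartbeat = now

    def sweep(self, now):
        """Periodic timer: log off hosts whose agent has gone quiet. Returns the MACs removed."""
        if not self.use_heartbeat:
            return []
        expired = [m for m, u in self.users.items()
                   if now - u.last_heartbeat > HEARTBEAT_TIMEOUT]
        for mac in expired:
            del self.users[mac]
        return expired


def phone_scenario(use_heartbeat):
    """PC behind an IP phone logs in, heartbeats, then is unplugged at t=100.
    The phone keeps the switch port up, so snmp_linkdown() is never called."""
    cam = CleanAccessManager(use_heartbeat)
    mac = "00:11:22:33:44:55"
    cam.login(mac, "GigabitEthernet1/0/7", now=0)
    for t in (30, 60, 90):
        cam.heartbeat(mac, t)
    cam.sweep(now=100 + HEARTBEAT_TIMEOUT + 1)
    return sorted(cam.users)


def direct_scenario():
    """PC directly on the port: the linkdown trap alone is enough, even without heartbeats."""
    cam = CleanAccessManager(use_heartbeat=False)
    cam.login("00:11:22:33:44:66", "GigabitEthernet1/0/8", now=0)
    cam.snmp_linkdown("GigabitEthernet1/0/8")
    return sorted(cam.users)


if __name__ == "__main__":
    print("pre-4.8, behind phone:", phone_scenario(False))    # stale entry remains
    print("4.8 heartbeat, behind phone:", phone_scenario(True))
    print("direct on port, linkdown trap:", direct_scenario())
```

The model also makes the dependency on VLAN Detect obvious: the heartbeat is only meaningful if the agent knows it is in the Access VLAN, which is what VLAN Detect establishes.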

Out of Band (OOB) On-Line User Enhancements

The Access VLAN IP address of OOB users is now tracked in the OOB online users list in addition to the Auth VLAN IP address. Note that the agent is required for this feature.

Passive Reassessment

In NAC 4.8, users who have already passed NAC posture assessment can be forced back through it. The agent receives the reassessment policy from the NAC server. Reassessment is assigned per NAC user role, and when a user fails reassessment NAC 4.8 can remediate, continue, or log off the user.

Note that the minimum reassessment period is 1 hour.

Agent Customization

NAC agent installs now have a customizable look and feel: NACAgentCFG.xml files can be edited and uploaded to the NAC Manager, and the agent can be branded with a custom company name and logo.

New OOB Switch Support

New switches supported in NAC 4.8 include:

  • Catalyst 2960
  • Catalyst 2960-S
  • Catalyst 2975
  • Catalyst 3560-X
  • Catalyst 3750-X

For all NAC 4.8 supported switches, please see here.

Authorized Admin IPs

In NAC 4.8, you can restrict both web admin and SSH access to a list of authorized IP addresses; connections from any other source IP are blocked.

AD SSO support without KTPASS

A common issue in previous versions of NAC was administrators mistyping one of the many command-line options of the KTPASS tool used to set up NAC/AD SSO.

NAC 4.8 now supports setting this up with the GUI-based Microsoft Resource Kit (ResKit) tool LDP.exe instead. For more information on LDP.exe, see the LDP.exe TechNet page.

NAC agent will only respond to specified servers

The NAC agent can now be configured to trust only specified NAC servers or domain names. A server or domain name that is not on the list will not cause the agent to pop up.

Faster AV/AS Support

Turnaround time for adding support for new AV/AS products and versions has been shortened in NAC 4.8.

New RADIUS Enhancements

NAC 4.8 now supports additional RADIUS attributes and behaviours, including:

  • Support for the IETF RADIUS Session-Timeout attribute (attribute type 27): NAC 4.8 now honors the session timeout returned by the RADIUS server
  • Per-session attributes irrespective of role
  • Support for advanced time profiles (time used, time from login) when integrated with the NAC Guest Server
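Session-Timeout is a plain IETF TLV, so it is worth seeing what the appliance actually receives and what it should check before honoring it. The Python below is an added example (not Cisco's code) that builds a RADIUS Access-Accept carrying Class and Session-Timeout (type 27), verifies the Response Authenticator against the shared secret before trusting anything in the reply, and extracts the timeout. The shared secret, packet identifier, request authenticator and attribute values are all constructed for the example.

```python
"""Parse a RADIUS Access-Accept and pull out Session-Timeout (IETF attribute 27).

Added example, not Cisco's code. Layout per RFC 2865: Code(1) Identifier(1)
Length(2) Authenticator(16), then attributes as Type(1) Length(1) Value.
Session-Timeout carries a 32-bit big-endian number of seconds. The shared
secret, request authenticator and attribute values below are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_CLASS = 25
ATTR_SESSION_TIMEOUT = 27
HEADER_LEN = 20


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    authenticator = packet[4:HEADER_LEN]
    attrs, offset = [], HEADER_LEN
    while offset < length:
        if length - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return code, ident, authenticator, attrs


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + body + secret).digest()


def verify_response(packet, request_auth, secret):
    """True only if the reply was produced by a server holding the shared secret."""
    code, ident, auth, _ = parse_radius(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = response_authenticator(code, ident, length, request_auth,
                                      packet[HEADER_LEN:length], secret)
    return hmac.compare_digest(expected, auth)


def session_timeout_seconds(packet, request_auth, secret):
    """Seconds to allow, or None if the reply is not an authentic Access-Accept carrying attr 27."""
    if not verify_response(packet, request_auth, secret):
        return None
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype == ATTR_SESSION_TIMEOUT:
            if len(value) != 4:
                raise ValueError("Session-Timeout value must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None


def build_response(code, ident, attrs, request_auth, secret):
    """Build a reply the way a RADIUS server would (used here only to construct sample input)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    length = HEADER_LEN + len(body)
    auth = response_authenticator(code, ident, length, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


# Constructed inputs; in real traffic the request authenticator is random per request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_response(
    ACCESS_ACCEPT, 7,
    [(ATTR_CLASS, b"Employee"), (ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600))],
    REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print("Session-Timeout:", session_timeout_seconds(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

The authenticator check is the part to keep: a NAS that applies Session-Timeout, or a Class value that maps to a role, from a reply it has not verified lets anyone who can spoof UDP to it set session policy, so the shared secret and the request authenticator are what make the returned attribute worth honoring.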

While I've barely scratched the surface of NAC 4.8, you can see that a lot of work was put into this release. For a full list of enhancements, upgrade paths, and configuration options, please see the links in Larry's last entry.

08/03/10

Permalink 02:11:30 pm, by Zach Brewer, 41 words
Categories: Malware Analysis, Application Whitelisting, Bit9

Priveon Labs Publishes New White Paper: Using Application Whitelisting to Prevent Real-World Threats

Priveon Labs publishes new white paper: Using Application Whitelisting to Prevent Real-World Threats (Malware Prevention with Bit9: A Practical Example)

This white paper details the use and success of Application Whitelisting and the Bit9 Parity product against a real-world attack scenario.

 

07/28/10

Permalink 09:59:53 am, by Larry Boggis, 120 words
Categories: Cisco NAC, Cisco Security

Cisco NAC 4.8 Now Available

Cisco has announced the immediate availability of Network Admission Control (NAC) Release 4.8.0. This latest software release contains many new enhancements including:

  • Support for Cisco NME-NAC Platforms
  • Administrator Access Restriction
  • Out-of-Band Logoff
  • In-Band and Out-of-Band Filter Behavior Enhancements
  • Fast-OPSWAT
  • RADIUS Session Timeout
  • Passive Re-assessment
  • Reporting Enhancements
  • Agent Customization
  • Agent Authorizes CAS
  • Field-Replaceable FIPS Card for HP-Based Cisco NAC Appliances
  • ..plus others

To accompany the Cisco NAC Appliance Release 4.8, the following new documentation is also available on Cisco.com:

Release Notes for Cisco NAC Appliance, Version 4.8

Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8

Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8

Cisco NAC Appliance Hardware Installation Guide, Release 4.8

Cisco NAC Appliance FIPS Card Field-Replaceable Unit Installation Guide

06/23/10

Application Whitelisting and MS Authenticode

F-Secure has recently reported "...tens of thousands of malware samples that have been signed" with Microsoft Authenticode.

Microsoft Authenticode uses digital signatures (code signing) to authenticate software and to tell the user that it was signed by a publisher whose certificate was issued by a trusted certification authority (CA).

In theory, recently downloaded software that carries a valid Authenticode signature is less likely to have been tampered with or to contain malware. Depending on the IE policy, some Authenticode-signed software can even bypass IE security zones (http://support.microsoft.com/kb/174360).

(For a detailed TechNet article on Authenticode, see the link at the end of this post.)

Once software is downloaded, some security products, including HIDS, HIPS, and AV solutions, may even ignore Authenticode-signed executables entirely; at the very least, many of them apply less scrutiny to signed code.

Priveon recommends the following for prevention of Authenticode signed malware:

1) Keep systems up to date. Microsoft updates commonly include updated trusted Certificate Authority certificates for IE and Windows. (Priveon recommends BigFix for endpoint management and automated patch deployment.)

2) As the F-Secure research shows, malware can carry a trusted Authenticode signature. In addition to keeping endpoints current on hotfixes, Priveon recommends a trusted endpoint security solution such as Bit9. When properly deployed, Bit9 application whitelisting protects systems against unknown and untrusted executables, including Authenticode-signed ones. Beyond preventing malware outbreaks, Bit9 provides detailed reporting and alerts administrators to opportunities for application analysis and user education.

For more information on Application Whitelisting solutions and Bit9 or BigFix, please contact a Priveon representative.

F-Secure: http://www.f-secure.com/weblog/archives/00001973.html

F-Secure Research: http://www.f-secure.com/weblog/archives/Jarno_Niemela_its_signed.pdf

Authenticode Technet Article: http://technet.microsoft.com/en-us/library/cc750035.aspx


Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.
