Posts for: ##security

Five Functional Facts about TACACS+ in ISE 2.0

The oft-requested and long awaited arrival of TACACS+ support in Cisco's Identity Services Engine (ISE) is finally here starting in version 2.0. I've been able to play with this feature in the lab and wanted to blog about it so that existing ISE and ACS (Cisco's Access Control Server, the long-time defacto TACACS+ server) users know what to expect.

Below are five facts about how TACACS+ works in ISE 2.0.

Read more β†’

Packets of Interest (2015-06-19)

It's been a while since I've done a POI so here we go. The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them. Diffie-Hellman Key Exchange Diffie-Hellman (DH) is the world's first public key crypto system.
Read more β†’

Role Based Access Control in IOS

I don't believe this is well known: Cisco IOS has Role Based Access Control (RBAC) which can be used to create and assign different levels of privileged access to the device. Without RBAC there are two access levels in IOS: a read-only mode with limited access to commands and no ability to modify the running config (also called privilege level 1) and enable mode with full administrative access. There is no middle ground; it's all or nothing. RBAC allows creation of access levels somewhere between nothing and everything. A common use case is creating a role for the first line NOC analyst which might allow them to view the running config, configure interfaces, and configure named access-lists.

Read more β†’

Who? What? When? Wired? Wireless? With Cisco ISE

Cisco's Identity Services Engine (ISE) is a powerful rule-based engine for enabling policy-based network access to users and devices. ISE allows policy enforcement around the Who?, What?, and When? of network access.

  • Who is this user? A guest? An internal user? A member of the Finance department?
  • What device is the user bringing onto the network? A corporate PC? A Mac? A mobile device?
  • When are they connecting? Are they connecting to the secure network during regular business hours or at 02:00 in the morning?

These questions can all be answered easily within ISE and are all standard policy conditions that are relatively easy to implement. In the post below I'm going to focus on the How? β€” How is the user or device connecting to the network? Asked another way, the question is Wired? or Wireless?

Read more β†’

VPN Host Checker vs. AD Group Policy

This post is for anyone who administers a Juniper SSL VPN. I saw an issue in our environment recently that was created by an unexpected interaction between two different systems that were working to enforce our computer security policy. Because the way the systems were configured is pretty common and because the issue is not specifically warned against by Juniper, I'm going to share it here.

Read more β†’