http://www.delaat.net/rp/2015-2016/p87/report.pdf
Reading through this now, it's worth it if you do NAC stuff.
thanks, interesting read.
So basically you can passively MITM snoop, but any active traffic needs a SNAT / MAC SNAT and you need to be physically in-line?
Correct. I knew about the IPv4 devices, interesting to see that a bit of modification can get us to IPv6 compromises, as well.
This kind of penetration would not go with some guy trying to spread ransomware or other bogeymen like that. This sort of penetration would go with an organized outfit, looking to harvest data like trade secrets or stuff like that. The researchers asked the question if 4G could be used to talk to the inline box and the answer is yes. That would enable data exfiltration as well as the injection of malware to attempt to compromise other points on the network.
This is where NAC endpoint interrogation becomes important. Also application whitelisting.
The researcher talks about some difficult-to-implement countermeasures. One that I'm aware of - because I use the product - is ForeScout CounterACT's ability to use a SPAN port both for monitoring and injection. If it picks up scanning activity from an unauthorized host, it can block that traffic through several different responses, like an ACL on the port or MAC address, VLAN switching, virtual firewall, or flat-out port block.
If the hacker is scanning from a device that is authorized to do port scans, well, you're hosed. Better have some more defenses in that case...
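A defender-side sketch of the detect-then-respond loop described in the post above, as an added example (not CounterACT code and not from the report): it runs a scan detector over constructed connection records, then picks a response depending on whether the scanning source is an authorised scanner. The record format, the thresholds, the authorised-scanner MAC and the escalation rule are all assumptions.

```python
from collections import defaultdict

# Constructed connection records (time_s, src_mac, dst_ip, dst_port), the kind
# of summary a SPAN-port collector could hand to a NAC. One source sweeps ten
# targets, one makes two ordinary connections, one is the site's own scanner
# (assumed MAC), and one probes six ports on a single host.
SAMPLE_CONNECTIONS = (
    [(1 + i // 4, "00:11:22:33:44:55", f"10.0.5.{30 + i // 5}", p)
     for i, p in enumerate([22, 80, 443, 445, 3389, 22, 80, 445, 135, 139])]
    + [(4, "aa:bb:cc:dd:ee:ff", "10.0.5.30", 443),
       (5, "aa:bb:cc:dd:ee:ff", "10.0.5.31", 22)]
    + [(20 + i, "de:ad:be:ef:00:01", "10.0.5.30", 1000 + i) for i in range(9)]
    + [(30, "12:34:56:78:9a:bc", "10.0.5.50", p) for p in (21, 22, 23, 25, 80, 110)]
)

AUTHORISED_SCANNERS = {"de:ad:be:ef:00:01"}  # assumed: the vuln scanner's MAC
WINDOW_S = 10        # assumed sliding window length
SCAN_THRESHOLD = 5   # assumed: distinct (dst_ip, dst_port) targets in a window


def detect_scanners(records, window_s=WINDOW_S, threshold=SCAN_THRESHOLD):
    """Map each source MAC that hits >= threshold distinct (dst_ip, dst_port)
    targets inside any window_s-second window to its peak target count."""
    by_src = defaultdict(list)
    for t, mac, ip, port in sorted(records):
        by_src[mac].append((t, (ip, port)))
    flagged = {}
    for mac, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            targets = {tgt for _, tgt in events[start:end + 1]}
            if len(targets) >= threshold:
                flagged[mac] = max(flagged.get(mac, 0), len(targets))
    return flagged


def choose_response(src_mac, distinct_targets, authorised=AUTHORISED_SCANNERS):
    """Pick a NAC response for a scanning source. Behaviour drives the call, not
    address: an inline bypass box borrows the authenticated endpoint's MAC/IP,
    so address-based trust alone cannot tell the two apart. Escalation rule is
    an assumption: a wide sweep gets the port blocked, a smaller one a MAC ACL."""
    if src_mac in authorised:
        return "allow"
    return "port_block" if distinct_targets >= 2 * SCAN_THRESHOLD else "mac_acl"


def triage(records):
    """Run detection over a batch of records and return {src_mac: response}."""
    return {mac: choose_response(mac, n) for mac, n in detect_scanners(records).items()}
```

The authorised scanner is still reported by `detect_scanners`; only the response differs, which matches the "you're hosed" case above: behaviour that looks like the trusted scanner's gets waved through, so that allow-list needs to stay short.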
I have a meeting at Cisco's office tomorrow to learn and gather info about their new product "DNA". I *think* .1X is one component of this.
If it's software defined access then yeah. ISE for everything. There's your contracts a la ACI. Except LISP, not the internal database, for location.
Quote from: Dieselboy on July 24, 2017, 02:56:21 AM
I have a meeting at Cisco's office tomorrow to learn and gather info about their new product "DNA". I *think* .1X is one component of this.
It's a critical component, from the Cisco point of view. That's what ISE rides on for endpoint detection and admission security. ISE is itself the means by which enforcement of policies is handled on the endpoint level.
Cisco's strategy is to get wall-to-wall Cisco, but in the security sphere, I've questioned that strategy. Granted, I'm partial to ForeScout CounterACT over Cisco ISE, but that's a partiality that's borne out in the test of time. Everything that Cisco talks about in the security sphere can be replicated with other vendors' gear. The question then comes up about what is it the other vendors provide that keeps them in business, even when they go head to head with Cisco in all-Cisco shops? For some it's price or that they've scaled to target a particular market, for others, it's quality. Cisco's response to both is to get very aggressive on price and get the product in the door as a loss leader, knowing it will generate further business in the implementation and maturation process.
When I say "generate more business", it's not a mustache-twirling muhuhahaha sort of thing, but requisite modernization of the switching enterprise to support the latest code from Cisco. More like accelerating the EoL replacement cycle.
Quote from: deanwebb on July 24, 2017, 10:31:35 AM
Quote from: Dieselboy on July 24, 2017, 02:56:21 AM
I have a meeting at Cisco's office tomorrow to learn and gather info about their new product "DNA". I *think* .1X is one component of this.
It's a critical component, from the Cisco point of view. That's what ISE rides on for endpoint detection and admission security. ISE is itself the means by which enforcement of policies is handled on the endpoint level.
Cisco's strategy is to get wall-to-wall Cisco, but in the security sphere, I've questioned that strategy. Granted, I'm partial to ForeScout CounterACT over Cisco ISE, but that's a partiality that's borne out in the test of time. Everything that Cisco talks about in the security sphere can be replicated with other vendors' gear. The question then comes up about what is it the other vendors provide that keeps them in business, even when they go head to head with Cisco in all-Cisco shops? For some it's price or that they've scaled to target a particular market, for others, it's quality. Cisco's response to both is to get very aggressive on price and get the product in the door as a loss leader, knowing it will generate further business in the implementation and maturation process.
When I say "generate more business", it's not a mustache-twirling muhuhahaha sort of thing, but requisite modernization of the switching enterprise to support the latest code from Cisco. More like accelerating the EoL replacement cycle.
It's all a question of security. Take the OpenSSL vulnerabilities of last/this year: put all your eggs in one basket and you're asking for trouble. Back at the secure place I last worked, multi-vendor was very important, so that if one vendor has a known vulnerability, one of the others may not. Hopefully you've built enough layers around your critical infrastructure that if 2 or 3 vendors have the same or similar vulnerability it doesn't leave you vulnerable.