09-13-2011 01:35 PM - edited 03-09-2019 11:40 PM
With Jazib Frahim
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco subject matter expert Jazib Frahim why enterprise network segments get compromised despite the state-of-the-art network security technologies and products that are deployed. Do they get compromised because of product or technology limitations, or are there other factors that cause the network infrastructure to be exposed to attackers? Jazib (CCIE 5459) is a technical leader in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He was previously a technical leader for Cisco's Technical Assistance Center (TAC) Security team, leading engineers in resolving complicated security and VPN technologies. He holds two CCIE certifications, one in routing and switching and the other in security. He has presented at Cisco Live on multiple occasions and has written numerous technical documents and books, including Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd editions); Cisco Network Admission Control, Volume II; and Cisco SSL VPN Solutions.
Jazib holds a bachelor's degree in computer engineering from the Illinois Institute of Technology and a master of business administration (MBA) degree from North Carolina State University.
Remember to use the rating system to let Jazib know if you have received an adequate response.
You can also read the questions he answered during the live event in this FAQ Document. You can also review the Live Webcast video in which Jazib gave a presentation on this topic.
Jazib might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through September 23, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
09-15-2011 01:27 AM
Hello Jazib Frahim,
you are welcome in CSC and we are honored to have you in an Ask the Expert session.
I would like to put some questions related to technologies that may improve security even if not directly tailored for security needs.
a) Is NetFlow, or similar mechanisms like sFlow (or jFlow), still considered a good network-wide IDS?
b) When combined with NetFlow, and given the current high-performance routing engines in border routers, would it be wise to accept a BGP full table even if not strictly needed for routing purposes, just to give NetFlow the capability to classify observed traffic flows? This was my position for a customer some years ago. What is your opinion?
c) Combining NetFlow (using origin AS) with MAC accounting allows measuring traffic volumes exchanged with peers at an internet exchange point without losing the information of the true origin AS that has published the prefix. Do you see this type of solution deployed in the US?
d) Over the years you and your colleagues have provided wonderful network hardening guides in Cisco Live events. Do you feel this has helped in improving adoption of recommended security guidelines? Or in small environments is SDM enough for newbies? (it is not; just see how many people have trouble with SDM and open threads)
e) IDS, IPS and FWs are the highest producers of log messages. Have you deployed or heard of clustering for syslog servers in order to deal with the expected very high rate of syslog messages sent by devices?
f) Do you agree that SSL VPN is gaining momentum over IPsec VPN?
g) Would you recommend keeping the same firmware version of FWSM or ASASM in all the network?
h) Do you agree that for high performance it is better to take dedicated appliances like the ASA 5580?
i) Is Cisco MARS widely adopted?
j) Given that all guidelines have to be adapted to the specific scenario, have you seen cases where people having troubles just turned off all security features in an attempt to recover?
sorry for the long post
Best Regards
Giuseppe
09-21-2011 01:53 PM
Any taker ?
sorry too many questions ...
I apologize, I didn't want to show my knowledge of security; actually I'm a newbie in security. I'm a little better in MPLS, NetFlow and MP-BGP, that is my core business.
Best Regards
CCIE SP#14802, CCNP, CCNA Voice, ITILv3 SMF, JNCIS-M, ..... what next ?
any suggestions, I know it is the wrong place I apologize
I don't know
09-23-2011 11:49 AM
Hi Giuseppe,
Thanks for posting all those good/useful questions. Let me try to address them one at a time.
regards,
Jazib
a) Each monitoring mechanism helps in providing layered security protection. For example, NF, or similar mechanisms, are useful to detect traffic-based (or zero-day) anomalies. However, IDS-based mechanisms are typically good at detecting signature/packet-level anomalies. So each mechanism provides some additional layer of defence.
b) I am not sure what else it buys you (other than AS origin etc.) to have the full BGP table from the NetFlow perspective. Many enterprises (unless they are extremely huge) do not really care about the BGP info in NetFlow. They are, however, interested in knowing the flow info (src/dst IP/port, protocol, etc.).
c) I haven't really seen too many customers doing that in the US. Like I said, most of them are interested in knowing the flow info (from an attack and security perspective).
d) I personally think it has helped to a certain degree, but not all enterprises follow those guides or recommendations. That's why when we do assessments on their networks, we see their networks wide open to inside/outside attacks. It really goes back to what I mentioned earlier. They really need to have the right processes/procedures in place and to be following those processes very closely. The processes/procedures may include device templates based around the hardening guides.
e) I have seen a number of customers deploying multiple SIEM engines to handle their syslog load.
f) Yes, that's certainly true. Even in Cisco, the focus is on SSL VPN.
g) Yes, so that you can do a quick analysis of your environment in case of a vulnerability announcement. Plus you only need to certify one code vs. certifying multiple images.
h) 5580 is already EoS. So either 5585s or ASASM, depending on what requirements you are trying to meet.
i) I do not have any stats, but I know a lot of our customers are/were using it.
-Jazib
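The distinction in answer (a), flow records catching traffic-shape anomalies that no payload signature describes, is easier to see with a small working detector. The following is an added example written for this page, not code from Jazib or from any Cisco product; the flow records, the address ranges (documentation prefixes) and the thresholds are all constructed for illustration, and the record layout is a reduced NetFlow v5-style tuple rather than a real export format.

```python
"""
Toy NetFlow-style anomaly detector (added example, constructed data).
Two flow-only detections, neither of which needs a byte of payload:
  * a horizontal port scan: one source, many (target, port) pairs, tiny flows
  * a volume outlier: one source exporting far more bytes than its peers
"""
from collections import defaultdict, namedtuple
from statistics import median

# A NetFlow v5-style record reduced to the fields the detector uses.
Flow = namedtuple("Flow", "src dst proto dport bytes packets")

# Constructed sample flows. 10.1.1.5 behaves like a scanner (one SYN-sized
# packet to each of 200 ports on one target); 10.1.1.9 ships far more data
# out than the rest of the subnet. 192.0.2.0/24 and 203.0.113.0/24 are
# documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    Flow("10.1.1.7", "192.0.2.10", 6, 443, 52_000, 60),
    Flow("10.1.1.8", "192.0.2.10", 6, 443, 48_000, 55),
    Flow("10.1.1.7", "192.0.2.25", 17, 53, 600, 4),
    Flow("10.1.1.9", "203.0.113.77", 6, 443, 900_000_000, 650_000),
] + [
    Flow("10.1.1.5", "192.0.2.30", 6, port, 60, 1) for port in range(1, 201)
]


def port_scan_sources(flows, min_pairs=50, max_packets=3):
    """Return {src: distinct (dst, port) pairs} for TCP sources that touched
    at least `min_pairs` distinct targets/ports with flows of at most
    `max_packets` packets each (a completed session has more)."""
    pairs_by_src = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= max_packets:
            pairs_by_src[f.src].add((f.dst, f.dport))
    return {src: len(p) for src, p in pairs_by_src.items() if len(p) >= min_pairs}


def volume_outliers(flows, k=5.0):
    """Return {src: total_bytes} for sources whose outbound byte count exceeds
    median + k * MAD of all sources in the batch. Median/MAD is used instead
    of mean/stddev because a single huge exporter inflates the stddev enough
    to hide itself when the population is small."""
    total = defaultdict(int)
    for f in flows:
        total[f.src] += f.bytes
    values = list(total.values())
    if len(values) < 2:
        return {}
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * mad
    return {src: b for src, b in total.items() if b > threshold}


def detect(flows):
    """Bundle both detections into one alert list."""
    alerts = []
    for src, n in port_scan_sources(flows).items():
        alerts.append(f"{src}: probable port scan, {n} distinct target/port pairs")
    for src, b in volume_outliers(flows).items():
        alerts.append(f"{src}: outbound volume outlier, {b} bytes")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_FLOWS):
        print(line)
```

Neither function looks at payload, so a polymorphic or encrypted tool that keeps its traffic shape ordinary passes both checks; that is exactly the gap a signature IDS is meant to cover, and why the two are complementary rather than interchangeable.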
09-15-2011 02:44 PM
Jazib,
Can defining a metric-based system really help in securing my network infrastructure?
Thanks John V.
09-16-2011 09:57 AM
Good afternoon John,
Defining a metric-based system is a step in the right direction. Like I mentioned in my webcast, you cannot have a 100% secure infrastructure no matter what you do. But with layered security, you can minimize the risk of a network anomaly.
Hope that helps
-Jazib
09-16-2011 12:12 AM
I had done a webinar on current network security issues recently. My points were
1. Malware is getting complex and today is the era of non-signature network malware
2. Erosion of the network perimeter with the advent of telecommuting, which results in malware being carried into the network
3. The increasing speed - 10G to 100G networks transition may soon happen.
4. Complex meshed networks, more applications and more network services
Considering these factors, will a security system based on IDS, firewall and NetFlow based anomaly detection alone be sufficient to stop threats?
Are there alternates to these systems for network security purposes?
I believe most of networks today have IDS and firewalls. Why do anomalies still come beyond these systems?
Regards,
Don Thomas Jacob
09-16-2011 12:09 PM
Hi Don,
As the environments are getting complex, the traditional security technological mechanisms are not enough. That's why we need to be creative in our preventive solutions. What we have seen is:
1) Network/Security devices deployed but not configured based on the leading security practices
2) Network/Security devices deployed and configured but no proper operations defined to manage them
3) Network/Security devices deployed/configured with proper procedures defined to manage them but those are not followed.
That's why operational security is critical even if you have millions of $$$$ worth of network gear (in the form of FWs, IDS and other security products/technologies).
regards,
Jazib
09-19-2011 12:35 AM
Hi Jazib,
In wireless networks we can configure PSPF (Public Secure Packet Forwarding) or P2P blocking to prevent clients talking to one another in the same VLAN. How can we extend this feature to the wired ports, so the clients have access to corporate and internet resources but cannot attack other clients in the same VLAN?
Do I need to configure PVLANs or is there a simpler feature?
Thanks
09-20-2011 12:27 PM
Hi there,
PVLAN is certainly one option. If you have identity-based solutions (around 802.1X), you can even apply ACLs per host behind the shared port to achieve something similar.
regards,
Jazib
09-19-2011 03:26 AM
Hi Jazib.
I missed the webcast, where can I view or download the video?
Thanks
Zubair
09-20-2011 12:28 PM
Hi Zubair,
I am not 100% sure. Let me check with the Cisco team and find out.
-Jazib
09-20-2011 04:21 PM
Hello Zubair,
The recording of the webcast will be posted here
https://supportforums.cisco.com/community/netpro/ask-the-expert/webcasts
at the end of this week.
Thank you,
Cisco Support Community Moderator
09-20-2011 07:34 AM
Hi Jazib.
Thank you for letting us pick your brain (so to speak).
I have a couple of questions regarding amongst other things VPN.
1) The flooding of different types of licenses for the ASA.
Today the ASA can be found in almost any flavor or variation there of when it comes to the VPN options.
This makes it quite difficult for us out in the field to know what each firewall can do or what licenses to acquire.
Add to that a ca. 5-day delivery period for the software license after ordering, and it becomes cumbersome for us out in the field.
What are your thoughts about this topic ?
2) Anyconnect vs IPSEC client.
Personally I do not like the anyconnect and do not want to leave the IPSEC Client.
What can you tell me to change my mind. Please change my mind !
3) One of the big things of security are to know what is happening and where, ie logging.
Today we have the CS-MARS.
But that is about to be discontinued.
Any ideas about what is to replace the CS-MARS ?
4) One of the big things of security is how to check and double check your configuration and that it does what you think it should do.
Are there any good best practices on how to configure and check your configuration on the network level in different types of network. something like general rules and guidelines ?
Thank you very much for your time.
Regards
Hobbe
09-20-2011 12:38 PM
Hi Hobbe,
Let me see if I can answer some of your queries here:
1) I understand the complexities around the ASA licenses. I know for some of the products we are trying to come out with simpler options (Cisco ISE is one example). I can certainly forward your comment to the ASA product team, but I am not sure if I could do anything to simplify it for you.
2) I know the IPsec client is great, I still use it for accessing the VPN network. I don't want to give you all the technical/marketing/sales advantages of AnyConnect over the IPsec client. However, Cisco's direction is with the AnyConnect client, so you just need to prepare yourself for that in case we don't invest too many resources into developing the IPsec client.
3) I am sure you know we have an ecosystem of SIEM partners. At this point, I can only point you to the following link:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/ns1090/landing_siem.html
4) You need a better configuration management platform to help you with that. One big thing that I preach is the use of automated intelligence whenever configurations are being modified. Cisco Enterprise Orchestrator is one example, but I am sure there are other options available as well.
Hope that helps
-Jazib