With Jazib Frahim
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco subject matter expert Jazib Frahim why enterprise network segments get compromised despite the state-of-the-art network security technologies and products that are deployed. Do they get compromised because of product or technology limitations, or are there other factors that cause the network infrastructure to be exposed to attackers? Jazib (CCIE 5459) is a technical leader in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He was previously a technical leader for Cisco's Technical Assistance Center (TAC) Security team, leading engineers in resolving complicated security and VPN technologies. He holds two CCIE certifications, one in routing and switching and the other in security. He has presented at Cisco Live on multiple occasions and has written numerous technical documents and books, including Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd editions); Cisco Network Admission Control, Volume II; and Cisco SSL VPN Solutions.
Jazib holds a bachelor's degree in computer engineering from the Illinois Institute of Technology and a master of business administration (MBA) degree from North Carolina State University.
Remember to use the rating system to let Jazib know if you have received an adequate response.
Jazib might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through September 23, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Hello Jazib Frahim,
you are welcome in CSC and we are honored to have you in an Ask the Expert session.
I would like to put some questions related to technologies that may improve security even if not directly tailored for security needs.
a) Is NetFlow, or similar technologies like sFlow (or jFlow), still considered a good network-wide IDS?
b) When combined with NetFlow, and given the high-performance routing engines in current border routers, would it be wise to accept a BGP full table even if not strictly needed for routing purposes, just to give NetFlow the capability to classify observed traffic flows? This was my position for a customer some years ago. What is your opinion?
c) Combining NetFlow (using AS origin) with MAC accounting allows measuring traffic volumes exchanged with peers in an Internet exchange point without losing the information about the true origin AS that published the prefix. Do you see this type of solution deployed in the US?
d) Over the years you and your colleagues have provided wonderful network hardening guides at Cisco Live events. Do you feel this has helped in improving adoption of recommended security guidelines? Or, in small environments, is SDM enough for newbies? (Just see how many people have trouble with SDM and open threads about it.)
e) IDS, IPS and FWs are the highest producers of log messages. Have you deployed, or heard of, clustering for syslog servers in order to deal with the expected very high rate of syslog messages sent by devices?
f) Do you agree that SSL VPN is gaining momentum over IPsec VPN?
g) Would you recommend keeping the same firmware version on all FWSM or ASA devices in the network?
h) Do you agree that for high performance it is better to use dedicated appliances like the ASA 5580?
i) Is Cisco MARS widely adopted?
l) Given that all guidelines have to be adapted to the specific scenario, have you seen cases where people having trouble just turned off all security features in an attempt to recover?
sorry for the long post
Any takers?
sorry, too many questions ...
I apologize, I didn't want to show off my knowledge of security; actually I'm a newbie in security. I'm a little better in MPLS, NetFlow and MP-BGP, which is my core business.
CCIE SP #14802, CCNP, CCNA Voice, ITILv3 SMF, JNCIS-M, ..... what next?
Any suggestions? I know it is the wrong place, I apologize.
I don't know
Thanks for posting all those good/useful questions. Let me try to address them one at a time.
a) Each monitoring mechanism helps in providing layered security protection. For example, NetFlow, or similar mechanisms, are useful to detect traffic-based (or zero-day) anomalies. However, IDS-based mechanisms are typically good at detecting signature/packet-level anomalies. So each mechanism provides some additional layer of defence.
b) I am not sure what else it buys you (other than AS origin etc.) to have the full BGP table from the NetFlow perspective. Many enterprises (unless they are extremely huge) do not really care about the BGP info in NetFlow. They are, however, interested in knowing the flow info (src/dst IP/port, protocol etc.).
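To make the point in a) concrete, here is what "NetFlow as a network-wide IDS" looks like in practice: no signatures, only flow-level behaviour. This is an added example, not code from the thread or from any Cisco product. The flow records, the per-source byte baselines and the thresholds are all constructed for the illustration and would need tuning on a real network.

```python
"""Flow-based anomaly detection over NetFlow-style records.

Added example, not from the thread: shows what "NetFlow as a network-wide
IDS" looks like in practice. The flow records below are constructed and
the thresholds and baselines are assumptions to tune per network.
"""
from collections import defaultdict

# Constructed 7-tuple records: (src, dst, proto, sport, dport, packets, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.2.0.10", 6, 51000, 443, 40, 52000),        # ordinary HTTPS
    ("10.1.1.5", "10.2.0.11", 6, 51001, 443, 35, 48000),
    ("10.1.1.6", "10.2.0.10", 17, 53000, 53, 2, 180),           # DNS
    ("10.1.1.5", "203.0.113.9", 6, 52000, 443, 4000, 6000000),  # bulk upload
]
# Horizontal scan: one source, 30 hosts, same port, one packet per flow
SAMPLE_FLOWS += [("10.1.1.77", f"10.2.0.{i}", 6, 40000 + i, 445, 1, 60)
                 for i in range(1, 31)]
# Vertical scan: one source, one target, 40 ports, one packet per flow
SAMPLE_FLOWS += [("10.1.1.88", "10.2.0.50", 6, 41000 + p, p, 1, 60)
                 for p in range(1, 41)]

# Assumed per-source byte baselines (in practice learned from history)
BASELINE_BYTES = {"10.1.1.5": 50000, "10.1.1.6": 500}


def detect_horizontal_scans(flows, min_targets=20, max_pkts=3):
    """Return [(src, dport, n_targets)] for sources that touched many hosts
    on the same port with tiny flows (no real payload exchanged)."""
    targets = defaultdict(set)
    for src, dst, _proto, _sport, dport, pkts, _nbytes in flows:
        if pkts <= max_pkts:
            targets[(src, dport)].add(dst)
    return sorted((src, dport, len(d)) for (src, dport), d in targets.items()
                  if len(d) >= min_targets)


def detect_vertical_scans(flows, min_ports=25, max_pkts=3):
    """Return [(src, dst, n_ports)] for source/target pairs with tiny flows
    to many distinct destination ports."""
    ports = defaultdict(set)
    for src, dst, _proto, _sport, dport, pkts, _nbytes in flows:
        if pkts <= max_pkts:
            ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


def detect_volume_outliers(flows, baseline=BASELINE_BYTES, factor=5):
    """Return [(src, observed_bytes, baseline_bytes)] for sources whose total
    sent bytes exceed factor x their baseline. Sources without a baseline
    are skipped rather than guessed at."""
    total = defaultdict(int)
    for src, _dst, _proto, _sport, _dport, _pkts, nbytes in flows:
        total[src] += nbytes
    return sorted((src, total[src], baseline[src]) for src in total
                  if src in baseline and total[src] > factor * baseline[src])


if __name__ == "__main__":
    print("horizontal scans:", detect_horizontal_scans(SAMPLE_FLOWS))
    print("vertical scans:  ", detect_vertical_scans(SAMPLE_FLOWS))
    print("volume outliers: ", detect_volume_outliers(SAMPLE_FLOWS))
```

The three checks catch three different things a signature IDS would not necessarily see: a sweep of port 445 across the subnet, a port scan against one host, and a source suddenly moving a hundred times its usual volume. None of them inspects a payload, which is exactly why NetFlow complements rather than replaces IDS.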
Good afternoon John,
Defining a metric-based system is a step in the right direction. Like I mentioned in my webcast, you cannot have a 100% secure infrastructure no matter what you do. But with layered security, you can minimize the risk of a network anomaly.
Hope that helps
I did a webinar on current network security issues recently. My points were:
1. Malware is getting complex, and today is the era of non-signature network malware
2. Erosion of the network perimeter with the advent of telecommuting, which results in malware being carried into the network
3. The increasing speed - 10G to 100G networks transition may soon happen.
4. Complex meshed networks, more applications and more network services
Considering these factors, will a security system based on IDS, firewall and NetFlow based anomaly detection alone be sufficient to stop threats?
Are there alternates to these systems for network security purposes?
I believe most networks today have IDS and firewalls. Why do anomalies still get past these systems?
Don Thomas Jacob
In wireless networks we can configure PSPF (Public Secure Packet Forwarding) or P2P blocking to prevent clients from talking to one another in the same VLAN. How can we extend this feature to wired ports? So the clients have access to corporate and Internet resources but cannot attack other clients in the same VLAN.
Do I need to configure PVLANs or is there a simpler feature?
PVLAN is certainly one option. If you have identity based solutions (around 802.1x), you can even apply ACLs per host behind the shared port to achieve something similar
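Below is what the PVLAN option looks like on a Catalyst switch, alongside the simpler protected-port alternative. This is an added example written for this thread, not configuration from the original post; the VLAN numbers, interface names and the assumption of a Catalyst 3560/3750-class switch that supports private VLANs are all mine.

```text
! Option 1: protected ports. Simplest choice, but it only isolates ports on
! the SAME switch; two protected ports on different switches can still talk
! across the trunk.
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Option 2: private VLAN with an isolated secondary VLAN. Isolation holds
! across trunks within the PVLAN domain; hosts can only reach promiscuous
! ports (the gateway/firewall uplink). VLAN 100 = primary, 101 = isolated
! (numbers are assumptions). VTP v1/v2 require transparent mode for PVLANs.
vtp mode transparent
vlan 101
 private-vlan isolated
vlan 100
 private-vlan primary
 private-vlan association 101
!
interface range GigabitEthernet1/0/1 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Uplink to the gateway/firewall: promiscuous, maps the secondary VLAN
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verify the association and that the host ports show "private-vlan host"
show vlan private-vlan
show interfaces GigabitEthernet1/0/1 switchport
```

Two caveats a practitioner would want: the two options are alternatives, not both on the same port, and isolation is only Layer 2. If the gateway for the primary VLAN has local proxy ARP enabled, it will cheerfully relay traffic between two isolated hosts through itself, so check that `ip local-proxy-arp` is not configured on that SVI unless that relay is intended. If the SVI for VLAN 100 lives on the same switch, it also needs `private-vlan mapping 101` under `interface Vlan100` so the isolated hosts can reach their gateway.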
The recording of the webcast will be posted here
at the end of this week.
Cisco Support Community Moderator
Thank you for letting us pick your brain (so to speak).
I have a couple of questions regarding, amongst other things, VPN.
1) The flooding of different types of licenses for the ASA.
Today the ASA can be found in almost any flavor or variation thereof when it comes to the VPN options.
This makes it quite difficult for us out in the field to know what each firewall can do or what licenses to acquire.
Add to that a ca. 5-day delivery period for the software license after ordering, and it becomes cumbersome for us out in the field.
What are your thoughts about this topic ?
2) AnyConnect vs. IPsec client.
Personally I do not like AnyConnect and do not want to leave the IPsec client.
What can you tell me to change my mind? Please change my mind!
3) One of the big things in security is to know what is happening and where, i.e. logging.
Today we have the CS-MARS.
But that is about to be discontinued.
Any ideas about what is to replace the CS-MARS ?
4) One of the big things in security is how to check and double-check your configuration and that it does what you think it should do.
Are there any good best practices on how to configure and check your configuration at the network level in different types of networks, something like general rules and guidelines?
Thank you very much for your time.
Let me see if I can answer some of your queries here:
1) I understand the complexities around the ASA licenses. I know for some of the products we are trying to come out with simpler options (Cisco ISE is one example). I can certainly forward your comment to the ASA product team, but I am not sure if I could do anything to simplify it for you.
2) I know the IPsec client is great; I still use it for accessing the VPN network. I don't want to give you all the technical/marketing/sales advantages of AnyConnect over the IPsec client. However, Cisco's direction is with the AnyConnect client, so you just need to prepare yourself for that in case we don't invest too many resources into developing the IPsec client.
3) I am sure you know we have an ecosystem of SIEM partners. At this point, I can only point you to the following link:
4) You need a better configuration management platform to help you with that. One big thing that I preach is the use of automated intelligence whenever configurations are being modified. Cisco Enterprise Orchestrator is one example, but I am sure there are other options available as well.
Hope that helps
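The "automated intelligence on every configuration change" idea in answer 4) is, at its smallest, a lint pass over the candidate config before it is pushed. The following is an added example written for this thread, not code from the original post or from any Cisco product: a toy checker for IOS-style configs with a handful of constructed rules and two constructed sample configs (the weak one and its hardened counterpart). A real platform carries far more rules; the point is the shape of the check, not its completeness.

```python
"""Toy configuration checker for IOS-style device configs.

Added example, not from the thread. The rules and both sample configs are
constructed for illustration and are far from a complete hardening baseline.
"""
import re

# Constructed weak config: cleartext enable password, RW SNMP, permit-any ACL,
# telnet on the vty lines, no remote logging.
WEAK_CONFIG = """\
hostname edge1
enable password cisco123
snmp-server community public RW
ip access-list extended OUTSIDE-IN
 permit ip any any
line vty 0 4
 transport input telnet ssh
 password cisco
"""

# Constructed hardened counterpart (the secret hash value is a placeholder).
HARDENED_CONFIG = """\
hostname edge1
service password-encryption
enable secret 5 $1$example$placeholderhashvalue
logging host 10.0.0.5
snmp-server community s3cr3tRO RO
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
line vty 0 4
 transport input ssh
 login local
 exec-timeout 10 0
"""


def parse_sections(config_text):
    """Split a config into [(header, [body lines])]. A non-indented line
    starts a section; indented lines belong to the section above it."""
    sections = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit(config_text):
    """Return a list of (rule_id, detail) findings; empty means clean."""
    sections = parse_sections(config_text)
    headers = [h for h, _ in sections]
    findings = []
    has_enable_secret = any(h.startswith("enable secret") for h in headers)
    if any(h.startswith("enable password") for h in headers) and not has_enable_secret:
        findings.append(("weak-enable", "enable password used without enable secret"))
    if "service password-encryption" not in headers:
        findings.append(("cleartext-passwords", "service password-encryption is not set"))
    if not any(h.startswith("logging host") for h in headers):
        findings.append(("no-remote-logging", "no logging host configured"))
    for header, body in sections:
        if header.startswith("snmp-server community") and "RW" in header.upper().split():
            findings.append(("snmp-rw", header))
        if header.startswith("ip access-list"):
            for line in body:
                if re.fullmatch(r"permit ip any any", line):
                    findings.append(("permit-any-any", f"{header}: {line}"))
        if header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(("telnet-vty", f"{header}: {line}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg)}")
```

Run as a pre-push gate (fail the change when `audit()` returns anything), this is the cheapest form of the "double check" asked about in question 4): it does not prove the config does what you think, but it does stop the well-known mistakes from ever reaching the device.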