Thursday, September 01, 2005

Thoughts on Cisco Packet Magazine

I like to read Cisco's quarterly Packet magazine. It's free, and it provides insight into developments by the world's networking (and one day, security) juggernaut. While waiting for car maintenance this morning, I managed to read much of the Quarter 2 2005 issue, devoted to Self-Defending Networks.

According to Cisco, they have been releasing Self-Defending Network components every few years. In 2000 they offered integrated security, followed by collaborative security in 2003. Now, in 2005, we have adaptive threat defense. The first term means security is part of Cisco products, such as routers and switches. The second term means these products should work together. Let's look closer at the third term, which Cisco claims will "protect every packet and every packet flow on a network."

I was skeptical when I saw the cover text. The phrase "eliminating the source of attacks" and the sentence "network security grows adaptive, reaching inside Web applications and excising attacks at their source" also worried me. When I read words like that, I imagine Cisco police forces banging down doors of attacker apartments in Bucharest or Beijing. That's how one really "excises" a threat!

As I read more about Cisco's plans, however, I realized they refer to containing malicious systems that connect to protected networks. For example, one article described how the CS-MARS [Security Monitoring, Analysis and Response System], developed by the former Protego Networks, "will send the network administrator the appropriate command to execute an action to excise the problem from the network at its source." In other words, Cisco gear will help identify and disable misbehaving network assets (or rogue visitors).

I found this article on wireless defenses interesting. It describes Cisco's approach to handling rogue wireless access points:

"With rogue access point suppression, the sensors detect wireless-device information, aggregate it, and pass it up to elements in the network that can correlate it and act upon it. When a wireless access point is detected on the network, the WLAN intrusion prevention system sends RF management frames that disassociate any clients that connect to it and attempt to trace and shut down the switch port to which the rogue is connected."

That seems cool. Only a few years ago I remember Mike Schiffman demonstrating libradiate at Black Hat by disassociating wireless clients. Now he works at Cisco!
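The rogue-suppression mechanism quoted above works because 802.11 disassociation and deauthentication frames are plain management frames: whoever can transmit on the channel can send one, which is exactly what libradiate demonstrated and what Cisco's WLAN IPS now does on purpose. The block below is an added example, not Cisco's code or the author's, that builds such a frame from the IEEE 802.11 header layout (frame control, duration, three addresses, sequence control, reason code), parses it back, and counts kicks per claimed sender so a monitor can tell "our own BSSID is being spoofed" from "the IPS is kicking clients off a rogue BSSID". The MAC addresses, reason codes chosen and the threshold are constructed for the demo; the parser never touches real hardware.

```python
"""Build, parse and count IEEE 802.11 disassociation/deauthentication frames.

Added example (not from Cisco or the original post). Layout per IEEE 802.11:
frame control (2 B, little-endian), duration (2 B), addr1/addr2/addr3 (6 B
each), sequence control (2 B), then a 2-byte little-endian reason code.
"""
import struct

# Management frame (type 0) subtypes used for kicking clients.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC
SUBTYPE_NAMES = {SUBTYPE_DISASSOC: "disassoc", SUBTYPE_DEAUTH: "deauth"}

# Two of the standard reason codes (values constructed for the demo).
REASON_DEAUTH_LEAVING = 3   # sending STA is leaving the ESS
REASON_DISASSOC_LEAVING = 8  # sending STA is leaving the BSS

HEADER_FMT = "<HH6s6s6sH"   # fc, duration, addr1, addr2, addr3, seqctl
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_kick_frame(subtype, dst, src, bssid, reason, seq=0):
    """Return the raw bytes of a disassociation or deauthentication frame.

    Frame control: protocol version 0 (bits 0-1), type 0 = management
    (bits 2-3), subtype (bits 4-7); the flags byte is left zero.
    """
    if subtype not in SUBTYPE_NAMES:
        raise ValueError("not a disassoc/deauth subtype")
    fc = (subtype << 4) & 0xF0
    seqctl = (seq & 0xFFF) << 4          # fragment number 0 in bits 0-3
    header = struct.pack(HEADER_FMT, fc, 0, mac_bytes(dst), mac_bytes(src),
                         mac_bytes(bssid), seqctl)
    return header + struct.pack("<H", reason)


def parse_kick_frame(frame):
    """Return a dict for a disassoc/deauth frame, or None for anything else."""
    if len(frame) < HEADER_LEN + 2:        # header plus reason code
        return None
    fc, _dur, a1, a2, a3, seqctl = struct.unpack_from(HEADER_FMT, frame, 0)
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype not in SUBTYPE_NAMES:
        return None
    (reason,) = struct.unpack_from("<H", frame, HEADER_LEN)
    return {"subtype": SUBTYPE_NAMES[subtype], "dst": mac_str(a1),
            "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": seqctl >> 4, "reason": reason}


def flag_spoofed_kicks(frames, own_bssids, threshold=3):
    """Count kick frames per claimed sender and flag bursts that claim to be us.

    Nothing in the frame authenticates the sender, so the only usable
    signal is context: a burst of kicks "from" one of our own BSSIDs is the
    attacker pattern, while an IPS suppressing a rogue spoofs the rogue's
    BSSID. Returns {sender_mac: count} for our BSSIDs at or over threshold.
    """
    counts = {}
    for raw in frames:
        p = parse_kick_frame(raw)
        if p is not None:
            counts[p["src"]] = counts.get(p["src"], 0) + 1
    return {mac: n for mac, n in counts.items()
            if mac in own_bssids and n >= threshold}


if __name__ == "__main__":
    ours = "00:11:22:33:44:55"          # constructed: our own AP's BSSID
    rogue = "de:ad:be:ef:00:01"         # constructed: a rogue AP
    client = "66:77:88:99:aa:bb"        # constructed: a client of the rogue
    capture = [build_kick_frame(SUBTYPE_DEAUTH, "ff:ff:ff:ff:ff:ff", ours, ours,
                                REASON_DEAUTH_LEAVING, seq=i) for i in range(4)]
    capture.append(build_kick_frame(SUBTYPE_DISASSOC, client, rogue, rogue,
                                    REASON_DISASSOC_LEAVING))
    for f in capture:
        print(parse_kick_frame(f))
    print("spoofed against us:", flag_spoofed_kicks(capture, {ours}))
```

The point the counter makes is the one a monitoring engineer should keep in mind when deploying this kind of suppression: the WLAN IPS and an attacker emit byte-identical frames, so a sensor that alerts on deauth floods must know which BSSIDs are yours and which the IPS is legitimately suppressing, or it will page you every time the IPS does its job. (Protected management frames, added later in 802.11w, are what eventually make spoofed kicks detectable on the air itself.)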

I also learned a little about virtual routing and forwarding, which acts like "multiple routers within a single chassis."

Overall, I found Cisco's magazine very useful. I also subscribe to the free IP Journal, which I recommend. Whenever I read articles by Cisco, it reminds me I am not currently a networking engineer. That would require far more protocol and algorithm knowledge than I currently possess!

Speaking of Cisco, I will be speaking on 10 October 2005 to the Cisco Fall 2005 System Engineering Security Virtual Team Meeting in San Jose, CA. I will probably discuss network security monitoring and give a Sguil demo.


Bernhard Albler said...

Disclaimer: I work for a Cisco partner.
Regarding MARS:
We have been using and testing PN/CS-MARS quite a lot recently. To put it short:
The box is awesome. While the interface is a little clunky at times, the correlation is excellent. For example, with one box we have deployed for demo purposes, we have constantly discovered infected/compromised hosts.
Most interesting: this included hosts which actually were in front of the firewalls and the IDS. MARS also analyses NetFlow and flags suspicious activity (traffic levels to a port increase suddenly after having been constant for some time). Also very few false positives and a very good tuning workflow.

Anonymous said...

Hi, congrats on the informative blog.

I have a blog dedicated to Cisco MARS, as it's a great product.

For more info check it out...