Many compliance efforts include a firewall review, and doing it effectively puts cost and risk at odds. Reviewing each rule entry by verifying and justifying the “actual” business purpose/requirement can be a mind-numbing experience, since most IT and/or Security teams don’t own, validate/test (during SDLC phases), or take responsibility for port/service usage…
As a result, you allocate an FTE (full-time employee) to chase down the culprit, or simply to build an understanding of the ports and services open on any given interface/segment. Then you’ll probably need to perform some level of remediation, or at least negotiation of what to allow and how (i.e. in an acceptable DMZ or tier-architecture model).
So the alternative becomes an outsourced services provider, and the cost will be a chunk, though they are ill-suited to working out why ports/services were allowed to begin with (and we’re not referring to just the port 23 or FTP scenarios). Perhaps the happy medium is to utilize tools that give you certain advantages…
The list is long, but the three products that serve this discussion, which I will reference in order of capability/features and increasing price, are Athena, Tufin and Algosec. Athena will buy you the raw analysis and output needed to make actionable decisions on rule-sets that pose risks, with correction recommendations. A step above is the proliferation of Tufin appliances, giving you more granular analysis, reporting, and customization. This solution also encompasses the start of a correlational approach/model… leading to Algosec, with a full package for optimized management of firewalls as well as other network devices. Algosec rounds out the solution with device and event management capability, with a twist of notification and proactive management.
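As an added example (not from the post, and not the output of Athena, Tufin or Algosec), here is the kind of raw rule-set analysis the post is asking a tool for: a small Python reviewer that reads firewall rules in a constructed "|"-separated format, flags any/any/any permits, permits for the cleartext services the post names (telnet on port 23, FTP), rules with no recorded business justification, and rules shadowed by an earlier broader rule. The rule format, the sample rules, and top-to-bottom first-match evaluation are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule format for this example (not a vendor export):
# name | source | destination | tcp port or "any" | permit/deny | business justification
SAMPLE_RULES = """
# name | src            | dst             | port | action | justification
r1     | 10.0.0.0/8     | 192.168.10.5/32 | 443  | permit | customer web portal, change #CR-0001 (constructed)
r2     | any            | 192.168.10.7/32 | 23   | permit |
r3     | 10.1.0.0/16    | 192.168.10.5/32 | 443  | permit | branch office portal access
r4     | any            | any             | any  | permit | legacy, nobody remembers why
r5     | any            | any             | any  | deny   | default deny
"""

# Cleartext services the post singles out; a permit for either needs a justification review.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    port: str          # "any" or a TCP port number as text
    action: str        # "permit" or "deny"
    justification: str


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed '|'-separated format, skipping blank lines and # comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        name, src, dst, port, action = parts[:5]
        justification = parts[5] if len(parts) > 5 else ""
        rules.append(Rule(name, src, dst, port, action.lower(), justification))
    return rules


def _net(addr: str) -> ipaddress.IPv4Network:
    """'any' is treated as 0.0.0.0/0; everything else is parsed as a CIDR block."""
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else addr, strict=False)


def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every packet 'narrow' would match is already matched by 'broad'."""
    return (_net(narrow.src).subnet_of(_net(broad.src))
            and _net(narrow.dst).subnet_of(_net(broad.dst))
            and broad.port in ("any", narrow.port))


def review(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs in rule order; an empty list means nothing to raise."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit" and (rule.src, rule.dst, rule.port) == ("any", "any", "any"):
            findings.append((rule.name, "any/any/any permit"))
        if rule.action == "permit" and rule.port != "any" and int(rule.port) in CLEARTEXT_PORTS:
            findings.append((rule.name, f"permits cleartext service {CLEARTEXT_PORTS[int(rule.port)]}"))
        if not rule.justification:
            findings.append((rule.name, "no business justification recorded"))
        # Shadowing: an earlier rule matches everything this one matches, so this rule never fires
        # (assumes top-to-bottom, first-match evaluation, regardless of the earlier rule's action).
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed by {earlier.name}"))
                break
    return findings


if __name__ == "__main__":
    for name, finding in review(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {finding}")
```

On the sample set the reviewer reports r2 (telnet, no justification), r3 (shadowed by r1, so a duplicate request that never matches), r4 (the any/any/any permit) and r5 (the default deny, shadowed by r4 and therefore dead). The shadowing finding on r5 is the one a rule-by-rule business-purpose review tends to miss: each rule looks justified on its own, but the ordering makes the deny meaningless.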
Monday, November 9, 2009
Tuesday, October 6, 2009
New wireless security recipe
Anti-wireless signal:
1/2 aluminum-iron oxide chopped into very small particles
1/2 paint brand/color of your liking
Mix; and paint your walls and ceiling, and apply outdoor as well to seal your entire house
It's that easy... the metal works on the same radio frequencies (and upward to 100 GHz) as your Wi-Fi, so signals aren't allowed to pass through the pigments. A passive approach to wireless security, or at least an avenue for leakage protection, being considered/used in the UK and Asia. The rub is in the actual cost of this type of paint versus the actual leakage protection gained, as well as the actual implementation of Wi-Fi's built-in security functionality.
Labels: application security, Wi-fi, wireless
Wednesday, September 2, 2009
Security tools are cool.
Yes, there isn’t a problem that you can’t solve with a tool… at least from a Pre-Sales point of view. But you always hear about the decision dilemma and analysis that goes into purchasing a tool, and yes, you’ll need to consider IT/Business strategy, vendor longevity, supportability and manageability, and of course the integration factor. Enough said, let’s just look at a cool solution as it stands today (because tomorrow, the technology will already have changed).
Content and URL filtering: Go with Websense as the overall leader in this space and add a little BlueCoat for enforcement and you can’t go wrong (or just pure BlueCoat as the competing best overall solution). Then round out the top in this space with the IronPort solution.
Cloud, did you say… go with Zscaler; they just seem to be everywhere.
Firewall: Stick with Cisco overall, but the better trend-setter is Juniper, as well as CheckPoint R70, for creativity/vision (over Cisco).
And, as a related subset of tools, check out Algosec and then Tufin for management/audit.
DLP: [the industry’s beloved term-of-the-year] you’ll need to check out Websense again with Port Authority and joust with Symantec’s Vontu. But perhaps also a little HP if they can make Fortify work (or just buy them, right?).
WAF: [another watercooler conversation] web and XML firewalls; for this go with Imperva or Breach, but no strong push here… any thoughts?
IDS/IPS: [never say die] Snort equals SourceFire, so go with what works, but if you believe the hype then go with Tipping Point and have it manage itself… hmmm
SIM/SEM/SIEM: [not forgotten] ArcSight, because you have the $$$ to do so; followed by RSA, because everyone has an RSA component; otherwise look into LogLogic (proven) and Splunk (cheap/ease of use).
And yes, the infamous NAC solution, which I covered in a prior post.
Labels: content filtering, IDS, IPS, SEM, SIM, tools, waf, web application firewall
Tuesday, August 11, 2009
Endpoint protection - which to select
While MSFT and CSCO duke it out in many sectors, what about the other giants, McAfee and Symantec?
Pick your flavor, or realistically, what your real business requirements are, and you can find a vendor that is most suited to your needs, or at least to how much you’re willing to pay. But when it comes to control at the hosts themselves, the one-time anti-virus contenders have much more to offer. Through scientific research (which really means experience in the industry), the challenge appears to be with reporting, and this is more prevalent with Symantec SEPM vs. McAfee’s ePO product line. While third-party products can supplement and offset SEP 11, ePolicy Orchestrator serves up better reporting and flexibility, as well as better supportability of OS X and Linux hosts. Sorry, you’ll have to wait till Q1 2010 for SEPM.
The larger the deployment, the more it would seem that additional reporting and tracking is necessary, to the point that separate SQL databases are being installed to track and report on specific client criteria, agentless hosts, and specific/immediate malware notifications.
You pick the flavor, but at the time of this writing, advantage McAfee. So, does that mean advantage Cisco too, then?
- Symantec Endpoint Protection Support for Microsoft® Windows® Small Business Server & Microsoft Windows Essential Business Server
- Harnessing the Power of McAfee and Cisco for Enterprise-Ready Network Admissions and Access Control
Thursday, July 30, 2009
NAC landscape: tech pros and cons snapshot
Many organizations have failed… implementing a full NAC solution because of its oversimplification by the market. As a result, poor deployments have been experienced; but that shouldn’t stop you. Recognize your organization’s true needs and implement in a phased adoption model where the technology is optimized and not treated as the silver bullet.
NAC (Network Access Control) is, by its very nature (or at least initially), a restrictive control at the network layer based on the identity or credentials of the to-be-identified host. Some key points to consider when investigating NAC solutions:
Scope of coverage, scalability, degree of protection and control, interoperability, and $$$ (licensing and resources).
Standards that fit best: Microsoft NAP, Cisco NAC, Network Access Control (TNG), or the IETF NEA Working Group (NEA).
Model approach: client-based, network-based (from 802.1x to DHCP and inline), or hybrid.
- Client-based NAC, important considerations: best visibility of logs, yet more difficult to roll out and manage; a thin client is best, but it still requires a client, so rollout diversity can be an issue (yet control is closest to the user).
- NAP-based provides strong pre-admission and embraces standards, though endpoint client policy may be lacking in comparison, with limited O/S support; and overall third-party integration is a must.
- 802.1x NAC is the most vendor-agnostic, although prepare for infrastructure upgrades; link-level authorization, but limited endpoint posture assessment/comprehensiveness of identity.
- In-line network-based can be a VLAN/VACL rollout road-block, but a strong pre-admission check and can be application-aware.
- In-line NAC has no agent component, but is inline-scanning intensive and a VLAN nightmare; transparent to users, with threat control.
- Hybrid, well, if you haven’t noticed some of the overlap… then I’m not sure how to make the water even more murky.
With all the combinations blending together, the future is bright. At least we should expect vendors to integrate solutions, particularly since wireless networks (and mobile devices) are becoming the norm… so implement NAC in some fashion and throw in 2-factor authentication to make things more interesting/secure. When in doubt, just turn to a DLP solution, right?
Outside of the dominant MS and Cisco, ever heard of Bradford Networks?
Thursday, July 9, 2009
Security Management of end-points tool
End-point security solutions come in many flavors, and every vendor has its spin. But how about one that you can drop in relatively cheaply (at least as cheap as I’ve seen lately) and get cool reports on the health [anti-virus, firewall, patch] of your Windows PCs/laptops? Of course they support Mac and UNIX flavors, but we just didn’t have enough time… they should have extended the meeting into (a free) lunch ;)
So, here’s the sales pitch, and you tell me if it gets any cooler. Scan all your hosts (totals reaching the 50K neighborhood) within minutes (provided a light scan is done vs. full throttle) and get instantaneous results/graphs based on exceptions, or a host list of non-compliance. The claim is low-level scans at the API level, so quick and dirty, yet anything from registry settings to software/hardware inventory is acquired from a client-less solution. The scan scheduling can be configured to your heart’s content and appears to work off of either a pre-populated IP pool, input from DNS, or a ping sweep. What happens if you go stealth, including disabling ICMP reply… hmmm?
Included in the package is even a remediation module which allows you to enforce, for example, registry settings that your GPO would otherwise do a so-so job of enforcing, though it seems customizable enough that Windows users can manually change the setting (but enough to create havoc when the scan/enforcement cycle comes through again). Thus, user-defined configuration assurance, with blacklisting for those disruptive/unapproved (Corporate) software packages and collaboration tools like Instant Messaging, LimeWire, Kazaa...
A solution customizable to report on compliance with your company policies, O/S standards, and regulatory standards. Point-and-click, as one said… for the most part. Oh, and it has an energy management component that will save you $$$. All this for a price of approx. $20 per host… shamWOW
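The ICMP question above is the one worth pressing the vendor on, so here is an added example (written for this post, not the vendor's product or code) of what an agentless "light scan" report looks like when the discovery sources the post lists disagree. It takes a constructed DNS inventory, a constructed set of ping-sweep replies and constructed per-host health facts (anti-virus, firewall, patch age, installed software), evaluates each host against a small policy with a software blacklist, and, crucially, reports a DNS-known host that never answered ICMP as "unverified" rather than silently omitting it. All host names, addresses, health values and policy thresholds are made up for the example.

```python
# ---- Constructed inventory for this example (no real hosts) ----
DNS_RECORDS = {"ws01": "10.20.0.2", "ws02": "10.20.0.3", "ws03": "10.20.0.4"}
# ws03 has ICMP echo reply disabled; 10.20.0.9 answered the sweep but has no DNS record.
PING_REPLIES = {"10.20.0.2", "10.20.0.3", "10.20.0.9"}
# Health facts a "light scan" would return, keyed by IP (constructed values).
SCAN_RESULTS = {
    "10.20.0.2": {"av_running": True, "firewall_on": True, "patch_age_days": 9,
                  "software": ["office-suite", "im-client"]},
    "10.20.0.3": {"av_running": False, "firewall_on": True, "patch_age_days": 45,
                  "software": ["office-suite"]},
    "10.20.0.9": {"av_running": True, "firewall_on": False, "patch_age_days": 3,
                  "software": ["p2p-client"]},
}
# Constructed policy: patch window plus the "disruptive/unapproved" software blacklist.
POLICY = {"max_patch_age_days": 30, "blacklist": {"im-client", "p2p-client"}}


def evaluate_host(health: dict, policy: dict) -> list[str]:
    """Compare one host's scanned health facts against policy; return the violations found."""
    violations = []
    if not health["av_running"]:
        violations.append("anti-virus not running")
    if not health["firewall_on"]:
        violations.append("host firewall disabled")
    if health["patch_age_days"] > policy["max_patch_age_days"]:
        violations.append(f"patches older than {policy['max_patch_age_days']} days")
    banned = sorted(set(health["software"]) & policy["blacklist"])
    if banned:
        violations.append("blacklisted software: " + ", ".join(banned))
    return violations


def compliance_report(dns_records: dict, ping_replies: set, scan_results: dict, policy: dict) -> dict:
    """Reconcile DNS and ping-sweep discovery, then evaluate every host the scan actually reached."""
    report = {}
    # Hosts the organisation knows about (DNS) but the sweep never reached: these are not
    # compliant, they are unseen, and the report must say so instead of dropping them.
    for name, ip in dns_records.items():
        if ip not in ping_replies:
            report[name] = {"ip": ip, "status": "unverified",
                            "violations": ["no ICMP reply; scan skipped the host"]}
            continue
        found = evaluate_host(scan_results[ip], policy)
        report[name] = {"ip": ip, "status": "non-compliant" if found else "compliant",
                        "violations": found}
    # Hosts that answered the sweep but have no DNS record: on the network but unregistered.
    for ip in sorted(ping_replies - set(dns_records.values())):
        found = evaluate_host(scan_results[ip], policy) if ip in scan_results else []
        report[ip] = {"ip": ip, "status": "unregistered", "violations": found}
    return report


def summary(report: dict) -> dict:
    """Count hosts per status; the 'unverified' bucket is the scanner's blind spot."""
    counts = {}
    for entry in report.values():
        counts[entry["status"]] = counts.get(entry["status"], 0) + 1
    return counts


if __name__ == "__main__":
    rep = compliance_report(DNS_RECORDS, PING_REPLIES, SCAN_RESULTS, POLICY)
    for host, entry in rep.items():
        print(f"{host:10} {entry['ip']:12} {entry['status']:14} {'; '.join(entry['violations'])}")
    print(summary(rep))
```

The useful number in the output is the "unverified" count: a dashboard that only graphs the hosts it could reach will happily show a green compliance figure while ws03 sits outside it. Feeding the IP pool and DNS into the report, rather than only the ping sweep, is what turns that silence into a line item someone has to explain.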
Labels: compliance tool, endpoint security, power management
Tuesday, June 23, 2009
INFOSEC Program - My academia overview presentation
A repeatable process, customizable/adaptable for any organization.
Labels: application security, development, infosec program, steps