Where Networking and Security Collide

Author: timroth51451 (Page 2 of 2)

OpenDNS…more than just a home internet filter

When Cisco first acquired OpenDNS I was indifferent.  I perceived their service to be free content filtering for home and SMB.  After hearing all the buzz, from co-workers, security market, customers etc. I knew there had to be more to OpenDNS.

I learned that it provides an advanced cloud security platform called Umbrella.  Umbrella can be used to protect any user or any device, from anywhere,  it doesn’t matter if I am sitting in Starbucks or on the corporate network.  If you give me a little room here…I like to classify OpenDNS Umbrella as a cloud firewall/gateway that can be used to prevent attacks before it hit your users or network.

The Umbrella Data Sheet states that with Umbrella you can:

  • “Reduce malware infections up to 98%”
  • “Cut the number of alerts from your IPS, AV, and SIEM by as much as 50%”
  • “Decrease remediation time by 20%”

Umbrella in action:

Take for example, I open my email and receive a message from USPSS (which looks like USPS), the title states “check the status of your package.” Knowing that Christmas is coming, I get excited thinking one of my friends sent me a gift.  Little do I know the link within my email takes me to a false page, USPSS look alike page, and in the background my computer is reaching out to a known malicious ransomware domain.

If I was using a traditional DNS service, like Google,  it wouldn’t block the lookup to the ransomware domain, instead it would provide the ip address for the ransomware domain.

umbrella1

OpenDNS umbrella will block the DNS request for the  malicious domain, stopping the attack before it hits my client or network.

umbrella2

OpenDNS has over 65 million users and roughly 80 billion internet request daily.  OpenDNS builds security intelligence from internet data, big data analytics, machine learning, and super smart security engineers.  With this threat intel, OpenDNS can understand which domains are malicious and block the attack via DNS before it hits your network.

https://umbrella.cisco.com/use-cases/threat-intelligence

https://blog.opendns.com/2015/11/19/opendns-cracks-predictive-security/

https://blog.opendns.com/2015/03/05/opendns-unveils-nlprank-a-new-model-for-advanced-threat-detection/

Umbrella components

1.Cloud Management – Umbrella provides a cloud dashboard…much like Meraki.  In this dashboard you can control and manage your security policies and gain visibility into your network traffic. “Umbrella provides visibility into internet activity across all devices, over all ports, even when users are off your corporate network. You can even retain the logs forever.” https://umbrella.cisco.com/products/features

2.Umbrella network protection- To protect your devices on your corporate network simply redirect your external DNS request to OpenDNS.  “To switch to Umbrella, you need to explicitly change the DNS settings in your operating system or hardware firewall/router to use IP addresses of the Umbrella name servers and turn off the automatic DNS servers provided by your ISP.”

3.Umbrella Client- To protect your clients off net, you can leverage a lightweight umbrella roaming client.  There is even a plugin for AnyConnect VPN, if you are disconnected from VPN your traffic will be protected by OpenDNS.

With Umbrella roaming client, you can also protect IP based traffic.  “Alternatively, OpenDNS’s IP layer enforcement provides protection over any port, and from any location through the use of the OpenDNS Roaming Client, an endpoint client that acts as a DNS request forwarder.”https://blog.opendns.com/2015/11/03/opendns-adds-ip-layer-enforcement-umbrella/

More Details AnyConnect Umbrella  client 

More Detail Umbrella Roaming client

OpenDNS Umbrella is very different from traditional proxy type services.  It  provides protection across all ports (not just 80/443) without proxying all your traffic to an on-prem device or somewhere in the cloud. “Instead of proxying all requests, Umbrella selectively routes suspicious URLs for deeper inspection. Effectively protect without delay or performance impact.” https://umbrella.cisco.com/products/features/intelligent-proxy

OpenDNS is not a silver bullet but it dramatically can increase security.  To me, that is very powerful.  The increased security helps to take the load off my firewall,  it adds an extra layer of  protection to any device anywhere and  gain visibility into network traffic.

Stay tuned for my future posts on security and OpenDNS.

Windows 10 Denial of Service Vulnerability

Good read from Cisco Talos on a recent Windows 10 Vulnerability. If you have Windows 10 make sure you apply the following security update.

“An attacker can craft a malicious portable executable file, which if accessed causes AHCACHE.SYS to attempt to access out of scope memory. This triggers a bugcheck in the Windows kernel causing the system to crash, denying service to the user.”

“Microsoft patched this vulnerability in security update 3178467 as described in Security Bulletin MS16-110. Talos has released rules that detect attempts to exploit this vulnerability to protect our customers.”

http://blog.talosintel.com/2016/11/vulnerability-spotlight-windows-10.html

http://blogs.cisco.com/security/talos/vulnerability-spotlight-windows-10

 

 

 

 

 

Optimize Internet Performance with OpenDNS

When looking at internet performance one critical component that can be overlooked is DNS.  It doesn’t matter how fast the internet pipe is, if you have slow DNS service it can impact overall performance.

I am a big user of Waze and before I get in my car I will plug in my destination, then Waze provides me with the fastest route. Think of OpenDNS as the Waze of the internet. They can ensure you take the most efficient path to OpenDNS services. This will ultimately provide a quicker DNS lookup and better end user experience.

If you want to go to google.com, you don’t have the ip addresses for Google memorized. Your device will call out to a DNS service and request the ip address for Google, and  from there, your host will communicate directly via IP.

I did a quick test on networkworld.com.  When I pulled up networkworld.com my host sent out 311 DNS request to OpenDNS. Most webpages have multiple objects, image, etc. and each one is typically tied to domain name.  Can you imagine the end user experience if you have slow DNS service?

http://info.opendns.com/rs/033-OMP-861/images/OpenDNS-Global-Network.pdf

OpenDNS has plugins with over 500 of the largest ISPs in the world and service integration with global CDNs (content delivery networks).                       OpenDNS is rated as the fastest DNS services in North America, and one of the fastest globally.

https://blog.thousandeyes.com/comparing-latency-top-public-dns-providers/

OpenDNS has plugins with over 500 of the largest ISPs in the world and service integration with global CDNs (content delivery networks)

“So now a user in Austin, Texas who types in the URL for a YouTube video will share part of his IP address as part of the DNS request. That way, the domain name system server can route the request to a Google data center in Dallas, as opposed to one in Ireland. This can substantially speed up access to content, which is what people hire Akamai for in the first place.”

Speeding up your DNS with OpenDNS is free.

http://info.opendns.com/rs/033-OMP-861/images/FB-PremiumDNS.pdf

Want to learn more about OpenDNS? More posts to come!

(site image from opendns.com)

OpenDNS SmartCache, what DDOS attack?

Did you have internet issues last Friday?    

Looks like OpenDNS customers didn’t notice a thing.

 

What is OpenDNS and how did they help these customers? 

OpenDNS is a Recursive DNS service that is security centric. OpenDNS will block malicious traffic before it hits your firewall or network.

Let me start with a quick 101 on DNS….

Almost all of today’s network/internet communication are tied to DNS (Domain Name Service).  If I want to call my wife and don’t know her phone number, I can ask Siri to call her and she will look up my wife’s phone number and then dial it for me.

DNS is the phonebook for the internet.  It connects domain names (google.com) to IP addresses.

There are two main DNS server types, Recursive and Authoritative.

Recursive DNS-is like a telephone operator; they will check multiple phone books to provide you the most accurate local phone number.

Authoritative DNS -will actually create the phonebooks based on data provided from name registrars.

The issues the Internet experienced last week were due to a DDOS attack against an Authoritative DNS service.

http://www.networkworld.com/article/3134057/security/how-the-dyn-ddos-attack-unfolded.html

DNS in action

Say I wanted to go to google.com….

picture1a

1.My computer would send a request to my Recursive server for the IP address of google.com

2.Recursive server doesn’t have an entry

3.Recursive server forwards request for google.com to Authoritative server

4.Authoritative server responds back to the Recursive server with IP address for google.com

5.Recursive server provides my computer with IP address for google.com (Go to 1.1.1.1 to reach google.com)

 

What if the Authoritative server is offline?  Maybe our Authoritative server was DDOS?

Hopefully you leverage OpenDNS for your recursive DNS service. OpenDNS provides a feature called SmartCache.

“SmartCache uses the intelligence of the OpenDNS network at large, now providing DNS service to millions of people around the world, to locate the last known correct address for a Web site when its authoritative nameserver is offline or otherwise failing. A common occurrence, authoritative DNS nameserver outages often take major Web sites offline for hours or even days at a time, making them inaccessible on the Internet. One recent example of such an outage resulted in popular Web site Amazon.com inaccessible for several hours.”

More details on SmartCache

So in our example, OpenDNS server has the cached entry for google.com and it doesn’t matter that the Authoritative server went down.

picture1bThere are many benefits to OpenDNS but one that really stood out last Friday was SmartCache.

For me, goodbye 8.8.8.8 and hello OpenDNS.

Irony in DyDNS Blog Post?

Seem ironic that DY posted this article on Thursday October 20th? The day before half the east coast went down?

http://dyn.com/blog/recent-iot-based-attacks-what-is-the-impact-on-managed-dns-operators/

http://www.usatoday.com/story/tech/2016/10/21/cyber-attack-takes-down-east-coast-netflix-spotify-twitter/92507806/

Similar to what happened with Krebs?

http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/

Details on DyDNS attack

Great Article from NetworkWorld.com, details around yesterdays attacks.

“The DDoS attack force included 50,000 to 100,000 internet of things (IoT) devices such as cameras and DVRs enslaved in the Mirai botnet, as well as an unknown number of other devices that are parts of other botnets, says Dale Drew, CTO of Level 3. He theorizes the mastermind behind the attack hired multiple botnets to compile the number wanted for the attacks.”

Details on Mirai from NetworkWorld

My Take

My take, hackers are finding new ways every day to attack us.  Now the devices we are connecting to the network(toasters, thermostats, etc.) to provide value…are now being used against us. As an industry we need to get better at implementing security best practices. Don’t hear me wrong…I don’t think security best practices will solve everything…but helps shrink the avenues hackers can leverage. Great basic lesson and example in this story…Security 101, let’s change our default passwords.

Interested to learn more about the attacks from yesterday. Crazy world.

Learn how to build a campus network with Meraki switching

Meraki Campus Switching

I have been very impressed with the Meraki switching line.  Using Meraki switching you can now build out an entire campus network .  I typically see  the Meraki 400 series at the aggregation layer and 200/300 series in the closet.  In the following videos I will show you how to configure 425s at the aggregation stack and 350s at user layer.

Meraki Aggregation switch stack- In this video, you will learn how to configure stacking, spanning, layer 3 interfaces, and aggregation services for the Meraki 425 switching platform.

 

Meraki closet switch stack – In this video I will show you how to build a Meraki MS350 switch stack and how to configure a port channel between the closet and aggregation stacks.

 

 

Meraki Switch OSFP configuration – Learn how to configure OSPF on Meraki switches. Using my lab I will show you how to connect a Meraki OSPF network to a Cisco OSPF network.

 

 

 

Configuration links

Product Information

 

Meraki Network Access Control

Meraki Network Access Control

Check out the following videos to learn more about Meraki Network Access Control.

You can use the Meraki network to identify who is the user and  allow them access only to the resources they need. To implement NAC you only need a Meraki network and a radius server, no extra licensing required! The radius server can be a  free linux radius server, Cisco ISE, Windows 2012 R2 etc.

1.Meraki NAC Overview

2.Meraki NAC on Wireless Network

3. Meraki NAC on Wired Network

Useful links

1.Setup NPS on Server 2012 R2

https://glazenbakje.wordpress.com/2013/08/31/microsoft-windows-server-2012-radius-setup/

2.Setup 802.1x authentication with NPS and Meraki Wireless Network

https://shabiryusuf.wordpress.com/2012/12/24/meraki-network-policy-server-nps-and-radius-with-wpa2-enterprise/

3.If you need to create your own self signed cert for Server 2012

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Installing_a_Self-Signed_Certificate_on_Windows_Server

4.Apply group policies based on radius tags

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attributes

5.Creating and applying group policies

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attributes

6.Configure 802.1 authentication with NPS and Meraki Wired Network

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attributes

7.Dynamic vlan assignment Meraki Wired Network

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Dynamic_VLAN_assignment_via_802.1x_(RADIUS)_for_MS_Switches

8.Configure Windows 7 client for Wireless 802.1x authentication

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_WPA2-Enterprise_in_Windows_Vista_and_Windows_7

9.Configure Windows 7 client for Wired 802.1x authentication

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

Meraki Group Policies

I keep hearing from my customers that we must make management easier so I wanted to quickly share with you about one of my favorite features called Meraki Group Policies. A Group Policy is a way to control network traffic in a Merak fabric. A Group Policy can control things like L3/L7 Firewall policies, Traffic shaping, content filtering (block gambling,streaming audio etc.), Advanced Malware Protection etc.

Here are some use cases for Group Policies. You can get creative as to how you want to apply them.

  1.  Identify a user (Tim Roth in HR) and build a group policy to control how much bandwidth I have for streaming audio and block me from talking to HR servers. A cool thing here is that you only need a radius server and Meraki fabric to make this happen, no additional licensing needed.
  2. Limit backup traffic during the day: For a remote site, we can create a Group Policy that is only applied during the day to limit backup traffic from saturating the WAN link. Then, when it is 5pm, the Group Policy is inactive and backup traffic can use the entire link.
  3. Identify guest clients, redirect them to authenticate through splash page and control where they can go, both internally and on the interwebs.
  4. Blacklist a rogue client: Say you receive an alert from Meraki Security Center that states you have a client that is spreading malware in your environment, simply go to the client view in your Meraki Dashboard, right click on the client and apply a Blacklist Group Policy directly. This Group Policy will halt the clients communication. VERY POWERFUL.

Meraki Group policies have been HUGE for some of my customers. They are leveraging the Meraki fabric to identify their clients and apply network control policies to them.  In most cases, they don’t have to go out and buy additional software, licensing etc. It’s like a real world network control system….that anyone can manage.

The following are ways to control traffic with Group Policies. As you can see some features are not universal to all platforms.  (Image from Meraki.com)

group-policy-options

The next image highlights way to apply the Group Policies.

group-policy-2

Check out this  link that provides more technical detail on Meraki Group Policies.

https://documentation.meraki.com/MR/Group_Policies_and_Blacklisting/Creating_and_Applying_Group_Policies

Stay tuned for future posts on Meraki Group Policies…..

Newer posts »