Tim Roth Practical Network Security

Where Networking and Security Collide

Page 2 of 3

Stegano exploit kit…hacking through browser ads

Check out the following articles on the Stegano exploit kit.

http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

http://thehackernews.com/2016/12/image-exploit-hacking.html

My take:

Hackers can go after our systems with advertisements on popular news sites we all visit. To the naked eye, these advertisements look legit, they may even look like security solutions that will protect us online. In reality, if you click on these advertisements they leverage your web browser to run scans against your machine. If the scans detect vulnerable software that can be exploited, your system is fair game.

“In the event of successful exploitation, the vulnerable victims’ systems had been left exposed to further compromise by various malicious payloads including backdoors, spyware and banking Trojans.” (welivesecurity.com)

Reading this quote makes me think of my friends and family who are non-technical. Every day they read something in the news about Cyber Security. When an ad appears on the side of a popular news page they visit, claiming to provide security, they assume this product is safe and will truly protect them. This product is doing the exact opposite; it could be potentially owning your system.

This is a good reminder to me.  I need to educate those around me and help them understand basic security best practices. Selfishly, this saves me time too, because then I won’t have compromised systems to troubleshoot.

“The best way to protect yourself against any malvertising campaign is always to make sure you are running updated software and apps. Also use reputed antivirus software that can detect such threats before they infect your system.” (hacknews.com)

OpenDNS…more than just a home internet filter

When Cisco first acquired OpenDNS I was indifferent.  I perceived their service to be free content filtering for home and SMB.  After hearing all the buzz, from co-workers, security market, customers etc. I knew there had to be more to OpenDNS.

I learned that it provides an advanced cloud security platform called Umbrella.  Umbrella can be used to protect any user or any device, from anywhere,  it doesn’t matter if I am sitting in Starbucks or on the corporate network.  If you give me a little room here…I like to classify OpenDNS Umbrella as a cloud firewall/gateway that can be used to prevent attacks before it hit your users or network.

The Umbrella Data Sheet states that with Umbrella you can:

  • “Reduce malware infections up to 98%”
  • “Cut the number of alerts from your IPS, AV, and SIEM by as much as 50%”
  • “Decrease remediation time by 20%”

Umbrella in action:

Take for example, I open my email and receive a message from USPSS (which looks like USPS), the title states “check the status of your package.” Knowing that Christmas is coming, I get excited thinking one of my friends sent me a gift.  Little do I know the link within my email takes me to a false page, USPSS look alike page, and in the background my computer is reaching out to a known malicious ransomware domain.

If I was using a traditional DNS service, like Google,  it wouldn’t block the lookup to the ransomware domain, instead it would provide the ip address for the ransomware domain.

umbrella1

OpenDNS umbrella will block the DNS request for the  malicious domain, stopping the attack before it hits my client or network.

umbrella2

OpenDNS has over 65 million users and roughly 80 billion internet request daily.  OpenDNS builds security intelligence from internet data, big data analytics, machine learning, and super smart security engineers.  With this threat intel, OpenDNS can understand which domains are malicious and block the attack via DNS before it hits your network.

https://umbrella.cisco.com/use-cases/threat-intelligence

https://blog.opendns.com/2015/11/19/opendns-cracks-predictive-security/

https://blog.opendns.com/2015/03/05/opendns-unveils-nlprank-a-new-model-for-advanced-threat-detection/

Umbrella components

1.Cloud Management – Umbrella provides a cloud dashboard…much like Meraki.  In this dashboard you can control and manage your security policies and gain visibility into your network traffic. “Umbrella provides visibility into internet activity across all devices, over all ports, even when users are off your corporate network. You can even retain the logs forever.” https://umbrella.cisco.com/products/features

2.Umbrella network protection- To protect your devices on your corporate network simply redirect your external DNS request to OpenDNS.  “To switch to Umbrella, you need to explicitly change the DNS settings in your operating system or hardware firewall/router to use IP addresses of the Umbrella name servers and turn off the automatic DNS servers provided by your ISP.”

3.Umbrella Client- To protect your clients off net, you can leverage a lightweight umbrella roaming client.  There is even a plugin for AnyConnect VPN, if you are disconnected from VPN your traffic will be protected by OpenDNS.

With Umbrella roaming client, you can also protect IP based traffic.  “Alternatively, OpenDNS’s IP layer enforcement provides protection over any port, and from any location through the use of the OpenDNS Roaming Client, an endpoint client that acts as a DNS request forwarder.”https://blog.opendns.com/2015/11/03/opendns-adds-ip-layer-enforcement-umbrella/

More Details AnyConnect Umbrella  client 

More Detail Umbrella Roaming client

OpenDNS Umbrella is very different from traditional proxy type services.  It  provides protection across all ports (not just 80/443) without proxying all your traffic to an on-prem device or somewhere in the cloud. “Instead of proxying all requests, Umbrella selectively routes suspicious URLs for deeper inspection. Effectively protect without delay or performance impact.” https://umbrella.cisco.com/products/features/intelligent-proxy

OpenDNS is not a silver bullet but it dramatically can increase security.  To me, that is very powerful.  The increased security helps to take the load off my firewall,  it adds an extra layer of  protection to any device anywhere and  gain visibility into network traffic.

Stay tuned for my future posts on security and OpenDNS.

Windows 10 Denial of Service Vulnerability

Good read from Cisco Talos on a recent Windows 10 Vulnerability. If you have Windows 10 make sure you apply the following security update.

“An attacker can craft a malicious portable executable file, which if accessed causes AHCACHE.SYS to attempt to access out of scope memory. This triggers a bugcheck in the Windows kernel causing the system to crash, denying service to the user.”

“Microsoft patched this vulnerability in security update 3178467 as described in Security Bulletin MS16-110. Talos has released rules that detect attempts to exploit this vulnerability to protect our customers.”

http://blog.talosintel.com/2016/11/vulnerability-spotlight-windows-10.html

http://blogs.cisco.com/security/talos/vulnerability-spotlight-windows-10

 

 

 

 

 

Optimize Internet Performance with OpenDNS

When looking at internet performance one critical component that can be overlooked is DNS.  It doesn’t matter how fast the internet pipe is, if you have slow DNS service it can impact overall performance.

I am a big user of Waze and before I get in my car I will plug in my destination, then Waze provides me with the fastest route. Think of OpenDNS as the Waze of the internet. They can ensure you take the most efficient path to OpenDNS services. This will ultimately provide a quicker DNS lookup and better end user experience.

If you want to go to google.com, you don’t have the ip addresses for Google memorized. Your device will call out to a DNS service and request the ip address for Google, and  from there, your host will communicate directly via IP.

I did a quick test on networkworld.com.  When I pulled up networkworld.com my host sent out 311 DNS request to OpenDNS. Most webpages have multiple objects, image, etc. and each one is typically tied to domain name.  Can you imagine the end user experience if you have slow DNS service?

http://info.opendns.com/rs/033-OMP-861/images/OpenDNS-Global-Network.pdf

OpenDNS has plugins with over 500 of the largest ISPs in the world and service integration with global CDNs (content delivery networks).                       OpenDNS is rated as the fastest DNS services in North America, and one of the fastest globally.

https://blog.thousandeyes.com/comparing-latency-top-public-dns-providers/

OpenDNS has plugins with over 500 of the largest ISPs in the world and service integration with global CDNs (content delivery networks)

“So now a user in Austin, Texas who types in the URL for a YouTube video will share part of his IP address as part of the DNS request. That way, the domain name system server can route the request to a Google data center in Dallas, as opposed to one in Ireland. This can substantially speed up access to content, which is what people hire Akamai for in the first place.”

Speeding up your DNS with OpenDNS is free.

http://info.opendns.com/rs/033-OMP-861/images/FB-PremiumDNS.pdf

Want to learn more about OpenDNS? More posts to come!

(site image from opendns.com)

OpenDNS SmartCache, what DDOS attack?

Did you have internet issues last Friday?    

Looks like OpenDNS customers didn’t notice a thing.

 

What is OpenDNS and how did they help these customers? 

OpenDNS is a Recursive DNS service that is security centric. OpenDNS will block malicious traffic before it hits your firewall or network.

Let me start with a quick 101 on DNS….

Almost all of today’s network/internet communication are tied to DNS (Domain Name Service).  If I want to call my wife and don’t know her phone number, I can ask Siri to call her and she will look up my wife’s phone number and then dial it for me.

DNS is the phonebook for the internet.  It connects domain names (google.com) to IP addresses.

There are two main DNS server types, Recursive and Authoritative.

Recursive DNS-is like a telephone operator; they will check multiple phone books to provide you the most accurate local phone number.

Authoritative DNS -will actually create the phonebooks based on data provided from name registrars.

The issues the Internet experienced last week were due to a DDOS attack against an Authoritative DNS service.

http://www.networkworld.com/article/3134057/security/how-the-dyn-ddos-attack-unfolded.html

DNS in action

Say I wanted to go to google.com….

picture1a

1.My computer would send a request to my Recursive server for the IP address of google.com

2.Recursive server doesn’t have an entry

3.Recursive server forwards request for google.com to Authoritative server

4.Authoritative server responds back to the Recursive server with IP address for google.com

5.Recursive server provides my computer with IP address for google.com (Go to 1.1.1.1 to reach google.com)

 

What if the Authoritative server is offline?  Maybe our Authoritative server was DDOS?

Hopefully you leverage OpenDNS for your recursive DNS service. OpenDNS provides a feature called SmartCache.

“SmartCache uses the intelligence of the OpenDNS network at large, now providing DNS service to millions of people around the world, to locate the last known correct address for a Web site when its authoritative nameserver is offline or otherwise failing. A common occurrence, authoritative DNS nameserver outages often take major Web sites offline for hours or even days at a time, making them inaccessible on the Internet. One recent example of such an outage resulted in popular Web site Amazon.com inaccessible for several hours.”

More details on SmartCache

So in our example, OpenDNS server has the cached entry for google.com and it doesn’t matter that the Authoritative server went down.

picture1bThere are many benefits to OpenDNS but one that really stood out last Friday was SmartCache.

For me, goodbye 8.8.8.8 and hello OpenDNS.

Irony in DyDNS Blog Post?

Seem ironic that DY posted this article on Thursday October 20th? The day before half the east coast went down?

http://dyn.com/blog/recent-iot-based-attacks-what-is-the-impact-on-managed-dns-operators/

http://www.usatoday.com/story/tech/2016/10/21/cyber-attack-takes-down-east-coast-netflix-spotify-twitter/92507806/

Similar to what happened with Krebs?

http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/

Details on DyDNS attack

Great Article from NetworkWorld.com, details around yesterdays attacks.

“The DDoS attack force included 50,000 to 100,000 internet of things (IoT) devices such as cameras and DVRs enslaved in the Mirai botnet, as well as an unknown number of other devices that are parts of other botnets, says Dale Drew, CTO of Level 3. He theorizes the mastermind behind the attack hired multiple botnets to compile the number wanted for the attacks.”

Details on Mirai from NetworkWorld

My Take

My take, hackers are finding new ways every day to attack us.  Now the devices we are connecting to the network(toasters, thermostats, etc.) to provide value…are now being used against us. As an industry we need to get better at implementing security best practices. Don’t hear me wrong…I don’t think security best practices will solve everything…but helps shrink the avenues hackers can leverage. Great basic lesson and example in this story…Security 101, let’s change our default passwords.

Interested to learn more about the attacks from yesterday. Crazy world.

Learn how to build a campus network with Meraki switching

Meraki Campus Switching

I have been very impressed with the Meraki switching line.  Using Meraki switching you can now build out an entire campus network .  I typically see  the Meraki 400 series at the aggregation layer and 200/300 series in the closet.  In the following videos I will show you how to configure 425s at the aggregation stack and 350s at user layer.

Meraki Aggregation switch stack- In this video, you will learn how to configure stacking, spanning, layer 3 interfaces, and aggregation services for the Meraki 425 switching platform.

 

Meraki closet switch stack – In this video I will show you how to build a Meraki MS350 switch stack and how to configure a port channel between the closet and aggregation stacks.

 

 

Meraki Switch OSFP configuration – Learn how to configure OSPF on Meraki switches. Using my lab I will show you how to connect a Meraki OSPF network to a Cisco OSPF network.

 

 

 

Configuration links

Product Information

 

Meraki Network Access Control

Meraki Network Access Control

Check out the following videos to learn more about Meraki Network Access Control.

You can use the Meraki network to identify who is the user and  allow them access only to the resources they need. To implement NAC you only need a Meraki network and a radius server, no extra licensing required! The radius server can be a  free linux radius server, Cisco ISE, Windows 2012 R2 etc.

1.Meraki NAC Overview

2.Meraki NAC on Wireless Network

3. Meraki NAC on Wired Network

Useful links

1.Setup NPS on Server 2012 R2

https://glazenbakje.wordpress.com/2013/08/31/microsoft-windows-server-2012-radius-setup/

2.Setup 802.1x authentication with NPS and Meraki Wireless Network

https://shabiryusuf.wordpress.com/2012/12/24/meraki-network-policy-server-nps-and-radius-with-wpa2-enterprise/

3.If you need to create your own self signed cert for Server 2012

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Installing_a_Self-Signed_Certificate_on_Windows_Server

4.Apply group policies based on radius tags

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attributes

5.Creating and applying group policies

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attributes

6.Configure 802.1 authentication with NPS and Meraki Wired Network

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Tagging_Client_VLANs_with_RADIUS_Attributes

7.Dynamic vlan assignment Meraki Wired Network

https://documentation.meraki.com/MS/Port_and_VLAN_Configuration/Dynamic_VLAN_assignment_via_802.1x_(RADIUS)_for_MS_Switches

8.Configure Windows 7 client for Wireless 802.1x authentication

https://documentation.meraki.com/MR/Encryption_and_Authentication/Enabling_WPA2-Enterprise_in_Windows_Vista_and_Windows_7

9.Configure Windows 7 client for Wired 802.1x authentication

https://documentation.meraki.com/MS/Access_Control/Configuring_802.1X_Wired_Authentication_on_a_Windows_7_Client

« Older posts Newer posts »