Episode 156: Cisco ASA and FirePower Services

Cisco ASA with FirePOWER Services is a new, adaptive, threat-focused next-generation firewall that delivers superior, multi-layered protection, improves visibility, and reduces security costs and complexity. It provides integrated threat defense for the entire attack continuum by combining proven ASA firewall capabilities with industry-leading Sourcefire next-generation IPS and advanced malware protection.

But haven't we heard this all before?


TWTV120: Defending the Data Center


Episode 120, Project ID 1219

Taped August 14, 2012 (Studio 13)

Released September 12, 2012

Guests: Per Hagen, Scott Gainey, Jaishree Subramania, Jeff Aboud, Swastik Bihani, Anil Kapur

We had to dig further, past our initial meetings internally, and determine what would make this particular story unique from previous ones we have told this year. Three really good shows done earlier now provide great context for appreciating the innovation we talk about in this one. Check out: Fundamentals of High End Firewalls, Fundamentals of Intrusion Prevention, and (TechWiseTV 115) Firewall Reinvention with the ASA-CX.

So topically, Security in the Data Center is an easy hit of course.   It seems to top many lists. As Cisco broadens the tool set with new models and deployment options, we broke this one down along party lines:  


Jaishree brought in Scott Gainey for the top down view in Segment 2. 


Jimmy Ray hosted Per Hagen as he explained how the new clustering technology in the ASA worked.   NOTE: ASA 5515-X running the latest software release 8.6(1) was featured in the BYOD CVD (Cisco Validated Design) Smart Solution Design Guide.


Anil Kapur revealed how IPS (from Cisco anyway…) can now play effectively in a data center strategy.  


Jeff Aboud joined me to illustrate how all of these new models now give us the flexibility to model a security architecture that complements the network/business strategy.  


Swastik Bihani then joined us and showed new email encryption capabilities across all of our devices and web security changes worth knowing about. 

For a good design guide on this one, check out this well-done paper (PDF) from our friends at the SBA labs.

TWTV119: Next Generation Encryption

There is something intriguing about 'secrets' and the ability to communicate openly yet know that only your intended recipient can 'decode' your message. The concept is of course not a new one. It's the practice of this in our now digital age that has had to advance and withstand increasingly complex challenges to survive.

This show signals the shift now happening as we move to the latest set of secure protocols needed for the next decade and beyond. We brought in Cisco's NGE (Next Generation Encryption) expert, Dr. David McGrew. David is a Cisco Fellow who not only specializes in secure communications within our Router and Switch Security Group, but somewhere along the line got his Ph.D. in Theoretical Nuclear Physics. Geeez.

David was our sole guest on this show so that we could cover several aspects of NGE. He has some very good blog entries to review on this for further coverage. (Panos Kampanakis also covered NGE.) Another good one to read for background here is David's blog entry on the importance of the key, no matter how strong the cipher.

Understand Cryptography?

Secure communication includes encryption, message authentication, key establishment, digital signatures and hashing. Over the past 30 years, public key cryptography has become a mainstay for secure communications over the Internet and throughout many other forms of communication. Public key techniques form the basis for key management and authentication for IP encryption (IKE/IPsec), web traffic (SSL/TLS) and secure electronic mail. For digital signatures, public key cryptography is used to authenticate the origin of data and protect the integrity of that data.

 

Fascinating spy-vs-spy stuff for just about any audience, but also required knowledge for the networking geek. Why is that?

Two big reasons: 

1. Moore's Law - Moore's law ensures that our crypto security gets just a little weaker every day, because the computing power available to an attacker keeps growing while a deployed key size stays fixed. This means that we need to deploy cryptographic protocols that will remain secure for the NEXT 10 to 15 years. There is no way to know when an attacker has broken your cipher and is reading your traffic.

2. Mobility and Performance - New techniques have been developed which offer both better performance and higher security than the first generation of public key techniques. The best-assured group of new public key techniques is built on the arithmetic of elliptic curves and is ideal for our increasingly smaller devices.

Cisco Fellow David McGrew has been instrumental in the development of GCM, the Galois/Counter Mode algorithm, which is also key to his work advancing Next Generation Encryption. With David's help, we explore and explain what you need to know about cryptography, from the basics to the advanced, so you can properly prepare yourself and your network for the next 10 years and beyond.

1. Why We Need Cryptographic Awareness

Learn how and why encryption can be a challenging subject to master but valuable even at the beginning levels. 

2. Introduction to Next Generation Encryption

Securing your communications data requires a 10-year plan, and the time to start is now. Join TechWiseTV and Cisco Fellow David McGrew as we introduce the need for Next Generation Encryption by fully understanding the suite of cryptographic protocols in use today. Know what to watch for and where certain protocols make more sense than others.

3. Roadblocks to Next Generation Encryption

NGE, or Next Generation Encryption, has technically been around since the 1980s. Couple this with our claim today that it is a superior encryption method and it begs the question: why is it not in place already? Cisco Fellow and Cryptanalyst David McGrew returns to answer this question and more as we continue our cryptographic awareness series. What you really need for commercial-grade communications, and more.

4. Elliptic Curve Cryptography - Master Class

Public-key cryptography is based on the intractability of certain mathematical problems. Early public-key systems are secure assuming that it is difficult to factor a large integer composed of two or more large prime factors. For elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of a random elliptic curve element with respect to a publicly known base point is infeasible. The size of the elliptic curve determines the difficulty of the problem. The primary benefit promised by ECC is a smaller key size, reducing storage and transmission requirements. Watch this TechWiseTV segment to see an engineer from Tennessee simplify these concepts with nothing but a whiteboard.
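To make the whiteboard argument concrete, here is an added example (not code from the show or from Cisco) that implements the elliptic-curve arithmetic the segment describes on a deliberately tiny, constructed curve: y² = x³ + 2x + 2 over the field of integers mod 17, with base point G = (5, 1) of order 19. It performs the key-establishment step from the "Understand Cryptography?" paragraph (elliptic-curve Diffie-Hellman, where each side multiplies the other's public point by its own secret scalar) and then recovers a private scalar from a public point by exhaustive search, which is exactly the discrete logarithm problem. On a 19-point curve the search takes at most 18 group additions; on a real curve of order around 2^256 the same search is infeasible, which is what "the size of the elliptic curve determines the difficulty" means. The curve parameters, point formulas and scalar values below are the example's own assumptions and are not suitable for any real use.

```python
"""Toy elliptic-curve Diffie-Hellman and brute-force discrete log.

Constructed teaching example: the curve is far too small for real security.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# A point is an (x, y) pair; None stands for the point at infinity (identity).
Point = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Curve:
    p: int              # prime modulus of the underlying field
    a: int              # curve equation: y^2 = x^3 + a*x + b  (mod p)
    b: int
    g: Tuple[int, int]  # publicly known base point
    n: int              # order of g (n * g is the point at infinity)

    def on_curve(self, point: Point) -> bool:
        """Check that a point satisfies the curve equation."""
        if point is None:
            return True
        x, y = point
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Group law: chord-and-tangent addition over the prime field."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # P + (-P) is the identity
        if P == Q:       # tangent slope for point doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:            # chord slope for distinct points
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """Scalar multiplication k*P by double-and-add (the 'easy' direction)."""
        result: Point = None
        addend = P
        while k > 0:
            if k & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return result


# Constructed toy curve: y^2 = x^3 + 2x + 2 over F_17, G = (5, 1), order 19.
TOY = Curve(p=17, a=2, b=2, g=(5, 1), n=19)


def ecdh(curve: Curve, alice_priv: int, bob_priv: int):
    """Elliptic-curve Diffie-Hellman key agreement.

    Each side publishes priv * G and multiplies the peer's public point by its
    own private scalar; both arrive at the same shared point.
    """
    alice_pub = curve.mul(alice_priv, curve.g)
    bob_pub = curve.mul(bob_priv, curve.g)
    shared_alice = curve.mul(alice_priv, bob_pub)  # a * (b * G)
    shared_bob = curve.mul(bob_priv, alice_pub)    # b * (a * G)
    return alice_pub, bob_pub, shared_alice, shared_bob


def discrete_log(curve: Curve, Q: Point):
    """Recover k such that k*G == Q by exhaustive search (the 'hard' direction).

    Returns (k, group_additions_performed). Cost grows linearly with the group
    order here; real curves have orders near 2^256, making this infeasible.
    """
    R: Point = None
    for k in range(curve.n):
        if R == Q:
            return k, k
        R = curve.add(R, curve.g)
    raise ValueError("Q is not a multiple of the base point")


if __name__ == "__main__":
    a_pub, b_pub, s_a, s_b = ecdh(TOY, 3, 5)
    print("Alice public:", a_pub, "Bob public:", b_pub)
    print("Shared secret agrees:", s_a == s_b, s_a)
    k, steps = discrete_log(TOY, TOY.mul(13, TOY.g))
    print(f"Recovered private scalar {k} after {steps} group additions")
```

Running the script shows both parties computing the same shared point (3, 16) from private scalars 3 and 5, and then shows an eavesdropper recovering the scalar 13 from a public point after only 13 additions. The point of the exercise is the asymmetry: `mul` needs about log2(k) doublings, while `discrete_log` needs about k additions, so a curve with a 256-bit order keeps the first cheap and the second out of reach.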

5. Cisco, NGE and You

Robb and Jimmy Ray wrap up the Next Generation Encryption story with an important review of deployment techniques and best practices.

LINKS OF INTEREST:

Breaking Germany's Enigma Code
FLAME
RSA Factoring Challenge

 

Contributors: Emma Kilcoyne, David McGrew

Guest: Dr. David McGrew, Cisco Fellow

 

As always...thank you for watching!

 

________
Robb Boyd
Managing Editor/Producer/Host

@robbboyd

Watch our fan film: Raiders of the Lost Ark

Keep up: techwisetv.com, fundamentals.techwisetv.com, blog.techwisetv.com
facebook.com/techwise, twitter

Wireless Workshop: New Cisco Security Monitor Module

LIVE WORKSHOP: Thursday August 16, 2012 at 8:00am PST/11:00am EST

As the number of devices joining your network continues to grow, so do your concerns about how to monitor and secure your network's performance.
The good news is, the all-new Cisco Security Monitor Module for the 3600 Access Point gives you the opportunity to monitor your network for threats, without compromising speed and performance, via a dedicated radio.
Register now to join Cisco Product Manager Mark Denny and Engineer Fred Niehaus as they walk through the benefits of this module, including its proven ability to provide:
• Comprehensive network security, feature expansion, and investment protection
• Concurrent serving of clients, spectrum analysis and full-spectrum Cisco Adaptive Wireless Intrusion Prevention System (wIPS) at both the 2.4 and 5 GHz bands
  
Don't miss this chance to get this new information about the Cisco Security Monitor Module from our experts. Register now!

 

 

TWTV118: Maximize your WAN with Cisco ISR

Episode 118, Project ID 1206

Taped July 10, 2012, Released August 3, 2012

Guests: Vasanth Raghavan, Manu Parbhakar, Adam Groudan 

Don't leave the 'S' out of your ISR...

Are you getting all the value you can out of your router? Chances are high that you either have a high-performance machine at the edge of your network that is just idling, or you will soon. The value of this show applies equally to those of you who roll your own and to those who leverage services from our service provider partners.

We include actionable information in at least four areas:
1. Security - secure services: managed VPN enhancements, virtual office and traditional security
2. Cloud Connectors - specifically Cloud Enhanced Voice and Video (HCS)
3. A field trip! - Smart Guidance for architecture deployment (SBA). Who likes being first? You don't have to; chances are high that the SBA guys have already failed first and then published the 'architectural manual'.
4. Machine to Machine - the high growth potential that network intelligence can bring to your most critical functions like transportation, vending machines, people... you can put a router on anything!

 

Don't miss the workshop!

 

Dear Koobface...my social insecurity

Originally released back in January of 2011, this was a segment inside a security special show we taped at the end of 2010 doing a deep dive on the Cisco Annual Security Report. I wanted to write something a bit snarky. I like the way it turned out. The jokes may only be obvious to security folks.

My script:

SCENE: 3B - VO Package - Open Letter to Koobface
LOCATION: Discussion Area
TALENT: Robb

(ROBB)

Dear Koobface.  Can I still call you Koob?

You have been a wonderful friend, I remember how we first met.

Got a message from one of my old friends…click here 'can't believe your face in this video' or something…you know me, I love seeing myself on camera, … wait. I am apparently missing a required component… a 'video codec' I think it said..well I'm this far, I like video stuff…let's get that sucker loaded.

Wow. I did not realize what had happened right away….but I was bitten. ‘Socially Infected’ if you will.

To be fair, you're not a one-friend kind of friend… Social infection has taken on a whole new meaning in the last year thanks to this 'Gratuitous link-sharing behavior' I have heard it called. Social Networks are the Place to be! And you my friend, are the expert at making money on this! Hats off to you Koob!

Well that video component you said I needed was actually an executable file that kicked off a whole bunch of activities.

*******

Can I be honest?  You had me at ‘click here.’  But you were not done were you?  

At first I thought you were just bragging - “Gotta check in” you said I should have seen the signs - Command and control, a central feature of every budding botnet. Turns out you were just casing my place, logging my social activities and sites, I know I made it easy, all those cookies laying around - fair enough.

You were measuring windows and checking out the floor plan…making room for your tools.. Very specific tools it turns out. Now, I appreciate the effort actually, no sense hauling in tools you don’t need - you could see what I was doing.  Now, my friends are your friends!  And convenient too, since they now think all these new messages from you are coming from me.

****

With no extra work on my part, you even helped me become a webserver. I've never been a webserver! Now I got to act as proxy or provide relay services for all our little koobface friends - in fact, and I love this one, I did not even have to break my own CAPTCHAs anymore. I never liked those things! I mean why prove I am human if I have friends that will do it for me? Great little service. And downright neighborly!

That's when things started to go wrong Koob. You know why. It was the money. I was already impressed with your social media propagation parlour tricks…but you showed your true colors. You know money is what ruins most relationships.

Your modularity should have tipped me off - the fact that you could sell yourself on a 'pay per infection' basis to those suspicious looking friends of yours - SEARCH HIJACKERS - ready and willing to lead my browsing preferences right into those worthless click-fraud sites…DATA STEALERS…what kind of friends are these? Nice try convincing me it was just a creative backup strategy. But the final straw, the ROGUE ANTI-VIRUS INSTALLERS…those guys are so old school….I can't believe you still hang with them. 'Click here to protect yourself'. It does still pay I guess.

You know Koob. Enough was enough.  You are who you hang out with.  

That is why I unfriended you.