Teneo !!!

Aaron’s blog on Networking, and Enterprise Technology

Category Archives: Security

Sophos vs McAfee: Is there a winner?

I just finished up with a comparative study of Sophos and McAfee.  The results were interesting.  Sophos actually detected malware that my existing McAfee implementations did not, and it is extremely fast.  If I were to pick my favorite Sophos features, they would be:

1).  Tiny differential updates throughout the day.  McAfee only updates once per day (Monday – Friday), and this really failed when a buggy update shut down XP systems in 2010.

2).  The scanning engine is incredibly fast and has a smaller memory footprint (compared to McAfee).

3).  Firewall and peripheral device control (i.e. USB Device lockouts and blocking of wireless bridging).

Now, on to McAfee.  I still have not found ePolicy Orchestrator’s equal.  Its central management system is still a great policy interface.  I was asked by a sales rep, “What is the most important thing an antivirus product must do, in a manager’s eyes?”  Well, that question backfired, as my answer was “Good reporting and management”.

Now, if they had asked me “….. for the business….”, I would have answered, “catch malware”.  You see, from my point of view, I need to know how my entire infrastructure is handling security events and making sure all devices have protection.

Sophos does not have great reporting.  I’ve been told they are working on an API to make it better, but I am not known to purchase based on “future roadmaps”.  They have reports, sure….. but the best reports are the ones we can create ourselves.  Out-of-the-box reports are great, but not when you are slicing and dicing data looking for something.  That is where ePO excels.

Another piece, albeit small but still powerful, is the ability to search by username.  If someone is having a problem, it is so easy to just search for their username, and pull up their system and all policies and events associated with them.

Finally, Sophos does not handle inheritance.  Setting policies at a root level and having those policies trickle down to sub-groups is a great way to be efficient and manage them.

I’m still bothered by the fact that Sophos found items that McAfee didn’t.  Is it because my policies were not strong enough?  Am I scanning often enough?  Or is Sophos just better at catching them?  You see?  It’s bothering…..

Overall, Sophos is really a great client and overall system.  Had I not already been spoiled by ePO’s great features, I would have jumped on it.  I am eager to see what Intel’s purchase of McAfee has planned for them.

Microsoft Antivirus…….. good?

Recently, I’ve been following Microsoft’s antivirus since my Admin brought me up to speed on it.
They are actually doing really well in the market, which is really ironic, as Microsoft was never well known for its security. Their answer is usually asking the same question twice, or adding security that reduces functionality.

Still, since they are the number one target, they probably have more data than other security companies, since they already have to fix the flaws in their OS.

Unfortunately, I had just renewed the contract for our current antivirus, so I’ll have to wait another year. But, that gives me time to follow them.

Curious how this will play out.

11-year old network manager

I’d better step it up a notch! I could be replaced by a younger, more energetic network manager!

http://www.networkworld.com/news/2008/032708-netkid.html?fsrc=rss-security

But, we all knew this was happening. It’s not so much the intelligence that impresses me about him…. but rather, the responsibility that he possessed.

Accessing Cisco ASA using SSH

So, I purchased a Cisco ASA 5505 to build a VPN tunnel from a remote office to my main office. Really simple to do when you are using Easy VPN. Anyway, I wanted to turn on SSH. So, I enabled SSH on the ASA, and tried to access it:

[apaxson@netutil ~]$ ssh -l username 1.2.3.4
ssh_exchange_identification: Connection closed by remote host

Hmmmm….. let’s do a debug, and see what happens:


asa# debug ssh
Device ssh opened successfully.
SSH0: SSH client: IP = '1.2.3.10' interface # = 1
SSH: unable to retrieve default host public key. Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

Ahhhh….. we have to create a default RSA key pair. Let’s do that.


asa(config)# ca generate rsa key 1024
WARNING: the 'ca' command syntax has been deprecated
Please use the 'crypto key generate' command.

Okaaaay…… looks like we have to change our ways again.


asa(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
asa(config)#

Okay, so far so good. Let’s try to connect again:


[apaxson@netutil ~]$ ssh -l username 1.2.3.4
RSA key fingerprint is 9b:99:12:45:6f:7a:bb:37:f4:25:19:1d:d9:0d:62:24.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '1.2.3.4' (RSA) to the list of known hosts.

Outstanding!
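For anyone repeating the steps above, here is the full set of commands I would put around that key generation so SSH on the ASA is locked down rather than just turned on. This is an added example, not the configuration from the post; the interface name "inside", the 10.10.10.0/24 management subnet and the username are assumptions.

```cisco
! Added example, not the post's own config. The "inside" interface name,
! the 10.10.10.0/24 management subnet and the username are assumptions.
hostname asa
domain-name example.com
! Generate a 2048-bit host key; "crypto key generate rsa" alone uses 1024
crypto key generate rsa modulus 2048
! SSHv2 only, and only from the management subnet on the inside interface.
! With no "ssh ... outside" line, the outside interface does not listen.
ssh version 2
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 10
! Log in with local accounts instead of the default "pix" user and the
! telnet password that SSH falls back to when no aaa line is present
username netadmin password REPLACE-WITH-STRONG-PASSWORD privilege 15
aaa authentication ssh console LOCAL
! Print the host key so the fingerprint the client shows on first connect
! can be compared against the box before answering "yes"
show crypto key mypubkey rsa
```

The last command is the check that matters: the client's "RSA key fingerprint is ..." prompt is only worth anything if you compare it with what the ASA itself reports, ideally over the console, before accepting it.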


Cisco discontinues the Pix Firewalls

Well, it has finally happened.  It was only a matter of time.  Since the Cisco ASA (Adaptive Security Appliance) does exactly what the PIX does, and then some, why support two lines?
Cisco announces that they will stop sales for the Pix Firewall in January 2009.  Support, however, will be continued until 2013.

See Cisco’s press release.

So, let’s talk about these ASAs.  For those that do not know, the ASA is actually the PIX underneath, with modularity to allow you to expand it into a specific appliance, such as Application Inspection or Virus/Malware/Spyware inspection.  I’m actually using the one with the CSC module, which includes the Virus/Malware/Spyware inspection.  The ASA actually inspects SMTP, HTTP, POP3, and IMAP packets.

When I first purchased and used it 18 months ago, Trend Micro (who owns the scanning engine of the CSC module) had quite a few bugs in it, so I didn’t like it at first.  Too many problems.  However, over the last 18 months, their updates and bug fixes seem to have stabilized it a little bit.

You can learn more about the ASA at Cisco’s website, if you aren’t already familiar.


Cisco IOS – Order of Operations

So, for the first time, I had to NAT an IPSec tunnel for a vendor, due to overlapping networks.  I know the fundamentals, but have never actually done it.

First, define the vpn traffic…. check

Next, define the  nat traffic…. check

Map the traffic to the cryptomap….check

Create the access-list to filter the VPN traffic….. no check…. ummm…. okay, so here is where I needed some help.  Does the ACL get hit first, and THEN NAT?  If so, I’ll need to use the NAT address in the ACL.  But, what if NAT gets hit first?  Then I’ll have to use my private address in the ACL.

What to do?  Well, visit the irc chat room #cisco, that’s what.  They sent me to an incredible post which details the operations of both ingress and egress in a Cisco IOS system.

Very handy!  ….. <Aaron is printing>….
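As an added worked example (not the configuration from the post, and not the post the IRC folks pointed me at), here is what the whole thing looks like on IOS once the order of operations is taken into account: policy NAT of the overlapping LAN, the crypto ACL, and the outside-interface ACL. Every address is a constructed placeholder: our LAN 10.10.10.0/24 is presented to the vendor as 172.20.10.0/24, the vendor's LAN is 192.168.50.0/24, our outside address is 198.51.100.1 and the vendor peer is 203.0.113.10.

```cisco
! Added example, not from the post. All addresses are constructed placeholders.
!
! IOS order of operations, inside-to-outside: inbound ACL on the inside
! interface, routing, NAT (inside-to-outside), THEN the crypto map match,
! then the outbound ACL on the outside interface. The crypto ACL and any
! outside-interface ACL therefore see the translated 172.20.10.x address.
! Outside-to-inside: decryption, inbound ACL, THEN NAT (outside-to-inside),
! so the inbound ACL on the outside interface also sees 172.20.10.x.
!
! 1. Policy NAT: only traffic bound for the vendor is translated
ip nat pool VPN-POOL 172.20.10.1 172.20.10.254 netmask 255.255.255.0
ip access-list extended TO-VENDOR
 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
route-map VPN-NAT permit 10
 match ip address TO-VENDOR
ip nat inside source route-map VPN-NAT pool VPN-POOL
!
! 2. Crypto ACL: matched after NAT, so it uses the post-NAT addresses
ip access-list extended VPN-TRAFFIC
 permit ip 172.20.10.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! 3. IKE / IPsec (the pre-shared key is a placeholder)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 203.0.113.10
crypto ipsec transform-set VENDOR-TS esp-aes 256 esp-sha-hmac
crypto map VENDOR 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set VENDOR-TS
 match address VPN-TRAFFIC
!
! 4. Outside-interface ACL: IKE and ESP from the peer only, plus the decrypted
! vendor traffic addressed to our post-NAT range. Some IOS releases check the
! decrypted packet against this ACL again; on releases that do not, the third
! permit is simply never hit.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
 permit ip 192.168.50.0 0.0.0.255 172.20.10.0 0.0.0.255
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
 crypto map VENDOR
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! Verify: translations should pair 10.10.10.x with 172.20.10.x, and the SA
! counters should increment for 172.20.10.0/24 <-> 192.168.50.0/24
show ip nat translations
show crypto ipsec sa
```

Because the NAT here is a dynamic pool selected by route-map, a translation only exists once one of our hosts talks to the vendor first; if the vendor has to initiate connections, the same design works with static entries in place of the pool, and the crypto ACL and OUTSIDE-IN still reference the 172.20.10.x side.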

Cisco PIX/ASA VPN access to DMZ ?

How many times has someone wanted to access the DMZ (or some other network other than "inside") from the VPN?  Why didn’t it work?  Did you figure it out?

Well, the problem stems from IPSec.  See, IPSec and NAT just do not get along, mainly due to the security inherent in the protocol.  So, how do you get around it?  Well, you tell the ASA/PIX not to NAT your VPN traffic.

Let’s assume I have two networks:  (inside) 10.10.10.0/24 and (dmz) 172.16.1.0/24 and let’s also assume that the VPN is being attached to the inside interface.

Create an access-list to match the VPN Traffic to the DMZ:

access-list DMZnoNAT permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0

Now, apply the access-list to the NAT statement on the interface named ‘dmz’, so it will not be NAT’d (i.e. NAT ID 0):

nat (dmz) 0 access-list DMZnoNAT

Done!  You should now be able to pass VPN traffic from 10.10.10.0 to the DMZ on 172.16.1.0, because we are no longer NAT’ing the traffic, and IPSec is happy again!
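As an added example (not the post's own config, beyond the two lines above), here is the exemption written out for both directions using the post's networks, plus the equivalent on ASA 8.3 and later, where "nat 0 access-list" was replaced by object-based identity NAT. The object names and the packet-tracer flow are assumptions.

```cisco
! Added example, not the post's own config. Networks are the post's:
! inside 10.10.10.0/24, dmz 172.16.1.0/24. Object names are assumptions.
!
! --- PIX / ASA before 8.3: NAT exemption (nat 0) on both interfaces ---
access-list DMZnoNAT permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz) 0 access-list DMZnoNAT
access-list INSIDEnoNAT permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list INSIDEnoNAT
!
! --- ASA 8.3 and later: the same exemption as a manual (twice) identity NAT ---
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET no-proxy-arp route-lookup
!
! Check which NAT rule a flow actually hits before declaring victory:
! the NAT phase of the output should show the identity/exemption rule.
packet-tracer input inside tcp 10.10.10.20 12345 172.16.1.10 80
```

The reverse-direction rule matters because the firewall evaluates NAT for the interface a packet arrives on; exempting only the dmz side fixes replies but leaves inside-initiated traffic to the DMZ subject to whatever other "nat (inside)" rule exists.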


New Antivirus Vendor?

When I first started my job at my current company last year, I was amazed at the security products they were using.  Keep in mind that the company I work for made several acquisitions over the last few years.  So, we have locations using McAfee, Computer Associates, Trend Micro, and Symantec.  Not only is this an administrative nightmare, but it’s not cost-effective.  So, for budgets, I set aside some money to consolidate.

It turns out there is a U.S. company called ESET that not only has a good solution, but is priced extremely reasonably in comparison.  I had never heard of them, and was embarrassed when our Swedish division told me about them and I didn’t know anything about it.

In my eyes, deciding on a vendor isn’t really about virus definitions anymore.  That’s become a trivial process.  For me, the deciding factors for choosing a solution are the following:

  • Central control of policies and processes (including emergency updates and scans)
  • Central Reporting
  • Built-in Reports
  • Ability to customize reports
  • Database to use 3rd party reporting
  • Easy rollout (including pushing software to new clients)
  • Small footprint on the client

I am starting to demo their products for the time being.  The only downside is that they do NOT offer Macintosh solutions.  Well, that won’t break my heart, since less than 1% of our network is Mac; it’s just disappointing that they didn’t choose to support the best OS out there (shameless plug).

However, they do offer solutions for Linux, Windows, Domino and Exchange servers, etc.  Worth checking out!

~~Aaron