Messages - jinxer

#1
Forum Lobby / Re: INTERNET-MAN!
October 27, 2018, 12:04:57 PM
To bypass the Authenticator he uses EAP as a disguise and jumps on the RADIUS slipstream to get to the majestic and divine Auth Service to get his advice on the secret X.509 at PKI city


Sent from my iPhone using Tapatalk
#2
Management Tools / Re: Syslog
January 22, 2016, 02:12:00 PM
We/I use syslog-ng and ELK. It's much like Splunk, just open source, and doesn't have all the pre-made plugins.
#3
Security / ISE MAR (machine Access Restrictions)
July 31, 2015, 04:38:40 PM
What's your experience with it? Do you use it in large-scale implementations where the Windows native supplicant is used? If so, what values do you find work for your environment?
#4

Quote from: Fred on April 18, 2015, 11:34:13 PM
Honestly, I find a lot of security people seem to have no understanding of risk analysis. Sometimes, the best answer is actually to be insecure.

Take Amazon. They have a huge risk of customers' passwords being stolen and shipping product to the wrong address. They could easily improve this by requiring strong passwords or implementing two-factor. Many security professionals would suggest that these are simple measures Amazon could put in place that would greatly reduce fraud.

Those security professionals would be right, but they're only doing half the calculation. You have to balance the need for security against the needs of the business, and in Amazon's case, one of their primary needs is to make it as simple as possible for consumers to order product. And it turns out, Amazon makes more money--including those costs from fraud--by being less secure.

Risk is the probability of an event times the cost of that event, and this needs to be compared to the cost of the protection.

Good post :)
#5
Forum Lobby / Re: Cisco Jokes
April 17, 2015, 02:59:32 PM

Quote from: AspiringNetworker on April 17, 2015, 12:23:07 PM
Quote from: Otanx on April 17, 2015, 11:05:58 AM
ISE

-Otanx

I saw a demo of that at a user group, BYOD/MDM stuff. Seemed pretty cool. Doesn't work too well in the real world?

Well, BYOD doesn't really work with the current mindset of it being as it was, and MDM is like BES 8 years ago.
#6
I could fit all that except the load-balancing part. As AnthonyC mentions, I started as a Unix sysadmin in '99 and transitioned over to networking when Sun Microsystems went down the drain.
#7
Security / Re: 100% NAC
April 08, 2015, 03:30:13 PM
Quote from: deanwebb on April 08, 2015, 01:43:14 PM
Quote from: jinxer on April 08, 2015, 12:40:18 PM
I'm interested in hearing what others do to solve sccm with nac so do share yours

What issues with SCCM are you having? Pushing out a client or integration with NAC itself?
Well, getting it to run is easy. But how you do it is interesting. Place it in a restricted VLAN with ACLs only? That opens up a lot if you want it to install and run through sequences that join it to the domain, get certs and so forth.

Or maybe some other way, like MAB + restricted VLAN + ACLs, etc.
#8
Security / Re: 100% NAC
April 08, 2015, 12:40:18 PM
I'm interested in hearing what others do to solve sccm with nac so do share yours
#9
Security / Re: 100% NAC
April 08, 2015, 01:16:31 AM
Quote from: deanwebb on March 17, 2015, 11:53:51 AM
Now we're starting to talk about enforcement... and what happens when we have a PE or PXE build that gets put together on the corporate network without any sort of identifying criteria to differentiate it from a threat box... fun times!

What I did was set up a standalone box (LDAP) which handles all MAB records (one should have one anyway, instead of keeping them in the ISE local DB). Talked to the SCCM guys to give me a list of all MAC addresses that are in there, created a script that put everything in a CSV file, and imported it to the standalone MAB server. Gave them instructions that when large batches come in, they put them in that CSV file and run the script themselves, and all is good.

Created an AuthZ rule that referenced the group where I put all the computers from SCCM, and gave that access "only" to the ports required to successfully PXE and let SCCM push its image on.

Now, as with anything MAB, it's not THAT secure, but at least it's a second layer on top of what you have to open to get PXE/SCCM running anyhow in a production network.
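The post above describes a script that takes the MAC list from SCCM and turns it into a CSV for the standalone MAB server. The script below is an added example written for this page, not the poster's own script: it normalises the notations the list is likely to mix (colon, hyphen, Cisco dotted, bare hex), drops duplicates, rejects anything that is not a unicast MAC (a multicast or broadcast address can never be a MAB client and only pollutes the allow-list), and reports the lines it threw out so they can be checked by hand. The CSV columns (`mac`, `mac_cisco`, `group`) and the group name `SCCM-PXE` are assumptions; the post does not say what import format the LDAP side expects.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Added example, not the poster's script. The CSV layout and the group
# name are assumptions: adapt them to whatever the MAB directory imports.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if it is unusable.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff (Cisco)
    and bare aabbccddeeff. Multicast/broadcast addresses (I/G bit set in
    the first octet) are rejected: they cannot identify a MAB endpoint.
    """
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    if int(digits[0:2], 16) & 0x01:
        return None
    return digits


def to_cisco(mac12: str) -> str:
    """aabbccddeeff -> aabb.ccdd.eeff (the form IOS shows in 'show mac address-table')."""
    return f"{mac12[0:4]}.{mac12[4:8]}.{mac12[8:12]}"


def to_colon(mac12: str) -> str:
    """aabbccddeeff -> aa:bb:cc:dd:ee:ff."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def build_mab_rows(lines, group: str = "SCCM-PXE") -> Tuple[List[Tuple[str, str, str]], List[Tuple[int, str]]]:
    """Parse one MAC per input line.

    Returns (rows, rejected): rows are (colon_mac, cisco_mac, group) with
    duplicates removed in first-seen order; rejected are (line_no, text)
    for lines that were not a usable unicast MAC. Blank lines and '#'
    comments are skipped silently.
    """
    seen = set()
    rows: List[Tuple[str, str, str]] = []
    rejected: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        mac12 = normalize_mac(line)
        if mac12 is None:
            rejected.append((n, line.rstrip("\n")))
            continue
        if mac12 in seen:
            continue
        seen.add(mac12)
        rows.append((to_colon(mac12), to_cisco(mac12), group))
    return rows, rejected


def write_csv(rows) -> str:
    """Render the rows as CSV text with a header row."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["mac", "mac_cisco", "group"])
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample export (not real data): mixed notations, one duplicate
# written two ways, a broadcast address and a typo.
SAMPLE_EXPORT = """\
# exported from SCCM
00:11:22:33:44:55
00-11-22-33-44-55
0011.2233.4466
ff:ff:ff:ff:ff:ff
00:11:22:33:44:GG
"""

if __name__ == "__main__":
    rows, rejected = build_mab_rows(SAMPLE_EXPORT.splitlines())
    print(write_csv(rows), end="")
    for n, text in rejected:
        print(f"rejected line {n}: {text!r}")
```

Run it against the real export with `build_mab_rows(open("sccm_macs.txt"))` and hand the `rejected` list back to the SCCM team before importing; a silently dropped MAC shows up later as a PXE client that never gets its restricted VLAN.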
#10
If you use SVIs, the VLANs can talk to each other. Then you just have a route for the VLAN 1 subnet out to your internet gateway and vice versa. Or you use an ACL which only allows VLAN 1 out. Or... lots of ways to do this. Depends on your design.
#11
Forum Lobby / Re: Active Directory with Apple Macs
February 14, 2015, 01:28:15 AM
What do you guys use to manage your Macs? We have about 1200 right now and dedicated people managing them, but keeping the majority out of AD.
#12
Security / Re: Cisco Sourcefire
February 05, 2015, 01:18:06 PM
Would be nice to see a review. We have been thinking of going that way, but unsure if it might be too early.
#13
Forum Lobby / Re: Tech Books
February 05, 2015, 01:15:22 PM
Currently reading Cisco ISE for BYOD and Secure Unified Access by Aaron Woland and I'm liking it. As for best, I don't know. Worst: any Swedish tech book.
#14
Sometimes it's necessary to be able to see what's happening on the wire. One way to do that is to configure a SPAN or RSPAN session.

I will describe how you can configure an RSPAN session, which is remote SPAN, meaning you can monitor a port on one switch and listen to that monitor on a remote switch by sending the monitor session over a VLAN which you configure as a remote-span VLAN.

First off, configure your RSPAN VLAN:

sw1# conf t
sw1(config)# vlan 999
sw1(config-vlan)# name RSPAN-VLAN
sw1(config-vlan)# remote-span
sw1(config-vlan)# exit

Add that VLAN on your remote switch as well (same commands, including remote-span) and allow that VLAN on your trunk links by adding, under each trunk interface:

sw1(config-if)# switchport trunk allowed vlan add 999

That's assuming you restrict which VLANs traverse your trunk links.

The next thing to do is to go to the switch on which you want to monitor a port and configure that monitor session:

sw1# conf t
sw1(config)# monitor session 1 source interface GigabitEthernet0/1

This will start a monitor session on Gigabit interface 0/1 on your switch. The next thing is to send that monitor to your RSPAN VLAN so you can monitor the traffic on your remote switch.

sw1(config)# monitor session 1 destination remote vlan 999

That's it on the source switch you monitor from. Now it's time to jump on your destination switch and grab that monitor session:

sw2# conf t
sw2(config)# monitor session 1 source remote vlan 999
sw2(config)# monitor session 1 destination interface GigabitEthernet0/2

That's it. The network traffic from switch 1's Gi0/1 will be sent over the wire to switch 2's Gi0/2 interface, where you can plug in your network monitor/sniffer to see what's going on.
#15
If you have WLCs, as of 7.4 they can handle mDNS. Create your mDNS profile and enable mDNS multicast on the SSID, where you choose which profile to use.

There's probably a guide or two if you google it.