Archive

Category Archives for "packetmischief.ca"

Packets of Interest (2015-06-19)

It's been a while since I've done a POI so here we go. The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them. Diffie-Hellman Key Exchange Diffie-Hellman (DH) is the world's first public key crypto system.

BRKDCT-2333 – Data Center Network Failure Detection

Presenter: Arkadiy Shapiro, Manager Technical Marketing (Nexus 2000 – 7000) @ArkadiyShapiro

You could say I’m obsessed with BFD –Arkadiy

The focus on this session is around failure detection (not reconergence, protocol tuning, etc). This session will not go over user-driven failure detection methods (ping, traceroutes, etc).

Fast failure detection is the key to fast convergence.

Routing convergence steps:

  1. Detect
  2. Propagate (tell my neighbors)
  3. Process (routing recalc, SPF, DUAL, etc)
  4. Update (update RIB/FIB, program hardware tables)

Failure detection tools: a layered approach: Layer 1, 2, MPLS, 3, application.

Interconnect options:

  • Point to point – failure detection is really easy here; event driven; fast
  • Layer 3 with Layer 1 (DWDM) bump in the wire
  • Layer 3 with Layer 2 (ethernet) bump in the wire
  • Layer 3 with Layer 3 (firewall/router) bump in the wire

Think about this: moving to higher speeds (1G -> 10G -> 40G -> beyond) means that more data is lost as you move to higher speeds without changing the failure detection/reconvergence characteristics of the network. 1 second reconvergence time at 1G is way different than 1 second at 40G.

Be aware: ISSU may not support aggressive timers on various protocols. Another reason to be wary of timer cranking.

Continue reading

BRKSEC-2137 – Snort Implementation in Cisco Products

Presenter: Eric Kostlan, Technical Marketing Engineer, Cisco Security Technologies Group

 

Above all, Snort is a community –Eric

Snort stats

  • over 4 million downloads
  • nearly 500,000 registered users

Snort was created in 1998 (!!). Sourcefire founded in 2001.

The Snort engine

  • Packet sniffer (DAQ)
  • Packet decoder
  • Preprocessors
  • Detection engine
  • Output module

DAQ – packet acquisition library(ies?). Snort leverages this to pull packets off the wire (Snort doesn’t have its own built-in packet capture abilities). DAQ provides a form of abstraction between the Snort engine and the hardware where the bits are flowing. DAQ – Data AcQusition. DAQ modes: inline, passive or read from file.

Packet decoder – look for header anomalies, look for weird TCP flags, much more. Generator id (GID) is 116 for the packet decoder. Decodes Layer  and Layer 3 protocols with a focus on TCP/IP suite.

Preprocessors – apply to Layer 3, 4, and 7 protocols. “Protocol decoders”. Normalizes traffic. Major preprocessors: frag3 (reassembly), stream5 (reconstruct TCP streams), http_inspect (normalizes http traffic), protocol decoders (telnet, ftp, smtp, so on).

Detection engine – various performance settings (eg, how long to spend on regex). Two components: rule builder and inspection component. Rule builder: assembles the rules into Continue reading

BRKSEC-2139: Advanced Malware Protection

Presenter: Eric Howard, Techincal Marketing Engineer

Why aren’t we stopping all the malware???


The term “APT” has become the boogey man of cyber security. :-)

You don’t need to know squat about writing malware in order to launch malware

  • Malware rentals
  • Malware as a Service (swipe CC, pay bitcoin)

Why aren’t we stopping all the malware?

  1. To solve the malware problem is to follow a very involved, multi-step process. Not every step can be automated; humans are needed (analysis, triage, more). This makes the process expensive, too.
  2. There’s no silver bullet

Product does not solve the issue. Process is required, too. Ideally, good process backed by good product.

If you knew you were going to be compromised, would you do security differently? — Marty Roesch, Cheif Architect, Cisco Security, founder of Sourcefire

Do security different:

  • Plan A – Prevention: shore up the environment; dig a bigger moat, build thicker walls
  • Plan B – Retrospection: track system behaviors without regard for disposition (ie, do this for everything, not just known malware but also “known good” and “unknown”)

Plan A

  • 1-to-1 signatures: like anti-virus; also hashes; AV vendors only enable 8-10% of their rules; AMP cloud runs all sigs all the time; Continue reading

BRKCRS-3900: NBase-T and the Evolution of Ethernet

Presenters: Dave Zacks, Distinguished Engineer; Peter Zones, Principle Engineer

History has been: 10x performnce increase at 3x the cost. 40Gb broke that model –> 100Gb PHYs were very expensive; industry needed/wanted an intermediate step.

Ethernet has a really strong roadmap and will continue to evolve for a very long time. Roadmap: http://www.ethernetalliance.org/roadmap/

  • 25Gb – direct server connect (Twinax)
  • 40GBase-T (Cat 8 cable!)
  • 2.5/5G – N-BaseT
  • 400Gb
  • More

SERDES

  • Serializer/deserializer
  • Turns bits on the wire into bytes and vise-versa
  • 40Gb Ethernet based on 4x10Gb SERDES

100m is the sweet spot for copper cable lengths. Why? CSMA/CD and also electrical wiring, placement of wiring closets just make 100m the right fit.

Cisco Mgig

  • PoE/PoE+/UPoE
  • Standards compliant
  • Investment protection (existing cable plant)
  • Supports 100M but not 10M; (had to drop something as far as standards and nobody uses 10M anymore really)

802.11ac Wave 2

  • Max PHY rate: 6.8Gbps (in absolute best conditions)
  • More likely 3-ish Gb/s
  • Point: it’s more than 1Gbs

Cisco Mgig products:

  • 4500E line card
  • New 3850 models with Mgig ports
  • New compact 3560CX with 2x Mgig ports

Between 2003 and 2014, approx 70 billion meters of Cat 5e and Cat 6 cabling were sold

Continue reading

BRKSEC-2010: Emerging Threats – The State of Cyber Security

Presenter: Craig Williams (@security_craig) – Sr Technical Leader / Security Outreach Manager, Cisco TALOS

I’m from Talos. We love to stop bad guys.

 
Talos by the numbers:

  • 1.1 million incoming malware samples per day
  • 1.5 billion Sender Base reputation queries per day

Talos has a serious amount of data. For serious.

Data is key. It allows generation of real threat intel.

We basically have a bottomless pit of data

Talos vuln dev team:

  • Looking for ways to programmatically find 0-days
  • Takes this research and feeds it back into Cisco to a) make Cisco products more secure and b) generate sigs and threat intel to protect customers

With ransomware, you’re basically funding the malware underground.

Malvertizing:

  • Malicious ads which redirect user to malware and then infects them
  • Kyle & Stan campaign dynamically generated a new .exe every time it was downloaded; prevented matching on the file hash; Cisco AMP can stay on the bleeding edge of this
  • blogs.cisco.com/security/talos/kyle-and-stan

Destructive/Wiper Malware:

  • Targets your data
  • Not just file data, but also seen targetting network devices and wiping their configs
  • Cryptolocker 2.0: uses TOR for C&C; encrypted binary to avoid hash fingerprinting; anti-VM check
  • Cryptolocker 3.0: still Continue reading

BRKARC-2032 – Designing for Secure Convergence of Enterprise and PCNs

BRKARC-2032 – Designing for Secure Convergence of Enterprise and Process Control Networks

Presenter: Chuck Stickney, Cisco SE

Handful of OT folks in the room; majority IT.

Convergence Benefits

  • Simplification (common protocols)
  • Reduced Cost
  • Pervasive enablement of features and services


PCN vs Enterprise

  • PCN: peer-to-peer, publish/subscribe model; application defines communication parameters; strict time sync
  • Enterprise: three-tier architecture; session oriented; many-to-one (centralized apps)
  • PCN: short, high-volume messages; localized traffic; delay/jitter sensitive; unreliable transmission; no out of order messages, no retransissions; similar to voice/video (these are problems that IT has solved for years)
  • Enterprise: large messages; remote traffic; delay tolerant; reliable, connection oriented; retransmission, re-ordering

“Layer 2, Layer 3″ are not terms that OT folks understand. IT folks: speak a language your OT folks can understand.

PCN Characteristics

  • Proprietary protocols (Modbus, Profibus, DeviceNet)
  • Incompatibility between systems (connectors, cabling, signals) (think: Ethernet vs Token Ring)
  • Industrial Ethernet: a common data link layer using standard 802.3 components (EtherNet/IP, Modbus/TCP, Profinet)
  • Ethernet/IP: Rockwell; uses Common Industrial Protocol (CIP); implicit, real-time (UDP, mcast port 2222); explicit, non-time critical (tcp port 44818)
  • Profinet: Siemens; IO and non-realtime; IO is Layer 2 only where app layer directly interfaces with MAC layer bypassing layers 3 – 6; non-real time Continue reading

BRKARC-3004 APIC-EM Controller Workflow and Use Cases

Presenter: Markus Harbek, CCIE, CCDE

 
Who knows what SDN stands for?

  • Still Don’t kNow
  • Still Does Nothing
  • Schnitzel Dinner Night


APIC – Application Policy Infrastructure Controller

  • Data center
  • n9000s
  • Focus on application network profile. SLA, Security, QOS, load balancing
  • Application intent

UCI – User Centric Infrastructure

APIC-EM – APIC Enterprise Module

  • Catalyst, ISR, N7k, n6k, n5k, WLAN
  • Focus on user, things, network profile, QoS, security, SLA, device
  • Application intent

Eventually, APIC and APIC-EM will have a common policy model so they can share policies across DC and enterprise. They will not integrate directly but will talk to a common policy orchestrator.

APIC-EM is really focussed on brownfield deployments because the assumption is that customers already have networks up and running hat APIC-EM needs to integrate into. APIC-EM won’t cconfigure OSPF and STP today, things like that, because they’re more than likely already running.

Imperative Control

  • Baggage handlers at an airport follow sequences of simple, basic instructions

Declarative control

  • ATC tells where to take off from but not how to fly the plane
  • ATC tells the “what”
  • Pilot figures out the “how” part
  • In the network, this would be like the admin wanting segmentation between tenants, controller decides which technology Continue reading

BRKSEC-3005 – An IoT Security Model for Securing IT-OT Assets

Presenter: Jeff Schutt – Cybersecurity Solutions Architect (Jeff works in Adv Services in the IoT team)

Full Title: An IoT Security Model & Architecture for Securing Cyber-Physical and IT-OT Converged Assets

Mix of IT/OT folks in the room. 

How do we do physical security?

  • Protect the perimeter
  • Detect breaches
  • Situational awareness (<< THIS!)
  • Forensics

How do we do cybersecurity?

  • Same principles!
  • Just different tools

IT landscape

  • Systems approach
  • Requirements dominated by business data focus
  • Time horizon: driven by Moore’s law and high tech product cycles
  • Scale: 1000s
  • Security: built into protocols (IPsec, TLS)

OT landscape

  • Requirements dominated by needs of physical systems
  • Time horizon driven by capital equipment life; complete lifecycle determined and managed by engineers
  • Scale: few; 10s – 100s
  • Security: No access to outside systems; insecure protocols

With IT and OT convergence, ther’s no way people are going to lose their jobs. We all have too much to do for anyone to be redundant. Additionally, there is a well-known shortage of skilled workers in this area.

Security awareness and training: a combination of people, process, and technology.

“Airgap security” does not address “people, process and technology”. Airgap is NOT security (on its own). Airgap is not Continue reading

BRKIOT-2109 – Connecting Oil & Gas Pipelines

Presenter: Konrad Reszka, IoT Vertical Solutions Group Engineering Lead

Given a chance, how many people in this room would volunteer to be a meteorologies in San Diego?


Inflection point between 2009 and 2010 where the number of connected devices began to out number the connected people. 50 billion “things” by 2020. And this doesn’t include phones and tablets. It’s other smart devices.

Shift in dominant endpoints: from consumers (people) to devices (like sensors and such). This shift demands changes in the network to support this growth.

Cisco + Schneider Electric joint functional reference model for connected pipelines.

  • Modular approach
  • Pick the pieces you want
  • ISA99 model
  • Modern approach, such as virtualization
  • Forthcoming reference model with Cisco + Rockwell

Isolate your enterprise network from the operations network.

  • Industrial DMZ at level 3.5 (in the ISA99 model)
  • “Pull the plug” if need be and airgap the OT network from the enterprise network
  • Makes compliance/audits esier

In the erm… pipeline:

  • Connected Pipelines Cisco Validated Design
  • Schneider Electric TVDA (their version of a CVD)
  • Both docs are being co-written by Cisco and Schneider

Had to leave session halfway through due to an overlapping MtE session.

Copyright Joel Knight. All Rights Reserved.
www.packetmischief.ca

DEVNET-1001 – Coding 101

How to Call REST APIs from a REST Client and Python

Presenter: Matt (didn’t catch last name, sorry)


I was late to this session because of wonderful San Diego traffic :-/

A walk-through of using the REST API on APIC-EM.

http://learninglabs.cisco.com – sample code, docs

Postman – plugin for Chrome browser to craft, send, receive API commands over HTTP using a nice graphical interface. Helpful for building and testing queries and also viewing the raw output from the controller that you’re querying. Is there an equivalent for Firefox?

APIC-EM docs fully cover the API. Methods, variables, etc.

“Requests” library in Python – simplifies the CRUD operations in Python.

When you’re in the lab, verifying the SSL cert of your controller (in your code) might be optional. Don’t bring that into prod code. Get a proper cert and have your code validate the cert.

Other references:

  • http://developer.cisco.com
  • http://learnpythonthehardway.org/book
  • http://api.jquery.com
  • http://codeacademy.com/tracks/python
Copyright Joel Knight. All Rights Reserved.
www.packetmischief.ca
1 7 8 9 10 11 16