Cisco Firepower 6.0 New Features

FirePower
Cisco Firepower 6.0 offers many new enhancements, the major ones being on-box SSL decryption support for ASA with FirePOWER Services, support for OpenAppID applications, and Captive Portal with active authentication. The new features are described in detail below:

URL and DNS-based Security Intelligence: New Security Intelligence feeds based on URLs and Domain Name System (DNS) servers complement the existing IP-based Security Intelligence capability.

DNS Inspection and Sinkholes: Just as attackers use the SSL protocol to hide their activity, they use the DNS protocol for the same purpose. For that reason, and as another way to counter fast-flux attacks, the Firepower system can intercept DNS requests and take action based on the policy setting, for example answering a lookup of a known-malicious domain with a sinkhole address so that the infected host identifies itself when it connects there.

On-box SSL Decryption for Cisco…
Read More
Cisco ISE 2.0 Support for TACACS+ & additional features

ISE
Cisco Identity Services Engine (ISE) 2.0 came with a lot of new features, the most popular being support for device administration via TACACS+. Here is a list of the new features bundled with ISE 2.0 according to the official release notes listed HERE. Further details are listed below:

Device Administration via TACACS+: ISE can now use the TACACS+ protocol to control and audit the configuration of network devices. This requires an additional Device Administration license for the TACACS+ service. An ISE administrator can create policy sets that allow TACACS+ results, such as command sets and shell profiles, to be selected in the authorization policy rules of a device administration access service.

Third-Party Device Support: Many more third-party vendors have been added to the device support list…
Read More
Configuring Role Based Access Control (RBAC) using TACACS+

ACS
In this blog post, we will configure Cisco Secure ACS 5.x to return a TACACS+ attribute that defines the role a user is placed into on an IOS device using Role-Based Access Control (RBAC). RBAC restricts access based on each user's role and function within the organization. This is very useful when an ACS administrator wants to delegate different responsibilities to different user groups. The Role-Based CLI Access feature lets the network administrator define "views", which are sets of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration (config) mode commands. We can create the following roles to accomplish the goals set forth:

1) Network Operator Role (netop): allowed to configure network-related operational tasks, e.g. configuration…
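As an added example (not configuration from the original post), here is the IOS side of the setup the post describes: a netop view with a handful of permitted commands, the AAA lines that make the switch ask TACACS+ for EXEC authorization, and the shell-profile attribute ACS must return so the user lands in that view at login. The server address, secrets, the exact command set and the ACS GUI path are assumptions; the attribute name cli-view-name is the one the IOS Role-Based CLI Access feature reads from the TACACS+ shell (exec) authorization reply.

```text
! --- IOS device (assumed: IOS 15.x, TACACS+ server at 10.1.1.10) ---
aaa new-model
enable secret <enable-secret>                        ! needed before "enable view" can create views
tacacs server ACS
 address ipv4 10.1.1.10
 key <shared-secret>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local   ! the exec reply carries cli-view-name
aaa authorization console                            ! apply the same rule on the console line
!
! Views are created from the root view: "enable view" at the EXEC prompt, then:
parser view netop
 secret <view-secret>                                ! used only when someone enters the view manually
 commands exec include show running-config           ! shows only the parts this view may touch
 commands exec include show ip interface brief
 commands exec include configure terminal
 commands configure include interface                ! may enter interface config mode ...
 commands interface include ip address               ! ... and change only these two things there
 commands interface include shutdown
!
! --- ACS 5.x (assumed GUI path): Policy Elements > Authorization and Permissions >
!     Device Administration > Shell Profiles > netop > Custom Attributes
!   Attribute: cli-view-name   Requirement: Mandatory   Value: netop
! Reference the "netop" shell profile from the authorization rule of the
! device-administration access service that matches the netop identity group.
!
! Verify from a netop login: the prompt is still "#", but only the included
! commands are visible, and "show parser view" names the active view.
```

The "exec" authorization rule is the one that matters: a command-authorization rule alone never places a user into a view. Keep the local fallback so that a TACACS+ outage does not lock you out, and test the view with a restricted account before handing it to operators, since any command not explicitly included is silently hidden.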
Read More
FlexVPN IKEv2 Smart Defaults

VPN
The IKEv2 Smart Defaults feature minimizes the FlexVPN configuration by covering most use cases. The smart defaults can be customized for specific use cases, though this is not recommended. The following rules apply to the IKEv2 Smart Defaults feature:

A default configuration is displayed in the corresponding show command with default as a keyword and with no argument. For example, show crypto ikev2 proposal default displays the default IKEv2 proposal, and show crypto ikev2 proposal displays the default IKEv2 proposal along with any user-configured proposals.

A default configuration is displayed in the show running-config all command; it is not displayed in the show running-config command.

You can modify the default configuration, which is then displayed in the show running-config all command.

A default configuration can be disabled…
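The commands below are an added example, not part of the original post, showing how the rules above look in practice: first inspect what your release ships as the default proposal and policy (depending on release the default proposal may advertise legacy transforms such as 3DES, MD5 or DH group 2, which is the reason to look before relying on it), then either tighten the default proposal in place or disable it and restore it later. The transform values are an assumption; choose what your peers support.

```text
! Inspect the defaults on this release; they never appear in plain "show running-config"
show crypto ikev2 proposal default
show crypto ikev2 policy default
show running-config all | section crypto ikev2
!
! Tighten the default proposal in place. Every policy that references the default
! proposal (including the default policy) inherits the change. Each keyword line
! replaces the whole list for that transform type, so legacy entries drop out.
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! Confirm: the modified default is now visible, still under the "default" name
show crypto ikev2 proposal default
show running-config all | section crypto ikev2 proposal
!
! Alternatively disable the default proposal entirely ...
no crypto ikev2 proposal default
!
! ... and put the factory values back if needed
default crypto ikev2 proposal
```

If you disable the default proposal, the default policy has nothing left to offer, so a user-defined proposal must also be bound to a user-defined crypto ikev2 policy; modifying the default in place avoids that extra step.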
Read More
2 Factor authentication for Cisco VPN Solutions

ACS, ISE
Generally, two approaches are widely used in networks today for managing user credentials: username and password based authentication, and certificate based authentication. The first is easier to manage, but if you choose weak passwords or your passwords are stolen, your identity can be compromised. The second requires a little more management overhead but offers stronger security, since identity certificates cannot be forged that easily. However, if the laptop that has your certificate installed is stolen, and the private key is not protected by a PIN or hardware token, your identity is compromised just the same. Both methods offer a single layer of authentication, and using either alone your identity can be compromised. Despite losing user credentials (someone decoding your company's global VPN client group authentication key from the Cisco VPN Client PCF file) or…
Read More
Cisco Email Security Appliance Mail Flow Pipeline

ESA
Reputation Filter: The SenderBase Reputation Score (SBRS) is based on an IP address's overall reputation for sending email on the Internet. SenderBase incorporates a number of variables into the score, such as spam traps, public blacklists, user complaints, and volume data. The SBRS ranges from +10 to -10, where positive scores indicate a good reputation and negative scores a bad one; the further the number is from zero, the more data supports that determination. IP addresses with an SBRS of None are senders that send a very low volume of mail, or for which there is not yet enough data to determine a score. Senders whose mail volume suddenly increases by a large percentage will see their scores drop by one to two points. This is because…
Read More
FlexVPN Overview

VPN
If you are studying for the CCIE Security lab exam, or the written exam for that matter, you need to brush up your skills and learn to test and deploy FlexVPN. Not only in lab studies but also in production environments, FlexVPN is Cisco's way of integrating all major VPN types under one umbrella, i.e. FlexVPN or Unified Overlay VPN. FlexVPN combines multiple frameworks (crypto maps, EzVPN, DMVPN) into a single, comprehensible set of CLI and binds it together with something offering more flexibility and the means to extend functionality in the future. FlexVPN is Cisco's implementation of the IKEv2 standard, featuring a unified paradigm and CLI that combines site-to-site, remote access, hub-and-spoke topologies and partial meshes (spoke-to-spoke direct). FlexVPN offers a simple but modular framework that extensively uses…
Read More
ACS5.X : 802.1x Port Based Access Control via RADIUS attributes

ACS
NOTE: This article covers the IEEE 802.1X Port-Based Access Control method. The Identity-Based Networking Services (Cisco IBNS) and IBNS 2.0 frameworks are covered in other articles. This article covers IEEE 802.1X Port-Based Access Control using authentication from Cisco Secure ACS 5.x with dynamic VLAN assignment. The basic idea behind the standard is to authenticate and authorize before a user can connect to the physical or logical port of a Layer 2 device and gain access to the VLAN or WLAN infrastructure. The three basic components of the IEEE 802.1X architecture are:

Authentication Server: Cisco Secure ACS 5.X
Authenticator: Catalyst switch
Client or Supplicant: Windows XP native client (or AnyConnect Secure Mobility Client, etc.)

In order to assign a VLAN to a client upon successful authentication…
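Added example, not configuration from the original article: the authenticator side of the three-component setup above, plus the three IETF RADIUS attributes ACS 5.x returns in the Access-Accept to move the port into a VLAN. The server address, secret, interface and VLAN number are assumptions; the attribute numbers and values are the standard RFC 3580 tunnel attributes that Catalyst switches act on.

```text
! --- Catalyst authenticator (assumed: IOS 15.x, ACS at 10.1.1.10, user VLAN 20 exists) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius     ! without this the VLAN attributes are ignored
radius server ACS
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control                          ! enable 802.1X globally
!
vlan 20
 name USERS                                        ! name must match if ACS returns a VLAN name
!
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto                  ! port stays unauthorized until EAP succeeds
 dot1x pae authenticator
!
! --- ACS 5.x authorization profile (Common Tasks > VLAN, or Manual Attributes) ---
! The Access-Accept for an authorized user carries:
!   Tunnel-Type (64)             = VLAN (13)
!   Tunnel-Medium-Type (65)      = 802 (6)
!   Tunnel-Private-Group-ID (81) = 20      (VLAN ID, or the VLAN name "USERS")
!
! --- Verify after the supplicant authenticates ---
show authentication sessions interface GigabitEthernet1/0/1
show dot1x interface GigabitEthernet1/0/1 details
show vlan brief                                    ! Gi1/0/1 should now sit in VLAN 20
```

Two checks worth doing before rollout: a VLAN that ACS names but the switch does not have causes the authorization to fail rather than fall back to the configured access VLAN, and without the aaa authorization network line the authentication succeeds while the port silently stays in its static VLAN, which is easy to mistake for a working deployment.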
Read More

CUCM Presence Vs CUPS Presence

Unified Presence
In Cisco Unified Communications Manager (CUCM), users can check the status of another phone via what is known as "phone presence", i.e. whether a phone/line DN is in the ON HOOK, OFF HOOK or DO NOT DISTURB state, etc. This feature in CUCM is called BLF (Busy Lamp Field). BLF displays the real-time "phone presence" status of another phone device. There are a couple of ways BLF status can be seen in CUCM:

BLF Speed Dial: BLF SD is a two-fold feature. First, you can press the SD button to call the speed-dial extension, and you can also see the "phone presence" status of the SD user's extension.

BLF Call Lists: Using the BLF Call Lists feature, which is configured at the Enterprise Parameter level, you can monitor "phone presence" status via the Missed…
Read More

Understanding & Configuring Presence Service in Cisco Unified CME

Unified Presence
A presence service is a system for finding, retrieving, and distributing presence information from a source, called a presence entity (presentity), to an interested party called a watcher. The presence service lets the calling party know before dialing whether the called party is available. Presence features use the SIP SUBSCRIBE and NOTIFY methods to let users and applications subscribe to changes in the line status of phones in a Cisco Unified CME. Phones act as watchers, and a presentity is identified by a directory number on a phone. SIP phones and trunks use SIP messages for presence information; SCCP phones use presence primitives in SCCP messages. SIP and SCCP phones can subscribe to Busy Lamp Field (BLF) speed-dial notification as well as BLF for directory call lists of missed, placed, and received calls. Here…
Read More