Monday, April 28, 2008

Configuring VPN as leased line backup

Q:
Hi everybody,
Can you help me in configuring a VPN?
The setup is like this: my customer has a point-to-point leased line as a primary link going to the head office using a Router 1841; OSPF is running on this segment. He has an ASA 5510 behind the router, and from the ASA he has an ADSL modem directly connected.
Now, what he wants to achieve is that once the primary link (leased line) goes down, traffic starts going out from the ADSL link through a VPN tunnel.
Keep in mind that at the Head Office he is running Juniper products.
Do you have any idea how this can be achieved?
I will really appreciate your quick response.



A:
Hi ...,
We deploy similar IPSEC VPNs over Internet links for high availability requirements. I call this MPLS Plan B... (In your case Leased Line Plan B :)

Here is my understanding of your setup:
Remote Office: Cisco ASA connected to Internet, Cisco 1841 connected to leased line
Headend: Juniper firewall connected to Internet, Some Cisco hardware connected to leased line
Internal Routing: OSPF


What you need is to extend dynamic routing (in your setup OSPF) to the Cisco ASA and the Juniper appliances. Make sure that both the ASA and the Juniper appliances participate in OSPF. First build the IPSEC tunnel between the remote site ASA 5510 and the headend Juniper. The firewalls will route traffic to the IPSEC tunnel interfaces as a by-product of the OSPF routing decision.

An important catch is the validation of the OSPF cost of the Internet links. The Internet OSPF cost must be higher than the leased line cost; this will ensure that the leased line stays the primary link. Increase the costs manually if that is not the case.

Inter-product IPSEC tunnels (in this case ASA to Juniper) can be tricky; I do recommend a lab proof of concept before the production cutover.

Another way of building Internet failover is to use GRE tunnels between the internal Cisco hardware, so that you can bypass the Juniper headend firewall integration for routing (all you will need is a simple IPSEC VPN between the ASA and the Juniper that allows GRE traffic between the internal Cisco routers). I prefer the first option.

cheers,
- yinal
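As an added example (not from the original post) of the second option above, here is how the remote-site 1841 could be configured so that the GRE tunnel riding the ASA/ADSL path is the OSPF backup and the leased line stays primary. All addresses, interface names and the headend router's inside address 192.168.20.2 are constructed placeholders, and it assumes the ASA-to-Juniper IPSEC policy already permits GRE between the two routers' inside addresses.

```cisco
! Remote-site Cisco 1841 (example, constructed addresses)
! Leased line = primary, GRE over the ASA/Internet path = backup
!
interface Serial0/0/0
 description Leased line to head office (PRIMARY)
 ip address 10.0.0.2 255.255.255.252
 ip ospf cost 100
!
interface FastEthernet0/0
 description LAN; ASA 5510 inside interface is 192.168.10.1
 ip address 192.168.10.2 255.255.255.0
!
interface Tunnel0
 description GRE to head-office router via ASA<->Juniper IPSEC (BACKUP)
 ip address 172.16.255.1 255.255.255.252
 ! Set explicitly: the backup cost must stay higher than the leased-line cost,
 ! otherwise OSPF prefers the Internet path while the leased line is up.
 ip ospf cost 1000
 tunnel source FastEthernet0/0
 tunnel destination 192.168.20.2
 ! GRE keepalives bring Tunnel0 down when the Internet path fails,
 ! so OSPF drops the backup adjacency instead of blackholing traffic.
 keepalive 10 3
!
! Pin the tunnel endpoint behind the ASA so it is never learned through Tunnel0 itself
! (a tunnel whose destination is reachable via the tunnel recurses and flaps).
ip route 192.168.20.2 255.255.255.255 192.168.10.1
!
router ospf 1
 router-id 10.255.0.2
 network 10.0.0.0 0.0.0.3 area 0
 network 172.16.255.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

The headend router mirrors this (tunnel destination 192.168.10.2, its own static route for that /32 towards the Juniper); `show ip ospf interface brief` confirms the cost ordering, and after shutting the leased line `show ip route` should list the head-office prefixes via Tunnel0.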

Sunday, April 20, 2008

End Point device security is becoming a major issue?

Q: Hi, End Point device security is becoming a major issue. Devices like iPods, mobiles etc. are a threat to data security in organizations. Are any of us facing such challenges in their organizations?

A: Hi .....,
Here are 3 basic approaches:
1- Cut the cord – do not allow transfer of any data to mobile devices. This option assures security, but it is not a mature solution on the user side. We all agree that mobile devices are business enablers.
2- Control/Manage End Points – You need to manage all these end points as a part of your enterprise operation. Security on the endpoints is no different from any other enterprise component, but it is more difficult since the resources are much more limited (you cannot have 20 applications running on Nokia phones, and you cannot manage iPods centrally). You can start with the following list – a single client is preferred:
- Port Control (USB, CD, Floppy, Bluetooth, IR, Wi-Fi, Ethernet etc)
- Location awareness
- Encryption (file, disk, mail), key/cert management
- Firewall
- IPS
- Antivirus (http and SMTP)
- Antispam, Phishing, Malware control (http, SMTP, SMS)
- URL filtering
- Application control, and tripwire type change control
- Remote device management (in a secure manner :)
- Biometrics/TPM/SSO/802.1x support
- Easy to scale on multiplatform esp. on mobile
3- Control Data – Instead of focusing on device-level security, you may focus on data security. You can shift from the logical controls to data-level security controls. If the data in the organization is classified by security requirements and protected accordingly, the devices will naturally comply with the higher plan. For the critical data I do recommend checking the enterprise rights management systems (a.k.a. DRM). Once your data is protected by enterprise rights management (ERM) or Information Rights Management (IRM), it will be protected on the endpoint devices as well. Deploying ERM is the challenge. You may start googling with the following keywords: EMC (Authentica), Oracle (SealedMedia), IBM or Microsoft RMS, or choose dedicated shops like InstaSecure, Modevity or Liquid Machines. I hear a lot of activity around Liquid Machines.

Let me know if you have a specific question on the topics above,
cheers,
- yinal

Tuesday, April 1, 2008

How much can "fear" be used ethically in selling a computer & network security solution?

Hi ...,
I have worked on both buy and the sell sides of the enterprise security space for years.

Fear is not a wrong feeling, but lying is a wrong, unethical, immoral act.

The ethics encompassing right conduct during the information security sales cycle is not unique to information security; it is based on the same ground principles of business ethics.

A salesperson should be telling the truth. FUD selling is as unethical as selling unreal hope or misusing trust. FUD is discussed more because the buyer side falls into the lies more easily.

Fear is a lifesaver when it is sensed at the right time in the right amount.
Fear can be classified as an instinct instead of an emotion.

If a tire salesperson tells me that my car may have a serious accident because I have old tires, and it is the truth, I may owe him my life; there is nothing wrong with the fear there.
But if the same tire salesperson tells me that my car may have a serious accident because I have old tires, and what he tells me is actually an empty, ungrounded sales pitch, fear is the tool of sales. It is wrong.


That is the ethics line between the evil and the good. In my personal life I only relay fear where I have fear, where I share the same concerns with the person I am talking with. Risks can only be determined from facts, not hearsay or imaginary sources, so my personal fears can be far away from reality for the person I am communicating with. A disclaimer of the facts when discussing fearful topics can be a good ethical start for the sales side.

I can give more real-life examples if you need any.
Let me know if you have any questions,
Regards,
- yinal ozkan