A Dummy Light for My Network

I’ve always heard the red lights in a car dashboard referred to as dummy lights. One example is a light that indicates high temperature in lieu of a temperature gauge. Over the past few weeks, I’ve spent more time doing unique things with hardware and software. Yesterday I challenged myself to build an indicator light to show health issues with my Meraki MX.

Before I get into this, the cool factor here is not what I have built. The cool factor is that someone with very little experience, driven by curiosity, can build this in a very short period of time. I’m neither a professional developer nor someone with deep knowledge around hardware hacking. So I want to solicit thoughts, feedback, and recommendations.

The Trigger

After a little research, I found that the Meraki Dashboard provides a “Load Monitor” that is returned via a perfScore value. This feature is in beta and there’s not a lot of information on it, so consider your own data source that you would like to use as a trigger value. The following Python code stores a numeric value (score) between 1 and 100, with a lower number being a better score.

import requests
import json
import time
import datetime

mydashkey="****API Dashboard Key****"    # Dashboard API key; keep a real key out of source control
mydevice="****Dashboard Device ID****"
mynetwork="L_xxxxxxxx"
logfile="/home/pi/mxhealth.log"
myhealth=18                               # score used for comparison later (lower perfScore is better)

url = "https://dashboard.meraki.com/api/v0/networks/" + mynetwork + "/devices/" + mydevice + "/performance"

headers = {
    'x-cisco-meraki-api-key': mydashkey,
    'content-type': "application/json",
    'cache-control': "no-cache",
    }

# A timeout keeps the script from hanging forever if the Dashboard is unreachable
response = requests.request("GET", url, headers=headers, timeout=10)
response.raise_for_status()   # stop here on a non-2xx reply rather than parsing an error body

jsondata = response.json()
score = jsondata['perfScore']

The Wiring

Since we know how to get a value for comparison, the next step is wiring up a Raspberry Pi. In my case, I used pins 6, 11 and 12 on my Pi (Pi 2 Model B) and wired two LEDs.

[Image: LEDWiring]

I used a 1K Ohm resistor, but many choose 330 Ohm. The right section of this breadboard is my actual wiring. It’s hard to see the resistor, but I connected both LED cathodes to a common column and inserted the resistor between that column and ground.
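The piece the excerpt stops short of is turning the perfScore into an LED decision. The following is an added example, not the post’s own script: it validates the JSON reply (the load monitor is beta, so a missing or out-of-range value is treated as a fault rather than trusted), maps the score to a red/green state, writes a log line that never contains the API key, and drives the LEDs with RPi.GPIO when it runs on a Pi. The pin numbers, the MERAKI_API_KEY environment variable name, and the choice that green means healthy are assumptions for the example.

```python
import datetime
import json
import os

# Constructed pin assignments for this example (BCM numbering); the post wires
# physical pins 6, 11 and 12 on a Pi 2 Model B, so adjust to your own wiring.
GREEN_PIN = 17
RED_PIN = 18
HEALTH_THRESHOLD = 18  # mirrors the post's myhealth value; lower perfScore is better


def parse_perf_score(body):
    """Return perfScore from a Dashboard JSON reply, or None if absent or invalid.

    The value must be a number between 1 and 100 as the post describes; anything
    else (bad JSON, wrong type, out of range) is reported as None.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    score = data.get("perfScore")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return None
    if not 1 <= score <= 100:
        return None
    return score


def led_state(score, threshold=HEALTH_THRESHOLD):
    """Decide which LED to light (assumed: green = healthy, red = unhealthy).

    A missing or invalid score is shown as red so a broken poll never looks healthy.
    """
    healthy = score is not None and score <= threshold
    return {"green": healthy, "red": not healthy}


def log_line(score, now=None):
    """One line for the log file. Only the timestamp and score are written."""
    now = now or datetime.datetime.now()
    value = "unavailable" if score is None else str(score)
    return "%s perfScore=%s" % (now.strftime("%Y-%m-%d %H:%M:%S"), value)


def fetch_perf_body(network_id, device_id, timeout=10):
    """GET the performance endpoint used in the post.

    The key is read from the environment (MERAKI_API_KEY is an assumed name)
    instead of being written into the source file.
    """
    import requests  # third-party; imported here so the parsing code runs without it
    key = os.environ["MERAKI_API_KEY"]
    url = ("https://dashboard.meraki.com/api/v0/networks/%s/devices/%s/performance"
           % (network_id, device_id))
    resp = requests.get(url, headers={"x-cisco-meraki-api-key": key}, timeout=timeout)
    resp.raise_for_status()
    return resp.text


def drive_leds(state):
    """Set the two LEDs with RPi.GPIO on a Pi; elsewhere just return the decision."""
    try:
        import RPi.GPIO as GPIO
    except ImportError:
        return "green=%s red=%s" % (state["green"], state["red"])
    GPIO.setmode(GPIO.BCM)
    GPIO.setup([GREEN_PIN, RED_PIN], GPIO.OUT)
    GPIO.output(GREEN_PIN, GPIO.HIGH if state["green"] else GPIO.LOW)
    GPIO.output(RED_PIN, GPIO.HIGH if state["red"] else GPIO.LOW)
    return "gpio"


if __name__ == "__main__":
    # Constructed sample reply standing in for a live Dashboard call
    sample_body = '{"perfScore": 27}'
    score = parse_perf_score(sample_body)
    print(log_line(score))
    print(drive_leds(led_state(score)))
```

Swap `sample_body` for `fetch_perf_body(mynetwork, mydevice)` on the Pi and run it from cron; because an unparseable reply lights the red LED, an expired key or a Dashboard outage shows up as a fault instead of a silently dark indicator.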

Posted in Uncategorized | 2 Comments

Will Ransomware Die?

Ransomware has been one of the more prevalent security topics for the past few years. Some probably think this form of digital destruction is here for the long haul. While this may be an accurate prediction, I can imagine a turn of events that would end this form of attack. To be clear, my theory is not that enterprise networks will plug every possible entry point. My prediction is that the ransomware business model COULD cease to be viable.

Let me expand on my position. For a business model to work, it has to have a monetization strategy. For ransomware, that strategy includes the victim sending money (typically bitcoin) to the attacker—trusting that they will be given the keys to decrypt their files. In this model, the victim has to trust their attacker [to do the right thing]. In and of itself, that seems to be an oxymoron and a plea in desperation.

Posted in Security | Comments Off on Will Ransomware Die?

Using Geolocation in Firepower Access Control Policies

The use of geolocation is fairly obvious in monitoring networks with Firepower Management Center. What may be less obvious is that Continents and Countries can also be specified as the source or destination of connections in an Access Control Policy. Basically, this geographical information becomes one more match criteria that can be used to identify traffic for a block or allow action.

To get to this capability, open the Access Control Policy that is in use by the Firepower device. Within the policy, open or create an applicable rule. On the network tab (where you configure the source and destination addresses) a Geolocation tab can also be found. Clicking on this tab exposes Continents and Countries. These can be added as sources and/or destinations.

[Image: ACPGEO]

Posted in Security | 2 Comments

Capture w/Trace in Firepower Threat Defense

A few days ago I wrote an article demonstrating the Packet Tracer feature for troubleshooting Firepower Threat Defense. Another very cool tool for troubleshooting is the Capture w/Trace feature. Its power comes from both capturing a PCAP file (for Wireshark or your tool of choice) and a separate window pane that shows the device operation (very similar to the Packet Tracer output).

Similar to Packet Tracer, to initiate Capture w/Trace in the Firepower Management Console, choose ‘Devices’ then ‘Device Management’. Next, select the device on which you want to perform the operation and select the icon that looks like a screwdriver and wrench.

[Image: DevDevMgmt]

Posted in Security | Comments Off on Capture w/Trace in Firepower Threat Defense

What is FlexConfig in Firepower Threat Defense?

Earlier this year, Cisco released Firepower 6.2.0. With that release came a feature called FlexConfig. Someone digging around the UI might not initially understand the purpose or function of this configuration option. The quick answer is that the user interface is incomplete when compared to the underlying feature capability found in Firepower Threat Defense.

A good way to better understand FlexConfig is to work through an example. Those with an ASA background will understand the Modular Policy Framework (MPF). This feature exists in Firepower Threat Defense, but its non-default configuration options are absent from the user interface. So if there is a need for a specific configuration, FlexConfig is the tool to complete this task. One use case might be the need to disable SIP inspection. In the ASA configuration, this would typically be as simple as the following.

policy-map global_policy
 class inspection_default
  no inspect sip

Since Firepower Management Console is GUI driven and is the UI for FTD, this is not an option. Ideally, there would be a complete menu system and API. Since this is not currently the case, FlexConfig is the tool that provides us an override of the defaults that aren’t exposed in the UI.

To disable SIP in FTD, we need to understand how the pieces fit together. A series of parameters feeds a FlexConfig Object, which is attached to the device by a FlexConfig Policy. At a high level, this is how things fit together:

Object FlexConfig/Text Object -> Object FlexConfig/FlexConfig Object

FlexConfig Object -> Flex Config Policy -> Device

Since that is enough to cause some level of confusion, let’s go through the exercise of disabling SIP in FTD (via the Firepower Management Console).

Before the modification, I am going to gather a baseline configuration directly from the device. This is possible by connecting directly to the device running FTD and using this method to access the CLI.

Note to reader: All Firepower content can be accessed by clicking here (or choosing Firepower from the menu at the top of the page).


Posted in Security | 4 Comments

The Real Need for Cybersecurity

According to the US Department of Homeland Security, “Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace.” Digital infrastructure has infiltrated most aspects of our daily lives. When you start thinking about this in depth, it is easy to see how quickly things can turn ugly.

Have you ever considered what would happen if our power grid was attacked? Beyond some of the domino effects the power grid itself has, think about the work to bring it back online. We are all accustomed to managing systems with other systems. A widespread power issue could create some very interesting chicken and egg problems.

Maybe some are smug enough to think they cannot be affected, with their resilient systems and diesel generators. Ever consider the likelihood of that fuel supply being available for the long term if there’s no utility power available at other places? The affected part of the world would be so challenged by such an event that everyone would be impacted, directly and indirectly. No power, no computers, no network and no ability to transact business in the ways that we are accustomed to. In other words, the possibility of impacting the physiological layer of Maslow’s pyramid is real.

Posted in Security, Technology | Comments Off on The Real Need for Cybersecurity

Three Issues of Being a Part-Time Security Professional

In Information Technology, we commonly hear the mantra of “doing more with less.” That may sound great, and in some cases it can actually be beneficial. It obviously drives the requirement of streamlining performance and the simplification of processes. It can drive innovators to innovate and the attrition of unnecessary systems. The predominant reason for this philosophy is cost cutting.

My argument would generally be that IT should NOT simply be keeping the lights on; it should be adding value by creating competitive differentiators for the business. Being able to execute on that effectively SHOULD change the perspective of IT as it is viewed by the rest of the leadership team. One particular concern I have regarding those businesses that continue aggressively down this path of cost cutting (or don’t properly fund IT initially) is Cybersecurity.

In many cases smaller shops, or shops that don’t fully understand the risks, tend to place their technical team members into split roles. Maybe the view is that someone should be a part-time security person and a part-time network or system administrator. This introduces several concerns and I wanted to quickly share three that are top of mind.

Issue One — What do I do in my spare time?

While issue three (below) may be the primary concern for many, I actually think issue one is the most important. Even the very disciplined in joint roles are conflicted. In our world, there is no such thing as spare time. We prioritize what we do and what we are never going to have time to do.

Spare time may be better defined as when we don’t have a fire to put out. In that case, the person in the split role might look at the capacity planning for the network or perhaps the WAN link that is throwing a considerable amount of CRC errors. The security person might look at recently reported exploits and consider how they would’ve leveraged their tools to defend against them. Are there deficits that need to be filled?

Posted in Security, Technology | Comments Off on Three Issues of Being a Part-Time Security Professional

Using iTerm2 with Cisco VIRL

I love using VIRL to do a quick self-check of a config, for personal education, and to learn the behavior of particular features. I also love using the iTerm2 terminal emulator on the Mac. Unfortunately, it isn’t obvious how to make the two play well together. I have had to re-educate myself on this over and over again as I get new computers, mess up my settings and do certain upgrades. I’m pretty sure I copied some of this configuration and the script that I will share from somewhere. So if this looks familiar, reach out to me and I will link back to the source.

This post is meant both to share the config and caveats with others and to document the nuances for my future reference. In short, there is a standard configuration and a custom configuration for the terminal settings in VIRL’s VMMaestro. These are found in “VMMaestro -> Preferences.”

[Image: VMMaestroTerm2]

These settings control whether the built-in client (VMMaestro’s) or an external terminal client is used. I much prefer an external client, and iTerm2 is my current client of choice. To eliminate the need to manually launch and connect, I have customized the AppleScript code found below. This can be duplicated by opening the AppleScript editor, copying the text and saving it as virlterm.scpt.

Posted in Uncategorized | Comments Off on Using iTerm2 with Cisco VIRL

Amazon Delivery, Not a Fully Implemented Process

Those of us who work in technology see the need to take expensive, time consuming and/or mundane activities and convert them to streamlined automated processes. Ideally we improve these to the point that they improve accuracy, provide a better experience and can [mostly] be forgotten about. However, not every process fits all of the intended use cases. Maybe a more accurate statement might be that every process isn’t developed to fit every use case. For those of us who are outliers and find ourselves in those process deficiencies, these incomplete processes can create a lot of frustration.

A Little Background

I’ve been an Amazon Prime user for some period of time. I have also been free of a home mailbox for about 18 months and only used a PO Box to receive general mail. As a Prime customer, I regularly place orders with Amazon. Anyone else that has had the experience I’m about to share can probably finish my story.

Posted in Uncategorized | Comments Off on Amazon Delivery, Not a Fully Implemented Process

Packet Tracer in Firepower Threat Defense

I wanted to share a quick post on a feature that I have found incredibly useful on the ASA and has been extended to Firepower Threat Defense. The feature is called Packet Tracer and is an easy way to apply “packet walk” logic to a flow that would be initiated through the platform. Like most things FTD, the Firepower Management Console is the point of contact for initiating the process.

To initiate Packet Tracer in FTD, open the Firepower Management Console and choose ‘Devices’ then ‘Device Management’. Next, select the device on which you want to perform the operation and select the icon that looks like a screwdriver and wrench.

[Image: DevDevMgmt]

Posted in Security | 1 Comment

Simple Python Script to Read from Device

There’s a lot of talk about network programmability and I recently had a simple use case that surfaced. The goal was locating a serial number in Cisco Devices. Basically, a script is required that will do the following.

  • Process a list of IP Addresses and/or hostnames
  • SSH into each device
  • Determine if the device has a given SN

There are many ways this can be accomplished, but the method I am using utilizes SSH. This example requires the use of Paramiko to implement SSHv2. The script can match other items in the output of show version and can easily be modified to have multiple matches and return additional information.
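The post’s script itself is behind the cut, so here is an added example (my code, not the post’s) that implements the three bullet points above: it walks a list of hosts, runs show version over SSHv2 with Paramiko, pulls the serial from the “Processor board ID” line, and reports which host carries the target serial while recording devices that could not be reached. The serial parsing is separated from the SSH transport so the search logic can be exercised offline against constructed show version fragments; the addresses and FTX0000xxxx serials are placeholders, and the Paramiko client checks host keys against known_hosts and rejects unknown ones rather than auto-adding them, so a script that logs in everywhere cannot be quietly pointed at an impostor.

```python
import re

# Matches the "Processor board ID <serial>" line printed by IOS/IOS-XE show version.
SERIAL_RE = re.compile(r"Processor\s+[Bb]oard\s+ID\s+(\S+)")


def extract_serial(show_version_output):
    """Return the serial number found in show version text, or None."""
    match = SERIAL_RE.search(show_version_output)
    return match.group(1) if match else None


def find_serial(hosts, target_sn, run_show_version):
    """Return (matching_host_or_None, inventory).

    inventory maps each host to its parsed serial, None if no serial line was
    found, or an 'error: ...' string if the device could not be queried.
    run_show_version(host) is injected so the logic runs offline in tests;
    ssh_show_version below is the Paramiko implementation.
    """
    inventory = {}
    match_host = None
    for host in hosts:
        try:
            output = run_show_version(host)
        except Exception as exc:  # unreachable host, auth failure, timeout: record and move on
            inventory[host] = "error: %s" % exc
            continue
        serial = extract_serial(output)
        inventory[host] = serial
        if serial == target_sn and match_host is None:
            match_host = host
    return match_host, inventory


def ssh_show_version(host, username, password, timeout=10):
    """Run 'show version' over SSHv2 with Paramiko.

    Host keys are verified against ~/.ssh/known_hosts; an unknown key is
    rejected instead of being silently trusted on first use.
    """
    import paramiko  # third-party; imported lazily so the parsing code runs without it
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    try:
        client.connect(host, username=username, password=password, timeout=timeout,
                       look_for_keys=False, allow_agent=False)
        _stdin, stdout, _stderr = client.exec_command("show version", timeout=timeout)
        return stdout.read().decode("utf-8", "replace")
    finally:
        client.close()


# Constructed show version fragments standing in for real devices (placeholder serials).
SAMPLE_OUTPUT = {
    "10.0.0.1": "Cisco IOS Software, C2960 Software\n...\nProcessor board ID FTX0000AAAA\n",
    "10.0.0.2": "Cisco IOS Software, C3750 Software\n...\nProcessor board ID FTX0000BBBB\n",
    "10.0.0.3": None,  # simulates a device that never answers
}


def fake_show_version(host):
    """Offline stand-in for ssh_show_version using the constructed samples above."""
    output = SAMPLE_OUTPUT.get(host)
    if output is None:
        raise ConnectionError("timed out connecting to %s" % host)
    return output


if __name__ == "__main__":
    host, inventory = find_serial(list(SAMPLE_OUTPUT), "FTX0000BBBB", fake_show_version)
    print("serial found on:", host)
    for h, sn in inventory.items():
        print(h, sn)
```

To run it for real, pass `lambda h: ssh_show_version(h, user, password)` as the third argument; keeping credentials out of the source and populating known_hosts beforehand are the two things that make this safe to point at a whole inventory.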

Posted in Uncategorized | 2 Comments

Latest Ransomware Techniques Show Need for Layered Security

I think everyone that touches security has had multiple conversations about the hardened edge and soft center commonly found in networks. This usually accompanies some discussion around the overlapping concepts of defense in depth, layered security and security ecosystems. It seems like many of the recent exploits have used a C2 connection for instructions. In those cases, assuming a perfect NGFW product and configuration actually existed that caught 100% of the malicious traffic, it would have the capability to impact those attacks.

However, on June 27, Cisco Talos published an article about a ransomware variant known as Nyetya. As of today, Talos has been able to find no evidence of the more common initial infection vehicles. Both Cisco and Microsoft have cited the upgrade process for a tax accounting package as the initial point of infection.

Per Cisco Talos:

The identification of the initial vector is still under investigation. We have observed no use of email or Office documents as a delivery mechanism for this malware. We believe that infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.

So what does this mean to the majority of the world that doesn’t use MeDoc? Can they be affected too? And if so, how could defenders prevent the rampant distribution into their environments?

Expanding on these questions:

Posted in Security, Technology | Comments Off on Latest Ransomware Techniques Show Need for Layered Security