Archive for the ‘Security’ Category

VMWare vShield-App vs vShield-Edge

June 14th, 2013

One of my customers called me today to ask what the difference was between vShield App and vShield Edge, as they were looking at a competing firewall.

I paused for a minute because I could not explain it clearly, and VMware's website isn't that clear about it either. I reached out to my trusted VMware SME and he was able to explain the difference to me.

vShield App is a hypervisor-based firewall (internal to the cluster): port-based ACL functionality to isolate VMs from each other.

vShield Edge is a virtual firewall (internal cluster or to the external world).

This is how VMware explains it (vShield App is on the left, vShield Edge is on the right):

Clear as mud? This article will help explain further:
VMware® vShield Edge and vShield App Reference Design Guide

Map certificates to Tunnel Groups on Cisco ASA FWs

May 9th, 2013

Yesterday I noticed some strange messages in my syslog:

It turned out that on ASA firewalls with more than one connection profile using certificate authentication, you need to map the certificates to the tunnel groups.

Mapping the certificates to specific tunnel-groups can be done in the CLI or in the ASDM. Since Cisco's push now is mostly toward the ASDM, you might as well get used to it. In all honesty, it's extremely functional and, once you get used to it, very easy to navigate.


Then pick a name for the rule and select the Connection Profile.


For security reasons, I always set anything that has to do with the default tunnels, policies, maps, etc. to disconnect in a separate DAP policy. That way, if a connection attempt is made that you have not explicitly defined or allowed, it will be terminated. For this reason we will choose the "New" button and name our map something intuitive that lets us immediately associate it with the tunnel we are mapping it to. For instance, if your tunnel is called "marketing_tunnel" and your policy for that tunnel is "marketing_policy", name your map "marketing_certmap". Trust me; this makes life much easier on a busy ASA when you are troubleshooting. Also, create your certificate maps in order of importance, so that the default "Priority" values reflect that order. Choose the connection profile (tunnel-group) you wish to map this rule to and click "OK".

Next we need to define the criteria (certificate values) that will be used for the certificate map. As of 8.4, each criterion has four parts: Field, Component, Operator, and Value.


In the above example we are using criteria that specify the name and domain of the person or device trying to authenticate. For this device it would be something like or All of this information must be present on the certificate issued to it, or it won't be passed to the ASA during the authentication process.

In the example above, we are specifying that the certificate issuer is used to map the connection to a specific tunnel group. You may have more than one CA in your organization, each used for a different purpose. For example: a CA used for laptops authenticating to the wireless infrastructure, a CA used for users authenticating to the VPN, and a CA used for mobile devices authenticating to both wireless and VPN. In all of these cases, because the issuer CN of each CA is different, you can assign each type of device to a different tunnel-group and apply different policies or restrictions to those tunnel groups.
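The CLI equivalent of the ASDM steps above, as an added example that is not from the original post: the marketing_* names follow the post's naming convention, while the CA common names, the second map (mobile_certmap) and the mobile_tunnel profile are constructed for illustration. It also sets the default DAP to terminate, as recommended above, so a certificate that matches no map never lands in a default tunnel.

```cisco
! Added example (not from the post). Names marked below are constructed.
!
! One certificate map per issuing CA. The lower sequence number is
! evaluated first, so order the maps by importance.
crypto ca certificate map marketing_certmap 10
 issuer-name attr cn eq "Example VPN Users CA"
 subject-name attr ou eq Marketing
!
crypto ca certificate map mobile_certmap 20
 issuer-name attr cn eq "Example Mobile Devices CA"
!
! Bind each map to its connection profile (tunnel-group).
! tunnel-group-map applies to IPsec peers; certificate-group-map under
! webvpn applies to SSL/AnyConnect sessions. Configure the one you use.
tunnel-group-map enable rules
tunnel-group-map marketing_certmap 10 marketing_tunnel
tunnel-group-map mobile_certmap 20 mobile_tunnel
webvpn
 certificate-group-map marketing_certmap 10 marketing_tunnel
 certificate-group-map mobile_certmap 20 mobile_tunnel
!
! Anything that falls through to the default DAP is disconnected.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
```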

Categories: Networking, Security

CSIS: 20 Critical Security Controls Version 4.1

April 27th, 2013

SANS recently released the newest update of their well-known security guide.

Download version 4.1 (March 2013) here.


The poster is here:

Categories: Security