Jazib Frahim (CCIE 5459) is a technical leader in the worldwide Security Services Practice of Cisco Advanced Services for network security. He was previously a Technical Leader for the Cisco TAC Security Team, leading engineers in resolving complicated security and VPN technologies. He holds two CCIE certifications, one in Routing and Switching and the other in Security. He has presented at Cisco Live on multiple occasions and has written numerous technical documents and books, including Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd editions), Cisco Network Admission Control, Volume 2, and Cisco SSL VPN Solutions.
The following experts helped Frahim answer some of the questions asked during the session: Omar Santos and Larry Edie. Omar and Larry are top security experts with vast knowledge of security topics.
The related Ask The Expert session is available here. The complete recording of this live webcast can be accessed here.
Q. How do you define IT metrics in an enterprise that does not have them?
A. Enterprises that do not have IT metrics can engage someone who can define these metrics for them. In case they have the processes in place, they can start evaluating and auditing those processes, and they also need to decide how frequently they need to conduct these audits. Another aspect to consider is that many enterprises have the processes in place but do not really follow them in several departments, like IT. Hence they need to ensure that processes are followed in all departments.
Q. Can you give a few examples of the metrics that we can start from?
A. The basic idea here is to start by having the processes in place, and once you have processes, make metrics out of them. For instance, you have a process of receiving alerts and notifications from your vendor if they come across any vulnerability in your product or OS. So once you are aware that there is a vulnerability in your network, how long will it take you to find a workaround and implement it?
Q. When defining the metrics, do you need to use any IT framework?
A. There are a number of IT frameworks available. For example, when Cisco Advanced Services does security assessments, they follow the Cisco Security Control Framework (SCF), which evaluates the infrastructure from an identification, monitoring and correlation perspective, to gain visibility on who is logging into the network, which devices are getting access to the network, and whether full monitoring and correlation capability is deployed. And once they have greater visibility into their infrastructure, how well are they enforcing control in their network? There are a couple of other frameworks, like CIA (confidentiality, integrity and availability), etc.
Q. What are the key network devices that we need to focus on when securing an infrastructure?
A. It is not just about focusing on key network devices; it is mainly about defining the processes and operations and following them properly. Hence it can be any network device, like a router or switch, or any security device, like AAA servers or firewalls.
Q. If a DDoS attack is happening in the company, what mitigation techniques can you use at that point?
A. First of all, we need to understand what type of DDoS attack it is; for example, is it focused on some protocol, like is it a TCP-based attack or a UDP-based attack? So somehow you need to classify these attacks. Then you can deploy an infrastructure access list or transient access list to start dropping these packets.
Keep in mind that DDoS attacks are also often bandwidth consuming and may require a scrubbing service from your service provider. Also look at using hardware-based enforcement routers at your Internet edge with Control Plane Policing and iACLs.
Q. Are all of these incidents that you presented real?
A. Yes, all the incidents we spoke about are real, and a lot of enterprises miss out on the basics while implementing security.
Q. What is the best way to ensure that the network is fully protected?
A. As we discussed earlier, we cannot have a 100 percent secured network. However, by ensuring that we are following all the leading security policies, have the processes and metrics in place, and regularly audit our processes, we can ensure that our network is protected.
Q. Is there a complete list of metrics that I should be looking at and do you need to refine these metrics?
A. There is no list as such, but based on your vertical or on the function of your company, there will be a number of metrics that are solely focused around your enterprise. Hence, there is no such list that you can download and start comparing your network against.
Q. Does blackholing deny legitimate users?
A. Yes; however, you can use source-based real-time blackholing to drop a small DDoS based on the source of the traffic.
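Source-based real-time blackholing (S/RTBH) as it is usually built on Cisco IOS, added here as an example that is not part of the answer above or of any Cisco document. Everything in it is assumed: iBGP AS 64500, a trigger router with Loopback0 198.51.100.2, an edge router with Loopback0 198.51.100.1, 192.0.2.1 reserved as the blackhole next hop and never assigned to a real host, and 203.0.113.77 as a constructed attacking source.

```cisco
! ===== Trigger router (NOC) =====
! A /32 static route to Null0 carrying tag 666 is redistributed into iBGP
! with next hop 192.0.2.1, a high local preference and no-export, so every
! edge router learns it but it never leaves the AS.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH deny 20
!
router bgp 64500
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 update-source Loopback0
 neighbor 198.51.100.1 send-community
 redistribute static route-map RTBH
!
! Blackhole the attacking source: adding this line starts the drop on every
! edge; "no ip route 203.0.113.77 255.255.255.255 Null0 tag 666" ends it.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
!
! ===== Edge router(s) =====
! The blackhole next hop itself resolves to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
router bgp 64500
 neighbor 198.51.100.2 remote-as 64500
 neighbor 198.51.100.2 update-source Loopback0
 neighbor 198.51.100.2 send-community
!
! Loose-mode uRPF on the Internet-facing interface is what makes this
! source-based: a packet whose SOURCE address has a route to Null0 fails
! the check and is dropped. Without uRPF the same /32 would only act as a
! destination blackhole, which drops traffic TO the victim and finishes
! the attacker's job for them.
interface GigabitEthernet0/0
 description Internet uplink
 ip verify unicast source reachable-via any
!
! Verification on the edge:
!   show ip route 203.0.113.77                          -> next hop 192.0.2.1
!   show ip interface GigabitEthernet0/0 | include verif -> verification drops
```

This is the mechanism behind the "yes" in the answer: a destination-based blackhole denies every legitimate user of the victim address, whereas the source-based variant only denies the sources you list, so it stays usable for an attack with a small number of sources and loses its value once the attacker spreads over many or spoofs addresses.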
Q. What should be an organization’s password policy?
A. A password policy should require that a password:
Be 8 to 20 characters long
Contain both alphanumeric and special characters
Be changed every 60 days
Not be reused for two cycles
Lock out the account after 3 failed attempts
In addition, you should be performing regular password auditing to check the strength of passwords; this should also be documented in the password policy.
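The same policy enforced for local accounts on a Cisco IOS device, as an added example that is not part of the answer above or of any Cisco document. The account name, the management network 198.51.100.0/24 and the placeholder password are assumed; the reuse-history rule (no reuse for two cycles) is not expressible in this policy and has to be enforced by the central AAA server or directory instead.

```cisco
aaa new-model
!
! Length, character classes and the 60-day lifetime come from a
! common-criteria password policy attached to each local account.
aaa common-criteria policy ORG-PASSWORD
 min-length 8
 max-length 20
 numeric-count 1
 upper-case 1
 lower-case 1
 special-case 1
 char-changes 4
 lifetime day 60
!
! Placeholder password: replace before use. The policy rejects any new
! password that violates the rules above.
username netadmin common-criteria-policy ORG-PASSWORD password 0 Exampl3!Passw0rd
!
! Per-account lockout of local users after three consecutive failures.
aaa local authentication attempts max-fail 3
!
! Device-wide brute-force protection: three failures within 60 seconds
! block further login attempts for five minutes, except from the
! management network, and every attempt is logged for auditing.
ip access-list standard MGMT-NET
 permit 198.51.100.0 0.0.0.255
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-NET
login on-failure log
login on-success log
!
! Operations:
!   show aaa common-criteria policy name ORG-PASSWORD   -> policy in effect
!   show aaa local user lockout                         -> locked accounts
!   clear aaa local user lockout username netadmin      -> release one account
```

The two lockout mechanisms do different jobs: "aaa local authentication attempts max-fail" locks the individual account, which is what the policy asks for, while "login block-for" puts the whole device into a quiet period so that a password-guessing run cannot also act as a denial of service against the management plane; the access-class exception keeps administrators able to get in during that period.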