NSA-formulated point-to-point encryption module announced for ISR G2 router
Cisco has announced a hardware encryption module for its ISR G2 router that allows point-to-point encryption of IP traffic based on what’s called “Suite B,” the set of encryption algorithms designated by the National Security Agency for Department of Defense communications.
According to Sarah Vanier, security solutions marketing at Cisco, the VPN Internal Service Module for the Cisco ISR G2 router lets information technology managers select how to use any of the main encryption algorithms as well as the SHA-2 hash algorithm to protect sensitive information traveling between any two routing points equipped with the module.
“The module allows you to offload the encryption process on to the card,” says Vanier, with the hardware doing the hard work of encryption and decryption of traffic at the beginning and terminating points.
The selection of encryption and hash algorithms in the Cisco card includes the Advanced Encryption Standard, standards-based elliptic-curve cryptography or Triple-DES, to satisfy encryption requirements that might range from unclassified to Top Secret in military networks, she said.
The card, which is said to support up to 3,000 concurrent tunnels with throughput of up to 1.2Gbps, can make use of the SHA-2 hash algorithm to assure data integrity between the two router points.
Nelson Chao, Cisco product manager, said the Cisco encryption card does not currently support multi-cast encryption, but that is anticipated to be supported by Cisco in the future, perhaps late next year.
Cisco also points out that the encryption module is still undergoing official encryption testing to achieve the government’s FIPS-level certification, but the module is shipping now.
The Cisco VPN Internal Service Module for the ISR G2 starts at $2,000.
Cisco support will make Microsoft’s Hyper-V environment more attractive to corporate customers, but it remains to be seen whether that’s enough for Hyper-V to give VMware’s ESXi a run for its money.
Cisco says it will offer virtual switch support for Hyper-V that is similar to what it already offers to VMware environments via its Nexus 1000v virtual switch, meaning a richer network layer view of what’s going on among virtual machines.
The collaboration of Cisco and Microsoft will give customers better monitoring and control of the virtual environment than they would get with the current option — using the native virtual switch that ships with Hyper-V, says Mike Spanbauer, principal analyst with Current Analysis. “There’s simply more features than within the [Cisco] switch,” he says. “There are more network features to support a more manageable environment.”
Spanbauer says it’s not clear what effect Cisco’s support for Microsoft will have on the percentage of customers that choose Hyper-V over ESXi, a battle that currently is pretty convincingly being won by ESXi. “This will further extend visibility and control so the network team can manage and influence data flows and have some handle on the performance of the entire environment,” Spanbauer says.
But customers using VMware instead will have similar improved visibility. “My guess is that it will be close if not equitable,” he says.
How big a deal this will be when it comes time for enterprises to pick a virtual environment isn’t clear. “It’s hard to determine how influential network insight is to virtual-platform choice,” he says. Customers ultimately will decide based on whether the Hyper-V option solves specific problems they are having managing cloud deployments, he says.
The decision won’t be made just based on that, though. Factors such as storage, memory and licensing issues will all weigh into what customers ultimately choose, he says.
Cisco’s support for Hyper-V will come next year only after Microsoft releases Windows Server 8, which includes Hyper-V 3.0 and its augmented virtual-switch capabilities.
Cisco says it will offer two ways to peek inside Hyper-V physical machines to mine network-layer information about Hyper-V virtual machines and to extend Cisco network-layer monitoring, management and configuration to them.
The first is a version of Cisco’s Nexus 1000V Series switch designed to support Hyper-V. It is a distributed virtual switch that fits Hyper-V virtual machines with virtual Ethernet cards that can be managed via another component of the switch, Cisco’s Virtual Supervisor Module.
The supervisor module is tightly integrated with Microsoft System Center Virtual Machine Manager, Cisco says, which will enable customers to set separate privileges for different classes of administrators. The Virtual Supervisor Module can be deployed on a physical appliance or on a virtual machine. The entire distributed switch can be hosted on a Cisco physical appliance called Nexus 1010 Virtual Services Appliance.
The combination gives current administrators in Cisco shops easier management of the virtual machines because they can deal with them via Cisco NX-OS software that they are already familiar with, Cisco says. The virtual machines seem as if they are extensions of the physical network, making it easier to enforce policies, to provision and to diagnose problems on the virtual machines, Cisco says. Rather than deal with the virtual environment separately, it is brought under one umbrella.
Nexus 1000V is also integrated with other Cisco products so their features can be applied to virtual machines. The virtual switch will support three virtual network services products at launch. First, Virtual Security Gateway provides zoned security policies for multi-tenant virtual environments. Second, Virtual Wide Area Application Services supports accelerated application performance for applications hosted on virtual servers in data centers and private clouds. Third, Network Analysis Module grants visibility into the virtual environment for troubleshooting performance problems.
The second alternative Cisco will offer for gaining better visibility into Hyper-V is a new version of Cisco Unified Computing System Virtual Machine Fabric Extender, which extends Cisco management to virtual environments. The benefit is similar to that of Nexus 1000V in that it gives a network-layer view and controls of the virtual environment, Cisco says.
With UCS VM-FEX administrators can treat the physical and virtual elements of their networks as a single infrastructure for provisioning, configuration, management, monitoring and troubleshooting.
The new products will work with Windows Server 8 but not earlier versions of Windows Server. Existing versions of Nexus 1000V and UCS VM-FEX already work with Hyper-V competitor VMware’s virtual environments.
Cisco says pricing isn’t available yet for the new products.
LAS VEGAS – A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.
The problem is serious not only because of the damage an attacker might do but also because the protocol, OSPF, is used so pervasively that many networks are vulnerable. Open Shortest Path First (OSPF) is the most popular routing protocol used within the roughly 35,000 autonomous systems into which the Internet is divided.
Typically large corporations, universities and ISPs run autonomous systems.
The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel’s Electronic Warfare Research and Simulation Center, who discovered the problem.
Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but that it would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the severity of the problem, since Cisco dominates the router market.
The problem lies in the OSPF protocol itself, which can be tricked into accepting false router table updates from phantom routers on the network — Nakibly says he used a laptop attached to the test network he was attacking.
The phantom sends a false link state advertisement (LSA) — a periodic router table update — to the targeted router. The router accepts it as legitimate because, to verify its authenticity, all it checks for is that it has the most recent LSA sequence number, contains the proper checksum and is plus or minus 15 minutes old.
Nakibly described how to falsify all of these and to overcome the protocol’s defense mechanism called fightback that floods accurate LSAs in the face of false ones.
The false LSA can be crafted to create router loops, send certain traffic to particular destinations or snarl a network by making the victim router send traffic along routes that don’t exist in the actual network topology, he says.
The exploit requires one compromised router on the network so the encryption key used for LSA traffic among the routers on the network can be lifted and used by the phantom router. The exploit also requires that the phantom router is connected to the network, Nakibly says.
To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network. Designated routers store complete topology tables for the network, and they multicast updates to the other routers.
Nakibly introduced a second attack that is not as effective, but similarly takes advantage of a vulnerability in the OSPF specification.
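The acceptance checks the article lists (most recent sequence number, correct checksum, age within the 15-minute window) and the fightback response are written out below as an added Python model from a defender's viewpoint. This is illustrative code, not code from the article, from Nakibly's research or from Cisco; it follows the RFC 2328 section 13.1 instance comparison, the section 13.4 self-originated-LSA rule and the RFC 1008 Fletcher checksum. The function names, verdict strings, router IDs (10.0.0.1 and 10.0.0.2) and sample LSAs are all constructed for this example.

```python
import struct
from collections import namedtuple

# Constants from RFC 2328 Appendix B; the LSA layout is from RFC 2328 A.4.1.
LS_MAX_AGE = 3600       # MaxAge, seconds
LS_MAX_AGE_DIFF = 900   # MaxAgeDiff, the "plus or minus 15 minutes" window
LSA_HEADER_LEN = 20
AGE_LEN = 2             # LS age (first two bytes) is excluded from the checksum
CHECKSUM_OFFSET = 16    # LS checksum offset within the whole LSA
LSAHeader = namedtuple("LSAHeader", "age options ls_type link_state_id "
                       "adv_router seq checksum length")

def _fletcher_sums(data: bytes) -> tuple:
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1

def fletcher_checksum(region: bytes, offset: int) -> bytes:
    """Checksum octets for `region`, whose checksum field starts at `offset`."""
    buf = bytearray(region)
    buf[offset:offset + 2] = b"\x00\x00"
    c0, c1 = _fletcher_sums(buf)
    n = offset + 1                              # 1-based field position
    x = ((len(buf) - n) * c0 - c1) % 255
    y = (c1 - (len(buf) - n + 1) * c0) % 255
    return bytes([x or 255, y or 255])         # RFC 1008 encodes 0 as 255

def checksum_valid(region: bytes) -> bool:
    # A correctly checksummed region sums to zero in both accumulators.
    return _fletcher_sums(region) == (0, 0)

def _signed32(v: int) -> int:                   # LS sequence numbers are signed
    return v - (1 << 32) if v & 0x80000000 else v

def parse_header(data: bytes) -> LSAHeader:
    return LSAHeader(*struct.unpack("!HBBIIIHH", data[:LSA_HEADER_LEN]))

def build_lsa(age, options, ls_type, lsid, adv, seq, body=b"") -> bytes:
    """Assemble an LSA with a correct checksum (only used for sample data)."""
    hdr = struct.pack("!HBBIIIHH", age, options, ls_type, lsid, adv,
                      seq & 0xFFFFFFFF, 0, LSA_HEADER_LEN + len(body))
    lsa = bytearray(hdr + body)
    lsa[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2] = fletcher_checksum(
        bytes(lsa[AGE_LEN:]), CHECKSUM_OFFSET - AGE_LEN)
    return bytes(lsa)

def compare_instances(new: LSAHeader, held: LSAHeader) -> int:
    """RFC 2328 13.1: 1 if `new` is more recent, -1 if `held` is, 0 if same.
    Only sequence number, checksum and age take part in this decision."""
    ns, hs = _signed32(new.seq), _signed32(held.seq)
    if ns != hs:
        return 1 if ns > hs else -1
    if new.checksum != held.checksum:
        return 1 if new.checksum > held.checksum else -1
    if (new.age == LS_MAX_AGE) != (held.age == LS_MAX_AGE):
        return 1 if new.age == LS_MAX_AGE else -1
    if abs(new.age - held.age) > LS_MAX_AGE_DIFF:
        return 1 if new.age < held.age else -1
    return 0

def accept_lsa(raw: bytes, lsdb: dict, my_router_id: int) -> str:
    """Receive-side checks for one flooded LSA; returns a verdict string.
    Nothing here binds the LSA to the router that actually sent it."""
    if len(raw) < LSA_HEADER_LEN:
        return "discard: truncated"
    hdr = parse_header(raw)
    if hdr.length != len(raw):
        return "discard: bad length"
    if not checksum_valid(raw[AGE_LEN:]):
        return "discard: bad checksum"
    if hdr.age > LS_MAX_AGE:
        return "discard: age exceeds MaxAge"
    key = (hdr.ls_type, hdr.link_state_id, hdr.adv_router)
    held = lsdb.get(key)
    newer = held is None or compare_instances(hdr, held) > 0
    if hdr.adv_router == my_router_id and newer:
        # RFC 2328 13.4: a self-originated instance newer than our own copy is
        # re-originated (the "fightback"); a defender should also log it.
        return "fightback: newer self-originated LSA received; alert"
    if newer:
        lsdb[key] = hdr
        return "install: newer instance"
    if compare_instances(hdr, held) == 0:
        return "ignore: duplicate instance"
    return "ignore: older than held copy"

# Constructed samples: this router is 10.0.0.1, its neighbour is 10.0.0.2.
MY_ID, PEER_ID = 0x0A000001, 0x0A000002
SAMPLE_OWN = build_lsa(100, 0x22, 1, MY_ID, MY_ID, 0x80000001, b"\x00" * 4)
SAMPLE_PEER = build_lsa(100, 0x22, 1, PEER_ID, PEER_ID, 0x80000001, b"\x00" * 4)
SAMPLE_PEER_NEWER = build_lsa(50, 0x22, 1, PEER_ID, PEER_ID, 0x80000002, b"\x00" * 4)

def demo() -> list:
    # Feed the samples to a fresh LSDB that already holds our own router-LSA.
    db = {(1, MY_ID, MY_ID): parse_header(SAMPLE_OWN)}
    return [accept_lsa(lsa, db, MY_ID)
            for lsa in (SAMPLE_PEER, SAMPLE_PEER, SAMPLE_PEER_NEWER, SAMPLE_PEER)]
```

The point the model makes visible is that every check in `accept_lsa` is computed from the LSA itself; a valid checksum and a fresh sequence number say nothing about who put the LSA on the wire, which is why the article's only remedies are a different protocol or a change to OSPF. For monitoring, the "fightback" verdict (a newer copy of your own router-LSA arriving from the network) is the event to alert on, since a healthy network never produces it.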
National Cyber Alert System
Cyber Security Bulletin SB11-213
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
azeotech — daqfactory | AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal.
Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request.
The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681.
Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695.
Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table.
Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4543.
Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file.
Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to “critical security vulnerability issues.”
SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field.
Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line.
opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes.
upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/.
SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669.
APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message.
Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/.
Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar.
IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets.
The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference.
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component.
Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509.
templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488.
The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488.
Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488.
Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.
SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors.
The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.
Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer.
Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow.
Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges.
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application.
jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484.
Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption.
Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file.
Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file.
The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.
The amount of Internet traffic crisscrossing the world will quadruple by 2015 as the number of networked devices surpasses 15 billion, according to a report out today from Cisco.
Releasing its fifth annual Visual Networking Index Forecast today, the networking giant forecast that global Internet traffic will reach 966 exabytes a year in just four years. One exabyte equals 1 million terabytes, 1 billion gigabytes, or about 250 million DVDs.
Per month, global IP traffic will hit 80.5 exabytes by 2015, up from about 20.2 exabytes per month in 2010. And per second, traffic will hit 245 terabytes, the equivalent of about 62,500 DVDs.
The increase alone in global traffic between 2014 and 2015 will be 200 exabytes, more than the total amount of all IP-based traffic seen last year.
The dramatic jump in Internet traffic will occur as a result of four key factors, Cisco says:
More devices. Driven by demand for mobile phones, tablets, smart appliances, and other connected gadgets, the number of Internet-connected devices will be twice the number of people on the planet in another four years.
More people. By 2015, almost 3 billion people will be surfing the Net, more than 40 percent of the world’s total population.
Faster speeds. The average broadband speed is expected to jump to 28 megabits per second in 2015, up from 7 Mbps now.
More videos. In another four years, 1 million minutes of video, or 764 days’ worth, will cross the Internet every second.
Computers accounted for 97 percent of all traffic last year. That number will drop to 87 percent by 2015, as more mobile devices hop online. As a result, mobile Internet traffic around the world will grow 26-fold, to 75 exabytes per year or 6.3 exabytes per month in 2015.
The number of people accessing online video will increase by about 500 million users in another four years. Web-enabled TVs will also scoop up their share of more data, according to Cisco, accounting for 10 percent of all consumer Internet traffic and 18 percent of online video traffic by 2015.
Retailers, other distributed enterprises get controller-less Wi-Fi branch option
Cisco shops can finally run a slew of branch office WLANs without having to put a controller at each site.
The company announced the Flex 7500 Series Cloud Controller at Interop last week, which centralizes control and management functions in the “private cloud” data center but allows for distributed data forwarding in local branch APs.
Connections and inter-AP fast-roaming capabilities stay up if there’s a WAN failure between the branch site and the controller, and users can also authenticate locally, according to Greg Beach, director of product management in Cisco’s wireless networking business unit.
The Flex 7500 is a “1 [rack-unit] appliance that supports 2,000 APs [across distributed sites], local authentication and fast roaming. If a WAN link goes down, already connected devices survive,” he said.
The architecture alleviates the high cost associated with having a controller in every site in enterprises that are highly distributed, such as retail organizations.
However, the control and management functions are inaccessible if the WAN is unavailable. Cisco wireless VP and general manager Ray Smets said at the show that “retailers want CleanAir,” Cisco’s well-received spectrum analysis capabilities for identifying and mitigating sources of interference. “To get CleanAir, they need a controller. And they want that controller in the data center.”
In other words, while a WAN failure would not impact local connectivity and data forwarding, continued operation of the bells-and-whistles RF management features such as CleanAir remains dependent on a live WAN.
That’s because while CleanAir uses purpose-built ASICs in Cisco APs for monitoring, you need a correlation and analysis engine to crunch the data collected. According to Cisco CleanAir documents: “You can deploy Cisco CleanAir technology effectively with just Cisco Aironet 3500 Access Points and the Cisco WLC for simple detection and mitigation of RF interference. For added benefits such as location, zone of impact, policy enforcement, and visualization of air quality, you should also consider including the Cisco Mobility Services Engine (MSE) and the Cisco WCS [Wireless Control System].”
Cisco recently posted a YouTube video of several of its engineers discussing the development of the Cisco ASR 1000 Series routers employing the new 40-core Quantum Flow Processor. With four threads per core, the QFP is able to process 160 distinct packets concurrently, in their entirety – not just headers. Other geek-friendly stats are available on the Cisco site.
As always, Gyver Networks can answer any additional questions you might have regarding procurement, deployment and administration.
Microsoft Office Communications Server (OCS) 14, hereafter known as Lync 2010, is the next generation solution for all-in-one enterprise connectivity offered by the tech giant. With this most recent rendition of unified communications software, Microsoft has existing telephony solutions providers squarely in their sights, and Cisco and Avaya would do well to sit up and take notice.
OCS provided a wide range of integrated communications options, but Lync 2010 supersedes them all with advances not only in standard IP-based communications media like chat, presence, and videoconferencing, but also in a vastly improved voice solution featuring access from anywhere without VPNs or third-party applications, and smartphone client apps with full functionality.
The conferencing features are particularly advanced, allowing users to begin a meeting at their workstation, then transfer and continue on their smartphone if they have to hit the road – without ever leaving and rejoining the meeting! Pretty cool. Other options include the ability for anonymous users to join meetings without downloading software or, going in the opposite direction, an administrator lobby for additional meeting access controls.
Chat warriors need not fear either, as Lync chat integrates contact and presence info with many popular chat clients like Yahoo!, AOL, MSN, and others.
Of course, everything integrates with existing Microsoft applications platforms for seamless functionality and integration with existing MS infrastructure. The feature set is rich, the options are innumerable, and the price is surprisingly affordable for an all-in-one connectivity platform. Even though Lync 2010 is billed as an “enterprise connectivity” suite, small and mid-size businesses would be well served to consider the advances in internal communications, client presentations, and overall productivity Microsoft Lync 2010 would afford their company.
Just because you’re the toughest kid on the block doesn’t mean that you don’t have to prove it every so often, and Cisco did recently, comparing wireless offerings against several other industry leaders.
Throughput vs. distance testing was performed pitting the Cisco Aironet 1252 against comparable 802.11n access points from HP, Aruba, Motorola and Trapeze, measuring access to assorted 802.11a/b/g/n wireless clients at various ranges. The Cisco outperformed the pack in both 2.4GHz and 5GHz bands, by as much as 169% in the former and 64% in the latter.
Microsoft is running a pretty sweet deal for families looking to simultaneously upgrade both their home network and operating environment. The Microsoft Store is offering a family 3-pack of Windows 7 Home Premium and a Cisco wireless N router for a ridiculously low price. The combo package allows families to save as much as $300 off the combined software license and hardware retail costs.
Who said there are no good deals before Thanksgiving? Better jump on it, though, as the offer will likely expire soon.