Time of Day Call Routing

I recently came across an opportunity to use a relatively new feature in Cisco Unified Communications Manager (CUCM). Suppose you are the telecom administrator at a community hospital. During business hours, the Facilities Department is staffed and team members simply call the office to report facilities issues. After hours though, the office is unstaffed and you need calls to the office to be sent to a cell phone which is carried by the associate on call.

One way to do this would be to use simple call forwarding. The issue here is that it relies upon a human being to forward the office phone to the cell phone when they leave the office.

If you’re familiar with CUCM, you’ll recognize this as a textbook example of when to use time-of-day routing. But nothing is ever as simple as it seems.

After consulting with the Director of Facilities, you find out their hours are flexible depending upon the time of year and staffing levels. Ideally, the Facilities Director would like to be able to edit the schedule. Until recently, this meant giving administrator-like access to CUCM to the Facilities staff, not to mention training them to self-manage their time-of-day routing. (There is a solution, but let’s first delve into how to solve the basic problem.)

  1. Set up a Directory Number (DN) of 78001 on the shop phone. This is the number our associates are going to dial when they need to reach Facilities. This DN is going to be in the Internal partition, like the rest of our DNs.
  2. Create a new partition called “After_Hours_Pt” or whatever you like.
  3. Create a new DN, identical to the first one, except it’s going to be in the After Hours partition and will have Call Forward All (“CFA”) set to the on-call cell phone number.

We now have two identical route plan entries in two different partitions. So we need to edit our calling search spaces to include the After Hours partition, making sure it is listed first (that is, ahead of the Internal partition). The order in which these partitions are listed in the caller’s calling search space determines which one is used.

The next step is placing a time restriction on the After Hours partition so it’s only operative when we want calls to go to the cell phone. To start, I’ll create three time periods:

  • Weeknights – M-F, 1630 – 2359
  • Weekmornings – M-F, 0000 – 0730
  • Weekends – Sat-Sun, 0000 – 2359

Then it’s just a matter of creating a time schedule which includes those three time periods and we have the basic setup finished.
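To make the partition-ordering and time-schedule logic concrete, here is a small Python model of how a calling search space (CSS) resolves a dialed number in the scenario above. It is an added example written for this post, not CUCM code; the partition, DN and time-period names follow the post, while the on-call cell number and the sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed model of CUCM route selection for the time-of-day scenario.
# Partition, DN and time-period names follow the post; the on-call cell
# number is a made-up placeholder.
WEEKDAYS = range(0, 5)   # Mon-Fri in datetime.weekday() terms
WEEKEND = range(5, 7)    # Sat-Sun


@dataclass(frozen=True)
class TimePeriod:
    name: str
    days: range
    start: time
    end: time  # inclusive, matching CUCM's 2359 end-of-day convention

    def contains(self, when: datetime) -> bool:
        hhmm = when.time().replace(second=0, microsecond=0)
        return when.weekday() in self.days and self.start <= hhmm <= self.end


# The three time periods from the post, grouped into one time schedule.
AFTER_HOURS_SCHEDULE = [
    TimePeriod("Weeknights", WEEKDAYS, time(16, 30), time(23, 59)),
    TimePeriod("Weekmornings", WEEKDAYS, time(0, 0), time(7, 30)),
    TimePeriod("Weekends", WEEKEND, time(0, 0), time(23, 59)),
]


@dataclass(frozen=True)
class DirectoryNumber:
    number: str
    partition: str
    forward_all: Optional[str] = None  # CFA target, if configured


# Route plan: the same DN in two partitions; the After_Hours_Pt copy is
# CFA'd to the on-call cell phone (constructed number).
ROUTE_PLAN = [
    DirectoryNumber("78001", "Internal"),
    DirectoryNumber("78001", "After_Hours_Pt", forward_all="9-555-0100"),
]

# Time schedule attached to each partition; None means always active.
PARTITION_SCHEDULE = {"Internal": None, "After_Hours_Pt": AFTER_HOURS_SCHEDULE}


def schedule_active(schedule: List[TimePeriod], when: datetime) -> bool:
    return any(period.contains(when) for period in schedule)


def route(dialed: str, css: List[str], when: datetime) -> Tuple[Optional[str], Optional[str]]:
    """Walk the caller's CSS in order and return (partition, destination).

    A partition whose time schedule is inactive is skipped, so the match in
    After_Hours_Pt wins only when that partition is listed before Internal
    and the after-hours schedule is active at call time.
    """
    for partition in css:
        schedule = PARTITION_SCHEDULE.get(partition)
        if schedule is not None and not schedule_active(schedule, when):
            continue
        for dn in ROUTE_PLAN:
            if dn.number == dialed and dn.partition == partition:
                return partition, dn.forward_all or dn.number
    return None, None


def route_at(dialed: str, css: List[str], stamp: str) -> Tuple[Optional[str], Optional[str]]:
    """Convenience wrapper taking a 'YYYY-MM-DD HH:MM' timestamp string."""
    return route(dialed, css, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    css = ["After_Hours_Pt", "Internal"]  # correct order: After Hours first
    for stamp in ("2020-07-14 10:00", "2020-07-14 17:00", "2020-07-18 12:00"):
        print(stamp, route_at("78001", css, stamp))
```

Swapping the CSS order to ["Internal", "After_Hours_Pt"] makes the Internal DN match every time, which is exactly the misconfiguration the ordering rule above guards against.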

But now we need to address the issue of allowing the Facilities Director to edit this schedule and make changes. Let’s presume the Facilities Director has an end-user account in CUCM, and that account is a member of the Standard CCM End-Users security user group (the name of the group may change slightly in newer versions of CUCM).

When you were creating the time periods, there was an option to specify which end user owned them. By making the Facilities Director the owner of these time periods, he/she will be able to log into their CUCM User Webpage and edit the schedule as needed. Changes can now be made without the intervention of the administrator, and that should make everyone happy.

Author: Bob Long

Related Courses:
CIPT1 v6.x/7.x – Implementing Cisco Unified Communications IP Telephony, Part 1


Small Targets, Big Rewards

Small towns, cities, counties, and municipalities—and small banks and credit unions—have become popular targets for online bank account looters. The theft of “modest” sums ranging from $10,000 to $500,000—or more—can quickly grow the balance sheets of successful criminals.

In one recent case in Illinois, thieves targeted the assistant of the administrator of a small town of 10,000 people near Chicago. When the assistant attempted to log on to the town’s local bank account, she was redirected to a page informing her the bank’s website was experiencing technical difficulties—a delay tactic that allowed the criminals enough time to create their own interactive session with the account. The assistant was even provided a fake phone number for customer service, which she later called and found to be a residential number.

By the next day, the thieves had transferred $70,000 out of the town’s bank account. Fortunately, the bank (after notifying town staff of the previous transfers and learning they were the work of thieves) was able to halt one fraudulent wire transfer of $30,000. This prevented the total amount stolen from reaching six figures.

Computer Crooks Steal $100,000 from Ill. Town, by Brian Krebs, Krebs on Security blog via the Cisco 2010 Midyear Security Report



Using the ACS for ASDM Access

Last time we discussed how to use the LOCAL database of the ASA security appliance to configure minimum user privileges for ASDM access. We showed that ASDM contains two other default account profiles (other than full administrative privileges) for partial access to the GUI.

While using the LOCAL database is a viable mechanism for a small organization with only a few devices, larger enterprise operations frequently require a centralized Access Control Server (ACS). This server is not only used to control device access for users and groups of users, but is an absolute requirement if accounting is needed, since Cisco AAA does not allow accounting to the LOCAL database. This post will explore how to use the Cisco ACS for ASDM access.

While using the LOCAL database of the ASA for ASDM access was fairly straightforward (the ASDM-defined roles were a big help!), using the ACS involves a bit of “trial-and-error” since documentation is lacking. For this experiment we created a username of adminjr with the goal of using a minimum amount of privilege to load ASDM. The screenshot below illustrates what happens if adminjr doesn’t have enough privileges to load ASDM.

After entering a few commands into the ACS, ASDM appears to load, but it’s actually locked, with the following result:

Fortunately, the Failed Attempts section of the ACS is helpful here. As the accompanying screenshot shows, ASDM is attempting a number of show commands to bring up the initial post-login screen.

Using this screen along with trial-and-error, we arrive at the following minimum commands for adminjr to load ASDM:

Several additional comments are in order here.

  1. What is NOT shown is the requirement that shell access must be allowed for the adminjr user.
  2. While these commands ensure that ASDM will load without a problem, they do not allow full access to the buttons and features for even basic monitoring functions. The commands shown last time need to be added to ensure this functionality.

With some creativity, a network administrator could create various Command Authorization sets for centralized control of such commonly required capabilities as VPN configuration and monitoring, Failover configuration and monitoring, as well as basic firewall (access-list, service-policy, NAT) rule commands.

Author: Doug McKillip

References:

ASDM 6.0 User Guide – Configuring Management Access


Criminals Now Protecting Their “Intellectual Property”

However cutting-edge and entrepreneurial you believe your business is in terms of technology and security, remember one thing: The criminals who prey on business online are always trying to be a few steps ahead of you.

Witness the trend of creators of malicious software placing tough anti-piracy protections on their creations, in a bid to keep other criminals from stealing their intellectual property.

  • The latest version of the builder kit for the Zeus banking Trojan, which has long been a threat to financial institutions and delivers lucrative personal information back to a botnet command-and-control server, includes the type of copy protection one would normally find on a sophisticated piece of enterprise software. The creators of Zeus have added a hardware-based licensing system to the Trojan builder kit, which only allows the kit to be copied on a single computer.
  • The creators of a competing malware kit, SpyEye, which appears to be trying to gain market share from Zeus, have also decided to protect their technology. “Not to be outdone [by Zeus], the SpyEye author now claims his malware builder also includes a hardware lock, using VMProtect, a Russian commercial software protection package,” reports Krebs On Security.

It’s sobering news that criminals are quickly meeting and even exceeding the safeguards that legitimate enterprises build into their products—yet another sign that the sophistication and business acumen of online criminals knows no bounds. Also of concern is the fact that protected malware code and software can be harder to reverse-engineer, and therefore, more challenging for enterprises and their security vendors to develop ways to halt it.

Excerpted from the Cisco 2010 Midyear Security Report. Download your copy here.



Action Plan for Securely Adopting Cloud Computing

Businesses are allowing many audiences—employees, partners, vendors, and customers—to benefit from working with solutions based on the cloud computing model. Below are some basic steps to take, and questions to ask, when bringing these solutions into your business.

1) Assess your organization’s overall understanding of cloud computing.

  • Discuss functionality and risks.
  • Assess current policies and operating practices.

2) Ask the basics first: Why cloud computing?

  • Understand business drivers propelling you towards cloud computing.
  • Will sensitive data or business operations be hosted in the cloud? If so, why?
  • Develop a preliminary risk outline to work and build on.

3) Outline a solid communication, awareness, and education plan.

  • Develop custom sessions for executives, plus general content for all employees.
  • Establish a “Cloud Board” of business and technical leaders to work through adoption strategies.
  • Avoid organic growth models that are cumbersome to operate, scale, or secure.
  • Measure consumption trends and determine risk tolerance.

Excerpted from the Cisco 2010 Midyear Security Report. Download your copy here.



5 Steps to Build a Corporate Mobility Policy

Currently, most enterprises mold their mobile security strategies around compliance measures—such as US requirements like the Health Insurance Portability and Accountability Act (HIPAA)—relating to how personal information, both stored and in motion, is protected by businesses. Government regulations, together with the lawsuits, fines, and reputational damage that can result from noncompliance and from security breaches, are all significant motivators, of course, but companies need to think beyond these requirements if they want to embrace mobility fully as a way of working and exchanging information.

Compliance does not equal security—nor does it take into account all sensitive information that an enterprise may want and need to protect.

Step 1: Discovery.
Find out how mobility is happening in the corporate environment—and why—to build appropriate security parameters. Understand what the business value of mobility is for the enterprise. The approach will vary by company and industry (for example, an educational institution’s security concerns around mobility are likely to be quite different from those of an energy company with a nuclear facility).

Step 2: Identification.
Create an acceptable-use policy that outlines the devices that are supported by the enterprise. Outline what disciplinary actions may result due to noncompliance with corporate policies relating to the use of mobile devices. Explain why certain devices are not permitted in the enterprise (and if/when that policy might change).

Step 3: Keep it Flexible.
When crafting a policy, keep in mind that it should be flexible enough to cover both immediate and future security concerns. Take into consideration what the organization might need to compete in the future and attract top talent—particularly from the very mobile, very connected Generation Y.

Step 4: Education.
Communicate—and enforce—the policy across the organization. But keep in mind that secure mobility is not just about enforcing acceptable-use policies from a human resources or legal standpoint: It’s also about the safety of the network.

Step 5: Manage the device life cycle.
You may not be able to manage every mobile device in the enterprise, but you can inventory every device you do control. Note the level of access of the user. Can the user access sales figures, personnel files, or customer data? Through this process, create a record of who is accessing what information, with what device (or application), and for what reason.

In addition, make sure you have the ability to lock and/or wipe clean a device automatically and remotely after employment termination or if a device is lost or stolen—a critical security measure. Consider the example of an HR department staff member who loses a device with employees’ personally identifiable information saved on it. That data, once exposed, could be used inappropriately by identity thieves and can create serious legal and disclosure woes for the company.

Mobile security also needs a system-level approach that goes beyond setting acceptable-use policies. Enterprises should implement tools that allow visibility into wireless environments and detect security threats as they emerge so they can take swift action.

Excerpted from the Cisco 2010 Midyear Security Report. Download your copy here.



Collaboration Critical to Employee Success says Cisco

Today’s employees expect to collaborate extensively with their colleagues—and believe it’s not just beneficial, but essential to their careers and to the business.

In a recent study, Cisco surveyed employees at midmarket and enterprise businesses in the United States and found that when workers embrace collaboration, they do so wholeheartedly. More than 75% said collaboration is critical to their success on the job; more than 90% said collaboration makes them more productive.

The study divided respondents into four categories. Workers identified as Collaboration Enthusiasts—those who believe collaboration is a key business differentiator—use an average of 22 tools, including social networking sites, blogs, and wikis, to connect with colleagues. Respondents in the Collaboration Laggard group use far fewer, often because their company doesn’t make them available.

Competitive, entrepreneurial businesses should consider the type of work environment they want to foster and employees they would like to attract. If businesses intend to champion collaborative work processes, they must welcome the use of tools and solutions that may feel uncomfortable from a security standpoint.

Excerpted from the Cisco 2010 Midyear Security Report. Download your copy here.



Traffic Engineering in Brief

Anytime we’re working on a VoIP deployment, we need to ensure the network is able to support the new application. In addition to obvious requirements including quality of service (QoS), power over Ethernet (PoE), and security planning, it may be advisable to do a bit of traffic engineering.

The end product of the traffic engineering process is knowing how much bandwidth is going to be required across our network. And as with so many things, it’s easier said than done. Let’s start off with a very simple example.

The Widget Group has three sites: Toronto, Vancouver, and Seattle. Each site has a traditional PSTN connection used for its off-net calls, and an MPLS WAN connects the three sites. To size the WAN, we just need to know how many calls are placed across it between the sites.

There are a few ways to collect this data. If there are existing tie lines between the PBXs, then usage data could be collected for those circuits. If not, then long distance billing data could be used if it were itemized.

The math isn’t too terrible from this point. You analyze the data to find the busiest hour (make sure you have an adequate sample size here), then use an Erlang calculator. The output will tell you the number of simultaneous calls your network needs to support. Then you multiply that figure by the amount of bandwidth each call takes, and you’ve arrived at your answer.

Widget Group’s busy-hour traffic is 10 erlangs, and company policy says only 1 call in 100 can be blocked. The calculator tells us we need 18 lines and 432 kbps of bandwidth.

But there are some twists and turns. As I said, the math part is easy, but figuring out which calls go over which network links gets a bit more complicated.

The scenario above assumes that all calls use the same amount of bandwidth. But consider faxes for a moment (yes, faxes are sent between offices). When those calls are carried across a VoIP-enabled network, we cannot use G.729. So while it’s quite possible the majority of calls will be G.729, the fax calls may be G.711. This makes the math more complicated.
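As an added illustration (not the author’s calculator), the following Python carries the Widget Group numbers through the Erlang B formula and the per-call bandwidth arithmetic, then extends it to the mixed G.729/G.711 case the fax discussion raises. It assumes 20 ms packetization and 40 bytes of IP/UDP/RTP header per packet with no Layer 2 overhead, which gives 24 kbps per G.729 call (18 × 24 = 432 kbps) and 80 kbps per G.711 call; the number of simultaneous fax calls is a constructed planning assumption.

```python
# Added example: Erlang B trunk sizing and WAN bandwidth for the Widget
# Group scenario. Codec figures assume 20 ms packetization and 40 bytes of
# IP/UDP/RTP header per packet (no Layer 2 overhead); these are planning
# assumptions, not figures from the post.
CODEC_PAYLOAD_KBPS = {"G.729": 8, "G.711": 64}
IP_UDP_RTP_HEADER_BYTES = 40


def erlang_b(lines: int, offered_erlangs: float) -> float:
    """Blocking probability for `lines` trunks carrying `offered_erlangs`
    of busy-hour traffic, computed with the Erlang B recursion."""
    blocking = 1.0  # with zero trunks every call is blocked
    for n in range(1, lines + 1):
        blocking = (offered_erlangs * blocking) / (n + offered_erlangs * blocking)
    return blocking


def required_lines(offered_erlangs: float, max_blocking: float) -> int:
    """Smallest number of trunks whose blocking does not exceed max_blocking."""
    lines = 0
    while erlang_b(lines, offered_erlangs) > max_blocking:
        lines += 1
    return lines


def per_call_kbps(codec: str, packetization_ms: int = 20) -> float:
    """Bandwidth of one call including IP/UDP/RTP overhead."""
    # kbps * ms / 8 gives the codec payload bytes carried in one packet
    payload_bytes = CODEC_PAYLOAD_KBPS[codec] * packetization_ms / 8
    packets_per_second = 1000 / packetization_ms
    return (payload_bytes + IP_UDP_RTP_HEADER_BYTES) * 8 * packets_per_second / 1000


def wan_bandwidth_kbps(lines: int, codec: str = "G.729", fax_lines: int = 0) -> float:
    """Worst-case bandwidth when up to `fax_lines` of the trunks carry G.711
    fax calls and the rest use `codec` (a conservative simplification)."""
    if fax_lines > lines:
        raise ValueError("fax_lines cannot exceed lines")
    voice = (lines - fax_lines) * per_call_kbps(codec)
    fax = fax_lines * per_call_kbps("G.711")
    return voice + fax


if __name__ == "__main__":
    lines = required_lines(10.0, 0.01)  # 10 erlangs, 1 call in 100 blocked
    print(f"{lines} lines, blocking {erlang_b(lines, 10.0):.2%}")
    print(f"all G.729: {wan_bandwidth_kbps(lines):.0f} kbps")
    print(f"with 2 fax calls: {wan_bandwidth_kbps(lines, fax_lines=2):.0f} kbps")
```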

Things start getting really complicated when Tail-End Hop-Off (TEHO) is used. In such a scenario, a call originating in Toronto and destined for Vancouver would be carried across the WAN from Toronto to Vancouver, and placed out Vancouver’s PSTN lines as a local call. Then it’s necessary to get a lot more granular in how you collect, sort, and analyze the data.

Author: Bob Long



IP-Addressable Devices: Who’s Listening to Your Network?

The concept of a “networked refrigerator” that’s connected to the Internet may seem like a running joke among watchers of the Internet’s infiltration onto a host of devices, but at a time when cars with Internet-enabled dashboard screens are being introduced, the idea of more and more business devices that can communicate on a network doesn’t seem so far-fetched. And as wireless devices beyond the usual desktop and laptop computers start connecting to corporate networks, the threat window only grows: Criminals need to find only a single unguarded “in” to begin snooping into a network.

It is not difficult to find the open doors. Wireless printers, for example, which are now commonplace in the enterprise, can retain digital images—a potential boon for data thieves. And what about the digital camera that can seek a connection to a laptop that happens to be connected to a corporate network? The camera and the laptop establish a wireless connection, making it possible for the user of the digital camera to “leapfrog” directly into the corporate network. The data being passed between wireless devices is also vulnerable, and could easily be hijacked and used inappropriately. The variety of endpoints that are capable of being connected, or are already connected, is astonishing.

This interconnectedness will escalate, as will the effects it will have on our networks. In just a few years, every door lock, card reader, video camera, vehicle, power meter, and light switch will have an IP address—at least in the business world. Therefore, from a security standpoint, it will become increasingly important—within the enterprise and within our homes (since many of us are now mobile or remote workers, too)—to segment and firewall different classes of devices in a network.

Enterprises also should keep in mind that their “smart” office devices can be sources for data loss in other ways—no wireless connectivity required. For instance, data thieves may only need to make a small investment in a few used digital copiers to reap a big return in their hunt for sensitive data: An investigative report by CBS News showed how easy it is to retrieve tens of thousands of documents from digital copiers that have not had their hard drives sanitized prior to resale. Among the information found: Design plans for a building near “Ground Zero,” the site of the 9/11 terrorist attacks in Manhattan, and 95 pages of pay stubs with names, addresses, and Social Security numbers for employees of a New York construction firm.

Excerpted from the Cisco 2010 Midyear Security Report. Download your copy here.

Related Course
IAUWS – Implementing Advanced Cisco Unified Wireless Security v1.0


Using ASDM with Minimum User Privileges

Occasionally as I’m teaching a Cisco training class, I get an idea for a blog post, and it happened again this week. The Securing Networks with ASA Fundamentals curriculum is mostly based on the Adaptive Security Device Manager (ASDM). While the class describes the use of privilege levels with the command line, ironically it does not discuss how to apply these privileges to various levels of ASDM access. This first part of a two-part series will examine both the minimum CLI privilege commands required to run ASDM and the ASDM pre-defined user AAA authorization roles. Later I’ll examine how to accomplish ASDM privileged access using a Cisco Access Control Server with TACACS+.

The screenshot below shows the ASDM configuration screen used to accept the GUI default user access pre-defined roles:

As the above screenshot indicates, ASDM defines 3 user roles:

  • Admin: total access – privilege 15
  • Read-Only: allowing read-only access to the Configuration tab – privilege 5
  • Monitor Only: no Configuration tab access – privilege 3

If these are accepted and a username is created with a privilege of 3, when this user logs in, the following screen results:

Note that the Configuration Tab is totally missing! The following lengthy list of commands is supplied JUST for privilege 3 by ASDM to create the Monitor role:

For experimentation purposes and through laborious trial-and-error, we chose to find the minimum commands required to load ASDM. Believe it or not, we found that only the following two commands were required!

  • privilege show level 3 mode exec command logging
  • privilege show level 3 mode exec command blocks

Using just these 2 commands will cause problems, however, as shown by the following screenshot:

The addition of one more command – privilege show level 3 mode exec command interface – will solve that problem, but if you keep trying to minimize the command set, users attempting to monitor with ASDM will hit further annoying errors, as shown next:

Bottom line: you will need to use the minimum ASDM-supplied privilege commands to be able to navigate the subareas.

By the way, the Read-Only role only adds four additional privilege 5 commands:

  • privilege show level 5 mode exec command import
  • privilege show level 5 mode exec command running-config
  • privilege show level 5 mode configure command asdm
  • privilege show level 5 mode configure command privilege

Author: Doug McKillip

References:

  • ASDM 6.0 User Guide – Configuring Management Access
