The oft-requested and long awaited arrival of TACACS+ support in Cisco's Identity Services Engine (ISE) is finally here starting in version 2.0. I've been able to play with this feature in the lab and wanted to blog about it so that existing ISE and ACS (Cisco's Access Control Server, the long-time defacto TACACS+ server) users know what to expect.

Below are five facts about how TACACS+ works in ISE 2.0.

I've been doing a lot of reading and video watching on securing industrial control and automation systems (ICAS) (sometimes referred to as SCADA systems) so this POI has a few links related to that and ends with a link to an editorial piece about privacy and why privacy matters to us all.

It's been a while since I've done a POI so here we go. The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ Kaspersky Lab found this new variant of the Duqu malware in their own network. They wrote a paper based on their analysis of this new malware. It fascinates me how sophisticated these software packages are and how much effort the threat actors put into them. Diffie-Hellman Key Exchange Diffie-Hellman (DH) is the world's first public key crypto system.

Presenter: Craig Williams (@security_craig) - Sr Technical Leader / Security Outreach Manager, Cisco TALOS

"I'm from Talos. We love to stop bad guys."

Talos by the numbers:

• 1.1 million incoming malware samples per day
• 1.5 billion Sender Base reputation queries per day

Talos has a serious amount of data. For serious.

I don't believe this is well known: Cisco IOS has Role Based Access Control (RBAC) which can be used to create and assign different levels of privileged access to the device. Without RBAC there are two access levels in IOS: a read-only mode with limited access to commands and no ability to modify the running config (also called privilege level 1) and enable mode with full administrative access. There is no middle ground; it's all or nothing. RBAC allows creation of access levels somewhere between nothing and everything. A common use case is creating a role for the first line NOC analyst which might allow them to view the running config, configure interfaces, and configure named access-lists.

Cisco's Identity Services Engine (ISE) is a powerful rule-based engine for enabling policy-based network access to users and devices. ISE allows policy enforcement around the Who?, What?, and When? of network access.

• Who is this user? A guest? An internal user? A member of the Finance department?
• What device is the user bringing onto the network? A corporate PC? A Mac? A mobile device?
• When are they connecting? Are they connecting to the secure network during regular business hours or at 02:00 in the morning?

These questions can all be answered easily within ISE and are all standard policy conditions that are relatively easy to implement. In the post below I'm going to focus on the How? — How is the user or device connecting to the network? Asked another way, the question is Wired? or Wireless?

This post is for anyone who administers a Juniper SSL VPN. I saw an issue in our environment recently that was created by an unexpected interaction between two different systems that were working to enforce our computer security policy. Because the way the systems were configured is pretty common and because the issue is not specifically warned against by Juniper, I'm going to share it here.