Tag Archives: Cisco

PCI Council, Cisco Provide Guidance on PCI-Compliant Virtual Systems

via PCI Council, Cisco Provide Guidance on PCI-Compliant Virtual Systems – Security – News & Reviews – eWeek.com.

The PCI Security Standards Council issued new guidance to help IT administrators deploy and manage cloud environments and virtual data centers while ensuring PCI compliance where necessary.

The PCI DSS Virtualization Guidelines Information Supplement, released June 14, covers a number of virtualization areas, including different types of virtualization, specific notes on cloud computing and how to ensure “mixed” virtual environments are compliant, Bob Russo, the general manager of the PCI Council, told eWEEK. The guidance does not contain new requirements or standards but is intended to be a primer on how to ensure virtual environments comply with the existing PCI-DSS 2.0 standard.

New guidance is always appreciated! The PDF includes five pages of risks specific to virtualized environments, ten pages of recommendations to deal with the risks, and two pages to help assessors assess the risks.

But why do you need all that when Cisco has a Solution In A Box?

At the same time, Cisco announced it will be releasing a Cisco PCI Solution for Retail Design and Implementation Guide at the end of the month to help enterprises and retail customers with an in-depth guide on how organizations can achieve PCI compliance. The document provides guidance for different types of “store footprints,” such as size of the retail organization and the type of services provided, Lindsay Parker, global retail industry director at Cisco, told eWEEK.

Oh, it’s a guide to solving your DSS problems with Cisco solutions.

2011-06-16 Edit:

Anton Chuvakin weighs in:

PCI DSS in the Cloud … By the Council

The long-awaited PCI Council guidance on virtualization has been released [PDF]. Congrats to the Virtualization SIG for the mammoth effort! I rather liked the document, but let the virtualization crowd (and press!) analyze it ad infinitum – I’d concentrate elsewhere: on the cloud! This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic.

Here are some of the highlights and my thoughts on them.

via Anton Chuvakin Blog – “Security Warrior”: PCI DSS in the Cloud … By the Council.

Cisco Targets Wireless Security to Step Beyond PCI Compliance

Cisco is looking to bolster wireless security with an eye towards going above and beyond compliance with Payment Card Industry (PCI) requirements.

Part of that starts with the addition of new PCI compliance reporting capabilities for the Cisco Wireless Control (WCS). On top of its previous PCI reporting functionality, WCS now offers a PCI summary report and the ability to filter and focus on individual locations or devices.

Reports and logging are great if you read the logs… You do read the logs daily, don’t you?

via Cisco Targets Wireless Security to Step Beyond PCI Compliance – Security – News & Reviews – eWeek.com.

Multiple Linux vulnerabilities found in Cisco videoconferencing systems

This is quite a hole in a Cisco product.

The vulnerabilities were first reported to Cisco by Florent Daigniere, a researcher with Matta Ltd, a penetration testing company based in Richmond, Surrey. He found seven distinct vulnerabilities in the Cisco products, including hard-coded usernames, weak session IDs and weak obfuscation of credentials.

In a posting at the Full Disclosure Mailing list, Daigniere said the Cisco vulnerabilities would allow an attacker to “get full control of the device and harvest user passwords with little to no effort.” The attacker could also launch an attack against other parts of the target infrastructure.

via Multiple Linux vulnerabilities found in Cisco videoconferencing systems.

GNS3 Configuration Guide

Chris Bloomfield has written an excellent, step-by-step guide for installing and configuring GNS3 and using it to build a virtual network.

GNS3 is actually the graphical front-end of Dynamips/Dynagen and allows you to drag-and-drop routers onto a stage, connect them up, run IOS on them, and save their configs, just as if you had your own network. It can be a little confusing to set up first of all so I will present a step-by-step guide below of how to install and configure GNS3 including a couple of advanced options which will allow you to run Cisco Security Device Manager SDM on your PC.

via Subnetting Made Easy And Other Cisco Tidbits: GNS3 Configuration Guide.

Cisco, NetApp, VMware Combine Forces on FCOE Storage System

Looks like a fantastic new option, if you have the budget.

Cisco Systems, NetApp and VMware jointly announced July 28 that they have made ready for prime time a new fully certified, end-to-end FCOE storage package for VMware virtual environments.

The package contains VMware-validated Cisco Nexus 5000 Series Switches and NetApp FAS-series unified storage using FCOE in virtual environments running VMware vSphere.

via Cisco, NetApp, VMware Combine Forces on FCOE Storage System – Data Storage from eWeek.

Researchers uncover Cisco firewall vulnerabilities, McAfee console flaws

Fresh info from Black Hat 2010!

King demonstrated a cross-site scripting attack against the centralized management console of McAfee’s Network Security Manager, a system that manages the sensors enterprises have deployed in the network as part of McAfee’s intrusion prevention system (IPS). The vulnerability enables an attacker to execute remote code on a browser, steal a session cookie of an administrator and log in with no credentials. By using the technique, an attacker could gain full control of the McAfee IPS.

and:

SecureWorks’ Jarmoc demonstrated several firewall vulnerabilities within Cisco’s ASA Firewall, a widely used firewall that is deployed in SoHo environments as well as Fortune 500 companies. One flaw allows an attacker to bypass the access control list (ACL), which negates the firewall’s security policy settings. Jarmoc also found issues with Cisco’s Adaptive Security Device Manager (ASDM), a Java-based GUI used for administering the firewall. Weaknesses within the authentication mechanism enable several different techniques that can allow an attacker to gain administrator credentials and execute code.

via Researchers uncover Cisco firewall vulnerabilities, McAfee console flaws.