Welcome to the Sentinel Blog!
We are proud to feature a carefully curated collection of articles and other content related to the most important technology topics of today and beyond. Our posts are composed and edited by Sentinel’s ALWAYS ENGAGED team of solutions architects, engineers, project managers and other subject matter experts.
Fortis Log4j CVE-2021-44228 Communication Release
The Fortis Security, Incident Response, and Threat Intelligence teams have been tracking activity related to the recently exploited Log4j remote code execution (RCE) vulnerability, also known as Log4Shell. Since this vulnerability came to light one week ago, the Fortis team has been aggressively threat hunting in our customers' environments while developing and deploying new detection signatures that alert on possible malicious scanning and post-exploitation activity based on known indicators of compromise.
Although there are scattered reports of APT groups, ransomware groups, and threat actors beginning to use this vulnerability as an initial access vector for dropping second-stage payloads and potentially deploying ransomware, the majority of exploitation activity that has been seen since initial exploits is related to installation of cryptocurrency miners and use by the Mirai and other botnets.
The instances of ransomware and post-exploitation activity that have been observed have primarily been reported to involve the Khonsari ransomware family, dropping of Cobalt Strike beacons, and the use and sale of this vulnerability by access brokers. Several sources have reported activity beginning to emerge that is being attributed to known APT groups and threat actors in China and Iran as well as potentially North Korea and Turkey. Most notable of these groups are Iranian-based APT 35 (aka Charming Kitten or Phosphorus) and Chinese-based HAFNIUM, who are best known for their exploitation of Microsoft Exchange servers early in 2021.
This vulnerability in Log4j is being leveraged as an initial access vector, which is an early phase in what is known as the cyber kill chain. This stage comes after the first two stages of reconnaissance and resource development and before execution, persistence, and privilege escalation. It is projected that either brokered or natively obtained access to environments will be used by these threat actors in the short or long term, as threat actors have been known to lie quiet in a compromised environment for extended periods of time before actively deploying ransomware or mass exploitation.
Official mitigation advice has been updated to include mitigating the implications of the new CVE-2021-45046, which was discovered after the 2.15.0 patch was released. This new CVE has recently been upgraded to a CVSS score of 9.0. Currently, this CVE has only been demonstrated in MacOS environments. A third vulnerability, CVE-2021-45105 (CVSS 7.5), was also disclosed; it covers a denial of service condition caused by the possibility of infinite recursion.
Apache currently recommends updating to version 2.17.0, as this addresses all three known CVEs for Log4j. Several earlier mitigation recommendations have since been deprecated by the Apache team because they leave additional attack vectors open rather than fully remediating the vulnerability. The current recommendation for safe and comprehensive mitigation is to update to the most recent safe version (2.17.0 as of 12/20/2021) or remove the JndiLookup class from the log4j-core jar. Please review the "Older (discredited) mitigation measures" headings in the attached Apache link for additional technical details.
Overall recommendations remain to prioritize asset inventory, isolation of vulnerable assets and aggressive patching for this vulnerability to limit the attack surface. Continue working with third-party vendors to apply recommended patches for their products as well as encouraging end users to apply approved and recommended updates. Additional recommendations include limiting outbound connections to trusted destinations and monitoring for suspicious or unapproved outbound traffic, including LDAP connections, from either inside the network or the DMZ. These outbound connections to listening IPs may result in redirects to IPs that host second-stage payloads to be delivered to the target.
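The asset inventory step above is the one most teams found hardest in practice, because log4j-core is frequently bundled inside application archives rather than sitting on disk. The following is an added example, not Fortis's or Apache's code: a Python scan that finds log4j-core jars (including jars nested one level inside wars, ears or other jars), reads the version from the manifest, and reports whether the JndiLookup class is still present, using the 2.17.0 threshold and the class path named in the advisory. The sample jars it scans are constructed in a temporary directory, and the file names, manifest contents and status labels are this example's own assumptions.

```python
"""Inventory scan for log4j-core jars (added example; not vendor code)."""
import io
import os
import re
import tempfile
import zipfile

# Class the advisory says may be removed from log4j-core as a mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
SAFE_VERSION = (2, 17, 0)   # first release covering all three CVEs
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    # Manifest continuation lines begin with a single space; join them first.
    raw = raw.replace("\r\n", "\n").replace("\n ", "")
    for line in raw.split("\n"):
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess_jar(zf, path):
    """Classify one opened log4j-core jar as patched, mitigated or vulnerable."""
    version = manifest_version(zf)
    has_jndi = JNDI_LOOKUP in zf.namelist()
    vtuple = parse_version(version) if version else ()
    if vtuple and vtuple >= SAFE_VERSION:
        status = "patched"
    elif not has_jndi:
        status = "mitigated"      # JndiLookup removed, as Apache allows
    else:
        status = "vulnerable"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}


def is_log4j_core(name):
    return re.search(r"(^|/)log4j-core-[\d.]+\.jar$", name) is not None


def scan_tree(root):
    """Walk root; assess log4j-core jars on disk and nested inside other archives."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fn)
            try:
                outer = zipfile.ZipFile(full)
            except zipfile.BadZipFile:
                continue          # not a real archive; skip quietly
            with outer:
                if is_log4j_core(fn):
                    findings.append(assess_jar(outer, full))
                    continue
                for inner_name in outer.namelist():
                    if is_log4j_core(inner_name):
                        inner = zipfile.ZipFile(io.BytesIO(outer.read(inner_name)))
                        with inner:
                            findings.append(assess_jar(inner, full + "!" + inner_name))
    return findings


def make_log4j_jar(version, include_jndi=True):
    """Constructed minimal jar image: manifest plus placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: an old jar, a patched jar, and a war with JndiLookup removed."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_log4j_jar("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.17.0.jar"), "wb") as f:
        f.write(make_log4j_jar("2.17.0"))
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar",
                    make_log4j_jar("2.15.0", include_jndi=False))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(war.getvalue())


def scan_sample():
    """Build the constructed tree in a temp dir and return {version: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {f["version"]: f["status"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    for version, status in sorted(scan_sample().items()):
        print(version, status)
```

Point `scan_tree` at a real application directory to produce the inventory; anything reported as "vulnerable" is a jar that is both below 2.17.0 and still carries JndiLookup.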
Primary activity that has been observed by the Fortis team has been mass scanning activity with some attempts at data exfiltration based on specially crafted commands. Many vendors were able to quickly identify malicious IP addresses and domains and add them to threat feeds and block lists almost immediately thanks to the mobilization of the entire security community. Massive amounts of data have been collected both by the Fortis team and the security research community to assist in building actionable detections for this activity. However, the ease with which this vulnerability is tested and exploited complicates these indicators, rendering many of them low fidelity or benign. Nonetheless, the Fortis team has implemented alerting based on current intelligence and all current updated signatures released by vendors. Additionally, the team has put in place proprietary behavior-based alerts for products that we ingest for our customers, including EDR tools, firewalls, Fortis IDS sensors, and DNS-based alerting.
As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.
Highlights from AWS re:Invent 2021
Like many things in 2020, the AWS re:Invent conference was not an in-person event. Still in the middle of a pandemic, the choice was made to put all of the sessions, workshops, and keynotes online so people could attend virtually. As the number of infections declined and life began to return to some semblance of normalcy earlier this year, organizers decided that re:Invent could also return to convention centers provided a number of safety measures were in place to protect attendees. First, overall capacity was limited to only about 20,000 people total, compared to 2019 when more than 60,000 were in attendance. Second, there were vaccine and mask requirements to ensure everyone had multiple levels of protection from potential infection when gathered closely together indoors in large groups. Lastly, those uncomfortable with the health restrictions still had the option of streaming certain events and sessions from home. That said, a few members of the Sentinel team chose to make the trip to Las Vegas for the five-day event from November 29th through December 3rd. They listened to speeches, participated in interactive sessions, spent some time networking, and even held a special happy hour for Sentinel partners and customers. A great time was had by all. Here's a short summary of the experience, complete with some important news and takeaways from the 2021 AWS re:Invent conference.
The first thing AWS was proud to note at this year's re:Invent conference was their accelerating level of success. The company earned around $12 billion in revenue back in 2016, and as more organizations continue to invest in the cloud that amount has increased at a significant rate. They are currently on track to generate more than $65 billion in 2021, and anticipate reaching a trillion dollars of revenue per year at some point in the next decade. Part of this growth has to do with their constant expansion of cloud services, as they continue to design and acquire new applications capable of giving customers more features based on their specific industry or unique needs. AWS believes partnerships play an essential role in future expansion, which is why they currently have more than 100,000 partners worldwide and continue to add more on a daily basis. Sentinel is proud to be one of those partners, as the innovation and expansive catalog of AWS aligns well with the needs of our customers, enabling them to remain Always Leading.
One of the main things AWS was trying to emphasize at re:Invent in a keynote speech from VP and CTO Werner Vogels was that they are focused on building primitive cloud solutions and not frameworks. Basically the goal is to avoid appealing to every possible customer and instead allowing partners such as Sentinel to build their own solutions using AWS as a starting point. This enables organizations to work closely with Sentinel to adopt cloud services in ways that make the most sense for their business, rather than simply buying into a pre-defined package that might not fit exactly what they need. AWS cloud solutions can be paired with Sentinel services and our highly knowledgeable team of experts to create unique opportunities that keep our customers secure and enable them to accelerate their migration into the cloud. The momentum continues to grow as new services are added daily.
Speaking of new services, there were a number of exciting announcements made at re:Invent that highlighted the diversity and scalability of the AWS portfolio. While many are undoubtedly aware of 5G as a level of connectivity for their devices, AWS has started to preview Private 5G, a new managed service that enables organizations to set up and scale private 5G mobile networks inside of facilities in a matter of days instead of months. Customers can specify where they want to build a mobile network and the network capacity needed for their devices, and AWS will then deliver and maintain the small cell radio units, servers, 5G core, along with other software and modules required to set up a private 5G network and connect devices. This would essentially eliminate the need for a switching refresh and other common network components used by most businesses. There are no up-front fees or per-device costs associated with AWS Private 5G, as customers only pay for network capacity and data consumption.
The Sustainability Pillar for the AWS Well-Architected Framework marks a big and important addition to their portfolio. It's designed to help organizations learn, measure, and improve their workloads using environmental best practices for cloud computing. As part of this pillar, organizations answer questions aimed at evaluating the design, architecture, and implementation of their workloads in order to reduce energy consumption and improve efficiency. While AWS is responsible for the sustainability OF the cloud, customers are responsible for sustainability IN the cloud. Customers can reduce associated energy usage by up to 80% by implementing sustainability practices within the AWS cloud compared to a more standard on premises deployment.
Amazon Inspector is a service used by organizations of all sizes to automate security assessment and management at scale. Amazon Inspector helps organizations meet security and compliance requirements for workloads deployed to AWS, scanning for unintended network exposure, software vulnerabilities, and deviations from application security best practice. The original Inspector was released in 2015, and since then vulnerability management for organizations has changed considerably. While new features have been added over the years, there were still a number of requirements that were a bit lacking. AWS re:Invent announced a new and improved version of Amazon Inspector, capable of enabling frictionless deployment at scale, support for an expanded set of resource types needing assessment, and a critical need to detect and remediate at speed. There are continual, automated assessment scans, automated resource discovery, support for container-based workloads, improved risk scoring, along with integration into other tools such as AWS Organizations, Amazon EventBridge, and AWS Security Hub.
If your organization uses AWS Backup or was considering shifting some of your data to AWS Backup, things just got a bit easier with some big announcements at re:Invent. AWS Backup is a fully managed, policy-based service that lets you centralize and automate the backup and restore of your applications spanning across 12 different AWS services. Unfortunately, those dozen AWS services did not include Amazon Simple Storage Service (S3)...until now. Many AWS customers had requested centralized protection and provable compliance for application data stored in S3 alongside other AWS services for storage, compute, and databases. That has become available, allowing customers to centrally manage application backups, easily restore data, and improve overall backup compliance. AWS Backup support was also announced for VMware with a new capability that enables customers to centralize and automate data protection of virtual machines (VMs) running on VMware on premises and VMware Cloud on AWS. Customers can now use a single, centrally managed policy in AWS Backup to protect these VMware environments together with the 12 AWS compute, storage, and database services already supported by AWS Backup. AWS Backup can then be used to restore VMware workloads to on-premises data centers and VMware Cloud on AWS.
These are just a few of the major announcements and highlights from this year's AWS re:Invent conference. There are many more exciting things on the horizon for the AWS cloud platform, and Sentinel is excited to share them with you to show the many ways they can improve your organization. We were thrilled to see so many of our customers also come out to our happy hour event during the conference, and had some great discussions related to security, governance, multi-account management, identity, Terraform, mainframe, machine learning, and S3. Please feel free to contact us to either start or continue the discussion of how we can help enhance and protect your business through innovative technology!
Sentinel's Holiday Gift Guide 2021
Season’s greetings! As always, your friends at Sentinel would like to wish you a happy and healthy holiday season, filled with all sorts of fun and delights. Some of that may include gift giving or a gift exchange, which is also historically one of the more challenging things to figure out during this time of year. There are so many gift options out there, and so many people to buy for, each with their own individual preferences. Given that Sentinel specializes in IT solutions and services for all types of organizations, we’d like to take a moment to kick up our feet and share some interesting and worthwhile items for the technology lover in your life. The five items included as part of this year’s Holiday Gift Guide are not sold by Sentinel, nor have we been paid to promote them. They are simply a few tech-related products we believe that you or someone you know might enjoy.
Worky Home Office [$150]
Still working from home, but miss your office accessories? The folks at Worky have created a portable solution that allows you to have some of the comforts of the office no matter where you’re working from. Their portable workspace comes in a suitcase-like box that opens to reveal a whiteboard, LED light for video conferencing, stationary supply organizer, file and accessory organizer, a 4-port power strip, and a spot to place/store your laptop. It’s perfect for those who don’t have a proper desk at home, or need to get some work done on the road.
Doorbell cameras have become quite popular over the last few years, as they enable you to see who’s at your front door without ever having to actually open it. Smart locks have also gained some major attention for their ability to unlock doors using your smartphone or voice assistant. Naturally then, Lockly decided to combine these advanced tools into a single device. You can install their Vision Doorbell Camera Smart Lock onto the front door of your home or office, and take advantage of all the features it provides. When someone rings your doorbell, an alert is sent to your smartphone that enables you to activate the camera and see who is outside. You can have a conversation with the person at your door through the device as well. As for the smart lock capabilities, it has a fingerprint scanner and hack-proof keypad, both of which can be used to unlock your door or grant someone limited or one-time access. You can also lock or unlock the door yourself using a smartphone app or voice command to another smart device.
SanDisk iXpand Flash Drive Luxe [$40-75]
Getting files and media back and forth from your smartphone to a laptop or tablet can be challenging, especially if the devices aren’t compatible with one another. It’s not always as simple as using AirDrop or Bluetooth to connect and transfer things wirelessly. That’s why SanDisk created the iXpand Flash Drive. It’s a storage drive that comes in multiple capacities, and includes both a USB-C and lightning port so you can plug it into whatever devices you’re using at the moment. Say you have a PDF file stored on your work laptop. You can load it onto this iXpand flash drive via USB, then access and open the file later at home on your iPhone via the lightning port. This isn’t revolutionary technology, just an advancement that improves accessibility and portability between different types of devices.
Whether you’re trying to avoid COVID-19 or just general allergies, breathing in clean air can help keep you healthy. There are plenty of air purifiers available on the market today; unfortunately most tend to be large and quite expensive. LG’s PuriCare Mini Portable Air Purifier may not be the cheapest air purifier you can find, but it won’t break the bank and has the added benefit of being lightweight and very portable. Weighing only 1.2 pounds, it is certified to remove 99% of 0.3-micron ultra-fine dust particles from the air, which can contain viruses, disease, and harmful substances such as heavy metals. The device also connects to your smartphone via Bluetooth, enabling users to control air flow, obtain filter information, check real-time air conditions, and monitor battery life.
Many of us can’t get through the morning without a hot cup of coffee (or three), though how you get that shot of caffeine can vary depending on your personal preferences. For those with more “traditional” sensibilities, there’s nothing quite like a standard coffee maker set to brew a full pot at the start of your day. While the results are always the same (and largely dependent on the type/strength of coffee you brew), the path to that first cup has finally started to change with the times. Hamilton Beach now offers a “smart” coffee maker, capable of adding remote operations and schedule functions to your brewing process so it’s easier and more convenient to make. It connects via smartphone app or Amazon Echo device, so you can ask your smart speaker to start brewing, change the brew strength, or turn off the coffee maker. You can even program routines to schedule a brew at a specific time each day, and come up with unique command phrases to launch specific operations in an even simpler fashion. This is an ideal gift for someone who likes waking up to the smell of freshly brewed coffee, or would prefer to start the brewing process with a simple command without ever having to get out of bed.
Three Considerations With Cloud Storage
by Michael Soule, Sentinel National Director of Enterprise Architecture and Innovation
Organizations eager to modernize their approach to storage are discovering a wealth of options available through the public cloud. Sentinel Technologies regularly offers guidance to our customers as they seek to expand their public cloud investments, and often encounter three primary considerations when migrating or expanding storage capabilities.
One of your first considerations for cloud storage should involve determining which type of storage is best for your specific organization and each use case. Amazon Web Services (AWS) launched Simple Storage Service (S3) in 2006. The S3 offering brought blob storage to center stage alongside file and block storage. Each of these storage types has different use cases and provides unique benefits, so do your research before deciding which one will satisfy your needs.
The new cloud consumption models feature variable costs for transfer and storage. It is common for the transfer costs to be higher than the actual cost to store the data. This brings us to the second consideration – optimizing caching and data transfer. These variable costs can influence architectural optimization by using caching appliances like the AWS Storage Gateway, private network endpoints, or dedicated circuits such as AWS Direct Connect.
The third and final consideration is that of scale. Scale benefits organizations by offering both extremely small options and extremely large options. Although variable costs require attention to manage with accuracy, they also allow for extremely small costs that enable you to rapidly evaluate new architectures. Additionally, as data rapidly expands it can be more efficient to use cloud services for massive scale. Being able to evaluate new concepts in real time for the cost of a meal offers immense value.
These are three considerations you should have in mind when preparing to modernize your storage solutions, whether on premise or via a public cloud provider.
+ Type of Storage
+ Data Transfer & Caching
+ Scale
Sentinel Technologies offers multiple options to help customers gain value from cloud storage solutions quickly. Please contact us if you would like to learn more about cloud storage solutions and how they can benefit your organization.
Sentinel Prescribes An Upgraded Collaboration Solution For A Healthcare Customer
A healthcare organization was using older and unsupported communication and collaboration software within their environment, which left them vulnerable to security and other organizational risks. Out of an abundance of caution and a desire to expand the adoption and use of collaboration applications within the organization, they engaged with Sentinel on a project that consisted of upgrades to their Cisco Unified Communications platforms, upgrades to designated third-party applications, upgrades to their VMware host environments supporting the platforms & applications, integration with Microsoft Active Directory, and adoption of Cisco WebEx Meetings through a hybrid integration with the upgraded Cisco UC. These upgrades and enhancements took place on host systems located in an on-premises data center, Sentinel’s CloudSelect C3 environment, and through integrations with Cisco’s cloud-based services. It impacted all handsets and connected devices throughout the organization’s entire Unified Communications & Collaboration network.
The components below were deployed by the Sentinel team to upgrade the healthcare organization’s Cisco Unified Communications platform to Version 12.5:
+ Upgrade Cisco CallManager (CUCM) environment to Version 12.5(1)SUx
+ Upgrade Cisco Instant Messaging and Presence (IM&P) environment to Version 12.5(1)SUx and add High Availability to the environment
+ Upgrade Cisco Unity Connection to Version 12.5(1)SUx
+ Upgrade Cisco Emergency Responder (CER) to Version 12.5(1)SUx
+ Upgrade Cisco Unified Contact Center Express (UCCX) to Version 12.5(1)
+ Migrate Agents to Finesse and Cisco Unified Intelligence Center
+ Upgrade Cisco / Calabrio Advanced Quality Management (AQM) to Version 11.5(1)
+ Upgrade Windows Servers to 2012 R2
+ Upgrade SQL Server to Version 2014
+ Upgrade Cisco Unified Attendant Console applications
+ Upgrade Servers to Microsoft Windows Server 2016
+ Upgrade Attendant Console Application to Version 12
+ Install Cisco Expressway Core and Edge Servers, Version 12.5.7 as new virtual servers
+ Implement Cisco Mobile Remote Access (MRA)
+ Implement Uniform Resource Identifier (URI) for B2B Calling
The Sentinel team performed the following upgrades to, and installation of, supporting hardware components in the healthcare organization’s environment:
+ Upgrade Cisco IOS on ISR Voice Router Hardware
+ These devices support Local PSTN and SRST connections
+ Upgrade six (6) ISR Voice Routers to the latest version of Cisco IOS
+ Upgrade three (3) End-of-Life ISR Voice Routers to the latest version of IOS supported on these devices. These End-of-Life ISR Voice Routers were not replaced as part of this project, but Sentinel recommended they be replaced in the future.
+ Upgrade Cisco IOS on existing VG Analog Gateway Hardware
+ Upgrade sixty-one (61) VG Analog Gateways to the latest version of Cisco IOS
+ Upgrade Singlewire InformaCast Paging System to Version 12
+ Upgrade Software/Firmware on all Cisco Phones to latest version supported by the Phone Model. Any phones that do not support the latest version will be targeted for replacement in the future.
+ Installation and configuration of two (2) Cisco DX80 video desktop units
+ Firmware / Application Upgrades to third-party devices registered to Cisco CallManager (as required to support connectivity to upgraded environment)
The items below were components deployed by Sentinel to help the healthcare organization expand their Cisco Meeting, Collaboration, and Mobility applications:
+ Initial Migration of Cisco WebEx Licensing
+ Configuration and On Boarding of Cisco WebEx Control Hub
+ Migration from legacy Cisco WebEx Administration to Cisco WebEx Control Hub
+ Migration of end-user devices to new Cisco WebEx subscription
+ Implementation of Context-Based User Integration into Cisco UCC Environments
+ Implementation of Microsoft Active Directory Integration to WebEx Hybrid Directory
+ Implementation of Microsoft Azure Active Directory Integration (ADFS) to WebEx Hybrid Directory
+ Implementation and configuration of Single Sign-On for WebEx Services
+ Implementation of Cisco CallManager LDAP Integration
+ Implementation of Cisco Unity Connection LDAP Integration
+ Implementation and deployment of Cisco Jabber Desktop and Mobile Application
+ Implementation and configuration of Cisco WebEx Applications
+ Implementation and configuration of Cisco WebEx Meetings
+ Implementation and configuration of Cisco WebEx Teams
+ Implementation and configuration of Hybrid Calling Service
+ Implementation and configuration of Hybrid Calendar Service
+ Implementation and configuration of Hybrid Directory Service
The project scope included a combination of user training and knowledge transfer between Sentinel and members of the healthcare organization at various times throughout the project, which were detailed as follows:
+ Contact Center Training
+ Sentinel conducts “Train-the-Trainer” services related to Contact Center components - Cisco Finesse and Calabrio
+ Cisco Jabber Training & Knowledge Transfer
+ Sentinel conducts training for the five (5) user pilot group for use on Cisco Jabber
+ Sentinel provides a documented procedure (knowledge transfer) for deployment of Cisco Jabber
+ Cisco WebEx Services Communications Plan
+ Sentinel supports customer’s development of end-user training materials and the communications plan detailing the use and enabling the adoption of Cisco WebEx Services
Once this project with Sentinel had been completed and deployed, the healthcare customer was able to:
+ Eliminate organizational risk associated with supporting older versions of software
+ Eliminate security risks associated with supporting the older versions of software
+ Expand the adoption and use of collaboration and mobility applications
A Financial Services Company Invests In A Security Upgrade With Sentinel
A financial institution was using obsolete perimeter network firewalls in a pair of their data centers, which were in desperate need of an upgrade. In addition to the firewall refresh, the customer wanted to add other security capabilities to their data center locations, including advanced intrusion prevention (IPS), SSL decryption for inspection of traffic, DoS (denial of service) prevention, and web application firewalling.
The financial institution also had other network security products in production that were either end of life/end of support or in need of support renewals and/or upgrades. They decided to consolidate some of these products and capabilities to help improve the overall security and management of the organization.
Sentinel engineers were engaged to refresh the firewalls at both the production and DR data centers. This included both externally facing firewalls as well as virtual internal firewall systems.
Sentinel’s Advisory team worked with the customer’s security and IT teams to create a detailed blueprint design document and testing plan for the deployment. The initial blueprint was based on the financial institution’s existing firewall services. This engagement also added a number of new services not previously deployed that required complete planning and design.
+ Analyze the current environment to make sure it is ready for infrastructure implementation.
+ Engage with the customer’s team to collaborate on technical and policy requirements for the new security systems deployment, including:
+ Firewall policy requirements (Advisory)
+ Firewall services – based on existing
+ Intrusion Prevention Services (IPS) – new added capability
+ External IPS
+ Internal 3rd party virtual IPS
+ Denial of Service (DoS) prevention
+ URL filtering – using the existing filtering services, policy, and reporting as a baseline
+ Anti-malware prevention services (AMP) – new service
+ Web application firewall services (WAFS) – new service
+ Note that Sentinel required involvement of the application team to work with Sentinel and Radware for this component
+ Redundancy and DR of Firepower VMs and FMC
+ VMware redundancy and failover
+ Backup copy process/script or other means to protect the virtual FMC at the DR site
+ Develop specific requirements, design, and then use a case-specific blueprint document based upon customer discussion.
Sentinel provided Advisory services consulting for the deployment. This included time to work with the customer’s security team on creating the optimal setup for existing and new services that closely adhered to the security policies and standards of the organization. Sentinel documented these standards for the project engineering team to set up during the deployment of these services. When applicable, existing systems were reviewed for configuration and formed a baseline for how the new services would be configured. Since many new services were included as part of this deployment, including web application firewalls, IPS, and anti-malware, Sentinel’s Advisory team collaborated with the customer’s security team to clearly define the policy and business outcome expectations for these enhanced security solutions.
Advisory services also performed a small assessment on the new perimeter and third party internal firewalls. This included testing the policy to check if enforcement functioned as expected, along with a brief summary report of the findings. Sentinel provided time for the final testing and report.
Firepower Threat Defense
Sentinel deployed Firepower Threat Defense (FTD) based on the Advisory policy recommendations and the design blueprint. The system planned for high compliance services and policy setup in support of these requirements where applicable. The following was deployed:
+ Firepower Management Center VMware
+ On customer’s VMware
+ Log integrated to either HP Arcsight or to Sentinel SECaaS Managed SIEM if contracted
+ Ready to manage Firepower physical and virtual instances
+ Firepower Appliances
+ Production pair of FTD high-availability
+ DR single FTD with a policy similar or identical to production
+ Policy on perimeter firewalls in conjunction with Advisory recommended policies and in support of compliance services
+ (2) virtual appliances to protect each third party provider connected to the network
+ The above was planned on how to segment via VLAN and through the single FTDs using sub-interfaces
+ Sentinel assumed the same or very similar policies were applied to each of the third party providers
+ AMP anti-malware
+ Assure this is in place and operational
+ Setup AMP inspection policies per planning
+ Confirm AMP operations
+ URL Services
+ Based upon current URL and reporting
+ Setup for production and DR
+ SSL decryption policy
+ Deployment with hardware acceleration (newer version capability on FTD)
+ Setup of SSL policies for traffic inspection
+ Testing of SSL
+ Measurement of amount of SSL traffic and load on firewalls
+ VPN services
+ Setup of VPN services for remote access
+ Assumes multi-factor integration of Cisco Duo or other provided/compatible multi-factor solution
+ The deployment of a multi-factor authentication system was NOT part of this engagement and required additional deployment.
+ Automated copy or replication services to DR
+ VMware redundancy of FTDs and FMCs within the data center(s)
The customer significantly hardened their security posture by upgrading their firewalls, deploying new services within their environment, optimizing policies and settings, as well as taking advantage of the advanced features and management provided by Cisco’s Firepower solution.
Large School District Chalks Up A Major Security Upgrade With Sentinel
One of the largest high school districts in the country worked with Sentinel to implement basic Network Admission Control services using Cisco Identity Services Engine (ISE) and a next-generation firewall (NGFW). These basic services included network device authentication (AAA), 802.1x/RADIUS authentication for Cisco wireless networks, a guest wireless portal and sponsor portal for the personal devices of students and staff, Cisco Umbrella with DNS-layer security, and remote access authentication using the Cisco AnyConnect Secure Mobility VPN Client.
The district had a myriad of different devices and users accessing their networks via switches, wireless access points, and VPNs. They were looking to implement a 1-to-1 device solution and provide secure access for all 30,000 students and staff within the district network. They wanted to use Cisco ISE features to consolidate access policies across the district, while increasing security for both on-premises and remote students and staff.
Cisco ISE enables organizations to set policies for controlling access to corporate network infrastructure through the use of contextual information such as device type, endpoint configuration (posture), location, media access control address, user role or user identity, and more. This contextual information is then used to establish post-connect controls on endpoints such as laptops, workstations, mobile phones, tablets, printers, cameras, and Internet of Things (IoT) devices.
Key features of Cisco ISE include (but are not limited to) the following:
+ Centralized Management – administrators can centrally configure and manage user profiles, posture, guests, authentication, and authorization services in a single web-based GUI console.
+ Contextual Identity and Business Policy – a rule-based, attribute-driven policy model for flexible and business-relevant access control policies. Includes attributes such as user and endpoint identity, posture validation, authentication protocols, device identity, and other external information.
+ Access Control – a range of access control options, including downloadable Access Control Lists (dACLs), virtual LAN (VLAN) assignments, URL redirections, named ACLs, and security group ACLs.
+ AAA Services – standard RADIUS protocols for Authentication, Authorization, and Accounting. Supports a wide range of authentication protocols, including but not limited to PAP, MS-CHAP, Extensible Authentication Protocol (EAP)-MD5, Protected EAP (PEAP), EAP-Flexible Authentication via Secure Tunneling (EAP-FAST), EAP-Transport Layer Security (EAP-TLS), and EAP-Tunneled Transport Layer Security (EAP-TTLS).
+ Internal Certificate Authority – a built-in certificate authority that provides a single console to manage endpoints and their certificates.
+ Device Discovery and Profiling – determines device type, device manufacturer, and operating system information by inspecting packets that these devices send on the network.
+ Endpoint Posture Service – endpoint compliance security posture checks to determine OS version and patch level, anti-virus/endpoint protection version, and OS updates.
+ Guest Lifecycle Management – a streamlined experience for implementing and customizing guest network access. Support is built in for hotspot, sponsored, self-service, and other guest access options.
+ Security Product Integration – bi-directional integration with other security products.
Strategy / Approach
The rapid increase in the number of bring-your-own devices, guest access requirements, vendor access requirements, and IoT devices has significantly expanded the overall attack surface. This has fueled the demand for NAC products in medium-to-large organizations, which use them to help mitigate the increased risk. The effectiveness of NAC products has also grown through integration with next-generation firewalls, threat detection software, endpoint protection software, SIEM, and mobile device management software.
The design and rollout of NAC products such as Cisco ISE can be a daunting task considering that the implementation of NAC technology touches virtually every element of a network, including switching, firewalls, endpoint protection, PKI, and user directory. Moreover, larger enterprise networks have significantly more devices and networks to secure. Because of these challenges, Sentinel worked with the client and their network security staff to design and implement these new ISE features in a multi-phased approach. This multi-phased approach allowed the school district and Sentinel to work through any Cisco ISE implementation-related issues and tuning before moving on to the next phase.
At a high level, Sentinel broke this engagement up into three separate phases, as follows:
Phase I: Cisco ISE Software Install – During this phase, the district’s ISE nodes were installed by Sentinel.
The distributed deployment consisted of (9) Cisco Identity Services Engine nodes running as virtual machines in the district’s existing Hyper-V virtualization environment. The Cisco ISE nodes and personas included the following:
+ (9) ISE Policy Service Nodes
+ (2) Primary ISE Administration Nodes
+ (2) Primary ISE Monitoring Nodes
Phase II: Discovery and Wireless True-up – During this phase, an overall access and security policy was developed jointly with the school district and Sentinel. Adjustments to consolidate the wireless access policies were made in accordance with the overall agreed-upon access policy and design.
Phase III: VPN Authorization and Client Posturing – During this phase, VPN authorization was added to leverage the existing Cisco ISE implementation. The policy was extended with device posturing to verify that endpoints had appropriate characteristics, such as antivirus/anti-malware status and OS version.
As a result of this project, the district increased security for all on-premises and remote users across their network by implementing consolidated, enterprise-wide access policies.
A Town Migrates Their Phone System to Cisco Voice
As a suburban town was preparing to enter a new era of growth and innovation, they sought to upgrade their phone system to support their current and future needs. They wanted the ability to separate resources in a virtual environment, and to deploy third party applications for a variety of purposes. The increase in employees working remotely also led to a desire for single number reach so everyone would be easier to contact without being forced to call multiple numbers.
The town had an aging digital and IP Avaya phone system served by two PRIs (Primary Rate Interfaces) that terminated in their main data center. Some of the phones had reached end of support and it was costly to replace them with IP phones, while other phones on the system required extensive infrastructure maintenance and support with software and security patches. In order to avoid further expenses to maintain an outdated system, the town decided to migrate their phones and three contact centers from the Avaya infrastructure to a new Cisco Unified Communications platform.
There were a number of features the town wanted to include with the migration to the new platform. Their existing PRIs needed to be shifted to a Session Initiation Protocol (SIP) system, with routers placed in the primary and secondary data centers to provide carrier redundancy. Additionally, the town sought to expand their remote work capabilities so employees could operate from just about any location, and use cell phones or other devices with applications to easily stay in communication with one another. They were also eager to deploy single number reach in their environment, which would simplify calling between employees by letting them dial one number and have it ring on all their devices. Lastly, the town aimed to reduce the number of applications in use by adopting one to manage both voice messages and emails.
Sentinel’s solution was a full Cisco VoIP deployment using industry standards to include the following Cisco software solutions:
+ Communication Manager – 1 Publisher, 2 Subscribers and 2 TFTP Servers
+ Unity Connection – 2 HA Servers
+ IM and Presence – 2 HA Servers
+ Unified Contact Center Express – 2 HA Servers
+ Cisco Expressway Servers – 2 Expressway-C servers and 2 Expressway-E servers
+ Emergency Responder – 2 HA Servers
Cisco Unified Communications combines the flexibility and convenience of mobile communications with the secure and managed benefits of Cisco IP communication. The proposed solution included:
+ Single number reach. This solution gives users the ability to direct incoming calls to ring on multiple devices as well as the Jabber phone or desk phone, thus providing a single number for callers to reach the user. This extends the call control of Cisco Communications Manager from a mobile worker’s primary workspace phones to any location or device.
+ Single Inbox. This solution gives the users the ability to have a single pane to see all digital communication, including email and voicemail messages. This also enables the mobile worker to check voicemail from a mobile device connected to the customer network without requiring additional applications on the phone.
+ Cisco Instant Messaging and Presence (Cisco Jabber). This solution is a desktop, laptop, and cell phone application that transparently integrates a wide variety of communications channels and services such as voice, instant messaging, voicemail, presence, web conferencing, and video from a single multimedia interface on your device in order to simplify communication and collaboration.
+ Dual-Mode Phones. These devices function as enterprise IP phones on campus or remotely connected through the Cisco Expressway. They typically provide a wide variety of smartphone capabilities, including group calling, call transfer, paging, and other personal digital assistant features.
+ Cisco Expressway. This solution allows remote workers to connect Cisco IP phones as well as Cisco Voice applications without using VPN. This enables employees to work in any location with WAN access. Expressway functions as a secure gateway, allowing access to the voice systems from anywhere without special software on the user’s devices.
+ Cisco Emergency Responder. This solution allows phones to be identified with location accuracy based on their IP address. This assists 911 dispatchers, first responders, and local personnel as they attempt to quickly respond to emergency events. In addition, it allows for record keeping of calls and gives authorized personnel the ability to add notes for a specific incident as needed (Note: this ability to update records is not a replacement for proper record keeping).
+ Cisco Unified Contact Center Express. This solution helps organizations deliver a connected digital experience, enabling contextual, continuous, and capability-rich journeys across time and channels. This easy-to-deploy and easy-to-use solution supports up to 400 agents. Secure and highly available, it supports powerful agent-based services and fully integrated self-service applications, including Automatic Call Distributor (ACD), Interactive Voice Response (IVR), Computer Telephony Integration (CTI), digital channels including email and chat, as well as customer experience management tools.
+ Cisco Finesse Desktop. This solution is a next-generation agent and supervisor desktop embedded within Cisco Contact Center Express. It includes an intuitive, easy-to-use design to help improve the performance of customer care representatives and enhance customer service.
The Sentinel team was able to implement the solution, allowing the town to utilize remote workers more efficiently as well as provide a streamlined support structure for their phone system and unified communications platform.
About Sentinel Collaboration Solutions
Sentinel’s Collaboration offerings are designed to handle today’s complex business and IT landscape, closely engaging with your organization to develop and implement a comprehensive voice strategy suited to your company’s unique needs. Our collaboration portfolio includes:
+ Unified Communications
+ Unified Contact Center
+ Mobility Solutions
+ Conferencing Solutions
+ Video Collaboration
+ Managed Services 24x7x365 Monitoring
+ Application Security
+ Identity Access & Endpoint Security
+ Network & Perimeter Security
+ Physical Security
Sentinel Gives A School District Extra Credit for Upgrading and Expanding Their Cisco UC Solution
A medium-sized school district had largely ignored their existing phone system and collaboration platform, not making any changes or upgrades for several years. As a result, those pieces of their environment became outdated and reached end of support. It was also discovered that two schools were operating on an antiquated Toshiba phone system. The district decided it was time to invest in a next generation solution that made communication and staff collaboration much more robust and could quickly alert staff and authorities during emergency situations.
In addition to an upgrade of the district’s phone system, Sentinel also deployed Cisco Unified Communications technologies including Presence and Expressway to further enhance their collaboration capabilities. The new phone system also enabled each school to connect with its overhead paging system as well as trigger emergency alerts with the push of a button. These features had not been available at any school in the district prior to the upgrade.
The software and hardware of the district’s Cisco phone system had reached end of support, which meant new licenses and handsets could not be purchased and they were unable to expand the system to include additional schools. If a hardware issue were to occur involving the servers, it would be particularly difficult to obtain the parts necessary to restore service.
Furthermore, many schools in the district expressed frustration at the inability to access overhead paging systems from their phones. Each school only had a single paging station used by the front office.
The district also had no real E911 solution. Emergency dispatchers only received the main phone number and street address for the school that placed the 911 call, meaning there was no way to send responders to a specific location inside these large buildings or place a call back to the exact user that made the 911 call.
Lastly, the district needed a way to quickly and easily send broadcast alerts to school faculty and administration in the event of an emergency.
Sentinel deployed a comprehensive Cisco Unified Communications system on a pair of medium density Business Edition 6000 servers. The solution included the following applications:
+ IM and Presence
+ Expressway Core and Edge
+ Singlewire InformaCast Fusion
Some of the features and technologies in the proposed solution included:
+ Cisco 7800 Series IP phones were deployed to the two schools still utilizing the ancient Toshiba phone system. This allowed all schools within the district to place calls using internal extensions. IP phones already in place at schools and integrated with the previous Cisco system were leveraged and left in place to cut costs.
+ Unity Connection was integrated with their on-premises Microsoft Exchange server to enable Unified Messaging functionality. This allowed users to listen to, respond to, and delete voicemails from their PC or mobile device through their email client.
+ Cisco Instant Messaging and Presence servers were installed to provide instant messaging and presence status functionality to school staff via the Jabber client. The Jabber for Windows client was deployed to staff desktops. Users were also able to install Jabber for iPhone or Android on their mobile devices.
+ Cisco Expressway Edge and Core servers were added to provide phone registration, instant messaging, and presence functionality to Jabber and other Cisco endpoints over the internet without the need for a VPN connection. This allowed employees to collaborate from home or on the road just as if they were at their desk.
+ Cisco Emergency Responder was deployed for E911 services. It created zones within each building to provide more specific locations to the 911 dispatch center. Alerts also notified on-site security personnel whenever emergency calls were placed. A tracking feature was implemented so phones would be automatically placed in the most accurate zone when moved to a different location. This brought the schools into compliance with Kari’s Law and RAY BAUM’S Act.
+ Singlewire InformaCast Fusion is a hybrid cloud-based mass notification system. It creates alerts for emergency situations such as active shooter, building evacuation, and severe weather. Alerts can be triggered via panic buttons on all IP phones, a web page, or a mobile app. Mass notifications were sent as audio broadcasts to Cisco IP phones, SMS text messages to mobile devices, and emails on the network. A virtual Fusion appliance was installed to integrate with Unified Communications Manager, and InformaCast hardware appliances were deployed to each school for remote survivability.
+ Cisco ATAs were installed to integrate each school’s overhead paging system with the Unified Communications system. This allowed users to access the paging system from any Cisco IP phone. This also enabled the InformaCast system to broadcast alerts through the overhead paging systems.
+ Barionet 50 door controllers were installed and integrated with InformaCast. These controllers were connected to door sensors at each school, allowing district security staff to receive alerts whenever doors were opened and closed after hours.
The Sentinel team was able to deliver the exact solution the customer was looking for. Products such as Instant Messaging & Presence, along with Expressway, enhanced employee collaboration whether they were at school or at home.
Emergency Responder and InformaCast Fusion improved the district’s ability to alert staff and authorities to emergency situations, greatly increasing the safety of students, faculty, and staff.
The Benefits of AWS Route 53
Sentinel Technologies focuses on providing valuable solutions to our customers that optimize their technology environments. Recently Sentinel has helped several customers with the consolidation and simplification of their public domain name system (DNS) resolver functionality utilizing Amazon Web Services (AWS) Route 53. Organizations often have multiple domain names to facilitate access to their services. Each domain name must be registered and includes records that need to be maintained. For example, Sentinel has registered the sentinel.com domain and there are a number of additional records associated with it. Route 53 handles user requests to an organization’s infrastructure elements running both inside and outside of the AWS cloud.
MJ Holding Company is the largest North American distributor of trading cards. They maintain multiple public domain zones for internal and client services. Sentinel worked with MJ Holding to facilitate the consolidation and migration of multiple resolver and registrar services to AWS Route 53. It created a simplified experience for the ongoing management of their public DNS functions, and enabled them to take advantage of numerous integrations with other AWS products.
AWS Route 53 is a foundational component for all other AWS products. It is such an essential AWS product that Amazon makes every effort to ensure it remains 100% available as part of the service level agreement (SLA). Route 53 is also a fantastic way to integrate with other AWS products for additional benefits. Static web pages can be hosted in Simple Storage Service (S3) and secured with included Transport Layer Security (TLS) certificates through the CloudFront Content Delivery Network (CDN). Dynamic web services like WordPress can be hosted in Lightsail, the AWS Virtual Private Server (VPS) product.
The AWS product catalog is so large it can initially be quite daunting to work through and identify applicable products with valuable benefits, but the rewards for doing so are worth the effort. As an AWS Consulting Services Partner, Sentinel focuses on building innovative and beneficial solutions for customers that leverage these products. Route 53 is an excellent product with a low barrier of entry that can help all types of organizations achieve more and improve the operation of their IT environment.
If you are interested in learning more about AWS Route 53 or other AWS products, please contact us or reach out to your Sentinel Account Manager.