Accend Networks San Francisco Bay Area Full Service IT Consulting Company

Category: Blogs

Categories
Blogs

PKI – Public Key infrastructure

Public Key infrastructure

1. How you can make it healthier and safe

2. How to make it efficient

3. If we do PKI then what best practice should we move on with

What is PKI (public key infrastructure)?

PKI (public key infrastructure) is the underlying framework that enables entities -- users and servers -- to securely exchange information using digital certificates. The entities that facilitate and use PKI typically involve general internet users, web clients or browsers, and company servers -- though this can extend to other virtual machines (VMs) as well.

The word infrastructure describes PKIs since it does not refer to one single physical entity. Instead, it refers to the components used to encrypt data and authenticate digital certificates. These components include the hardware, software, policies, procedures, and entities needed to safely distribute, verify and revoke certificates.

Public key infrastructure (PKI) is the well-established protocol for organizations that need to secure distributed points of communication, such as browsers and IoT and mobile devices. For device manufacturers and application developers, revenue security depends on creating a highly secure ecosystem that ensures regulatory compliance and consumer trust.

The security needs of networks and the infrastructure protecting them change over time in response to new threats and advances in technology. With tens of billions of IoT devices already in operation, the potential attack vectors for hackers to steal data or infiltrate systems are great and growing exponentially. PKI is a vital element of IoT network security, provisioning unique device identities, bolstering authentication protocols, and enabling trusted communication channels between servers and devices. However, not all implementations follow PKI security best practices, resulting in flawed and vulnerable systems.

in technical terms, PKI is a two-key asymmetric cryptosystem that supports various information technology (IT) systems in their pursuit of high-level information confidentiality, encryption and confidence. The two keys, in this case, are also the two main pieces that facilitate this secure data management: a public key and a private key.

To put PKI in the best practice possible as well efficiently I would like to use the 7-Step Method in order.

(PKI) 7-Step Method
Step – 1 (Initial PKI design)
To ensure a secure and smooth PKI setup, start by following some simple best practices. Plan Our implementation carefully from the beginning because making changes later can be difficult and costly. Understand your PKI needs well, both now and for the future. By doing this, we will avoid potential security risks and save time and resources, making your PKI experience much easier.
Step - 2 (Address the entire key and certificate

Define key and certificate security policies and protocols that address every stage of their lifecycle. Establishing a PKI may seem straightforward from the outset, but when one considers the millions of certificates that will possibly be issued, their expirations, and the security issues that would require revocation, it can quickly become very complicated. This becomes a potential security flaw, as the more complex a PKI is, the more difficult it is to track identities and revoke certificates that could be used to breach a system.

An important PKI design best practice is to plan for the entire lifecycle of certificates. By fully mapping the policies regarding the issuing, updating, monitoring, expiry, revocation, and decommissioning of certificates, all future managers of the PKI will have a clear outline of what should happen with certificates at all stages of their existence.

Step - 3 (Employ strict protections for private keys)

The cryptographic keys that are used in the PKI are the most vulnerable point of a PKI deployment and must always be protected. Hackers can use a variety of techniques to analyze and detect keys while they are in use or transit. Once in control of these keys, they can decrypt private data or pose as authenticated users to access systems. Within this context another PKI security best practice is to always use hardware security modules (HSMs), where possible, to store keys and perform cryptographic operations.

If you need to provision older devices without a secure update mechanism, which are already in the field, make sure to use white-box cryptography so that keys are not exposed in the clear during the provisioning process.
Step - 4 (Conduct regular certificate authority audits)
Throughout a PKI deployment, regular checks should be performed to ensure that the Certificate Policy and Certificate Practice Statements (CP/CPS) are being implemented and adhered to. Even for internal deployments, it is still a PKI design best practice to create audit trails that can be easily accessed and monitored. This ensures compliance with security policies and with the desired assurance level of the organization.
Step - 5 (Protect the roots)
The root CA is the master key that underpins the entire PKI. If it is compromised, every certificate issued is invalid and would have to be revoked and reissued. PKI deployment best practices dictate that the root CA remains strictly protected and is never published online. The initiation of a PKI should begin with a root signing ceremony, where the policies surrounding the root are established. These policies should cover the root’s chain of custody, where the root is stored, and how it’s scripted.
Unfortunately, attacks on PKIs are not just an external issue. The private keys and other data surrounding your PKI can be extremely valuable. For that and other reasons, threats can also come from employees. There are a number of PKI deployment best practices that can be implemented to mitigate internal threats. These include using secured rooms for key and root programming that require two or more security IDs to access, and using a distributed security model that ensures there is no single point of responsibility that can be compromised.

Issuing certificates and provisioning keys and identities as PKI security best practices are still only one step in running a secure PKI. The ongoing integrity must be maintained. This includes a process for revoking keys and certificates that can no longer be trusted. Certificate authorities should maintain a certificate revocation list, which contains all suspended security certificates. Communications with a device or application using a revoked certificate should be blocked. For example, an IoT device using a certificate that is no longer authorized will not be able to gain access to a server.

Creating a highly secure and trusted ecosystem for your organization’s devices or applications depends on a successful and ongoing PKI deployment that follows PKI implementation best practices. While it’s possible to develop and manage a PKI internally, it requires resources and expertise outside of many organizations’ capabilities and may not scale smoothly as production grows.

Step - 7 (Revoke compromised keys and certificates)
Intertrust PKI is a managed PKI for IoT service that is trusted across the world and already secures the identities of billions of devices. Our scalable and flexible identity provisioning and PKI management is built on PKI design best practices and utilizes industry-leading security technologies, including white-box cryptography, to ensure that your networks and organizations are secured against risks arising from distributed communication points.
Categories
Blogs

Configuring IP on Cisco Secure Firepower Threat Defense (FTD) & Adding a Secure Firepower Management Center (FMC)

Cisco Secure FTD and FMC
Cisco Secure FTD and FMC
Cisco Secure FTD and FMC

Configuring IP Cisco Secure Firepower Threat Defense (FTD) & Adding a Secure Firepower Management Center (FMC)

Cisco Secure Firepower Threat Defense (FTD) is a comprehensive security solution that combines firewall, intrusion prevention, and advanced threat protection capabilities. To effectively deploy and manage a Cisco FTD device, configuring the IP address is a critical step. This article provides a step-by-step guide on how to configure IP addresses in a Cisco Secure FTD device and its management interface, the Cisco Secure Firepower Management Center (FMC).

Step 1: Configuring IP on a Cisco FTD Device:

  • Power on the FTD Device:
  • Connect the power cable to the FTD device.
  • Plug the power cable into a power outlet.
  • Turn on the power switch on the FTD device.
  • Connect to the FTD Device:

Step 2: Connect a console cable to the FTD device and your computer:

  • Launch a terminal emulator program (e.g., PuTTY, SecureCRT).
  • Configure the terminal emulator settings to match the appropriate serial port and communication parameters (e.g., baud rate, data bits, parity, stop bits).
  • Access the FTD Device CLI:

Step 3: Open the terminal emulator program and select the appropriate serial port to which the console cable is connected.

  • Set the communication parameters as configured in the previous step.
  • Press Enter to display the FTD device login prompt.
  • Log in to the FTD Device:
  • At the login prompt, enter the default username "admin" and the default password "Admin123" (for newer versions) or "Admin123" (for older versions).

If prompted to change the default password, follow the instructions to set a new password.

Step 4: If prompted to change the default password, follow the instructions to set a new password.

configure network ipv4 manual Replace `` with the desired IP address for the management interface and `` with the appropriate subnet mask.

Step 4: Verify the configuration: Use the "show network" command to verify the IP address configuration for the management interface.

2. Configuring add manager on a FTD Device:

Step 1: Configure the FMC Manager:

Use the following command to add the FMC manager to the FTD device:

configure manager add <FMC_IP> <REGISTRATION_KEY>

Replace `<FMC_IP>` with the IP address of the FMC and `<REGISTRATION_KEY>` with the registration key provided by the FMC.

Step 2: Verify the FMC Manager Configuration:

To ensure that the FMC manager has been added successfully, enter the following command:

show managers

This command will display the FMC manager’s IP address and its status.

To add a Cisco Secure Firepower Threat Defense (FTD) device to a Secure Firepower Management Center (FMC) for centralized management and monitoring, follow these steps:

Step 1:Access the Firepower Management Center (FMC):

  • Open a web browser on a computer connected to the same network as the FMC.
  • Enter the IP address or hostname of the FMC in the browser's address bar.
  • Log in to the FMC using valid administrator credentials.

Step 2: Navigate to the Device Management Section:

After logging in to the FMC, navigate to the “Devices” section. This section is typically located in the top navigation menu.

Step 3: Add a New Device:

In the “Devices” section, click on the “Device Management” tab.Click on the “Add Device” button to initiate the process of adding a new device to the FMC.

Step 4: Enter Device Details:

  • In the "Add Device" form, enter the necessary information for the FTD device:
  • Device Name: Provide a descriptive name for the device.
  • Device Hostname or IP Address: Enter the hostname or IP address of the FTD device.
  • Device Type: Select "Firepower Threat Defense" as the device type.
  • Registration Key: Enter the registration key for the FTD device. This key is obtained from the FTD device CLI.
  • Access Policy: Select an appropriate access policy to apply to the device. If no access policies are available, create one beforehand.

Step 5: Verify Device Connection:

Click on the “Test Connectivity” button to verify the connection between the FMC and the FTD device. Ensure that the connectivity test is successful.

Step 6: Save and Apply Changes:

After verifying the device connection, click on the “Save” button to save the device configuration in the FMC.

The FMC will initiate the process of adding the FTD device to its managed devices list

Step 7: Monitor Device Registration:

Once the FMC has added the FTD device, it will start the registration process.

Monitor the “Devices” section or any notifications on the FMC for the registration status of the FTD device. The FMC will retrieve the device configurations and apply the assigned access policy to the FTD device.

Once the FTD device is successfully added to the FMC, it can be centrally managed and monitored through the FMC’s web interface. The FMC provides extensive security policy management, threat monitoring, and reporting capabilities, enabling administrators to effectively manage their network security using the FTD devices.

The FMC would take a few minutes before completing the FTD registration. You can check the status by going to the Notifications > Tasks menu on the top right side:

Configuring IP addresses in Cisco FTD devices and their management interface, the Firepower Management Center, is essential for proper network connectivity and effective device management. By following the step-by-step instructions outlined in this guide, network administrators can successfully configure IP addresses in Cisco FTD devices and configure manager as well, enabling them to monitor and secure their networks efficiently.
Categories
Blogs

Migrating from Cisco AireOS 3504 WLC to Cisco Catalyst 9800 Controller

Migrating from Cisco AireOS 3504 WLC to Cisco Catalyst 9800 LAN Controller

We will cover how to migrate from the Cisco AireOS 3504 WLC controller to the new Cisco Catalyst 9800 LAN controller.

  • First, you will get the output of “show run-config startup-commands” from the CLI output.
  • After that, you can upload the configuration to theCisco WLC Config Converter(you will need a Cisco CCO account). See example below:

Then select AireOS → Catalyst 9800 from the drop-down menu. (Note: you can use this tool to convert AireOS to Converged Access, AireOS →AireOS (5520/8540) – when you’re upgrading from lower models to higher models, and vice versa).

Once it is done, it will provide you with an output with the following sections:

  • Translated Config (this section shows you all the lines the tool was able to migrate and it also shows the old configuration lines commented out, pretty nice because you can compare the current configuration with the previous ones).
  • Lines start with prefix “!$” need to be taken care of before applying to C9800
  • Lines start with prefix “!%” have note and examples, about features and steps to follow.
  • Unsupported Config (this part shows all lines showing unsupported configuration – either because the commands or protocols have been deprecated, or the newer Cisco Catalyst WLAN controller doesn’t support those configurations.  You will have to go through these lines manually to see if they are needed or not in the new controller.  In most cases, you might be able to ignore it and manually configure them in the new GUI if they are still needed.)
  • Not Applicable Config (similar to the previous section, the tool will provide configuration lines that the new C9800 controller doesn’t support. You will need to go through and see if those lines are still needed or not. if so and there aren’t too many lines, you should manually create them in the GUI).
  • Unmap Config – these are configuration lines that were not migrated. It could be due to some extra configuration lines or lines only known to the existing WLC3504 controller.

The tool does allow you to download the migrated configuration in CSV or Translated_Config.cfg format.  You can import that to your favorite editor so that you can use it to modify and/or make notes as needed while you are working on your migration project. 

I recommend importing the Translated_Cconfig.cfg into Microsoft Excel so that you can make notes, highlight it, or use other editing options while working on it. You will need to reference this file until you’re done migrating everything over to the C9800 controller.

To transfer configuration lines to the C9800 controller, you will ssh to the C9800 controller and start copy lines with without any notes in front of it (i.e., !% or !). You should start several lines or a section at a time and see if there are any errors while pasting it. If so, fix them before moving to the next set of configuration lines.

Once you’re done pasting everything, you can open the GUI of the C9800 and you should see the migrated configuration there.

For the Unsupported Config, Not Applicable, or Unmap Config, go through all of them and see what is needed or not.  Add them if they are needed or just leave them.

Conclusion

As you can see, the Cisco WLC Config Converter tool provides an easy way to upgrade your existing legacy or end-of-life WLAN controller to the new model.  It assists in migrating the bulk of the critical configuration items but there are still some manual configurations that need to happen. These are things like:

  • Configure AAA Radius and TACACS authentication and authorization methods
  • Adding the new C9800’s IP to your Radius and TACACS+ servers
  • Joining the existing Access Points to the new C9800 controller with no downtime

Those are beyond the scope of this article.

Feel free to reach out to us if you need help migrating from your existing Cisco AireOS WLC controllers to the Cisco Catalyst WLC controllers or anything related to the Cisco WLAN controllers, reach out to use at sales@accendnetworks.com and we would love to be able to assist you.

Categories
Blogs

Q&A With Accend Networks

Q&A With Accend Networks

Safety Detectives: Please share your company background, how you got started, and your mission.

Accend Networks: Accend is a 10-year-old company and was started by Paula Wong, its CEO and Founder, with over 25+ years of IT experience.

Paula started it out of some repeated bad experience in a corporate environment after putting in countless hours. First was getting laid off after putting in and working over 16-18 hours for a start-up and even invested her own money into that company (it was during the dot com boom) in hopes that it would return a great profit.

Unfortunately, the company went belly-up. The second was working for a Webex where Paula was terminated due to subordination right before her stock option was going to get vested. She also worked crazy hours at this company.

After two bad luck experiences, Paula felt the corporate environment wasn’t for sure and thought starting a company would be the next best venture.

Accend’s own is to be the go-to IT Solutions provider nationwide.

Apart from our typical network implementation and support projects, we often get requests to help clients install their commercial off-the-shelf (COTS) projects such as SolarWinds and Cisco Unified Communications Manager. Part of our process is to assess the current environment and understand the software purchased so that our consultants can take over seamlessly. The consultants who get assigned to assist clients typically have over 5+ years, sometimes up to 20+ years, in supporting products so that best practice recommendations can be made to guide the clients as needed. We either work with the customer or do the installation ourselves, depending on the client’s preference. Another COTS product is implementing VMware Horizon and Workspace ONE. This is just an example of our approach to getting things done.

In terms of area coverage, we provide advanced network services in California (both northern and southern), and nationwide with several clients on the east coast. The work can be on-site or remote; but luckily, with the availability of remote tools, we can easily support customers with just a phone call.

These are highlights of what we provide, but it is not limited to these examples. We offer dynamic network services since we’re flexible and understand client needs.

SD: What is the main service your company offers?

AN: Accend specializes in cybersecurity but we also provide network design, implementation, and support for data, voice, wireless, and video networks.

SD: What is something unique that helps you stay ahead of your competition?

AN: Accend is very efficient in delivering our services to our customers. We are also able to solve complex problems that our competition can’t.

SD: What do you think are the worst cyberthreats today?

AN:We keep hearing about ransomware attacks affecting many companies and it tends to increase. Not only is it targeting large and well-known enterprises and the government, but they are also costly.

Categories
Blogs

Why You Need an MSP

Services Why You Need an MSP
Why You Need an MSP

Let’s start with the basics. Most people (especially those on the far spectrum of the digital divide) are probably scratching their heads and wondering, “What exactly is an MSP?” Well, it is an acronym for the Managed Service Provider. Now that we have that down, it raises another question, “Why do I need one?” We’re here to answer this question and more.

Managed services involve the practice of outsourcing on a proactive basis certain processes and functions intended to improve operations and cut expenses. Managed Service Providers are a type of IT service company that acts as an outsourced third-party providing a server, network and specialized applications to end users and organizations. It is a strategic method adopted by corporations at various levels as a method of improving operations. Some of the big names in the industry include giants such as IBM, Atos, Infosys, Capgemini, and many others.

What services do MSPs provide?

MSP‘s provide a wide range of services, cutting across fields and disciplines. The services they provide include, but are not restricted to :

  • Firewall Availability Monitoring
  • Security Information Event Monitoring and Log Analytics
  • 24x7x365 Real-Time Security Monitoring
  • Virus Removal
  • Industry-leading Anti-Virus and Anti-Ransomware for Windows, Mac, and Linux
  • NOC Services
  • Advanced Endpoint Detection
  • Critical Application Patching
  • IT security
  • Network infrastructure
Contact us for more information on how we can help.
Why should you partner with an MSP?

Now that we have basic knowledge of an MSP and the many services it provides, it’s time to talk about why it’s so important to partner with one. There are numerous advantages to partnering with an MSP and employing its services. Some are obvious, while others are not. We will walk you through some of the important advantages:

Access to top talent :MSPs provide users with access to skilled individuals with years of experience and expertise under their belts. This is especially important to new startups that may lack the know-how necessary to operate and benefit from the experience that MSPs bring to the table.

24/7 Network Monitoring of Network Devices, Servers, and Desktops : Data is like a river, constantly flowing and ever-changing. MSPs are experts at monitoring and managing this constant stream of data in a way no one else can and transforming it into vital information. By keeping you up-to-date on the constantly changing business sphere, you can keep up with current trends and happenings both within your organization and the industry.

Asset Inventory and Management : This service is vital for proper bookkeeping and auditing within an organization. MSPs provide a digital framework that accurately follows the flow of products in and out of the system, with important details such as amount, time, cost and much more. This is especially important in combating forgery and other fraudulent activities, particularly when dealing with an enormous amount of products.

Patches and Updates : MSPs provide the latest in software and IT infrastructure; they keep you updated on the latest data management systems to boost your productivity to the maximum and keep your company running as smoothly as possible.

This is just a brief run through of the services provided by MSP’s. I encourage you to partner with one today to boost your productivity and profitability.
Share on FacebookShare on Twitter Share on Linkedin