This Cookie Policy was last updated on October 13, 2022 and applies to citizens and legal permanent residents of the United Kingdom.
Our website, https://www.4cornernetworks.com (hereinafter: "the website") uses cookies and other related technologies (for convenience all technologies are referred to as "cookies"). Cookies are also placed by third parties we have engaged. In the document below we inform you about the use of cookies on our website.
A cookie is a small simple file that is sent along with pages of this website and stored by your browser on the hard drive of your computer or another device. The information stored therein may be returned to our servers or to the servers of the relevant third parties during a subsequent visit.
A script is a piece of program code that is used to make our website function properly and interactively. This code is executed on our server or on your device.
A web beacon (or a pixel tag) is a small, invisible piece of text or image on a website that is used to monitor traffic on a website. In order to do this, various data about you is stored using web beacons.
5.1 Technical or functional cookies
Some cookies ensure that certain parts of the website work properly and that your user preferences remain known. By placing functional cookies, we make it easier for you to visit our website. This way, you do not need to repeatedly enter the same information when visiting our website and, for example, the items remain in your shopping cart until you have paid. We may place these cookies without your consent.
5.2 Statistics cookies
We use statistics cookies to optimize the website experience for our users. With these statistics cookies we get insights in the usage of our website. We ask your permission to place statistics cookies.
5.3 Advertising cookies
On this website we use advertising cookies, enabling us to personalize the advertisements for you, and we (and third parties) gain insights into the campaign results. This happens based on a profile we create based on your click and surfing on and outside https://www.4cornernetworks.com. With these cookies you, as website visitor are linked to a unique ID, so you do not see the same ad more than once for example.
Because these cookies are marked as tracking cookies, we ask your permission to place these.
5.4 Marketing/Tracking cookies
Marketing/Tracking cookies are cookies or any other form of local storage, used to create user profiles to display advertising or to track the user on this website or across several websites for similar marketing purposes.
When you visit our website for the first time, we will show you a pop-up with an explanation about cookies. As soon as you click on "Save preferences", you consent to us using the categories of cookies and plug-ins you selected in the pop-up, as described in this Cookie Policy. You can disable the use of cookies via your browser, but please note that our website may no longer work properly.
7.1 Manage your consent settings
You can use your internet browser to automatically or manually delete cookies. You can also specify that certain cookies may not be placed. Another option is to change the settings of your internet browser so that you receive a message each time a cookie is placed. For more information about these options, please refer to the instructions in the Help section of your browser.
Please note that our website may not work properly if all cookies are disabled. If you do delete the cookies in your browser, they will be placed again after your consent when you visit our websites again.
You have the following rights with respect to your personal data:
To exercise these rights, please contact us. Please refer to the contact details at the bottom of this Cookie Policy. If you have a complaint about how we handle your data, we would like to hear from you, but you also have the right to submit a complaint to the supervisory authority (the Information Commissioner's Office (ICO)).
For questions and/or comments about our Cookie Policy and this statement, please contact us by using the following contact details:
4CornerNetworks Ltd
4 Harecroft Lane
Ickenham
Uxbridge
Middlesex
UB10 8FD
United Kingdom
Website: https://www.4cornernetworks.com
Email: admin@4cornernetworks.com
Phone number: 0131 516 9771
This Cookie Policy was synchronised with cookiedatabase.org on March 16, 2023.
It is a fact that older networks, developing over years, suffer not only capability issues as new services become available, but may have been built without using best practice. Our Network Audit service can advise on where future problems may occur, and where existing networks may develop issues (such as lack of firmware patching and upgrades; EOL equipment and hardware no longer supportable by vendor). Producing a design review document, our engineering teams consider availability, reliability, resilience, security, performance, and ease of management.
As part of our Audit service, we are often asked to validate 3rd party work, particularly by public sector bodies. There can be the feeling that a scope of works delivered by a 3rd party may not have followed Cisco Best Practice or has been configured inefficiently resulting in such things as QoS (Quality of Service) issues. There may be network issues or problems relating to certification, such as PCI DSS or ISO, or licensing; whatever the concerns we can objectively and impartially validate work and signpost areas for attention, as well as giving recommendation for remedial work – which we can also undertake if required. We can also act as your technical lead should you need, under contractual obligations, to use a 3rd party for your ongoing support and remediation.
Cisco/Meraki Wireless Networks
Wireless networks facilitate business in the modern world. Generally, they allow us wi-fi coverage no matter where they are situated. However, one downside is that many production networks perform at sub-optimal level.
Common problems include:
This does not mean that you need a new network – simply that your existing configuration might need some attention. To respond to this, we have put together a team of specialist engineers who can assist you by giving your WiFi a health check. This includes validation of what is already in place as well as troubleshooting problems and looking at new network requirements.
We also handle WiFi installations from greenfield site to office moves, cable deployment to delivery and validation reporting. If you want to ensure that your WiFi is giving you ‘best performance’ then why not call us and we can evaluate your business needs.
We also offer an AI-driven WiFi automation tool that allows our team, or indeed your own IT team, to proactively monitor and resolve issues. It can also identify the cause of network performance issues up to 30 days before they are reported. The tool operates 24/7/365 and can save days of troubleshooting on poorly performing WiFi networks.
Partner with 4CornerNetworks to give your WiFi the best performance
The FMC (Firepower Management Center) has a critical vulnerability in its web-based management interface that allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges, which in turn allows the attacker to run arbitrary code.
The vulnerability is due to improper handling of LDAP responses when LDAP is used for External Authentication. A bad actor can exploit it by sending crafted HTTP requests, effectively bypassing authentication and gaining administrative access to the web GUI. To break this down: anybody with HTTPS access to the management IP of your FMC and some skills would be able to get in and change the configuration or stop the Firepower sensors, effectively compromising your security controls and leaving you exposed.
Currently all unpatched FMC versions that use LDAP for external authentication are affected.
External authentication via LDAP is very common among Firepower customers, because Firepower is the preferred choice for mid-sized and large organizations, which tend to use central AAA to run their networks (better security and scalability).
If you are running FMC and have LDAP enabled (how to check if you are using LDAP is mentioned inside the listed Cisco Advisory link), it is strongly recommended to patch the FMC as soon as possible.
If possible, disable LDAP external authentication; make sure you have a working local account before doing so.
Limit the HTTPS access to the management IP address of the FMC to only secure internal networks/addresses.
Used materials:
The Microsoft RDP protocol is one of the main focuses of bad actors these days. There are reports of numerous successful breaches in small and medium-sized organizations that make heavy use of RDP from outside. The reasons are that the protocol has security flaws (this article covers the latest of them), but also that RDP was usually set up some time ago with weak authentication, which makes it prone to brute-force attacks. Most modern IPS products do not catch RDP-based brute-force attacks without additional tuning or a professional SOC, neither of which is usually present, or indeed a priority, in small and mid-sized businesses because of the cost.
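The paragraph above says RDP brute-force attempts are usually missed without extra tuning. The following detector, added here as an example and not part of the original article, shows the tuning in its simplest form: a sliding-window count of failed RDP logons per source address. The input format (one line per Windows Security event 4625, with the logon type and source address as key=value fields) and the sample lines are constructed for the example; a real collector exports more fields, so `parse_event` is the part to adapt.

```python
"""Flag RDP brute-force attempts from failed-logon events (added example).

Hypothetical, simplified input: one line per failed logon, of the form
    <ISO timestamp> 4625 type=<logon type> src=<ip> user=<name>
Windows logs failed logons as Security event 4625; logon type 10 is
RemoteInteractive (RDP). The line format here is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: one noisy source cycling through account names,
# one user mistyping a password twice (once via RDP, once at the console).
SAMPLE_LOG = """\
2019-05-20T10:00:01 4625 type=10 src=203.0.113.5 user=administrator
2019-05-20T10:00:02 4625 type=10 src=203.0.113.5 user=admin
2019-05-20T10:00:02 4625 type=10 src=203.0.113.5 user=backup
2019-05-20T10:00:03 4625 type=10 src=203.0.113.5 user=test
2019-05-20T10:00:04 4625 type=10 src=203.0.113.5 user=guest
2019-05-20T10:00:05 4625 type=10 src=203.0.113.5 user=sql
2019-05-20T10:03:00 4625 type=10 src=198.51.100.20 user=jsmith
2019-05-20T10:03:30 4625 type=2 src=198.51.100.20 user=jsmith
2019-05-20T10:30:00 4625 type=10 src=203.0.113.5 user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) type=(?P<ltype>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_event(line):
    """Return (timestamp, event_id, logon_type, src, user), or None if the line
    does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), int(m["event"]),
            int(m["ltype"]), m["src"], m["user"])


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: (peak_failures_in_window, distinct_users_tried)} for every
    source that produced at least `threshold` failed RDP logons (event 4625,
    logon type 10) inside any `window`-long sliding window."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    users = defaultdict(set)      # src -> account names it tried
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, event_id, ltype, src, user = ev
        if event_id != 4625 or ltype != 10:   # only failed RDP logons count
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:        # expire events older than the window
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(src, (0, 0))
            alerts[src] = (max(prev[0], len(q)), len(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (count, nusers) in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {count} failed RDP logons in 5 min across {nusers} accounts")
```

The distinct-user count is what separates a password spray from a user who simply forgot a password: a single account failing many times is a lockout problem, many accounts from one address is an attack. Feed the alert list to whatever blocks at the edge (a firewall ACL or the host firewall), and remember that the quiet alternative is to not expose RDP directly at all.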
A new vulnerability, CVE-2019-0708, was found in the "Remote Desktop Services" component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008.
It is also present in older versions such as Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates but which are still frequently in use within organizations.
Microsoft director of incident response Simon Pope described the vulnerability as follows: "While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware."
This vulnerability is marked as critical because of its nature: it sits at the pre-authentication level, which means strong credentials do not help, and it requires virtually NO user interaction. The vulnerability is also marked as wormable, which means that once an exploit exists it can easily be incorporated into more complex malware and used to automatically exploit and spread laterally inside an organization where RDP is enabled and unpatched, much like the WannaCry EternalBlue SMB exploit. This scenario makes for potentially fast and widespread malware.
Microsoft released 16 updates on the 19th of May targeting at least 79 security holes in Windows and related software — nearly a quarter of them earning Microsoft’s most dire “critical” rating. Critical bugs are those that can be exploited by malware or bad actors to break into vulnerable systems remotely, without any help from users.
Affected: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP and older versions of Windows.
Not affected: Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 and Windows Server 2012.
The attackers send a large number of very small requests from a high-bandwidth pipe behind ISP(s) that allow IP spoofing, destined for a large list of publicly accessible application servers. The attacker spoofs the source IP on all these requests to the target's public IP address. All the servers respond to the requests with much larger packets, wrongly directing all that traffic towards the unsuspecting target. The idea is either to cripple the target server/device or to congest its internet pipe, both causing a Denial of Service.
If any of the three components outlined above is not available, then there is no way to perform a successful amplification attack.
Simple steps can make a big difference.
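From the victim's side, the attack described above has a recognisable shape in flow data: many distinct "servers" all answering from the same well-known UDP service port with large packets, to a host that never asked. The detector below is an added example, not code from the article; the flow records are constructed, and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Spot a reflection/amplification flood in flow records (added example).

Constructed input: (src_ip, src_port, dst_ip, dst_port, packets, bytes)
tuples as a NetFlow/IPFIX exporter would summarise them. Reflected traffic
is grouped by (victim, service port); a group with many distinct reflectors
and a high bytes-per-packet ratio is flagged.
"""
from collections import defaultdict

# Constructed sample: a DNS reflection flood aimed at 192.0.2.10, plus a
# normal DNS reply and ordinary HTTPS traffic to 192.0.2.20.
SAMPLE_FLOWS = [
    # (src_ip,        sport, dst_ip,       dport, packets, bytes)
    ("198.51.100.1",  53,  "192.0.2.10", 45000, 200, 600000),
    ("198.51.100.2",  53,  "192.0.2.10", 45001, 180, 540000),
    ("198.51.100.3",  53,  "192.0.2.10", 45002, 210, 630000),
    ("198.51.100.4",  53,  "192.0.2.10", 45003, 190, 570000),
    ("198.51.100.5",  53,  "192.0.2.10", 45004, 220, 660000),
    ("203.0.113.53",  53,  "192.0.2.20", 33000, 5,   500),     # normal DNS reply
    ("203.0.113.80",  443, "192.0.2.20", 51000, 50,  60000),   # web traffic
]

# UDP services commonly abused as reflectors (assumed list; extend as needed).
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211}


def detect_reflection(flows, min_reflectors=4, min_bytes_per_packet=1000):
    """Return one alert dict per (victim, service port) group that has at
    least `min_reflectors` distinct sources and an average packet size of
    at least `min_bytes_per_packet`."""
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, dport, pkts, nbytes in flows:
        if sport not in REFLECTOR_PORTS:       # only replies from reflector services
            continue
        g = groups[(dst, sport)]
        g["reflectors"].add(src)
        g["packets"] += pkts
        g["bytes"] += nbytes

    alerts = []
    for (dst, sport), g in groups.items():
        bpp = g["bytes"] / g["packets"] if g["packets"] else 0
        if len(g["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            alerts.append({
                "victim": dst,
                "service_port": sport,
                "reflectors": len(g["reflectors"]),
                "bytes_per_packet": round(bpp),
                "mbytes": round(g["bytes"] / 1e6, 1),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_reflection(SAMPLE_FLOWS):
        print(f"{a['victim']} hit via UDP/{a['service_port']} from {a['reflectors']} "
              f"reflectors, {a['bytes_per_packet']} B/pkt, {a['mbytes']} MB")
```

The bytes-per-packet check matters because a legitimate DNS or NTP reply is small; only amplified responses (large records, monlist-style dumps) push the average into the kilobyte range. Once a victim is identified, the useful actions are on the ingress side: filter the service port towards that host at the edge, and confirm your own servers are not among the reflectors.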
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
At the end of October, Cisco announced a vulnerability in its ASA OS and in products running Firepower FTD.
The vulnerability is based on the SIP inspection code that handles SIP signaling packets.
The firewall inspects protocols for various reasons: NAT fixup, added security, discovery of dynamic port connections so that the related traffic can pass through the firewall, and so on. SIP inspection is part of the default Global Inspection Policy that is enabled on the device, meaning all firewalls with the default inspection configuration are affected.
A bombardment of a high-rate specifically crafted SIP requests can impact the firewall (high CPU load) and cause legitimate traffic to cease hence causing a Denial of Service.
There are currently no software updates from Cisco to address this vulnerability. All mitigation options are based on additional configuration and are listed below.
This vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later on both physical and virtual appliances, if SIP inspection is enabled and the software is running on any of the affected Cisco products. Worth noting is that SIP inspection is enabled by default.
NOTE: Older (EOL) Cisco ASA 5500 series are NOT affected (due to older code). Also the Virtual ASA (ASA 1000V) is not affected
Check your current running software versions
For ASA:
ciscoasa# show version | include Version
If version is above 8.4 then it is vulnerable
For Firepower FTD:
> show version
If version is above 6.0 then it is vulnerable
During an active attack you will see a large number of connections arriving at your firewall on port 5060 (the traditional SIP port, and the one the Cisco devices listen on in order to perform the inspection).
The following command shows the current SIP connections. They will be listed as incomplete, because the source of the DoS only bombards the firewall without ever completing or closing the SIP connection.
show conn port 5060
show processes cpu-usage non-zero sorted
This shows the current CPU usage per process. Unusually high CPU values will be observed during the attack. Continuous exploitation of this vulnerability causes continuous high CPU and can make the device crash and reload itself.
Another indicator of compromise for this attack is a sudden reload after a network slowdown and the presence of a crashfile
show crashinfo
After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread
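To turn the `show conn port 5060` indicator above into something an operator can act on, the script below ranks the sources of SIP connections and renders the corresponding `shun` lines for review. It is an added example, not part of the original article; the connection lines are constructed to resemble the ASA `show conn` format, and the regex only depends on the leading fields (protocol, interfaces, addresses, idle, bytes, flags), so extra trailing columns in newer releases are ignored.

```python
"""Rank SIP (port 5060) connection sources from ASA 'show conn' output (added example).

Constructed sample lines modelled on the ASA format:
    <proto> <in-if> <ip>:<port> <out-if> <ip>:<port>, idle <h:mm:ss>, bytes <n>, flags <f>
Zero-byte TCP connections with only SYN-side flags are the "incomplete"
connections the article describes.
"""
import re
from collections import Counter

SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.7:40123 inside 10.1.1.5:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.7:40124 inside 10.1.1.5:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.7:40125 inside 10.1.1.5:5060, idle 0:00:02, bytes 0, flags saA
UDP outside 203.0.113.7:5060 inside 10.1.1.5:5060, idle 0:00:00, bytes 0, flags -
UDP outside 198.51.100.9:5060 inside 10.1.1.5:5060, idle 0:00:12, bytes 4120, flags -
TCP outside 203.0.113.7:40126 inside 10.1.1.5:5060, idle 0:00:01, bytes 0, flags saA
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<in_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<out_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+idle\s+\S+,\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)"
)


def parse_conns(text):
    """Return one dict per connection line that matches the assumed format."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def sip_offenders(text, sip_port=5060, min_conns=3):
    """Return [(src_ip, total_conns, zero_byte_conns)] for sources holding at
    least `min_conns` connections to the SIP port, busiest first."""
    total, zero = Counter(), Counter()
    for r in parse_conns(text):
        if int(r["dport"]) != sip_port:
            continue
        total[r["src"]] += 1
        if int(r["bytes"]) == 0:            # never got past the handshake
            zero[r["src"]] += 1
    return sorted(
        ((src, n, zero[src]) for src, n in total.items() if n >= min_conns),
        key=lambda t: t[1], reverse=True,
    )


def block_commands(offenders):
    """Render the 'shun' lines for an operator to review and apply by hand.
    The article notes that shun does not survive a reload, so a persistent
    ACL entry should follow for anything confirmed hostile."""
    return [f"shun {src}" for src, _, _ in offenders]


if __name__ == "__main__":
    found = sip_offenders(SAMPLE_SHOW_CONN)
    for src, n, z in found:
        print(f"{src}: {n} SIP connections, {z} with zero bytes")
    print("\n".join(block_commands(found)))
```

Legitimate SIP peers (the one at 198.51.100.9 in the sample) show a handful of connections that carry bytes; a flood shows one or a few sources with many zero-byte connections. Pair the `shun` with `clear conn address` for the same source so that the existing half-open connections are torn down as well.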
There are several options, all limiting the allowance of these SIP packets to reach or overwhelm the device
1. Disable SIP inspection
Keep SIP inspection enabled only if you are actively using it. In our experience it is usually not required (not all customers run SIP trunks from inside the organization to an IP telephony provider in the cloud). Even where SIP is in use, most SIP providers will actively ask you to disable SIP inspection, because Cisco is slow at updating it compared to how fast the SIP protocol changes. SIP providers would rather you open specific port ranges than rely on this inspection, for a number of reasons.
To disable SIP inspection, configure the following:
For Cisco ASA Software
policy-map global_policy
 class inspection_default
  no inspect sip
For Cisco FTD Software Releases
configure inspection sip disable
Note: This command is issued from the FTD CLI.
2. Actively block IP address(es) of the attackers
You can always actively block (by ACL) the offending IP address that you see in the output of show conn port 5060. You also need to clear the existing connections with clear conn address <offending-ip>.
Another option is the old shun command, which blocks all traffic from a given source IP:
shun <offending-ip>
Note that a shun does not survive a reload.
3. Filter out based on the SIP attributes
Most observed attacks carry a SIP Sent-by address (in the Via header) set to 0.0.0.0. That is not typical of valid SIP communication. The attack can also be confirmed with a packet capture, by noticing the volume of packets arriving from a SIP address you are not expecting. Read the packet captures and check the Sent-by address; if the values are 0.0.0.0 and the previous mitigation methods are not viable in your environment, then you can proceed with the following change:
regex VIAHEADER "0.0.0.0"
policy-map type inspect sip P1
 parameters
 match message-path regex VIAHEADER
  drop
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip P1
4. Rate limit all SIP traffic
Not a great option, as it could also affect legitimate traffic; however, SIP is only the signaling protocol for setting up VoIP calls, so by nature it should not be very chatty.
You can use the Cisco MPF (Modular Policy Framework) to create a policy and match the SIP traffic and then set a rate limit on this traffic so it would not cause the high cpu spike. Configuration can vary here, so it needs to be done by an expert on product or an external capable consultant.
https://www.theregister.co.uk/2018/11/02/cisco_sip_warning/
A new vulnerability was publicly announced last Friday (22nd of June). It affects all current Cisco ASA devices (all models) and Firepower appliances (please see the full list below).
It allows a remote attacker to carry out a DoS (Denial-of-Service) attack against the vulnerable device and potentially extract sensitive data from it (usernames and active sessions). It exploits the HTTP(S) service on the devices and uses directory traversal to gather sensitive data and potentially reload the device. The vulnerability exists because of a lack of proper input validation of HTTP URLs.
The discovery was made by a Polish security researcher named Michal Bentkowski and was initially shared only with Cisco, giving Cisco time to prepare patches and updates for its software. There have already been real-life attempts to exploit this vulnerability because of its low complexity and how easy it is to carry out; there are already a couple of scripts on the internet that automate the process (see the links below). Cisco states there is no workaround for this problem, and all its customers are urged to upgrade to the patched software that Cisco released prior to the disclosure of the vulnerability.
If you have not patched your devices since the 22nd of June and are using ASDM/CSM or AnyConnect on a publicly facing interface, then it is very likely you are affected.
Simple steps to validate if your devices are vulnerable
1. Check if your device is listening on SSL ports
ciscoasa# show asp table socket | include SSL|DTLS
Look for open sockets on public facing interfaces
2. Check for presence of a process called Unicorn Proxy Thread, if this process is present, your device is considered vulnerable
ciscoasa# show processes | include Unicorn
Mwe 0x0000557f9f5bafc0 0x00007f62de5a90a8 0x0000557fa52b50a0 3632 0x00007f62c8c87030 30704/32768 Unicorn Proxy Thread 218
Customers should upgrade to an appropriate release as indicated in the following tables.
| Cisco ASA Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Prior to 9.1 | Migrate to 9.1.7.29 |
| 9.1 | 9.1.7.29 |
| 9.2 | 9.2.4.33 |
| 9.3 | Migrate to 9.4.4.18 |
| 9.4 | 9.4.4.18 |
| 9.5 | Migrate to 9.6.4.8 |
| 9.6 | 9.6.4.8 |
| 9.7 | 9.7.1.24 |
| 9.8 | 9.8.2.28 |
| 9.9 | 9.9.2.1 |
| Cisco FTD Software Release | First Fixed Release for This Vulnerability |
|---|---|
| 6.0 | Migrate to 6.1.0 HotFix or later |
| 6.0.1 | Migrate to 6.1.0 HotFix or later |
| 6.1.0 | Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (all FTD hardware platforms except 41xx and 9300); Cisco_FTD_SSP_Hotfix_EI-6.1.0.7-2.sh (41xx and 9300 FTD hardware platforms) |
| 6.2.0 | Not vulnerable |
| 6.2.1 | Migrate to 6.2.2.3 |
| 6.2.2 | 6.2.2.3 |
| 6.2.3 | 6.2.3.1, 6.2.3-851, 6.2.3-85.02 |
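Comparing a running release against the tables above by eye is error-prone because ASA prints versions as `9.8(2)28` while the fixed releases are written `9.8.2.28`. The script below, an added example rather than code from the article, normalises both forms to integer tuples, finds the matching train and reports whether the device is patched, needs an upgrade, or must migrate to a newer train. The table contents are copied from the page; the `show version` sample text is constructed, and the regex that pulls the version out of it is an assumption about the output layout.

```python
"""Check an ASA/FTD release against the first-fixed table (added example).

ASA 'show version' prints e.g. 'Cisco Adaptive Security Appliance Software
Version 9.8(2)28'; FTD prints e.g. 'Version : 6.2.3 (Build 83)'. Both are
reduced to integer tuples so that they compare naturally.
"""
import re

# First-fixed releases, copied from the advisory table above.
# "migrate:X" means the train has no fix and you must move to X;
# "hotfix" means apply the 6.1.0 hotfix file listed in the table.
ASA_FIXED = {
    "9.1": "9.1.7.29", "9.2": "9.2.4.33", "9.3": "migrate:9.4.4.18",
    "9.4": "9.4.4.18", "9.5": "migrate:9.6.4.8", "9.6": "9.6.4.8",
    "9.7": "9.7.1.24", "9.8": "9.8.2.28", "9.9": "9.9.2.1",
}
FTD_FIXED = {
    "6.0": "migrate:6.1.0", "6.0.1": "migrate:6.1.0", "6.1.0": "hotfix",
    "6.2.0": "not_vulnerable", "6.2.1": "migrate:6.2.2.3",
    "6.2.2": "6.2.2.3", "6.2.3": "6.2.3.1",
}

# Constructed sample of the first line of an ASA 'show version'.
SAMPLE_ASA_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.8(2)28
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)
"""


def parse_version(s):
    """'9.8(2)28' -> (9, 8, 2, 28); '6.2.3.1' -> (6, 2, 3, 1)."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def version_from_show_version(text):
    """Pull the first 'Version <x>' / 'Version : <x>' token out of CLI output."""
    m = re.search(r"Version\s*:?\s*([\d.()\-]+)", text)
    return m.group(1) if m else None


def _lookup(table, v):
    """Return the table key that is the longest prefix of version tuple v."""
    best = None
    for key in table:
        k = parse_version(key)
        if v[:len(k)] == k and (best is None or len(k) > len(parse_version(best))):
            best = key
    return best


def assess(platform, running):
    """Return {'status': ..., 'target': ...} for platform 'asa' or 'ftd'."""
    v = parse_version(running)
    table = ASA_FIXED if platform == "asa" else FTD_FIXED
    key = _lookup(table, v)
    if key is None:
        if platform == "asa" and v < (9, 1):        # "Prior to 9.1" row
            return {"status": "migrate", "target": "9.1.7.29"}
        return {"status": "unknown", "target": None}
    fix = table[key]
    if fix == "not_vulnerable":
        return {"status": "not_vulnerable", "target": None}
    if fix == "hotfix":
        return {"status": "hotfix", "target": "Cisco_FTD_Hotfix_EI-6.1.0.7-2.sh (or SSP variant)"}
    if fix.startswith("migrate:"):
        return {"status": "migrate", "target": fix.split(":", 1)[1]}
    status = "patched" if v >= parse_version(fix) else "upgrade"
    return {"status": status, "target": fix}


if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_ASA_SHOW_VERSION)
    print(running, assess("asa", running))
    print("6.2.2", assess("ftd", "6.2.2"))
```

Tuple comparison does the right thing for a shorter running version (`9.8(1)` becomes `(9, 8, 1)`, which sorts below `(9, 8, 2, 28)`), so an interim release with no build number is still reported as needing the upgrade. The 6.2.3 row is reduced to `6.2.3.1` here; the other two 6.2.3 builds in the table are later and compare as patched.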
If you would like any help or guidance please contact www.4cornernetworks.com today.
Malware has evolved enormously in recent years, and the trend is to keep evolving at an ever-increasing pace. Traditional firewalls that rely on old technologies such as stateful filtering are not capable of detecting or preventing most modern threats. Using traditional firewalls to reduce the attack surface is no longer sufficient or effective. Vulnerabilities are discovered every day, many of them critical, and server administrators often lack the knowledge required to protect and patch their systems. Endpoints (desktops, laptops, smartphones) are constantly at risk because bad "actors" keep coming up with clever ways to bypass traditional defences and deliver malware, quite often exploiting the weakest link (the users), and companies cannot train users in IT security quickly enough.
It is obvious that additional security at the network layer is mandatory. But the controls used must meet certain criteria: they must be what the industry calls a Next-Generation Firewall, meaning the device should be able to identify users and applications, perform advanced threat protection using different methods (signatures, reputation, sandboxing), and provide detailed reports and logs for proactive and reactive (forensic) purposes. All current high-end vendors on the market provide this Next-Gen FW capability. Cisco did something very clever: it decided many years ago (after the purchase of Sourcefire) to integrate the Sourcefire functionality into its firewall technology, and it is dominating the market with its next-generation ASA products. The result is a very flexible solution, albeit a bit cumbersome to configure. The client has the option to enable just the ASA functionality, and hence have only a stateful firewall, or to add the advanced Sourcefire Next-Gen FW capabilities as well. Cisco even sells all current devices (the 5500-X series) with built-in Firepower (Cisco rebranded Sourcefire as Firepower) capability. A significant number of customers are actively replacing older ASAs with new X series models, many without enabling the Firepower capability. As mentioned briefly above, the reasons for this vary, but the main one was the added complexity and the separate management that Firepower required. This translates into added cost, as these skills are usually not available internally and have to be sourced from outside consulting companies. Also, the Firepower product cannot simply be configured and forgotten about; it needs small adjustments and manual intervention from time to time, again adding to operational costs.
With more customers adopting and embracing the Firepower solution, the product has matured, especially since the introduction of Firepower 6.1. Installation, integration and support have become more user-friendly, which means operational costs have dropped significantly. The transition from pure ASA to ASA + Firepower has been streamlined and can be done within days and without any downtime for the customer. A small investment in Firepower licences (customers already have the hardware) and the additional consulting services could in fact be the difference between a secure network and a compromised one, and we all know that a compromise is a very bad and expensive experience. The investment would start to pay off immediately and provides a completely different way of securing your network, one that cannot be compared to archaic traditional firewalls. In the future, Cisco and many other vendors will completely remove stateful-only firewall devices. Cisco is going to replace all ASAs with new appliances capable of running a unified operating system, Firepower Threat Defense. The switch is inevitable, so there is no benefit whatsoever in waiting. The transition/migration work must be done, and the sooner the better. Simply put, there is more protection and security for all resources behind the firewall.
We urge our customers not to wait until it is too late. Don't be reactive to a compromised network; take the initiative today and avoid the inevitable.
If you already have the ASA X series deployed there are just a few simple steps to attain all the benefits from the most advanced Intrusion Prevention system at the moment.
Why wait? Contact 4CornerNetworks today to discuss.
https://4cornernetworks.com/contact/
The Russian bear is having a snack out of Ukraine, it seems, but more than 100 other countries are also involved. Cisco devices are NOT vulnerable, but for me that is valuable marketing, as it shows the value of actually having a nice vendor and not a cheap one.
→ https://blog.talosintelligence.com/2018/05/VPNFilter.html
On the 29th of March, Embedi, a company that deals with security in embedded devices, published its discovery of a critical vulnerability in most Cisco switches (running both IOS and IOS XE).
The vulnerability (CVE-2018-0171) is a stack buffer overflow caused by improper validation of packet data in the Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily. The service listens on TCP port 4786, which is open whenever the service is enabled (and it is enabled by default).
Yet again, functionality intended for easier deployment and potentially lower operational costs poses a serious security risk. The vulnerability is deemed critical because it gives complete access to the device, or can be used to DoS the device by crashing it. What makes the case even worse is that the Smart Install Client functionality is enabled by default.
Initially, researchers believed the vulnerability could only be used for attacks inside an enterprise network, because the port is usually not exposed to the Internet, many switches and similar devices are internal only, and in a securely configured network the recommendation is that Smart Install participants should not be reachable from the Internet.
However, during a short scan of the Internet, researchers detected over 250,000 vulnerable devices and 8.5 million devices with the vulnerable port open.
The vulnerability was proven to work on the following devices: Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches.
And here are all devices that may fall into the Smart Install Client type and can be considered potentially vulnerable:
The original researchers contacted Cisco with their finding before going public, and the vendor had enough time to patch its software. Official releases after March are patched against the vulnerability and available for download.
Issue the following command:
show vstack config
If the output shows that Smart Install is enabled, then proceed with the following checks.
Check your current running software versions
show version
Use a Cisco official tool to check the vulnerabilities on your Cisco IOS/XE via the following link:
https://tools.cisco.com/security/center/softwarechecker.x
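When the checks above have to be run across a whole estate of switches, it helps to parse the CLI output rather than read it. The script below is an added example, not part of the article: it decides from constructed `show vstack config` and `show tcp brief all` output whether a switch still has the Smart Install client active or a listener on TCP 4786. The wording `SmartInstall enabled` in the vstack output and the `*.4786 ... LISTEN` socket line are assumptions about the IOS output format; check them against one of your own devices before trusting a fleet-wide report.

```python
"""Decide whether a switch still exposes Smart Install from CLI output (added example).

Assumed output phrasings (verify against your release):
  show vstack config    ->  ' Role: Client (SmartInstall enabled)'
  show tcp brief all    ->  '<TCB>  *.4786   *.*   LISTEN'
"""
import re

# Constructed samples.
SAMPLE_VSTACK_ENABLED = """\
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0

 *** Following configurations will be effective only on director ***
 Vstack default management vlan: 1
"""

SAMPLE_VSTACK_DISABLED = " Role: Client (SmartInstall disabled)\n"

SAMPLE_TCP_BRIEF = """\
TCB       Local Address               Foreign Address             (state)
7F2A1C08  *.4786                      *.*                         LISTEN
7F2A2D10  *.22                        *.*                         LISTEN
7F2A3E18  10.0.0.2.22                 10.0.0.50.51234             ESTAB
"""

SMI_PORT = 4786   # Smart Install Client port named in the article


def smart_install_enabled(vstack_output):
    """True when 'show vstack config' reports SmartInstall as enabled."""
    return re.search(r"SmartInstall\s+enabled", vstack_output, re.IGNORECASE) is not None


def listening_on_smi_port(tcp_brief_output, port=SMI_PORT):
    """True when a LISTEN socket in 'show tcp brief all' is bound to `port`.
    IOS writes the local address as '<ip or *>.<port>', so the port is the
    last dot-separated token."""
    for line in tcp_brief_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[-1] == "LISTEN":
            local = parts[1]
            if local.rsplit(".", 1)[-1] == str(port):
                return True
    return False


def smart_install_exposure(vstack_output, tcp_brief_output):
    """Summarise one device for a fleet report."""
    enabled = smart_install_enabled(vstack_output)
    listening = listening_on_smi_port(tcp_brief_output)
    if enabled or listening:
        verdict = "exposed: Smart Install client active; patch the software and restrict TCP 4786"
    else:
        verdict = "not exposed"
    return {"enabled": enabled, "listening": listening, "verdict": verdict}


if __name__ == "__main__":
    print(smart_install_exposure(SAMPLE_VSTACK_ENABLED, SAMPLE_TCP_BRIEF))
    print(smart_install_exposure(SAMPLE_VSTACK_DISABLED, ""))
```

Both checks are kept because they fail differently: the vstack output tells you the feature's configured state, while the socket table tells you what is actually reachable right now. A device that reports disabled but still lists the 4786 listener deserves a second look, and either signal on its own is enough to schedule the upgrade the article recommends.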
https://thehackernews.com/2018/04/cisco-switches-hacking.html
https://embedi.com/blog/cisco-smart-install-remote-code-execution/
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2