Cisco ASA uptime over 200 days? You may need a reboot

This field notice was sent out at the end of last month.
Updated:Mar 30, 2017
Document ID:FN64291

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Date Comment
1.0
30-MAR-2017
Initial Public Release

Products Affected

Products Affected
CISCO FIREPOWER 6.1.0.1
CISCO FIREPOWER 6.1.0.2
CISCO FIREPOWER 6.2.0
ASA 9.1.7.11
ASA 9.1.7.12
ASA 9.1.7.13
ASA 9.1.7.15
ASA 9.1.7.9
ASA 9.2.4.15
ASA 9.2.4.17
ASA 9.2.4.18
ASA 9.4.3.11
ASA 9.4.3.12
ASA 9.4.3.6
ASA 9.4.3.8
ASA 9.4.4
ASA 9.4.4.2
ASA 9.5.3
ASA 9.5.3.1
ASA 9.5.3.2
ASA 9.5.3.6
ASA 9.6.2.1
ASA 9.6.2.11
ASA 9.6.2.13
ASA 9.6.2.2
ASA 9.6.2.3
ASA 9.6.2.4
ASA 9.6.2.7
ASA 9.6.3
ASA 9.7.1
ASA 9.7.1.2

Problem Description

All Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) devices that run the affected software versions do not pass network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

In the near term, immediately reboot the deployed security appliances in order to prevent this issue.

Background

On March 29, 2017 Cisco became aware of an issue that affects all Cisco ASA and Cisco FTD security appliances that run certain versions of software. The affected versions of software cause the security appliance to stop passing network traffic after approximately 213 days 12 hours (~ 5,124 hours) of uptime.

The issue detailed in this Field Notice is not a security vulnerability and there is no associated risk to the integrity of the security appliance.

Problem Symptoms

The Cisco ASA and Cisco FTD security appliances stop passing all network traffic.

Entering the show asp drop command over the console port will indicate that packets are being dropped due to the reason punt-rate-limit-exceeded.

Workaround/Solution

In order to mitigate the risk and impact of the device not passing network traffic, Cisco urges customers to proactively reboot their Cisco ASA and Cisco FTD security appliances that run affected versions of the software.

For customers with failover configurations, it is recommended to reboot the standby devices first, make them active after they complete booting, and then reboot the formerly active devices. Customers with clustering configurations should remove one slave at a time from the cluster, reboot them, and rejoin them until each slave has been rebooted. Then, move the master to one of the rebooted devices and then remove that device from the cluster, reboot it, and then have it rejoin.

The reboot of the security appliance must be performed prior to 213 days 12 hours of uptime. After the reboot, the security appliance avoids an encounter with this issue for another 213 days 12 hours.

Enter the show version | grep up command in order to display the uptime of the security appliance.

The output is shown here:

ciscoasa# show version | grep up
Config file at boot was "startup-config"
ciscoasa up 210 days 11 hours
failover cluster up 210 days 11 hours

The device can be rebooted with one of these methods.

For ASA security appliances:
CLI – Enter the reload command in privileged mode.
ASDM GUI – Choose Tools > System Reload.

For FTD security appliances:
CLI – Enter the reboot command in privileged mode.
Firepower Management Center – Choose Devices > Device Management, double-click FTD, then choose the Device tab. In the System section, click the Restart Device icon.

For both ASA and FTD security appliances, a physical power-cycle can be used in order to perform a reboot.

Updated ASA and FTD software versions that address this issue will be published in the coming weeks and will be available from the Cisco Software Download Center.

CDETS

To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

CDETS Description
CSCvd78303 (registered customers only) ARP functions fail after 213 days of uptime, drop with error ‘punt-rate-limit-exceeded’

 

http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64291.html

Backup versus Business Continuity

Data protection solutions are essential for businesses of all sizes to implement, regardless of size, industry and geographic location. In this article we discuss the importance of business continuity rather than simply backup.

Introduction

Downtime is real and it’s costly. How costly exactly? Depending on the size of the organization, the cost per hour of downtime is anywhere from $9,000- $700,000.

On average, a business will lose around $164,000 per hour of downtime.

The numbers speak for themselves. What causes downtime?

  • Network outages and human error account for 50% and 45% of downtime, respectively.
  • Meanwhile, natural disasters account for just 10 percent of downtime.
  • When you look at the cause of downtime by data volume, the #1 culprit is, once again, human error, at 58%.

Just look at the recent Amazon AWS outtage: http://www.geekwire.com/2017/amazon-explains-massive-aws-outage-says-employee-error-took-servers-offline-promises-changes/

As it turns out, businesses should be more wary of their own employees and less of natural disasters. If you’ve been putting off data protection because your organization is located far from any inclement weather, be warned: the bigger threat to your data is inside of your company, not the great outdoors.

What’s at stake?

2.5 quintillion bytes of data are generated daily. And 90% of the total data in existence was created within the past few years, a significant portion of which has been generated by small businesses. Considering all the servers, desktops, and laptops that the typical SMBs manage, it adds up to a lot of data to protect. Yet nearly 75% of SMBs operate without a disaster recovery plan and only 25% are “extremely confident” that they can restore data if it was compromised.

Only 50% of SMBs back up less than 60% of their data. The remaining 40%? No protection for it whatsoever.

How much does this cost? Over the past few years, 35% of SMBs lost as much as $500K due to downtime. An unlucky 3% lost over $1 million.

 

What to look for in a business continuity solution

To sum up what we’ve learned today, here are some key things to look for when seeking a business continuity solution:

  • Hybrid cloud backup—A hybrid approach fixes the vulnerabilities that a cloud-only or local-only possess.
  • Superior RTO and RPO—Think in terms of business continuity rather than simply backup, and calculate how much downtime your business can endure and still survive (RTO) as well as how much data you can afford to lose (RPO).
  • Image-based backup—Make sure that the backup solution takes images of all data and systems rather than simply copying the files.

Forte, in conjunction with our business continuity partner, Datto, can help your company meet it’s disaster recovery targets. No matter if your downtime was caused by a hardware failure, ransomware or the inadvertent keystroke of a well meaning employee.

Microsoft will be ending support for Office 2013 at the end of February.

Microsoft has made an announcement, informing Office 365 users, that the 2013 version of Office will no longer be supported as of February 28th, 2017.

Users who are running the 2013 versions of Office 365 client applications after February 28, 2017 will have to upgrade to the latest version of Office 365 client applications to continue to receive support from Microsoft. The following is a list of products for which support will end:

  • Office 365 ProPlus (2013)
  • Office 365 Small Business Premium (2013)
  • Office 365 Business (2013)
  • Project Pro for Office 365 (2013)
  • Visio Pro for Office 365 (2013)

After February 28, 2017 the following apply:

  • All 2013 versions of Office 365 client applications (32 and 64-bit) and all language packs will no longer be available for installation from the Office 365 Admin Center.
  • An updated 2013 version of the Office Deployment Tool will be released that will no longer support the installation of Office 365 client applications.
  • Microsoft will not release any feature updates for these versions of the products.
  • Microsoft will no longer provide support for these versions of the products through Customer Service and Support (CSS) or Microsoft Premier Support.
  • Microsoft will continue to release critical and important security updates for these versions of the products until April 10, 2018. See the following Microsoft website: Security Bulletin Severity Rating System.
  • Microsoft will not provide notification before implementing potentially disruptive changes that may result in a service interruption for users of the 2013 versions of Office 365 client applications. See the following Microsoft website: Microsoft Online Services support lifecycle policy.

If your company needs support in updating your volume license for Microsoft Office, or migrating to Microsoft Office 365, please contact us, at sales@forte-systems.com .Cloud Computing Lab Top

InfoWorld – MongoDB ransomware attacks sign criminals are going after servers, applications

The tremendous success of ransomware infections over the past year showed cybercriminals that holding data for ransom is the key to making money from online attacks. Ransom-based attacks are evolving, and if enterprise defenders aren’t careful, they are going to soon see more ransom notes popping up on their servers, databases, and back-end applications.

Consider last week’s events: After Victor Gevers, a security researcher and founder of GDI Foundation, reported several hundred instances of publicly exposed MongoDB installations had been wiped and held for ransom over the previous two weeks, several other attackers joined in, bumping the number of compromised databases from several hundred to more than 10,000.

The attackers didn’t need to bother with malware to gain access to the database or the information saved within—the door was wide open since these MongoDB installations used the default configuration, which allowed unauthenticated connections via port 27017. These databases were fully accessible from the internet, and anyone connecting via that port had full administrator rights to read, create, update, and delete records.

While compromising a few systems and encrypting the data in large enterprises will continue to be lucrative—healthcare facilities paid out thousands of dollars in 2016 to regain control of their data and systems—attackers are going to change tactics to keep their income stream flowing. Databases, web servers, application servers, enterprise resource planning (ERP) systems, and other enterprise applications all contain valuable information that can disrupt business operations if stolen.

“Attackers are always looking to increase the value of what they steal,” said Jeff Schilling, chief of operations and security at cloud security provider Armor.

It’s a safe bet that even if the enterprise doesn’t use MongoDB, which is widely used in big data and heavy analytics environments, it may be running other servers or applications that are accessible from the internet and vulnerable to attack. Criminals can easily shift their attacks to those servers and applications. Already, last spring, researchers from Cisco’s Talos Security Intelligence and Research Group found that attackers were exploiting vulnerabilities in JBoss application servers to spread SamSam ransomware.

New targets, new victims

The data contained on those systems don’t have to be something the attacker can sell on the black market—it just needs to be valuable to the owner. It doesn’t matter if the database or back-end system doesn’t have financial data or transactional information. Application source code, personnel files, organization data, and entire application servers are all valuable.

“As long as it’s valuable to someone, attackers can target it for ransomware in order to make a profit,” said Jordan Wright, an R&D engineer at authentication company Duo Security.

Ransoms are most effective when there are no backups to restore the data. While most enterprises typically have some kind of backup strategy in place for databases and critical enterprise applications, they may still be forced to pay because of the perception that it will take too long to restore from backups.

In the case of those enterprises with compromised MongoDB installations, at least 20 victims sent the 0.2 BTC ransom (about $220 at current prices) to the BitCoin address used by the initial attacker between Dec. 21, 2016 and Jan. 6, 2017, according to information available on Blockchain.info.

Imagine being an Oracle or SAP administrator and one day finding that an attacker had copied all the data and then wiped the systems.

In case the idea of data stolen from code repositories and databases wasn’t scary enough, software-as-a-service applications could become the next ransom target, Schilling said. An attacker could demand the ransom from the SaaS provider by successfully breaking into the network and disrupting operations, or from the SaaS customer by preventing the customer from accessing the data. A network breach on the provider side seems unlikely, but not impossible, since SaaS companies tend to invest heavily in securing their infrastructure.

But then, the massive DDoS attack against DNS provider Dyn affected SaaS providers adversely, without even touching their networks. That ransom demand could have gone sky-high, had the attackers gone that route.

Customer-side ransoms sound even more likely. There are already ransomware strains capable of encrypting data on cloud storage sites by infecting a computer that had a synced folder. Attackers can use stolen or compromised credentials to gain access to the customer’s SaaS instance and all the associated data. Whether the customer would pay would depend on how quickly—and completely—the provider would be able to restore the data.

All kinds of attacks, not just malware

It will be a mistake to keep focusing on the malware. Yes, there are reports of ransomware on Smart TVs, and malware will continue to encrypt data stored in enterprise networks. However, ransomware isn’t the only way cybercriminals have extorted enterprises in the past, and it isn’t going to be the only approach going forward.

Remember that the attackers behind Sony Pictures demanded “monetary compensation.” And ProtonMail and Feedly both were slammed with distributed denial-of-service attacks when they refused to pay.

Cybercriminals are going to make money however they can, and if it is easier to compromise the database by exploiting unpatched remote code execution vulnerabilities and escalation of privilege flaws, or through spear phishing, they aren’t going to bother to try to infect the server with malware. Or they may use a combination of scripting languages such as PowerShell and JavaScript to compromise systems, which doesn’t leave behind any malware samples for defenders to detect.

Defender checklist

Attackers are trying to figure out which types of data companies consider valuable, and which organizations are more likely to pay. The initial MongoDB attacks were originally nondiscriminating and compromised any open MongoDB installations, but security researchers believe the latest attacks are more selective, targeting healthcare providers, telecommunications companies, data brokers, and electric utility firms.

IT teams need to expand their focus and look at all the various ways their data could be stolen. Don’t get bogged down looking for malware samples or signs of infections, because the attacker demanding the ransom may use other methods to hold the data.

Attackers connected to vulnerable MongoDB installations via port 27017. Organizations using the default installation of MongoDB should update their software, set up authentication, and lock down port 27017.

That advice applies to other databases, servers, and applications as well. ERP systems such as SAP need to be configured to consider security. Database ports should be locked down. Software updates should be applied as soon as possible. Restrict remote access and require strong authentication for any user accounts that require remote access rights.

Administrators need to control and limit access to their organization’s data stored in their servers as well as in cloud applications. “Without mitigating controls like two-factor authentication, attackers can take over the data a user has access to by simply sending a phishing email,” Wright said.

IT teams need to stop thinking of ransomware as a malware infection and start thinking of a broad range of attacks that have an extortion component. This means beefing up data breach detection capabilities, securing systems so that data can’t be easily obtained, protecting the data even when defenses fail, and improving incident analysis so they can investigate thoroughly when something goes wrong. The attacks against MongoDB installations are just the beginning.

http://www.infoworld.com/article/3155435/cyber-crime/mongodb-ransomware-attacks-sign-criminals-are-going-after-servers-applications.html

Meraki Wireless Announces New Solutions for Hospitality

Like many other industries, hospitality is undergoing a digital transformation. Guest WiFi access has gone from being an amenity–and something that would simply enhance the guest experience–to being just one of many services that are critical to meeting guests’ needs. Today, properties are swarming with devices, having grown more than 3X since 2012 to an average of 3.5 devices per room. Today, Cisco Meraki is announcing an expansion to our wireless and switch portfolio and solutions designed specifically for the hospitality industry, as well as new products applicable to the broader market.

In hospitality, it’s not enough to simply support the increased device density. Properties must differentiate by developing services such as rapid, personalized check-in, location-assisted experiences, and increased guest attentiveness. WiFi in particular, and the network in general, provide the critical backbone to innovate and deliver these services.

The new Meraki MR30H simplifies wireless for hotels, dorms, and multi–dwelling units. 802.11ac Wave 2 technology delivers robust wireless access in challenging RF environments, and its small form-factor with integrated four port gigabit Ethernet switch enables deployments in a range of environments without the need to deploy an additional tabletop Ethernet switch. Additionally, integrated location analytics deliver insights into client behavior such as foot traffic, dwell time, and repeat visit rates, and Bluetooth low energy (BLE) powers advanced location applications such as those leveraging beacons.

Meraki launch blog image 12_2016

The new Cisco Meraki MR30H Cloud Managed Wireless Access Point

Along with the MR30H, we are introducing the MR33, an 802.11ac Wave 2 2×2 MIMO access point. It’s similar to the MR32 (including built-in location analytics and Bluetooth low energy), but in a smaller form factor and at a lower price.

Meraki is also announcing a major expansion of our switch portfolio, with the introduction of the MS225 and MS250 families. Available in 24-port and 48-port models, both families support physical and virtual stacking, PoE+, and feature 10 GbE SFP+ uplinks. Both are fully compatible with previous generation Meraki switch families, and additionally the MS250 supports the same layer 3 routing technology featured in the Meraki MS350 line. Naturally, these new switches are ideal to support the increased device density seen in hospitality and many other industries.

All of these new products are available to order today. If you’re curious to learn more about them, register for a wireless webinar or switch webinar and see what they’re all about!

– December 6, 2016

Original blog post here: http://blogs.cisco.com/wireless/meraki-new-solutions-hospitality

Wireless image

How & Why Wireless Networks Can Be the Safer Solution

The transition from wired to wireless networks is happening across the business world, especially as the technology underpinning wireless advances. Besides the convenience factor, wireless is also increasingly preferred over wired networks due to the security benefits available through proper implementation. However, many IT departments and companies are unfamiliar with the security advantages of wireless, especially given its shaky reputation in the past. Here is what you need to know about the wireless of today and how it stacks up against wired networks.

Read more

data center blue image

5 Data Center Trends Changing Business as You Know It

Many of today’s sleekest, most sophisticated data centers have the humblest of beginnings. Whether you are upgrading your existing facility, building a new one, or considering outsourcing your data center to one of the growing number of hardened hosting facilities, here are five things to think about while preparing for the future.

Read more

network security experts

10 Things Every Small Business Should Know About Network Security

We like to think of the world as a safe place, and that the likelihood of harm coming to your small business via cyber attack is low. However, the truth is that there are individuals out there who would like nothing more than to access your company’s sensitive data for their own gain. It’s the modern equivalent of bank robbery, and hundreds of businesses each year fall victim to this type of theft. Read more

Forte Data

The Dawn of SDN: Who is Adopting and What Will it Change?

Software-Defined Networking, or SDN, has, in the last few years, experienced a meteoric rise to prevalence. Read more

Forte binary

How to Meet your (Large or Small) Business Objectives by Putting IT to Work For You

Nearly all businesses today depend heavily on information technology to function, it is simply a question of degree.  In call cases, you want to be sure you invest in the solutions that bring the biggest returns for your business.  Here are some guidelines to follow. Read more