Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Routers alone = shit (here's proof #6/15)
http://www.bing.com/search?q=r...
http://tech.slashdot.org/story...
http://thestack.com/root-comma...
http://thestack.com/zyxeltech-...
http://threatpost.com/12-milli...
http://threatpost.com/dns-base...
http://threatpost.com/internet...
http://voices.washingtonpost.c...
http://www.cbc.ca/technology/s...
http://www.dshield.org/diary/+...
http://www.dshield.org/diary/2...
http://www.dshield.org/diary/5...
http://tools.cisco.com/securit...
http://tools.cisco.com/securit...
http://tools.cisco.com/securit...
APK
P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each)... apk
-
Re:Great! Now if only they would make upgrades eas
The pfsense C2758 Appliance supports 2 x 10GigE interfaces:
https://www.pfsense.org/hardwa...
Model C2758
Max Active Connections 8,000,000
Network Interfaces 4x Intel 1GbE
Network Expansion 2x Chelsio 10GbE
Supporting 10 gig interfaces is not the same as being able to filter 10 gig -- the specs on that box top out around 960Mbit (150mbit VPN) while the standard ASA 5500 line tops out around 4 gbit/second (700mbit VPN).
The 5585-X model line with the dedicated security processor will do up to 80Gbit of inspection and 5 Gbit of VPN. But that performance doesn't come cheap, you'll pay around $150K for each one.
-
Re:Great! Now if only they would make upgrades eas
Not YET. However, with the introduction of the 5506/5508, it shouldn't be long.
-
Re:Great! Now if only they would make upgrades eas
How on earth are customers supposed to be secure if they make it so hard to keep up with patches ???
Cisco doesn't make it easy, but you can get ASA security updates for free (and for their routers too). Read the advisory: https://tools.cisco.com/securi... It says:
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):
http://www.cisco.com/en/US/sup...
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
So call or email Cisco TAC (the contact info is at that link) and ask. They will give you the updates.
And since Cisco is so incompetent at selling, they won't even try to sell you a service contract.
-
Re:Awesome ...
-
The firewall is next to useless ..
"The weapon
.. is basically a big firewall designed to protect the .. network from hackers."
A basic firewall blocks connections based on a table of IP address and port combinations. If the 'firewall' can't identify malicious connections then it's next to useless. So called 'stateful inspection firewalls' utilize a man-in-the-middle hack, only work by installing a fake cert on the client browser, decrypt passing data and supposedly identify malicious code. Which begs the question, if the MITM firewall can decrypt your communications, what's stopping some malicious third party doing the same. So basically here we have someone diluting security in order to increase security. If the 'firewall' can't identify malicious code then it's next to useless. Most of today's rich web applications can't function without running embedded code. Clicking on a URL that downloads and runs someone else's code makes the firewall next to useless.
-
Re:Possible reasons
This is also known as SIP + ENUM
:)
-
Re:30 million lines of code?!
Considering the user interface and programmability of cisco routers, I'd say 30 million lines makes sense. They handle per-port configuration of various OSI stack settings, link speed, subnetting, router tables, etc...
Check out their CLI to get a feel for what even some of the dumb switches can do. Some also have a GUI that can be tapped into as well.
-
Re:China's Source Code
I wonder if any American company will get to see any of China's source code.
Has happened:
"Huawei provided our source code of our products to Cisco for review"
http://blogs.cisco.com/news/hu...
Of course it's anyone's guess if the code shown was 'the right code' but the old bait and switch could work for IBM in this case as well.
-
Re:That's what I've been TRYING to tell him
How would you spec "another pc, and not even a really good one" to do what http://www.cisco.com/c/en/us/p... can do?
Please enlighten everyone, in your not-at-all arrogant tone that you seem to be so fond of.
-
Old news - even already reported by Cisco.
Cisco already published security advisory on that a month ago:
http://tools.cisco.com/securit...
Attackers required either valid admin credentials or physical access to the device to replace firmware. Such attacks were understood for a long time.
Nevertheless it's interesting to observe increase in attacks against infrastructure itself, rather than bandwidth.
-
NOT A RESET BUTTON
I think the first thing we all need to understand is that the button mentioned is NOT a reset button. It's the display button for the lights and is clearly labeled "mode". It cycles between the different information modes such as speed, duplex, stack ID, POE usage, etc. See this article from the Cisco Support forums detailing how to determine which stack ID the different switches are as one example: https://supportforums.cisco.co...
-
Re:"after gaining administrative or physical acces
You'd better tell that to Cisco!
From the section on Entering the Rom Monitor in the manual
Entering the ROM Monitor
To use the ROM monitor, you must be using a terminal or PC that is connected to the router over the console port.
Perform these steps to configure the router to boot up in ROM monitor mode the next time it is rebooted.
(Emphasis Added)
-
Re:What about VP9?
Dirac low-latency ("Dirac Pro", aka SMPTE VC-2) may come back as a mezzanine compression for production video over IP (Snell showed this at NAB 2014).
But "long GOP" Dirac never provided enough quality per bit per second compared with H.264, and certainly not with HEVC. I don't think anyone at BBC R&D is actively working on it now.
-
Hardware VPN device
You could do all of this through software (openVPN, etc.), but honestly life is too short to go through all the effort required as well as making sure it all works and stays updated. I'm getting too old for this crap and just need something that works in the least amount of time and effort required.
I'd recommend you look at something like the Meraki MX64/MX64W at all three locations, it will do all of the necessary tunneling and filtering you need (with the advanced security license), as well as allow you to monitor what is happening on the network.
Additionally, it's all cloud managed so you can view and configure the device from anywhere.
I deploy these at work for our remote offices, and just purchased a similar setup at home (an MX64 and two MR18). I can filter what my kids get to as well as easily support remote backups and administration at my parents home.
-
Re:Routers with VPN
Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each. http://www.cisco.com/c/en/us/p...
Ubiquiti has a small router with enterprise level features for less than $100. A site to site VPN and VLAN support are just a few of its features and all you need to solve this problem.
I'm still running a Juniper SRX-210 at home, but I've been happy with the UniFi APs and EdgeSwitches I have from Ubiquiti so this little router is definitely on the short list when the time comes.
-
Routers with VPN
Just use a couple of small business routers with built in VPN. They do all of the different subnets and wireless and all of that stuff. They're a few hundred bucks each.
http://www.cisco.com/c/en/us/p...
-
Ton of legacy
There's plenty of legacy stuff in intranets that require flash that is *not* easily upgradeable, or at least up to the user.
Case example on where I run every now and then in work, Cisco IMC controllers (server management cards).
http://www.cisco.com/c/en/us/t...
Their UI is based on Flash (and Java), for remote console, status data, and so on. If I point a browser to a CIMC server, the first thing I see is "Install flash player" if it's not already installed. Even if Cisco would release an upgrade *today*, how often are people interested in rebooting their servers for firmware upgrades as long as it's running ok?
-
Domain Shadowing goes nuclear ..
"Talos has discussed domain shadowing before at a high level. It’s a technique where threat actors use compromised registrant accounts to create large amounts of malicious subdomains. This is what Talos has found Nuclear using in this most recent campaign. It has been effectively rotating IP addresses, subdomains, and parent domains at a relatively quick rate." ref
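The technique Talos describes above (many short-lived subdomains created under legitimate but compromised registrant domains, with IPs rotating quickly) can be surfaced in passive DNS data by looking for a burst of never-before-seen subdomains under one parent that resolve to addresses the parent never used. The following is an added example, not code from the comment or from Talos: the records are constructed, the two-label parent-domain extraction is a deliberate simplification (no public suffix list offline), and the thresholds are assumptions to tune against your own data.

```python
"""Flag domain-shadowing candidates in passive-DNS style records (added example)."""
from collections import defaultdict

# Constructed sample records: (first_seen_day, fqdn, resolved_ip).
# example-shop.test shows the shadowing pattern; quiet-corp.test is benign.
SAMPLE_RECORDS = [
    (1, "www.example-shop.test", "203.0.113.10"),
    (1, "mail.example-shop.test", "203.0.113.10"),
    (5, "a1b2c.example-shop.test", "198.51.100.7"),
    (5, "q9x8z.example-shop.test", "198.51.100.8"),
    (5, "kk3mm.example-shop.test", "198.51.100.9"),
    (6, "p0o9i.example-shop.test", "198.51.100.23"),
    (6, "zz7yy.example-shop.test", "198.51.100.24"),
    (1, "www.quiet-corp.test", "192.0.2.5"),
    (3, "blog.quiet-corp.test", "192.0.2.5"),
]


def registered_domain(fqdn):
    """Naive parent-domain extraction: last two labels. A real deployment
    should use the public suffix list instead (assumption for offline use)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_shadowed_domains(records, min_new_subdomains=3, min_ips=3, window_days=2):
    """Return {parent: details} for parents where, in some window of
    `window_days`, at least `min_new_subdomains` previously unseen
    subdomains appear, resolving to at least `min_ips` addresses that
    the parent's earlier records never used."""
    by_parent = defaultdict(list)
    for day, fqdn, ip in records:
        by_parent[registered_domain(fqdn)].append((day, fqdn, ip))

    flagged = {}
    for parent, recs in by_parent.items():
        recs.sort()
        for start in sorted({d for d, _, _ in recs}):
            before = [r for r in recs if r[0] < start]
            window = [r for r in recs if start <= r[0] < start + window_days]
            seen_before = {f for _, f, _ in before}
            baseline_ips = {ip for _, _, ip in before}
            new_subs = {f for _, f, _ in window if f not in seen_before}
            new_ips = {ip for _, f, ip in window if f in new_subs} - baseline_ips
            if len(new_subs) >= min_new_subdomains and len(new_ips) >= min_ips:
                flagged[parent] = {
                    "window_start": start,
                    "subdomains": sorted(new_subs),
                    "ips": sorted(new_ips),
                }
                break  # first qualifying window is enough to flag the parent
    return flagged


if __name__ == "__main__":
    for parent, info in find_shadowed_domains(SAMPLE_RECORDS).items():
        print(parent, info)
```

The baseline here is simply "everything seen before the window"; in practice you would also exclude the parent's known hosting provider ranges and require the new subdomains to be short-lived, which is what separates shadowing from a legitimate launch of many new services at once.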
-
For those who don't RTFA
The infected client contains "Unidentified build, Nov 29 2013 21:41:02" on the about PuTTY page while the official has "Release 0.63". Cisco has a good article here: http://blogs.cisco.com/securit... by Robert Semans, Brandon Enright, James Sheppard, and Matt Healy.
-
Re:Certification for programmers
No..... CCNA would be for a technical implementation expert, who could help support the technical work of implementing the security team's policies, not a security expert.
CCNA Security is not the same thing as CCNA. And the curriculum (at least when I did it back in 2012) required an understanding of the usual concepts of social engineering, cryptography (i.e. symmetric vs assymetric, hashing, etc.)
In fact the NSA and CNSS both recognize having a CCNA Security certification as enough to be CNSS 4011 certified, which is a VERY good credential for anybody who wants to work in IT security.
http://www.cisco.com/web/learn...
http://www.villanovau.com/reso...
-
Hosts help here (stop data theft)
Per my subject: Add the C&C servers to your custom hosts file (as blocked using 0.0.0.0):
0.0.0.0 www.centozos.org.in
0.0.0.0 centozos.org.in
0.0.0.0 org.in
* They WILL "stall it" in its TRUE intended purpose: Data Theft (the destructive parts only apparently 'detonate' IF you attempt to debug/analyze it...) since those are the ones this malware uses.
PERTINENT QUOTE PROOF EXCERPT:
"Rombertik does not target any site in particular, such as banking sites, but instead, attempts to steal sensitive information from as many websites as possible. The collected data is then Base64 encoded and forwarded to www.centozos.org.in"
Per the CISCO blog about it here that this article points to -> http://blogs.cisco.com/securit...
APK
P.S.=> Of course, lastly? For the BEST in protection for security (as well as more speed + reliability online) using hosts files for FAR MORE than just this threat?
Well - you know ('shameless plug', but true):
APK Hosts File Engine 9.0++ SR-2 32/64-bit -> http://start64.com/index.php?o...
MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...
... apk
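As an added example (not the commenter's tool or any code from the comment), here is a small Python check of what a hosts-file blocklist like the one above actually covers. The hosts-file text and candidate names are constructed from the entries in the comment; the parser and the matching rule are mine. The caveat a practitioner wants here: hosts-file resolution matches the exact name only, so an entry for one name does not cover its subdomains, and each new C&C hostname needs its own line.

```python
"""Check what a hosts-file blocklist actually covers (added example)."""
import ipaddress

# Constructed hosts-file content based on the entries in the comment above.
HOSTS_TEXT = """\
# blocked C&C hosts
0.0.0.0 www.centozos.org.in
0.0.0.0 centozos.org.in
0.0.0.0 org.in
"""

# Addresses commonly used to sinkhole a name in a hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, ignoring comments
    and malformed lines. Names are lower-cased and stripped of a trailing dot."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip a malformed address instead of failing the file
        for name in fields[1:]:
            # first entry wins, which is how the resolver treats duplicates
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def is_blocked(table, hostname):
    """True if hostname maps to a sinkhole address. Hosts files match the
    exact name only: there is no wildcard or suffix matching."""
    return table.get(hostname.lower().rstrip(".")) in SINKHOLE_ADDRESSES


def coverage(table, hostnames):
    """Map each candidate hostname to whether the table blocks it."""
    return {h: is_blocked(table, h) for h in hostnames}


def hosts_lines_for(hostnames, sinkhole="0.0.0.0"):
    """Emit a hosts line for each exact name and its www./bare counterpart,
    deduplicated, since both forms must be listed to block both."""
    out, seen = [], set()
    for h in hostnames:
        h = h.lower().rstrip(".")
        pair = (h[4:], h) if h.startswith("www.") else (h, "www." + h)
        for name in pair:
            if name not in seen:
                seen.add(name)
                out.append(f"{sinkhole} {name}")
    return out


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    # constructed candidate names; only exact matches come back blocked
    for name, blocked in coverage(
        table, ["www.centozos.org.in", "cdn.centozos.org.in", "other.org.in"]
    ).items():
        print(f"{name:25s} blocked={blocked}")
```

Run it and `cdn.centozos.org.in` comes back unblocked even though both parent names are listed, which is why a hosts-file approach needs the full list of C&C hostnames from the source report rather than a parent domain.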
-
Re:Words without actions are meaningless
For starters, I have read up on it, and many many vendors agree that it IS security.
Sources:
Cisco (Top 2 paragraphs of intro)
http://www.cisco.com/web/about...
SANS institute (Page 5, 2nd paragraph)
And so on.
As to your solution, it has a massive issue. Route tables must use next hops as their gateway; you could not enter a command like that targeting my WAN, and have it work, because my WAN IP would not be a next hop for your computer. The only thing your route table can do is instruct your computer which IP on your broadcast domain will be willing to handle your datagrams. At that point, it is up to that router to figure out the next hops.
You will note I asked you what the L3 / L4 headers would be on your packet; this was specifically to demonstrate why such attacks would fail. You would have a source address of 9.9.9.9, and a destination of 192.168.50.5, and you would instruct your computer to pass that datagram off to a router at ethernet address 99:99:99:99:99:99 (your router), and he would promptly vomit and say "what the hell I can't route an RFC1918". Add the route on your router, and you've shoved the issue back to your ISP, whose router would either fail to find a route for that subnet, or (more likely) outright reject it as a violation of RFC.
The only scenario in which this attack makes sense is when the attacker IS the next hop, that is your ISP. And for 99.999% of users, this is not a realistic threat model they will face, and NAT will be "acceptable" security.
No one argues that a stateful firewall is BETTER (as it prevents attacks like you mentioned), but to say that NAT adds no security whatsoever is being silly; major infrastructure vendors disagree with you.
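The argument above can be made concrete with a model of a port-translating (NAPT, "masquerading") gateway's state table. This is an added example, not the commenter's code or any vendor's implementation: a Python model with address-and-port-dependent filtering (the strict case; some NAT implementations are looser, e.g. full-cone, and would accept an unsolicited packet on an already mapped port), using constructed addresses from the documentation ranges. It shows why a packet addressed straight to 192.168.50.5 is never delivered, and why a packet to the public address is dropped unless it matches a mapping an inside host already created.

```python
"""Minimal NAPT state-table model (added example, not a real implementation)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Napt:
    """Translate inside (RFC1918) sources to one public IP with per-flow
    ports, and admit inbound packets only for flows the inside started."""

    def __init__(self, inside_net, public_ip, first_port=40000):
        self.inside = ipaddress.ip_network(inside_net)
        self.public_ip = public_ip
        self.next_port = first_port
        # (src, sport, dst, dport, proto) -> public source port
        self.out_map = {}
        # (public port, remote ip, remote port, proto) -> (inside src, sport)
        self.in_map = {}

    def outbound(self, pkt):
        """Return the translated packet, allocating a public port for a new
        flow, or None if the source is not an inside address."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        port = self.out_map.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Return the packet rewritten to the inside host for a reply on an
        existing flow; None means the gateway drops it. The remote endpoint
        must match the mapping, i.e. address-and-port-dependent filtering."""
        if pkt.dst != self.public_ip:
            # A packet addressed to an RFC1918 host never has a usable
            # route to this gateway's public side in the first place.
            return None
        entry = self.in_map.get((pkt.dport, pkt.src, pkt.sport, pkt.proto))
        if entry is None:
            return None
        inside_src, inside_sport = entry
        return Packet(pkt.src, pkt.sport, inside_src, inside_sport, pkt.proto)


if __name__ == "__main__":
    gw = Napt("192.168.50.0/24", "198.51.100.1")
    out = gw.outbound(Packet("192.168.50.5", 51000, "203.0.113.7", 443))
    print("outbound translated to", out)
    print("reply:", gw.inbound(Packet("203.0.113.7", 443, "198.51.100.1", out.sport)))
    print("probe on same port from 9.9.9.9:",
          gw.inbound(Packet("9.9.9.9", 443, "198.51.100.1", out.sport)))
    print("direct to inside host:", gw.inbound(Packet("9.9.9.9", 1234, "192.168.50.5", 22)))
```

Note what this does and does not show: the drop of the unsolicited probe depends on the gateway keeping per-flow state and filtering on the remote endpoint, which is the same mechanism a stateful firewall uses. A NAT that maps ports without that filtering (full-cone) would deliver the probe on the mapped port, so the protection comes from the state table, not from the address rewriting itself.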
-
Re:Words without actions are meaningless
Dont correct people if its just gonna make you look like an ignorant ass.
http://www.cisco.com/c/en/us/s...
Q. What is NAT?
A. Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, before packets are forwarded to another network.
As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.
-
Re:Security vendors and malware detection ..
Like rowhammer, these are the serious type of attacks we should be aware of. Phishing is because people are stupid; you can't fix stupidity.
-
Patch breaks Cisco Anyconnect VPN client too
Cisco opened a priority 1 case with Microsoft yesterday as soon as we found out about this issue. We are continuing to escalate this issue with Microsoft for a resolution timeframe. We recommend that all customers open their own cases with Microsoft since the ultimate fix will need to come from them. You can feel free to reference Cisco's case # which is 115021112390273 in order to expedite having your ticket properly triaged by their support team.
-
Re:Incidentally...
Here's the white paper for Meraki's implementation of this feature (they call it "Air Marshall").
Go to Page 8, and Meraki's "Containment" protocol shows that they flood the non-approved hotspot, overloading their ability to function. They even note at the bottom of the page that doing this may put the user in violation of FCC regs, and that containment should only be done "in your airspace".
If you go into it, they regard it as a feature implemented so that "your" clients don't "accidentally" communicate with a "rogue" WiFi access point. In a corporate environment that has a prohibition on non-approved wireless communications, this makes sense. But the hotels are using this to force clients from using a legal alternative to their offered service. It seems you should only turn on this feature if you are inside a non-public building, and one that will not leak outside of the building.
-
ABSOLUTELY: Hosts work here... apk
I populate my custom hosts file via 12 reliable security community sources & articles + posts like yours (thanks) via APK Hosts File Engine 9.0++ 32/64-bit -> http://start64.com/index.php?o... to get more speed, security, reliability online & more (details shown in link as to those benefits specifically are enumerated there in that link).
* Courtesy "yours truly", 100% free & hosted + recommended by the BEST ( MalwareBytes ), on the planet per this very recent test of efficacy http://www.av-test.org/en/news/news-single-view/17-software-packages-in-a-repair-performance-test-after-malware-attacks/ on their website here -> http://hosts-file.net/?s=Downl...
Enjoy... & kudos to you for having the good sense to use hosts files where they apply (TONS of places for more speed, security, & reliability online) AND your pointing out the article source which has MORE DATA on blocking this malwares' C&C servers etc., here -> http://blogs.cisco.com/securit... specifically/for your & others' reference!
APK
P.S.=> IMPORTANT: ANOTHER EXCELLENT SOURCE (vs. CryptoLocker that's FAR MORE COMPREHENSIVE) -> http://garwarner.blogspot.com/... (Gar Warner's excellent - He posts here & did once, hence how I obtained his excellent works' analysis...)... apk
-
There's more in the source article... apk
See subject: For specific payload + C&C Servers for cryptowall here -> http://blogs.cisco.com/securit...
* Enjoy...
APK
P.S.=> Gotta love the source articles & the folks producing the data for custom hosts files for blocking these malwares... apk
-
Re: OMG Jabber
Yeah, rebellious stuff sold by upstarts like Cisco. Good chance they have done unified communications from Cisco that comes with jabber on the desktops.
-
Re:Like hell I'd allow an iPhone on my network
I've been using Meraki MDM for a bit over a year now for managing my own devices, and have been quite pleased so far.
Sadly about a year back Cisco acquired them so there have been some changes in pricing and scope, but the free standard version is still available even if slightly hidden (most 'try now' links go to the enterprise signup page)
It now manages Cisco APs, Cisco switches, MDM, and a bit more random stuff.
Their main page is:
https://meraki.cisco.com/
MDM specific info is at:
https://meraki.cisco.com/solut...
Standard version signup is at:
https://meraki.cisco.com/form/...
Note that they now offer two versions, standard and enterprise. Feature wise they are pretty identical except for technical support.
Standard is free for up to 50 devices, then device 51 and after will run you $1/device/month.
I've no idea the pricing details on enterprise, other than the 30 day trial involves them sending you an access point that works with it. I assume even device #1 has a monthly cost.
-
If you run Spiceworks, their latest major-version provides basic access to MDM for free through IBM's MaaS360.
They have a free version that adamantly doesn't have near enough features, and a paid version that is $3/device/month.
The paid version has all the features of IBM's branded version, but is a little cheaper per device.
http://www.spiceworks.com/free...
-
If you want free and DIY, check out the "iPhone Configuration Utility" (mac/win versions available from apple) that lets you create your own policy files - but you need to get them onto each iPhone "manually".
By manual this can be as easy as an email attachment or wifi-portal webpage download or something.
For devices you purchase and allocate to staff this is usually fine, but BYOD can be a problem without incentives for the user to install the profile themselves.
I used this method at work since I only had two profiles available then.
To get on the wifi network you needed to install our wifi profile, which grants access to the network and then enforces the network policy.
They didn't HAVE to install this policy, but then no wifi access at all.
I have a second profile to setup Cisco VPN client settings for users with VPN access, but my profile is more akin to a .PCF config (shared secret and IP stuff users don't need to worry about) and nothing else, so it just saves some typing for them. Not much arm twisting needed here.
http://theiphonewiki.com/wiki/...
(Download links at the bottom of this wiki, or just use Google)
-
Sadly all other MDM platforms I evaluated over a year ago either no longer exist or are in the 'rather expensive' category.
The list I used at the time for the higher end providers was
http://www.enterpriseios.com/w...
I found 2-3 good gems in that list at the time (Meraki and MaaS360/Spiceworks being the best priced then)
Might still be worth a look for you.
-
General Counsel's Blog
Cisco's General Counsel has a blog on the subject.
From another article:
Arista was founded by former Cisco employees, many of whom are named inventors on Cisco's networking patents. Among others, Arista's: 1) founders, 2) President and CEO, 3) Chief Development Officer, 4) Chief Technology Officer, 5) Senior Vice President for Customer Engineering, 6) Vice President of Business Alliances, 7) former Vice President for Global Operations and Marketing, 8) Vice President of Systems Engineering and Technology Marketing, 9) Vice President of Hardware Engineering, 10) Vice President of Software Engineering, and 11) Vice President of Manufacturing and Platform Engineering all were employed by Cisco prior to joining Arista. Moreover, four out of the seven members of Arista's Board of Directors were previously employed by Cisco.
-
Re:Dongle Bells!
If you're studying for the entry-level Cisco certifications, you can use older routers and switches in your hardware lab. These require a rolled cable for the console.
-
Cisco firewall for filtering malware email
The log matches a Cisco firewall attempting to block malware and such being sent out.
It replaces all unknown / unsupported SMTP commands with XXXXXX.
-
How to Detect If This Happens to Me?
From the article:
A WiFi monitoring system installed at the Gaylord Opryland would target access points with de-authentication packets, disconnecting users so that their browsing was interrupted.
Looks like 802.11w (included in the 802.11-2012 maintenance release of the 802.11 standard) might have a way to make you immune to deauthentication attacks.
Here is Cisco's documentation on it back when it was still proprietary to them.
Reportedly Win8 includes it and so do recent Linux and BSD kernels. But OSX may not.
-
Re:Jamming unlicensed spectrum is illegal?
As much as I dislike Marriott's practice here, this is clearly outside the scope of the FCC's regulatory powers and as far as I know isn't even in violation of their own regulations. First of all, WiFi operates on UNREGULATED spectrum, which means anyone can use it, and anyone must accept interference from other users.
Not quite true, the ISM bands are Unlicensed bands, not unregulated. In order to sell equipment used to transmit on these bands, the systems must be type approved. Part of this type approval process includes ensuring that the equipment in question will not cause undue interference to other users on the band. To me, sending rogue de-auth packets constitutes interference.
In Meraki's Air Marshal whitepaper, they explicitly state on page 8 that unauthorized containment is prosecutable by law (subject to the FCC's Communications Act of 1934, Section 333, 'Willful or Malicious Interference').
I actually had this particular issue affect me. As a volunteer, I operate a community-wide network, including a widespread wifi network, at a retreat centre high in the mountains of WA. At this time, there is a significant mine remediation project going on in our valley, so we have leased out several buildings to the construction companies, who set up their own Meraki system. Unfortunately, they enabled Air Marshal, which then went on to attack our wireless network. Despite running WPA-Enterprise on our network, it was still successful in attacking our networks, and rendering them nearly useless. In the end, we had to flex our muscles as the landlord to get the feature disabled.
In my mind, the ability to attack adjacent networks should be illegal, and Cisco and the others should not be permitted to sell this technology to the general public. Rather the systems should simply alert on the presence of other wifi networks, and assist in locating them. Also, the wifi standards should really be updated to fix this type of vulnerability... in a WPA-Enterprise environment, clients should only respond to a de-auth packet encrypted/signed with the session key between the client and the AP it's connected to.
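An added example, written for this archive and not taken from either comment above nor from Cisco or Meraki: a small passive detector in Python for the deauthentication behaviour the "How to Detect If This Happens to Me?" comment asks about, which also checks the property the comment above wants, since 802.11w (PMF) already protects unicast deauth/disassoc frames under the pairwise session key and a protected client drops unsigned ones. The code parses the fixed 802.11 management-frame header, flags deauth/disassoc frames that arrive without the Protected Frame bit on a BSSID the operator has listed as PMF-enabled, flags broadcast deauths, and flags bursts above a per-BSSID rate within a sliding window. The BSSID and client MAC addresses, the PMF BSSID list, the timestamps and the frame bytes are all constructed for the example; a real capture would need the radiotap/pcap framing stripped first.

```python
"""Passive 802.11 deauth/disassoc monitor over a constructed capture (added example)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

MGMT_TYPE = 0            # frame-control type field value for management frames
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
PROTECTED_FLAG = 0x40    # "Protected Frame" bit in the second frame-control byte
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    ts: float
    subtype: int
    protected: bool       # set on 802.11w-protected unicast management frames
    receiver: str
    transmitter: str
    bssid: str
    reason: Optional[int]  # only readable on unprotected deauth/disassoc frames


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(ts: float, raw: bytes) -> Optional[MgmtFrame]:
    """Parse the 24-byte 802.11 header; return None for non-management frames."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = fc0 >> 4
    protected = bool(fc1 & PROTECTED_FLAG)
    reason = None
    # On a protected frame the body is encrypted, so the reason code is not in the clear.
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and not protected and len(raw) >= 26:
        reason = int.from_bytes(raw[24:26], "little")
    return MgmtFrame(ts, subtype, protected,
                     _mac(raw[4:10]), _mac(raw[10:16]), _mac(raw[16:22]), reason)


class DeauthMonitor:
    """Emits (kind, message) alerts for suspicious deauth/disassoc traffic."""

    def __init__(self, pmf_bssids, window_s: float = 1.0, threshold: int = 10):
        self.pmf_bssids = set(pmf_bssids)   # BSSIDs the operator knows run 802.11w
        self.window_s = window_s
        self.threshold = threshold
        self._recent = defaultdict(deque)   # bssid -> timestamps inside the window
        self._flooding = set()              # bssids already alerted, to avoid repeats

    def observe(self, f: MgmtFrame) -> List[Tuple[str, str]]:
        alerts = []
        if f.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return alerts
        # A PMF AP never sends an unprotected unicast deauth: treat it as forged.
        if f.bssid in self.pmf_bssids and not f.protected:
            alerts.append(("unprotected_pmf",
                           f"unprotected deauth/disassoc claiming PMF BSSID {f.bssid}"))
        # Heuristic: broadcast deauths are rare in normal operation.
        if f.receiver == BROADCAST:
            alerts.append(("broadcast", f"broadcast deauth from {f.transmitter}"))
        q = self._recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.threshold and f.bssid not in self._flooding:
            self._flooding.add(f.bssid)
            alerts.append(("flood", f"{len(q)} deauth/disassoc frames on {f.bssid} "
                                    f"within {self.window_s}s"))
        elif len(q) <= self.threshold:
            self._flooding.discard(f.bssid)
        return alerts


def analyse(capture, pmf_bssids, window_s=1.0, threshold=10) -> Counter:
    """Run the monitor over (timestamp, raw_frame) pairs; count alerts by kind."""
    mon = DeauthMonitor(pmf_bssids, window_s, threshold)
    counts = Counter()
    for ts, raw in capture:
        f = parse_mgmt(ts, raw)
        if f is not None:
            for kind, _msg in mon.observe(f):
                counts[kind] += 1
    return counts


# Constructed sample capture: AP aa:bb:cc:dd:ee:01 (PMF), AP ...:02 (no PMF), client 02:00:00:00:00:01.
AP_PMF, AP_PLAIN, CLIENT = "aabbccddee01", "aabbccddee02", "020000000001"
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" + AP_PMF + AP_PMF + "0000")
DEAUTH_PROTECTED = bytes.fromhex("c040" "0000" + CLIENT + AP_PMF + AP_PMF + "0000" "0300")
DEAUTH_PLAIN_AP = bytes.fromhex("c000" "0000" + CLIENT + AP_PLAIN + AP_PLAIN + "0000" "0300")
DEAUTH_FORGED = bytes.fromhex("c000" "0000" + CLIENT + AP_PMF + AP_PMF + "0000" "0700")
DEAUTH_FORGED_BCAST = bytes.fromhex("c000" "0000" "ffffffffffff" + AP_PMF + AP_PMF + "0000" "0700")

SAMPLE_CAPTURE = ([(0.0, BEACON), (0.1, DEAUTH_PROTECTED), (0.2, DEAUTH_PLAIN_AP)]
                  + [(1.0 + i * 0.01, DEAUTH_FORGED) for i in range(30)]
                  + [(1.5, DEAUTH_FORGED_BCAST)])


def run_sample() -> Counter:
    return analyse(SAMPLE_CAPTURE, pmf_bssids={"aa:bb:cc:dd:ee:01"})


if __name__ == "__main__":
    print(dict(run_sample()))
```

The PMF check is the one that actually distinguishes a forged frame from a legitimate one: the rate and broadcast checks only say that something unusual is happening, while an unprotected deauth that names a BSSID known to run 802.11w cannot have come from that AP.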
-
Re:Linux, cryptography, HTML and JavaScript.
You showed that you have no clue about programming, computer and network security or how computers actually work and you rip on someone else that is more intelligent and educated than you?
When I worked at Google in 2008, I had to demonstrate to a software engineer how to turn on his computer because his intelligence and education never prepared him for the real world. Most software engineers are really clueless when it comes to working with hardware.
You should go get another AA to boost your cred.
I'm working on the CompTIA Security+ certification for my government job as a security support specialist. After that I'll get my ITIL Foundation certification since I'm working for an ITIL organization. The next step after that is the Cisco Certified Network Associate (CCNA) and the CCNA Security certifications. Just because I have two associate degrees doesn't mean that my education is over.
-
Wrong Slogan
It's the Internet of Everything. Get with the program.
-
Re:About Time The Market Got Hot
What disingenuous cunt you are!
https://www.google.com/search?...
First result: http://www.cisco.com/web/partn... -- That title is, specifically, a Cisco certification.
Second result: The reference to the sheriff's office you mentioned.
Third result: http://www.simplyhired.com/sea... -- 31 jobs looking specifically for that title.
The rest of the results on the first page of google results bring you to a host of job sites, to listings that seem to be hiring technical people - most with an emphasis on networking, which I can only assume means they're looking specifically for people with the aforementioned Cisco certification.
So are you admitting that you - with all your big opinions about Computer Science and college degrees - don't know how to use Google? Or are you admitting that you're trying (and failing) to make yourself look smart by talking shit about someone else?
Maybe your 15 years would be better spent listening, instead of sharing your ignorant-ass, retarded opinions with the rest of the world?
-
Re:More like a fog ...
I'd avoid using Fog Computing because Cisco already claimed that phrase.