  Show Posts
1  Ethical Hacking Discussions and Related Certifications / Hardware / Re: IPS Suggestions on: July 15, 2009, 06:35:11 PM
We're currently a small shop and we've been running a large external Intrusion Prevention system by ISS. We're currently a small to medium sized company and we've run into issues with the IPS before. Due to it being external we've had an issue with the way our firewalls are set up running traffic through it. I'm also looking to upgrade my firewall and wanted to know if anyone has had any experience with the Cisco IPS module that comes installed in the ASA. I've taken a few demos of the management and wanted to know if anyone's used it before or has any suggestions. I think for the size of our organization this is something that would fit perfectly. Any thoughts?


The Cisco IPS modules for the ASAs are pretty good actually.  The difference between this setup and another solution that offers "everything" in a box is that you have dedicated resources built into the card which helps A LOT on performance.  Automatic updates can be done.  The ability to prevent IP Telephony attacks can be done.

Having an IPS in front of a perimeter firewall doesn't make much sense as it's analyzing every packet and payload rather than allowing a firewall to perform analysis based on access rules, inspection engines, threat detection, and possibly VPN connections.

An IDS in front is ok though for forensic evidence collection as long as it's not directly inline.  ISS makes good products though.
2  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Need security, but can't use it? on: July 15, 2009, 06:19:52 PM
Does the A/V equipment need access to the Internet?  What about the internal network?  Just wondering about that.  Also, are you just running APs autonomously, or is it in a Controller environment?

I would make sure access to the network is done within a DMZ off the firewall.  From there, they won't have access to the internal network without access rules allowing that.  If they're connecting onto a switch, you could always implement PVLANs to restrict interactions with any other servers there.

If you need it to access internal network resources, you could set up rules through Modular Policy Framework (Cisco ASAs) which is much more granular than ACLs.

3  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Newbie Lab setup! on: June 20, 2009, 05:45:15 AM
You could try some of the following attacks:
- ARP spoofing
- VLAN hopping
- Double tag VLAN hopping
- MAC overflow attack
- Spanning Tree attack

Look at the Allied Telesis website for attack info.
From the main page choose "Solutions", and then "Lan Security". In the drop down menu you will find a summary of the above listed attacks. This is something I still want to look at myself as well. Dunno yet what tools to use and I have no time at the moment. Too bad haha.

A great tool that focuses on these attacks is called Yersinia.  Here's a list of some of the attacks it can do:

Spanning Tree Protocol (STP)
Cisco Discovery Protocol (CDP)
Dynamic Trunking Protocol (DTP)
Dynamic Host Configuration Protocol (DHCP)
Hot Standby Router Protocol (HSRP)
IEEE 802.1Q
IEEE 802.1X
Inter-Switch Link Protocol (ISL)
VLAN Trunking Protocol (VTP)

You can also use Gobbler for DoS & DHCP starvation attacks against a switch. 

VLAN hopping was considered a "dead" attack that was almost a waste until IP Telephony converged together with an IP Network.  Now, there are several VOIP tools out there that take advantage of this because now this attack has re-emerged into a crippling one.  You could use VoIP Hopper for this.  Do a search for "vlan hopping tool" to find even more tools.

On the router, you could easily implement IOS IPS to have a fully-functional Cisco IPS on the router.  You could also set up IOS F/W to simulate an ASA and try to get past that.  There's much more you could do but it requires deeper understanding of routers which may take you down the path of network engineering.
4  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Putting your removable storage policies to the test, ideas and solutions please. on: June 20, 2009, 05:31:13 AM
Data leakage is a huge concern in various vertical markets such as finance, healthcare, and public companies.  The way to combat that while teaching users about the importance of it is found in solutions that focus on Endpoint Security.

There are several EPS vendors out there although I'm mostly familiar with Cisco Security Agent.  Apart from focusing on 0-day protection, it allows you to enforce acceptable use policies to end users such as preventing offloading info onto USB devices, screen capture extraction, data loss prevention (from tagging), and even data extraction through email (with Ironport email security also).

And when a policy is violated, a pop-up occurs which teaches the end user that this specific function is in violation of said policy, and may even require them to input info for auditing purposes.

5  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Article for school. on: June 20, 2009, 05:18:42 AM
Hello all. I'm writing an article about securing wireless in a HIPAA environment. I have a few topics that I'm going to talk about, let me know if I need to add anything.

-Types of attacks, and why you should secure it in a HIPAA environment.
-Roaming Security.
-Types of Encryption.
-RADIUS
-TLS
-PEAP
-IPSec
-Certificates/Authentication.

Anything else I should add? I'm just brainstorming here. Thanks in advance.


I would add that in order to make a relevant case for WLAN security and HIPAA, you need to show how each security feature maps to HIPAA compliancy.  Otherwise, you're just talking WLAN security.

How about Network Admission Control (NAC) posture assessment and profiling for WLAN clients/equipment?  This is huge in Healthcare.  Also, what about monitoring APs specifically designed to track rogue attacks?

IPsec??  Not seeing how adding this overhead provides more security since it's primarily used now for site-2-site VPNs and remote-access VPNs.  Dump this.

TLS, PEAP, and Certificates are really just authentication means for 802.1x WLAN deployment, which could simply be covered in a paragraph or two.  More focus should be on 802.1x for AAA services than the means to authenticate.

I'm assuming you're going to be focusing on a Controller-based Architecture, right?  If so, it would be beneficial to talk about many of the security features with the Controller which also adds other Layer 2 and 3 security measures depending on Controller vendor.
6  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Home Lab Opinions on: February 25, 2009, 09:02:24 AM
When (if) my funds improve I'd also like to expand outside of the virtual lab with some Cisco switching/routing hardware and some wireless to try some of the blended attack scenarios outlined in the pentest perfect storm series.

That would be a good thing because there's so many security countermeasures you could do JUST with switches and routers.  In fact you could nix maybe 80+% of attacks through this!  Yup. 

And from the wireless side, it's pretty much hopeless to get into the network with 802.11n, NAC, IPS, MARS, and ACS integration.  Heck, I'd like to see them get through 802.11n using AES personal and CCX 5 cards (most Intel cards).  They provide a frame protection from AP attacks.  Unless of course the engineer puts in incredibly weak passwords to begin with like "cisco" or "password". 
7  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Home Lab Opinions on: February 25, 2009, 08:58:01 AM
That's a sweet deal then.  If you could find another with a little more RAM, you would be set because you'll want to allocate more than 1GB per image for functionality.

Not only that, but this could also be a platform for you to either get your RHCE or MCSE if you want which is why I suggested more RAM.  Either way, it's a sweet deal.

Just went out and bought a new server with 16GB of RAM (< to 64GB!) and with 2 Quad-core processors.  It cost around $1500 but I have different network images that work for customer demos or even training.  Thought about also using it to do a deeper dive into Red Hat (very familiar already) and maybe even get my RHCE.  Or I can just stick with security images like NAC, ACS, MARS, and CSA.  Been also interested in voice too and should look into Cisco Call Mgr, Unity, Presence, and other ones for solid VOIP familiarity, and assessments.

Damn, not sure where I'm gonna find the time for all this!  Haha.  Unless I get laid off due to all these cutbacks everyone.  
8  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Cisco Security on: February 25, 2009, 08:46:18 AM
Cisco just had ACS 5.0 come out which is a complete overhaul for AAA services.  What used to look like Windows 3.1 now looks chic and slick.  Much more functionality too.

Also waiting to get my hands on their new Spam & Virus Blocker product which was designed by Ironport for ALL Cisco partners.  It's supposed to have a 99% accuracy catch rate and -1% false positive rate which is shocking!  Hopefully we'll get one within a month to play with before selling.  Blows Barracuda away!

9  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Setting Up Lab on: February 25, 2009, 08:32:53 AM
The thing with pentesting is that you need SOMETHING to assess whether it's a service or network.  What I mean for service is whether it's a web server, database server, data center, web services, or even an IP voice solution.  By assessing the network, I mean attempting to assess targets through a real switch, real router, and multiple other security controls.

Hence my point is that you'll need to either team up with someone who knows how to configure servers, or a network guy unless you want to learn either one (or both!).  Not knowing how to do one at least leaves you at a major disadvantage I feel.

10  Ethical Hacking Discussions and Related Certifications / Hardware / Re: Home Lab Opinions on: February 25, 2009, 08:23:08 AM

What kind of images are you planning to run on it?  Sounds like fun. 
11  Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SQL Injection 201: Hacking the Application Firewall on: February 12, 2009, 11:36:04 PM

Excellent post Simon!  You're right that most web app f/w's work off blacklists which doesn't allow much room for proactive thinking.  Although you can enter in your custom scripts, most wouldn't know how to do that nor have the time to look into that.

12  Ethical Hacking Discussions and Related Certifications / Physical Security / Re: IP Surveillance & network integration on: February 12, 2009, 11:19:10 PM
Pretty cool vid.  The NERV truck was high-speed as hell! 

13  Ethical Hacking Discussions and Related Certifications / GCIH - GIAC Certified Incident Handler / Re: Should I go for GCIH after CEH? on: February 12, 2009, 11:14:05 PM
GCIH is primarily focused on Incident Handling which is a solid subject to focus on, although you may be better off focusing on GPEN (Network pentesting) and GWAPT (Web Application Pentesting) which is more of what you're looking for.

Now of course most of these tracks assume little to no security to pull these off so I would also suggest strong familiarity with security infrastructure that supersedes a simple firewall and IPS.  As part of PCI compliance now (since 7/08), it requires a web app firewall to address top 10 OWASP vulnerabilities which can also focus on web services security.  Plus there's endpoint security, network admission control for posture assessment, email & web content filtering, network security management (event correlation & mitigation), and more.  Many networks are bound to have at least one of these, if not more.

14  Ethical Hacking Discussions and Related Certifications / Physical Security / IP Surveillance & network integration on: February 12, 2009, 11:01:42 PM
Have any of you had a chance to see some of the latest and greatest in IP Surveillance?  Had a chance to see it this week as it was integrated directly into a data network running voice systems. 

Imagine being able to access it remotely across sites?  Imagine being able to access it through your mobile phone and see video feeds?  Imagine having IP Surveillance, voice, data, video, and mobility on the same IP network?  Very cool stuff.

Saw the Cisco NERV truck with some cool solutions that really took physical security to the next level.  Have any of you seen some of this new technology?

15  Resources / Career Central / Re: Am I a lost cause?... (need some pro help here). on: January 31, 2009, 04:47:26 AM
Silxp gave a great response.  You said that you have 24 months to learn?  Wow!  You should be able to knock out the RHCE, RHCSS, CCSP, and either CEPT or LPT for a position into the security realm.  Once there, then go forth and conquer!

As for the possible bankruptcy, that will kill your clearance even though they "say" it's a case-by-case deal.  Had that problem 5 years ago and couldn't even get a secret clearance for a position in a hotzone! 

Just as silxp mentioned, there's so much to learn and consider because this is an ever changing field that requires solid understanding of multiple vendor products, architectures, varied solutions, and tons more which requires time.


**Easiest way to get into pentesting?  Pick up a hardware vendor cert that has several security solutions (like CCSP) but REALLY know how to implement them and not just PASS a test, work for a partner that implements those solutions in a small state or one with less population, and begin offering FREE network & security assessments to qualify security sales.  This option will most likely be a drop in salary for the first year or two, but will give you an opportunity to gain some experience along with how security controls work.  I've seen a couple of people do this not even realizing it!  LOL  And they had no prior experience, nor degree.  From there they jumped to another partner for a better position doing the same, but for better pay obviously.  Soon they'll have enough knowledge and experience to do pentesting full-time along with a deep understanding of security architectures too. 

Outside of government work, it's ALL about sales.  Especially engineers. 