Labor Day reflections

31 Aug, 2006

Labor Day weekend is one of the holidays that signal change. Summer activities are over, kids are back in school (or college in my kids’ case), football is in the air (Husker football, most importantly) and my focus turns to the stretch to the end of the year. As a teen I spent most of my summers water skiing, scuba diving and sailing on Lake McConaughy at Ogallala, Nebraska. For a number of years Labor Day has been the time for the big sailboat regatta on McConaughy. This weekend I’ll be heading out of Colorado and cruising past “Big Mac” as I go to visit with family in eastern Nebraska.

One of the changes for me this summer was starting TheConvergingNetwork blog. I have to admit, I’ve really come to enjoy blogging. This blog has been up for about six weeks and already it has become a part of me. I am most amazed at how quickly the number of subscribers has grown. Though it’s not the reason I blog, I’m pretty shocked at the number of subscribers already. All of you are phenomenal and I am humbled you would follow along as I seek to better understand the security, networking and computing markets and technologies. I’ve even managed to raise a few hackles along the way so I guess that means I’m stretching my own thinking here and there too.

I really enjoy the various friends and acquaintances blogging brings you, both online and in person, controversial and supportive (and sometimes all at the same time). Friends like Alan Shimel, Mike Rothman, Michael Farnum, Brad Feld, and Chris Hoff; thanks for welcoming me to the blogging community. Whether you agree with me or not, keep it coming! The engagement is invigorating and I believe it helps move the ball downfield for everyone’s benefit.

Recently Alan Shimel asked me to join him as co-host of the StillSecure, After All These Years podcast and I’m having a blast doing it. I told Alan the other day that podcasting is like when you were a kid and your dad brought home the family’s first tape recorder. Then you sneak down to the basement and secretly record your own version of a radio show. Next you listen to it and laugh at how funny your recorded voice sounds.

To top that, now Alan and I get to laugh at ourselves, have a good time discussing security news events, and interview real guests who have some really insightful ideas to share. I’m very grateful to all the guests that have taken an evening out of their week to join us for some security jousting. We are rapidly coming up on 2,000 podcast subscribers (actually, I think we are already there) which is really amazing to me. We both owe a debt of gratitude to our guests and to our listeners who take 45 minutes out of their week to listen to what’s happening “this week in security”. Soon we will be adding various music elements that I’ve written and recorded so that will be a fun milestone for me personally. We are always looking to keep the podcast show fresh so please keep those “cards and letters coming” with your ideas for the show.

Before I sign off on this entry in the blog I would like to ask for your support for cancer research. Various forms of cancer have touched many people I know, most importantly my wife who was diagnosed with stage 4 breast cancer 14 months ago. Thanks to the latest breast cancer research, very supportive family, friends and co-workers, and countless prayers from literally all over the world, my “miracle girl” Mary Ellen has been cancer free since January of this year. I’m certain there’s someone near you in your life touched by some type of cancer.

Targeted cancer treatments are relatively new on the scene but they are beginning to show up and can make a big difference. It was one of these drugs that helped Mary Ellen achieve such tremendous results. Progress in cancer research and treatment has accelerated significantly just in the past few years. Whether it is the Susan G. Komen breast cancer foundation, the Y-ME national breast cancer organization, the American Cancer Society or simply lending a hand to someone with cancer, any type of effort will make a difference. My thoughts and prayers go to those around my life and yours who are battling cancer.

Enjoy your Labor Day holiday weekend and please be safe in your travels. And oh yes, Phill did get his computer back together in one piece. He’s showing me up again, now with his new RAID 0 hard disk setup. I guess it’s time to upgrade again.


BOB’s under attack

30 Aug, 2006

Microsoft’s announcement of its expanded relationship with Citrix is very interesting. Together they will jointly develop and market a Citrix-branded branch office box (BOB).

The quotes from Gartner are very telling about this convergence of networking and security. The competition and overlap of markets continues to heat up.

“Cisco and Microsoft have avoided direct competition until recently, but the merging of networking, security, storage and applications made this confrontation inevitable.

“Microsoft is launching new networking capabilities within Vista and the ‘Longhorn’ version of Windows Server, and is pursuing partners in the voice arena, for example Nortel.”

If BOB is a new term to you, BOBs commonly consist of a mix of some of the following components all on a single appliance or platform:
* multi-function router
* WAN/networking acceleration
* firewall
* VoIP/SIP gateway
* email
* printing
* file serving and caching

The Microsoft/Citrix BOB plans to deliver Windows Server 2003 Release 2 and Microsoft’s Internet Security and Acceleration (ISA) server on Citrix’s WANScaler WAN optimization hardware. The box will be sold under the Citrix brand but Microsoft is committing marketing dollars to the product. (Understandable given Microsoft’s software is on it.) The product is slated for late 2007 so we’ll have to wait and see what pricing and product models will be introduced.

Citrix has a very loyal following in the mid-market and enterprise market, with good acceleration technology for remote offices. If the Microsoft software on a Citrix platform can deliver lower-cost remote management, together they stand a chance at making a run at Cisco’s market.


Thanks for making my point

29 Aug, 2006

Ah, Chris… the sleeping giant has awoken! lol. Rothman was right, you do love big iron. You gotta love it when a hardware guy says “it’s not just about the hardware” to a software guy. You win, I agree.

Okay, seriously. I’ll give you your due about what advanced hardware architectures can do for carrier/enterprise UTMs, even though I’m still smarting from early claims some vendors made of how blazingly fast Snort could run on specialized hardware. (Frankly it makes a ton more sense to blade-ize multiple security apps on a scalable hardware frame than to stick Snort on every blade and turn on all the signatures.) Yes, there is a tier of problems for which specialized hardware (yes, like Crossbeam) is particularly well suited. Solving the UTM problem for carriers and large enterprises is a challenging one but not everyone operates those kinds of networks. (I believe the argument of multiple markets for UTM has been debated before.)

Now, back to the software. Is a UTM really a bunch of security apps thrown onto one box with a nice, pretty GUI slapped on? (Now, don’t go getting all personal on me – I’m not making any blanket condemnation of Crossbeam or X-Series. I’d love to see how you’ve approached the software problem.) So many UTMs are a reduced subset of each of their respective modules; a little bit of IDS/IPS, some filtering, etc. Particularly in the SMB market. Then put that on overpriced OTS hardware with a shiny bezel and charge a nice price tag.

The harder and more interesting problem is how we make these security apps intelligently cooperate and interoperate. Integrated logging and event management, intelligent cross-module threat correlation and response, the ability to dynamically plug in new security apps, and IDS/IPS becoming part of the post-connect NAC solution is a start. Now that’s an interesting UTM. Layer on some in-depth centralized management for monitoring, configuration management and real reporting, tone down the markups on OTS hardware and we’re talking something interesting to the mid-market and SMB service offerings. Forget the set-and-forget low-end SMBs. That’s not interesting. The value of bringing multiple security apps onto one platform is what we can do when they work together. That’s the challenge for UTM; delivering on “unified”, not just centralized. If we’re going to debate, let’s talk about all the catching up the software needs to do.

That said, these should be happy times in the UTM market with ISS fully distracted trying to figure out why IBM bought them, who will still have jobs and if IBM wants to keep the ISS products or not. At least now I know you read my blog. 🙂


Et tu, Brute?

28 Aug, 2006

On last week’s podcast #12 with guest Bobby Dominguez we delved into the issues around threats posed by insiders within the organization. Coincidentally, the Secret Service completed a study looking into the specifics of this issue.

Rather than just the typical percentages every study cites, this one had some interesting twists. Here are some interesting findings: the Secret Service study concluded that perpetrators’ behavior changed for the worse before the incident occurred in 80% of the cases. A very large majority (92%) had experienced some negative work-related event prior to the incident occurring. 86% were in technical job positions; 38% of them were system administrators, 21% were programmers, 14% were engineers and 14% were IT specialists (I assume this means desktop support people). Users’ computer accounts, backdoor accounts and shared accounts were the most common means of entry, with the accounts accessed remotely in most situations. InfoWorld did a nice article with some specific examples of insider incidents.

What’s telling about this study is that it’s the personnel who have the easiest means, and who we have to trust with access to the keys of the kingdom, that pose the greatest risk in many cases. Makes sense logically. Kind of brings new light to the idea of profiling, eh? Frankly, I’ve been fortunate to work with some very loyal and talented technical staff. Nearly all of them I would hire again if I had the opportunity. While security incidents occur, very few were from these insiders, but they have happened. I even had one software developer attempt to walk out the door with source code for the product on his last day. It does happen.

Given this data though, what would be good actions to take? Look for safeguards: checks in processes that bring accountability commensurate with the responsibilities of the position. One of the worst situations you could experience would be to falsely accuse someone. Having that audit trail of changes, processes that require preauthorization, and oversight not only protects your security but also protects the integrity of honest employees.


PCI for everybody – SMBs too

28 Aug, 2006

I was joined by Rick Dakin, President and Senior Security Strategist of Coalfire Systems, for an interview in IT Business Edge about Visa’s PCI.

Some of you may have already been through a PCI audit. For others one is scheduled or you are a small enough business that you fall under the auditing guidelines for SMB merchants. Maybe you don’t handle purchases through Visa transactions and it would seem PCI doesn’t apply to you.

While Visa PCI was initiated to audit larger credit card transaction handlers, I think PCI is especially valuable to smaller businesses. (Visa recently changed how merchants are classified and the requirements they need to meet.) If you don’t have a security person on staff or you are doing security as a portion of your “other job”, the PCI audit checklist is an extremely valuable guide to follow for network security. The basic PCI audit interview for SMBs and other audit questionnaires can be found at Visa’s site.

The audit is composed of twelve requirements:

* Requirement 1: Install and maintain a firewall configuration to protect data
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
* Requirement 3: Protect stored data
* Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
* Requirement 5: Use and regularly update anti-virus software
* Requirement 6: Develop and maintain secure systems and applications
* Requirement 7: Restrict access to data by business need-to-know
* Requirement 8: Assign a unique ID to each person with computer access
* Requirement 9: Restrict physical access to cardholder data
* Requirement 10: Track and monitor all access to network resources and cardholder data
* Requirement 11: Regularly test security systems and processes
* Requirement 12: Maintain a policy that addresses information security

If you look into it you’ll see that very few of these requirements are limited to cardholder data, and where they are, just replace “cardholder data” with customer, confidential or internal data.

Take a look at PCI. (Warning: self-promotion!) Here’s a StillSecure whitepaper on the topic too. I think you will find PCI very useful in any situation.


The pulse of NAC: TCG, NAP and CNAC

28 Aug, 2006

Joel Snyder of Opus One, a frequent speaker, Network World Test Alliance partner and expert on NAC, is getting the pulse of the NAC market. Joel recently appeared on our podcast #11 to discuss his definition of NAC and how others might approach understanding how it can aid in network security and compliance. Joel’s heading up the interoperability demonstration lab for NAC at the upcoming NYC Interop show on September 18-22.

There’s a lot more activity by vendors getting involved and supporting the TCG industry initiative and I think we’ll see this in New York. It’s most interesting to me which vendors Joel mentions in his article as being very active with Microsoft Longhorn: Aruba Wireless Networks, Avaya, Cisco, Enterasys, Extreme Networks, HP and Nortel, along with software from Lockdown, Microsoft and Trend Micro. My own company, StillSecure, is active in supporting NAP as well as TCG. Microsoft is working hard to make a strong statement with NAP and its support by other vendors.

On the other hand, that’s more difficult to say for Cisco. Key anti-virus vendors, Symantec and McAfee, are direct competitors, as is StillSecure and most of the other CNAC program partners. With Cisco’s transition in strategy to sell the vision, CNAC, but deliver it with Clean Access, it’s not likely the Cisco sales rep is going to lose account control by bringing in another competitive partner. Cisco customers tend to look at Cisco first and then look elsewhere when Clean Access doesn’t meet their requirements. More evidence of Cisco’s go-it-alone strategy. And frankly there’s a benefit to customers in that it strengthens TCG. Microsoft stands to be a winner in this way as well.

Cisco and Microsoft are to demonstrate in the coming days how their technologies can work cooperatively. Maybe that will show some promise of CNAC interoperability.


A walk-on part in the war

28 Aug, 2006

Okay, I can’t stand it. Even at the risk of brain damage I have to comment on this whole UTM, BoB, integration debate by friends Rothman, Hoff and Shimel. Yes, best of breed will continue to be utilized for point solutions, where less advanced or scalable solutions fear to tread. Uber hardware boxes may make it easier to deliver raw horsepower to the problem, but you still have to deal with the device’s placement within the network and consider what each UTM module needs in order to perform. Uber appliances like Chris Hoff’s Crossbeam bring new hardware architectures to the problem (which Alan seems to be so enamored by). Okay, so much for the nicey-nicey.

While useful, the problem isn’t solved just by throwing special uber hardware at it. We’ve seen pretty disappointing results doing this with IDS technologies by current non-ASIC IDS/IPS vendors. Yes, we need more scale, but OTS hardware is a very viable option. If you can pimp your laptop with a dual-core CPU and PCI Express in the low $1000’s, you can buy or configure a 1U rack mount box that will chew through almost any security software problem. Are you getting these new hardware architectures and the advantages they bring? It’s likely many network box manufacturers are updating their configurations with new OTS features now.

Better appliance hardware’s not the only solution to the customer’s problem (sorry Chris and my other hardware friends). They want solutions that bring needed value by intelligently identifying and communicating information events, taking action when specific security events occur, integrating the functions on the box for me, and making it manageable and easy. Will I need log aggregator software (on a separate box) to analyze the logs of the different parts of my UTM box? Even worse, what if I have multiple UTMs? Integrated doesn’t mean co-located businesses with a common receptionist. Yes, it needs a shiny GUI (well, at least a GUI anyway) but the functions really need to be integrated. And what if the customer wants to expand what the box can do? Make it run other network software. Our paradigm needs some changing.

Come on, if we keep running over the same old ground, what have we found? The same things I fear. We need some fresh thinking about UTMs or we run the risk of customers thinking the lunatics are on the grass, or something worse.

Network, Security

802.1X, open source it should be

26 Aug, 2006

With Meetinghouse and Funk getting gobbled up by Cisco and Juniper respectively, some are becoming concerned that standards-compliant 802.1X supplicants could become as uncommon as the Jedi after the clone wars. Certainly Cisco has signaled that possibility with their proprietary extensions to 802.1X and their withdrawal of Meetinghouse from TCG. This could be less of an issue with Juniper, who is still a strong supporter of TCG, but Funk’s assimilation into Juniper still makes many nervous enough for this to be of concern.

Microsoft fits into this picture given they have the most widely deployed supplicant in Windows. I think it’s less likely MS will go the way of the dark side on this one, as their supplicant needs to work with multiple network vendors’ gear. That could leave non-Windows OS devices out in the cold though, and that’s probably where the greatest concern is.

Enterprise Strategy Group has called on Cisco, Microsoft and Juniper to maintain standards-based 802.1X products versus taking the dark path of relying on proprietary extensions. While it’s not clear how ESG’s initiative (pdf) will actually get any formal participation from the network gear vendors, their heart is in the right place for giving needed attention to this issue. Jon Oltsik of ESG has blogged about this issue in the past.

Who’s left to fill in this void? This is a perfect case for open source. Open1x looks to be the leading open source 802.1X project as far as I’m concerned. Supported out of the University of Utah, Bryan Payne, Chris Hessing, Arunesh Mishra, Nick Petroni and Terry Simons are connected with the project. Open1x seems to have picked up some steam. It is also the basis for wire1x, another .edu project focused on wireless.

As most of you know, I’m a strong supporter of open source initiatives. Give it a try and let me know what you think. They have both a supplicant and an authenticator. Most importantly, give the Open1x development team your feedback. I sense The Force growing in this one.

Podcasts, Security

Weekly podcast #12 w/ Bobby Dominguez

24 Aug, 2006

I’m proud to announce our next installment of the StillSecure, After All These Years podcast #12, co-hosted by Alan Shimel and yours truly.

This week we interview Bobby Dominguez, director of corporate security and risk management at Sykes. I first met Bobby years ago during his days at Lycos. Bobby has hands-on and leadership experience in network security and has a wealth of knowledge to share. In our interview we focus on the threat within: various aspects of insider threats, from the disgruntled employee to the unsuspecting Typhoid Mary bot carrier. Bobby has some practical suggestions for anyone concerned about these threats.

In our This Week In Security segment, Alan and I discuss the controversy surrounding eEye’s early announcement of the latest Microsoft vulnerability, IBM’s purchase of ISS (see my earlier post about ISS X-Force) and the “fall on your sword” departure of AOL’s CTO due to their recent search data disclosure.

Our podcast subscriber count is over 1,000 now and I deeply thank all of you for taking the time to gain some valuable information from our guests, and listen to what two old security salts like Alan and me have to say about security. Please keep your feedback coming – we appreciate you very much.


And the winner is… X-Force?

24 Aug, 2006

Everyone is abuzz about the IBM purchase of ISS this week. $1.3 billion (that’s with a b) does get your attention. Most are waxing on about how this is really a purchase of the services business of ISS (pretty obvious) and how IBM doesn’t belong in the security hardware business. (They dumped their firewall business about five years ago.) Sourcefire and Qualys could easily be casualties at IBM as well.

There’s a side of this acquisition no one is talking about: X-Force. Why do I think they might be the real winner here? Let’s face it. In acquisitions, mature products get milked for their cash flow and leading-edge products usually get squashed in the process. As other security vendors have rushed to grab whatever limelight possible by blabbing about the latest vulnerability, X-Force often gets overlooked.

But IBM does great research and X-Force may find a real home at IBM. Let’s hope that IBM embraces X-Force and finds new and innovative ways to offer services through the talents of X-Force. Maybe that will shut down some of the self-serving vulnerability promotion of security vendors.