Got the NAC

I've been promoted! Instead of just blogging about NAC here on my Got The NAC blog, I have been asked to join a team of Juniper bloggers on the new Networking Now blog .

The new blog will have a much wider scope than my Got The NAC blog. We'll cover anything in networking and security. I'm glad that we're breaking down these artificial walls. Forget the alphabet soup of IDS, NAC, DLP, etc. It's all about providing a secure, reliable IT infrastructure for our customers and businesses.
The important issues go beyond any one technology.

Don't worry. I'm still technical and deeply involved in all the new technologies being developed at Juniper and around the industry. I'm just expanding my scope a little bit.

So please click over to the Networking Now blog and check out our new content over there. You can subscribe to just my posts but I hope that you'll enjoy posts from all the Juniper bloggers. Open your mind to some new perspectives. You'll be amazed at the insights the new perspectives bring.

If you're not growing, you're dying. Which one is it for you? In this video, I explain how Juniper is growing the next generation of engineering leaders. Tune in and get some ideas for your organization. Or comment and share your ideas and best practices.

 

 

Chris Hoff blogged yesterday about using TCG's standard IF-MAP protocol to connect security functions throughout the cloud. I couldn't agree more! That's exactly what IF-MAP is for: helping security systems share the information they have gathered. That's what I've been saying all along. Chris' idea to extend it to include virtualized security functions is a great one. I wonder if the virtualization folks are listening in.

 

Chris asks which vendors are supporting IF-MAP in their products. I have found that standards adoption follows the classic innovation adoption lifecycle. Innovators are the vendors and customers that have the vision and foresight to see where things must go. They are the first to create and adopt new technology. For IF-MAP, that group includes the folks who developed the IF-MAP spec and demonstrated implementations at Interop Vegas in April: ArcSight, Aruba Networks, Infoblox, Juniper Networks, Lumeta, and nSolutions. Next come Early Adopters, Early Majority, Late Majority, and Laggards. It takes at least a year for each stage: six months to turn prototypes into products and six months for the next generation of adopters to catch on. That's the timescale we've seen for the other TNC standards. So I expect to see Innovator vendors shipping products that implement IF-MAP in the next few months and Innovator customers deploying those products in the months after that.  Then will come Early Adopters and so on.

 

 

IF-MAP provides immediate benefits. False positives and false negatives are greatly reduced since sensors are now identity-aware. Fewer false positives and negatives reduces the cost and increases the benefit of monitoring IDS and SEIM systems. Automated response is another way to reduce costs. Reduced cost with stronger security will definitely draw some attention in today's economic climate! I expect that it will quickly pull this technology across the "chasm" from Early Adopters to Early Majority, who are looking for successful ideas but open to new things. However, we still have a few years before we get to that point.

I have spoken about IF-MAP and coordinated security at several conferences and I have seen tremendous interest among customers and vendors. I'm not at liberty to give out names but some very large vendors and customers are excited about IF-MAP. As soon as IF-MAP products start shipping, I'll announce it on my blog and link to them.

 

As Alan Shimel points out on his blog, the best way to increase the number of products that support IF-MAP is for customers to demand and buy those products. Vendors who are Innovators have the foresight and resources to lead the market. Early Adopter vendors are eager to lead but need to see customer demand before they can add features. Will you provide the customer demand needed to pull the next group of vendors along the adoption curve? If you're interested, start asking vendors about IF-MAP support and examine the first generation of IF-MAP products when they ship.

I recently returned from ISSE 2008 in Madrid, Spain. The conference highlighted some key differences between U.S. and European information security. Tune into this podcast and you'll get some food for thought: lessons that you may be able to apply in your own work.

 

Click here to listen.

This week, I’m blogging from RSA Europe in London. The conference is dedicated to Alan Turing, the great British cryptographer and early computer scientist. The folks at Bletchley Park teamed with a local hobbyist to bring an Enigma machine and other cryptographic machines to the conference. I had a great time playing with the Enigma.

 

 

Attendance at the show was down a bit from last year, probably due to the poor economy. Still, there was a good crowd for my talk on “NAC 2.0″ this morning. I explained how NAC systems are starting to integrate with other network security systems like IDS and DLP. This trend is really starting to accelerate now that IF-MAP has been released, providing a standard way for these integrations to happen.

One more note. The Bletchley Park folks are appealing for donations to help save their historic site, an important part of cryptography and information security. If you’d like to donate, visit their site at http://www.bletchleypark.org.uk or stop by and see the machines for yourself. If you can’t make it to England, go to the U.S. National Cryptologic Museum in Maryland. They have a similarly amazing collection of spy gear albeit in a less historic setting.

 

In Madrid for the ISSE 2008 conference, I found myself losing sleep over the state of our global economy. What a mess! With two free hours, I decided to visit the art museums. A quick cab ride brought me to the Reina Sofia Museum, which houses Guernica. No words or JPEG can do justice to Picasso’s masterpiece. Although the work was inspired by the brutality of war, to me today it spoke to the tragedy and beauty of life.

Our current financial crisis will bring years of pain on a small and large scale. We must do what we can to avoid such tragedies but they will inevitably happen. Still, a small flower grows at the center of the painting. New life and creativity will spring from this tragedy as it always does.

Please treat each other with kindness and patience for the next few months. Be an island of calm. Spread hope not fear. Nothing physical has changed in recent weeks, only a psychological change. Let’s keep it that way and support each other. We will come out of this crisis stronger and wiser than before.

The IETF’s NEA Working Group is (among other things) standardizing a set of “PA-TNC attributes” for use during NAC health checks. These standard attributes will  be implemented in many network endpoints (laptops, desktops, printers, etc.) so that a NAC server can query an endpoint and obtain information about its health in a standard way. The tricky part is deciding which attributes are important enough to be in the first standard and which attributes can be left to future standards or vendor extensions.

 

I bet you have some ideas on this topic. Review the current draft list of attributes (below) and post your comments. I’ll bring them back to the NEA WG. Thanks!

---

A standard set of components are defined and then a standard set of attributes that describe aspects of those components. This avoids the need to define separate attributes for “OS Version”, “AV Version”, etc. Of course, some devices won’t implement all these components and attributes. No Anti-Virus on my printer (yet!).

Components: Operating system, Anti-Virus, Anti-Spyware, Anti-Malware, Host Firewall, Host Intrusion Detection and/or Prevention System, Host VPN

Attributes: Product Information (vendor, name),  Numeric Version, String Version, Operational Status (operational?, problems detected?, last time run), Port Filter List (for Host Firewall), Installed Packages (name, version)