I've been promoted! Instead of just blogging about NAC here on my Got The NAC blog, I have been asked to join a team of Juniper bloggers on the new Networking Now blog .
The new blog will have a much wider scope than my Got The NAC blog. We'll cover anything in networking and security. I'm glad that we're breaking down these artificial walls. Forget the alphabet soup of IDS, NAC, DLP, etc. It's all about providing a secure, reliable IT infrastructure for our customers and businesses. The important issues go beyond any one technology.
Don't worry. I'm still technical and deeply involved in all the new technologies being developed at Juniper and around the industry. I'm just expanding my scope a little bit.
So please click over to the Networking Now blog and check out our new content over there. You can subscribe to just my posts but I hope that you'll enjoy posts from all the Juniper bloggers. Open your mind to some new perspectives. You'll be amazed at the insights the new perspectives bring.
Message Edited by SteveHanna on 02-02-2009 10:22 AM
If you're not growing, you're dying. Which one is it for you? In this video, I explain how Juniper is growing the next generation of engineering leaders. Tune in and get some ideas for your organization. Or comment and share your ideas and best practices.
Message Edited by SteveHanna on 11-18-2008 12:54 PM
Message Edited by SteveHanna on 11-18-2008 12:54 PM
Chris Hoff blogged yesterday
about using TCG's standard IF-MAP protocol to connect security
functions throughout the cloud. I couldn't agree more! That's exactly
what IF-MAP is for: helping security systems share the information they
have gathered. That's what I've been saying
all along. Chris' idea to extend it to include virtualized security
functions is a great one. I wonder if the virtualization folks are
Chris asks which vendors are supporting IF-MAP in their products. I have found that standards adoption follows the classic innovation adoption lifecycle.
Innovators are the vendors and customers that have the vision and
foresight to see where things must go. They are the first to create and
adopt new technology. For IF-MAP, that group includes the folks who
developed the IF-MAP spec and demonstrated implementations at Interop
Vegas in April: ArcSight, Aruba Networks, Infoblox, Juniper Networks,
Lumeta, and nSolutions. Next come Early Adopters, Early Majority, Late
Majority, and Laggards. It takes at least a year for
each stage: six months to turn prototypes into products and six months
for the next generation of adopters to catch on. That's the timescale
we've seen for the other TNC standards. So I expect to see Innovator
vendors shipping products that implement IF-MAP in the next few months
and Innovator customers deploying those products in the months after
that. Then will come Early Adopters and so on.
IF-MAP provides immediate benefits. False positives and false
negatives are greatly reduced since sensors are now identity-aware.
Fewer false positives and negatives reduces the cost and increases the
benefit of monitoring IDS and SEIM systems. Automated response is
another way to reduce costs. Reduced cost with stronger security will
definitely draw some attention in today's economic climate! I expect
that it will quickly pull this technology across the "chasm" from Early
Adopters to Early Majority, who are looking for successful ideas but
open to new things. However, we still have a few years before we get to
I have spoken about IF-MAP and coordinated security at several
conferences and I have seen tremendous interest among customers and
vendors. I'm not at liberty to give out names but some very large
vendors and customers are excited about IF-MAP. As soon as IF-MAP
products start shipping, I'll announce it on my blog and link to them.
As Alan Shimel points out on his blog,
the best way to increase the number of products that support IF-MAP is
for customers to demand and buy those products. Vendors who are
Innovators have the foresight and resources to lead the market. Early
Adopter vendors are eager to lead but need to see customer demand
before they can add features. Will you provide the customer demand
needed to pull the next group of vendors along the adoption curve? If
you're interested, start asking vendors about IF-MAP support and
examine the first generation of IF-MAP products when they ship.
Message Edited by SteveHanna on 11-21-2008 02:57 PM
Message Edited by SteveHanna on 11-21-2008 03:00 PM
Message Edited by SteveHanna on 11-21-2008 03:01 PM
Message Edited by SteveHanna on 11-21-2008 03:02 PM
returned from ISSE 2008 in Madrid, Spain. The conference highlighted some key
differences between U.S. and European information security. Tune into this
podcast and you'll get some food for thought: lessons that you may be able to
apply in your own work.
This week, I’m blogging from RSA Europe in London. The conference is dedicated to Alan Turing, the great British cryptographer and early computer scientist. The folks at Bletchley Park teamed with a local hobbyist to bring an Enigma machine and other cryptographic machines to the conference. I had a great time playing with the Enigma.
Attendance at the show was down a bit from last year, probably due
to the poor economy. Still, there was a good crowd for my talk on “NAC
2.0″ this morning. I explained how NAC systems are starting to
integrate with other network security systems like IDS and DLP. This
trend is really starting to accelerate now that IF-MAP has been released, providing a standard way for these integrations to happen.
One more note. The Bletchley Park folks are appealing for donations
to help save their historic site, an important part of cryptography and
information security. If you’d like to donate, visit their site at http://www.bletchleypark.org.uk or stop by and see the machines for yourself. If you can’t make it to England, go to the U.S. National Cryptologic Museum in Maryland. They have a similarly amazing collection of spy gear albeit in a less historic setting.
Message Edited by SteveHanna on 11-03-2008 08:47 PM
In Madrid for the ISSE 2008 conference, I found myself losing sleep over the state of our global economy. What a mess! With two free hours, I decided to visit the art museums. A quick cab ride brought me to the Reina Sofia Museum, which houses Guernica. No words or JPEG can do justice to Picasso’s masterpiece. Although the work was inspired by the brutality of war, to me today it spoke to the tragedy and beauty of life.
Our current financial crisis will bring years of pain on a small and large scale. We must do what we can to avoid such tragedies but they will inevitably happen. Still, a small flower grows at the center of the painting. New life and creativity will spring from this tragedy as it always does.
Please treat each other with kindness and patience for the next few months. Be an island of calm. Spread hope not fear. Nothing physical has changed in recent weeks, only a psychological change. Let’s keep it that way and support each other. We will come out of this crisis stronger and wiser than before.
The IETF’s NEA Working Group is (among other things) standardizing a set of “PA-TNC attributes” for use during NAC health checks. These standard attributes will be implemented in many network endpoints (laptops, desktops, printers, etc.) so that a NAC server can query an endpoint and obtain information about its health in a standard way. The tricky part is deciding which attributes are important enough to be in the first standard and which attributes can be left to future standards or vendor extensions.
I bet you have some ideas on this topic. Review the current draft list of attributes (below) and post your comments. I’ll bring them back to the NEA WG. Thanks!
A standard set of components are defined and then a standard set of attributes that describe aspects of those components. This avoids the need to define separate attributes for “OS Version”, “AV Version”, etc. Of course, some devices won’t implement all these components and attributes. No Anti-Virus on my printer (yet!).
Attributes: Product Information (vendor, name), Numeric Version, String Version, Operational Status (operational?, problems detected?, last time run), Port Filter List (for Host Firewall), Installed Packages (name, version)
Message Edited by SteveHanna on 10-03-2008 06:26 PM