May 13, 2008

IPS - is it soup yet? Mike Chapple says yes and no

Mike Chapple over at SearchSecurity has a good article up on whether IPS are mature enough for enterprises to deploy. Some may say that Mike has been asleep at the wheel, because certainly there have been plenty of IPS appliances sold over the last 3 to 4 years. Mike comes to the same conclusion I did almost 2 years ago in this article. Namely, that the selling and marketing of IPS has far outstripped the actual performance of these devices. As Chapple says, "While today's IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I'm not sure that the technology itself has matured; in fact, it hasn't really changed much at all."

Just as I said back then, people today are still using IPS as IDS. In spite of what Richard Stiennon said back in 2003, it is still the fact. Those that have ventured beyond pure IDS do so on a limited basis. Mike lays out three best practices that most who are successful with IPS adopt:

  1. Run the IPS in "monitor" mode until it's clear that the system is properly tuned. We have been recommending this with our Strata Guard IDS/IPS for years. In fact we have a tuning wizard which gives you a real leg up in getting started with your tuning. In essence, though, this means that you start off not blocking anything, and only after seeing what is really happening on your network do you selectively start enabling blocking of specific types of attacks. You don't just turn on every rule to block. This advice is similar to what our best practices in NAC recommend as well.
  2. Keep the number of "block" mode rules to a small, finely tuned set. Again, this is something that has been the reasonable route for a while now. Most IPS today runs in a hybrid IDS/IPS mode. Be selective in what you want to actually block versus what you just want to alert on and/or log. Too many rules set to block will lead to failure. Being smart about which rules are set, and grouping attacks so that they trigger a minimum number of rules, is key. I have seen rule sets where one kind of attack can trigger multiple signatures. This will fire more blocks than necessary and burden your system for no reason. Don't overlap your rule sets if you are using Snort!
  3. Consider using a fail-open device. In-line devices are a single point of failure. If your IPS does not offer some sort of bypass or other fail-open device, you are asking for trouble. Also, don't settle for the sales guy telling you the software or appliance is designed to fail open. In a power failure that isn't going to help. Make sure it is a self-powered bypass to be sure.
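As an added example (not code from Chapple's article or from StillSecure's products), here is a short Python audit of a Snort 2 rule file against the three practices above: it counts block-mode rules, finds signatures that overlap so one packet would fire several of them, and promotes chosen alert rules to drop one sid at a time. The rule set at the bottom is constructed for the example.

```python
"""Audit a Snort 2 rule file against the three practices above: how many rules
are in block mode, which rules overlap (one packet fires several signatures),
and selective promotion of alert rules to drop.  Sample rules are constructed."""
import re
from collections import Counter, defaultdict

BLOCK_ACTIONS = {"drop", "reject", "sdrop"}  # Snort inline actions that block

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: name, optional value (quoted values may contain ';'), then ';'
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(line):
    """Parse one rule line into a dict; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = HEADER_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    contents = []
    for name, value in OPTION_RE.findall(rule.pop("opts")):
        value = value.strip().strip('"')
        if name == "content":
            contents.append(value.lower())  # compare matches case-insensitively
        elif name in ("sid", "msg"):
            rule[name] = value
    rule["contents"] = tuple(sorted(contents))  # order of matches is irrelevant
    return rule

def parse_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]

def action_summary(rules):
    """Counter of actions, e.g. {'alert': 3, 'drop': 2}."""
    return Counter(r["action"] for r in rules)

def block_sids(rules):
    """Sids currently in block mode; practice 2 says keep this list small."""
    return sorted(r.get("sid", "?") for r in rules if r["action"] in BLOCK_ACTIONS)

def find_overlaps(rules):
    """Groups of sids with identical header and content matches: any packet
    matching one fires all of them, burning blocks and CPU for nothing."""
    groups = defaultdict(list)
    for r in rules:
        key = (r["proto"], r["src"], r["sport"], r["dir"], r["dst"], r["dport"],
               r["contents"])
        groups[key].append(r.get("sid", "?"))
    return sorted(sids for sids in groups.values() if len(sids) > 1)

def set_action(text, sids, action="drop"):
    """Rewrite only the rules with the given sids to `action`; everything else
    stays in alert (monitor) mode, which is how blocking is enabled selectively."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and rule.get("sid") in sids:
            _, rest = line.strip().split(None, 1)
            line = f"{action} {rest}"
        out.append(line)
    return "\n".join(out)

def audit(text, max_block=10):
    """Summary report; too_many_blocks flags a block list larger than max_block."""
    rules = parse_rules(text)
    blocks = block_sids(rules)
    return {"actions": dict(action_summary(rules)), "block_sids": blocks,
            "too_many_blocks": len(blocks) > max_block,
            "overlaps": find_overlaps(rules)}

# Constructed sample rules (sids in the local 1000000+ range, not real signatures)
SAMPLE_RULES = """\
# two alert rules that match exactly the same traffic
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB constructed probe A"; flow:to_server,established; content:"/cgi-bin/test"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB constructed probe A dup"; flow:to_server,established; content:"/cgi-bin/test"; sid:1000002; rev:1;)
# two block rules with the same content matches in a different order
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB constructed exploit B"; content:"|ff|SMB"; content:"constructed"; sid:1000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB constructed exploit B variant"; content:"constructed"; content:"|FF|SMB"; sid:1000004; rev:1;)
# a monitor-only rule with no content match
alert udp any any -> $HOME_NET 53 (msg:"DNS constructed oversize query"; dsize:>512; sid:1000005; rev:1;)
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, max_block=1))  # 2 block rules, 2 overlap groups
    print(block_sids(parse_rules(set_action(SAMPLE_RULES, {"1000005"}))))
```

Point `audit()` at your own rules file to see how many signatures are already in drop mode before you turn on any more.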

All in all it was a good validation for me to read this article. I think IPS is at a critical mass of adoption today; I just don't think it has reached a critical mass of utilization yet. But progress is being made.

May 12, 2008

The hackers that couldn't code straight

Had to laugh reading this story about the three men charged with hacking and installing a packet sniffer at several Dave & Buster's restaurants across the US. The scam did result in hundreds of thousands of dollars of fraudulent bank card charges. However, the packet sniffer software was so buggy that when it was first installed at the first Dave & Buster's, it did not even work and captured no credit card data. The next version of the program worked a little better, but it seems the criminals had to continually go back to the restaurants and restart the program when it hung up!

I don't know what is more disgusting.  The lack of quality of the sniffer program or the apparent lack of any security at all by the folks running the restaurants.  In any event I see a bright future for the outsourcing of hacking programs to people who can do a better job than this Apple Dumpling Gang.

HP buying EDS- Offensive to IBM or defensive to Indian firms?

Saw the big news today about HP maybe buying EDS in a deal rumored to be in the 12 to 13 billion dollar range. That is a fat 35%+ premium over what it was trading at before rumors of the deal were announced. Most of the commentary I have seen positions this deal as HP making a move to better compete with IBM. While I agree that is certainly an angle to this deal, I think another important angle is keeping HP ahead of the pack of large Indian services firms that have been expanding world-wide over the last few years. In the global marketplace for IT services and consulting, HP and IBM may be the American-based entries in a world-wide competition with Infosys, Tata, and other firms from India, China and the rest of the world. For this reason I think it is a good move by HP to shore up a solid second place behind IBM.

I should mention that at StillSecure we partner with both companies and I have had a chance to work with both of them. EDS is certainly not the powerhouse it was 10 years ago, let alone in the Ross Perot/GM heyday. Like any company that size, it is hard to make rapid change with the amount of inertia built into the system. However, they have been in turnaround mode for several years and perhaps HP can make this buy with EDS on the way up. One thing for sure is Mark Hurd, HP's CEO, is remaking this company in his own wishes if not image. So far everything he has touched there has turned out well, so let's see what he can do with EDS's 2.8% average year to year growth. He will have to do better for this deal to be considered a success.

May 11, 2008

It's Mother's Day, be thankful you have a mom to call - so do it.

Mother's Day is always a tough one for me. My mom passed away 25 years ago and though time has passed to cover up a never healed wound, every Mother's Day the scab is torn off a bit and the regret and pain ooze through. Having our kids celebrate Mother's Day with my wife has made it better, but nothing takes the place of your own Mom. Fred Wilson reminded me of that today with this post about a Tom Friedman piece in the NY Times today.

Tom just lost his mom last year after a long bout with dementia, it seems. She was 89. Tom reflects on her remarkable life and how she influenced him to be what he is. Can any of us say any differently? Weren't all of our Moms special to each of us? Isn't so much of the people we are today directly related to that woman who raised and nourished us? Of course. So on this day honoring Mothers everywhere, if you are lucky enough to have your Mom available to thank, do so and don't miss the chance, because you never know when you might not be able to.

Happy Mother's Day Bonnie and to all of you mothers everywhere!

May 10, 2008

Swingtown - This ain't your mother's CBS

I was reading a review in the NY Times today about a new summertime show coming to CBS. It is called Swingtown and I was originally attracted to it because it is a look back at the mid-'70s. That was the age of my adolescence, so it naturally attracted me. Well, this show is about the mid-'70s OK, but the wilder side. It is set in a suburb of Chicago and is about wife swapping, partying and other hedonistic activity that is supposed to sum up the era. And on CBS yet! That's right, the folks who give us 60 Minutes, Murder She Wrote and Touched by an Angel now bring us the swingers of the '70s.

I grew up in a suburb in the '70s and while I do remember our parents hanging out drinking Harvey Wallbangers and some of them getting divorced, I don't think they were the type to pass around Quaaludes and engage in orgies, like depicted in this show. But hey, maybe I am just naive. This certainly sounds more like an HBO series to me, but I have to admit I will watch and see what it is about. Just the '70s clothes and hairstyles should be entertaining for me. I am YouTubing the official trailer:

If you like this trailer, here is a link to a longer video showing more highlights. Let me warn you that this one is a bit racy!

May 09, 2008

Render unto Caesar the things which are Caesar's ...

. . . and unto security vendors the things that deal with security. So it seems to be what Citrix CTO Simon Crosby is saying in this audio interview on SearchSecurity with Rob Westervelt. I was all set to write an article on the operationalization of security and all when I noticed that virtuoso of virtual security, Hoff, beat me to the punch with his call of BS on Simon.

Hoff is right on. We can't afford the same old, same old of letting the OS or network vendor, or in this case the virtual machine vendor, build the product and have a separate security industry bolted on to clean up the mess. People want secure virtualization; they don't want to think about what they have to buy and install to make their virtual machines secure, they want security designed in from the beginning. I am surprised that Simon Crosby would even suggest this; it is frankly so 2001. Let's hope someone over at Citrix takes a cue from the VMsafe program and does a little more thinking about security beforehand. We can't afford any other option.

May 08, 2008

It's about the kids, stupid

Matt Asay has a blog up on "OLPC's capitulation to Windows...". In it Matt waxes poetic about what a mistake Nicholas Negroponte is making by embracing Windows for the OLPC laptop project. Matt points to Groklaw, Richard Stallman and the rest of the Redmond revolutionaries who want to see Negroponte tarred and feathered and question his vision. Hey, let's face it, the "m" word is toxic to that crowd. But I really think Matt is just plain twisted about this and about what OLPC is really about. Here is what Matt has to say, "OLPC is rather about liberating developing nations from their vassal status that continually keeps them at the mercy of the pricing and licensing of Microsoft and other proprietary vendors." No Matt, that is not what OLPC is all about and that is what the problem is! OLPC is about getting a laptop in the hands of every kid in the world. It is about giving these kids a chance to learn and grow up to compete in the global economy with the same tools that kids in this country have. It has nothing to do with your views of Microsoft being a 21st century imperialistic empire.

Matt, both of my boys have OLPC laptops; I know what it is like using them. The Sugar interface is tough. As Negroponte says, it is an amorphous blob. The command line structure of the laptop made it hard for me to retrieve and install files. File names are truncated and kept in non-standard directories. When kids are learning Windows in school, this is difficult for them. The laptops are a tool for them to learn; it shouldn't be about learning the tool. It needs to be more mainstream for kids to be able to leverage it across the world. It needs to be more standards based. I don't care if it is open source standards or closed source standards, but it has to be better. Windows will give it that.

But ultimately, Matt, I feel that the OLPC project was hijacked by the open source movement as a "Trojan horse" to overthrow Windows. If that was your intention, great. Me, I was a lot more humble and noble in what I thought it was. I thought it was about getting a computer in the kids' hands and having them learn and contribute.

Vendors aren't changing focus, you were just blissfully unaware

My friend Michael Farnum, besides being a comic book nerd, blogs over at ComputerWorld. Michael writes today about his opinion that vendors have changed focus from concentrating on the tech geeks to focusing on the business decision maker. Michael's proof is rather subjective, but revolves around the fact that when he was a geek not in management, vendors used to wine and dine him to influence him to support their technology and tell his boss to buy their products. As he moved up to become a geek in management, he noticed the vendors shifting focus away from the technical stakeholder to the business stakeholder. Michael has a theory on some of the reasons for this shift of focus: the dotcom bubble, the evolution of IT, people making decisions on sound business principles, not on what technology is cool.

Michael, I say rubbish! I think that sales techniques haven't really changed that much from the '90s. Good selling always involved courting the three stakeholders - technical, business and financial. It is just that as a green (meaning new, not environmentally friendly) geek, you were not even aware that the vendors courting you were also reaching out to your management team and the business and economic stakeholder. You were blissfully unaware that the vendors you were dealing with had a full court press going on. Instead you went to a nice dinner, a ball game and got some t-shirts and other swag and thought you were making it happen for them. In the meantime your boss was getting tickets to the game too (I bet even better tickets) and nicer swag than you were! As you started to move up the chain, you just assumed that everyone must be moving up with you. That Ptolemaic or geocentric model of the sales process, with you at the center, is just your view from the inside, but sales people have been multi-threading into accounts for a long time.

Yes, during the dotcom era and even before that, sales teams used to spend a lot more on wining and dining. I still remember fondly the EMC sales teams of the mid to late '90s partying with their customers like it was 1999 (it was 1999). I was on the receiving end of many of those great dinners and other perks. With new economic times, it became less fashionable to lavish money in trying to buy business. But that more economically austere model did fundamentally shift the focus in sales from the technical to the business stakeholder.

Some companies, like Symantec for instance, have always concentrated on the business stakeholder more than the technical stakeholder. But Michael, in sales there is little new under the sun. Just because you have begun to become aware of it, don't assume it has not always been so.

May 07, 2008

The Oracle speaks

No, not Larry Ellison. StillSecure's oracle of NAC, Dave Greenstein, Chief Security Architect at StillSecure. I write and speak a lot about NAC, but Dave actually lives NAC. He led our development team that developed Safe Access. Now he is way out in front researching and designing the next generations of Safe Access and our other products. Dave doesn't comment on my posts a lot. I am always bugging him to start his own blog. The best I get is occasionally he will write an article or white paper. So when he commented on Joel Snyder's article on NAC and my comments, I figured it would make sense to give it some main column play. Here is what Dave had to say:

In order to use NAP you only need Server 2008 for the NPS... Your domain and AD can still be 2003, so I think adoption of NAP will be faster for that reason. Also, XP SP3, which has NAP capabilities, adoption should be pretty fast compared to Vista.

On ACLs, I agree with Joel that ACLs are a great way to do things... But not with routers and DHCP enforcement. If you have HP switches or Extreme Switches then you can do dynamic ACLs per port. Similar to how you assign a VLAN via RADIUS attributes, you can assign ACLs for that port in addition to assigning a VLAN. This is great if you have the right switches. It helps protect the other endpoints within a quarantine VLAN and adds an extra layer of security. Cisco switches do not have this capability unless you’re running Cisco NAC and a Cisco ACS server (ugh). So, buy HP and Extreme switches!

What's more likely to slow NAP adoption down is its total lack of endpoint administration... How do you keep track of what endpoints have which problems? How do you get an endpoint on the network in an emergency even if it has an issue? How do you update the SHAs on your thousands of endpoints? There are a whole host of issues not solved by NAP that make it unusable. That's where products like StillSecure Safe Access come in.

 

BTW, if you think Dave makes some sense here and would like to hear more from him, let me know and I will coax him into writing some more! I should also add that I twisted his arm to give Safe Access a plug at the end there. Thanks Dave!

ebizQ with Mike Rothman

ebizQ published a podcast that Mike Rothman invited me on dealing with vendor consolidation and "big is the new small". It is always fun talking with Mike and we had a good time. I like that they also transcribed the podcast if you just want to read it. You can get it here.

Joel Snyder's lengthy interview on NAC

The Network World guys have a lengthy transcript of a webinar with Joel Snyder of Opus One and Interop Labs talking about his experience with NAC. Joel says that Microsoft is leading the charge in bringing NAC to market. Not that NAP is the be-all and end-all of NAC, but it is serving as a foundation that other NAC vendors can then build upon. Joel also talks about his view that he likes to work with ACLs versus VLANs.

There is a ton of good stuff there, but I disagree with Joel on two things. I think NAP will lead to rapid and broad NAP adoption. But right now Joel suffers from lab-a-titis. Yes, NAP is great in the lab, but who has Vista and Server 2008 in the real world up and running? Until we see wider adoption of these platforms, NAP will not reach the masses. Also, I think dealing with ACLs is a bigger pain than VLANs. This is based on hundreds of engagements by StillSecure engineers in setting up NAC environments. But as I said, if you are interested in NAC have a read, there is lots of good stuff there.

May 06, 2008

That didn't take long

Over the weekend I wrote an article about what a Yahoo shareholder would do with a copy of Steve Ballmer's letter to Jerry Yang. Well, it didn't take very long for a class action lawsuit to be filed, led by two pension funds. Attorneys for the pension funds said, "The actions taken by Yahoo's CEO this past weekend confirm that the company's board of directors pursued all manner of value-destructive third-party deals to fight off Microsoft's bid". The attorneys further claim that Yang never negotiated with Microsoft in good faith.

Not everyone thinks this way about the deal though. Steven Vaughan-Nichols over at ComputerWorld thinks that business textbooks in 2025 will show that Microsoft's slow collapse was accelerated by Steve Ballmer blowing the Yahoo deal. I think he is wrong. I think business classes will look at Yang's failure to lock this deal up for such a premium over current price as not only a blunder but a classic case of letting one's pride and ego get in the way of what is best for the shareholders. I think in addition to the lawsuits, look for Wall Street to now start punishing the stock as well. I stick with my prediction: Yahoo has nowhere to go but down. They will wind up getting acquired for significantly less within 24 to 36 months.

What's with all of the new ads? Forbes Business and Finance Blog Network

For those who read my blog via feed reader and not on the web site itself, you may not have noticed the new ads and member badge from the Forbes Business and Finance Blog Network. I received an invitation to join an elite list of 400 blogs handpicked by Forbes. They will syndicate content and sell advertising for the site. There are some other cool benefits that go along with the membership. I was very proud to be selected for this, but frankly was worried about too many ads. If you get a chance, check out the site and have a look. I know it means I am going commercial, but am hoping it will lead to a broader audience.

May 05, 2008

Frost and Sullivan agrees that NAC has begun the climb to enlightenment

Frost & Sullivan is the latest analyst firm to note that NAC is coming on through to the other side. They say, "As common misperceptions are dispelled and NAC gains acceptance as a key part of network security, these technologies become the center of a highly competitive and lucrative market ...". They have released a new report, according to this article in Trading Markets. The report further states, "NAC has made its mark in the market to such an extent that more participants have entered the NAC space. In the near future, this growth phase of the market will get a strong boost from the entry of major participants." The report goes on to say, "NAC has proved its worth as an enterprise security product that can effectively enforce security policies. Now that many third-party product evaluations and customer reviews are available, customers can make well-informed decisions and purchase a superior NAC product. This also expects to help drive the market."

OK, enough quotes from the article. My point is that despite the ramblings of the naysayers like my friend Stiennon, there is a gathering storm of evidence and commentary showing NAC is real, it works and it is valuable.

May 04, 2008

Why even having health insurance is not enough anymore

Forgive me for going totally off topic (hey, it's my blog, I write what I want) but it is Sunday and not much news on security. I wanted to write about an article I saw in the NY Times today called "Even the Insured Feel the Strain of Health Costs". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care. Rising premiums, covering fewer procedures and less care, and charging more for prescriptions and medical care combine to put the bite on everyone. From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:

1. My wife had minor surgery in September. It was ambulatory surgery where she went in the morning and went home that afternoon/evening. Even though we have full PPO coverage and it was participating doctors, hospital, etc., my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k! When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could. I then had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.

2. Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation. We pay a good chunk of our employees' insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger. Plus the insurance company covers less and less. This squeeze is frankly baffling. How can you pay more and get less?

3. I had a dental implant a few months back. Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this, the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it. My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area. So I had to pay an extra $600 out of pocket and of course my out-of-network deductible was $750, so I ate it again.

4. The orthodontist. This one is perhaps the worst of all and really gets my goat. My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practice in orthodontics is to put braces on now in a phase 1 and then, if necessary, put other braces on later when more of his adult teeth come in. Putting braces on now would lessen the severity of what he would need later. OK, great, let's do it, right? Wrong! Our insurance covers a one time payment of $1200. The dentist said if we use it now, the cost for phase 1 would be $3600. That leaves a balance of $2400 that I have to pay. However, if I do it without insurance he would charge me $2400 and then I could use the $1200 towards the phase 2 braces my son may need, which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket, or with no insurance $2400 out of pocket. What is wrong with that picture? Whether I have insurance or not, it still costs me $2400! This is fundamentally what is wrong with our health care system. The dentist is willing to accept $2400. He should take the $1200 from my insurance and I should pay him another $1200. Anything else is ludicrous and in my mind borders on criminal insurance fraud.

We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plans is the answer either. Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what they do and what it is worth, not how to maximize what the insurance company pays, and most of all we need to make sure that people can afford and receive decent health care!

BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a great blog on it.

What would you do with Ballmer's letter if you were a Yahoo shareholder?

As you probably know, Microsoft has officially withdrawn their offer for Yahoo. I had a look at the letter Steve Ballmer sent to Jerry Yang officially withdrawing the offer and offering his reasons why. Must say that it is rare that a document like this is made public. I must also say that if I were a Yahoo shareholder, it would be a key piece of evidence when I sued Jerry Yang and the rest of the Yahoo board and management for not accepting Microsoft's generous offer.

What I found particularly disturbing (as did Ballmer and Microsoft evidently) was Yahoo's threat to basically outsource their search advertising to Google if Microsoft pursued a proxy-fight takeover. Talk about cutting off your nose to spite your face! That would be suicidal for Yahoo, but it just goes to show you that Yang and gang had a no-Microsoft-at-any-cost strategy.

With the passage of time I think this will be looked on as a terrible mistake by Yahoo, and at some point in the next 24 to 36 months they are going to be acquired for a lot less money. They cannot compete with Google alone, they have not executed well for years, and this will force Microsoft to do something else to become more competitive in search.

May 03, 2008

Iron Man was just not very magnetic to me

Took the kids to see Iron Man tonight with our cousins Jeri and Danny. I generally like Robert Downey Jr. and he acted very hard in this movie. However, I just didn't get the story. I remember watching Iron Man cartoons when I was little and reading the comic books; there was some special thing about Iron Man's blood, the way I remember it, that gave him super hero powers.

In the movie incarnation, Tony Stark is the son of a weapons designer and a brilliant weapons designer himself. However, he has some serious character flaws. He is kidnapped by some sort of mid-eastern terrorists and takes some shrapnel in his chest. A doctor attaches an electromagnet to a car battery on his chest to keep the shrapnel from going into his heart. Downey then designs some sort of mini-power source to power the electromagnet. He uses the power source to power a metal suit he builds (long story) and escapes from the terrorists. From there the movie is fairly predictable and frankly, in my opinion, not very good. I didn't understand how he got the superpower; it was just a powered suit and how it worked was pretty silly.

The ultimate thumbs up or down for me was that both of my sons fell asleep in the movie theater.  The good news is that this is the start of the summer movie season. I am really looking forward to Indiana Jones and the kids want to see Speed Racer!

May 02, 2008

Stiennon says NAC is dead - I must be in heaven!

That gadfly of the security world, Richard Stiennon, says NAC is dead. In fact he says NAC actually never was and never will be. Of course, this is the same Richard Stiennon who said IDS was dead so many years ago. If NAC is only half as alive as IDS has been, I would be very happy. Why do I call Richard a gadfly? Because Richard's MO is trying to find what the next hot thing is and to jump on it; then another hot thing comes by, he runs to that, and so on and so on. He thought anti-spyware was big and joined Webroot; after a relatively short time there he left. He then took a whirl at his own analyst firm, when a few others were forging a new breed of analyst firm, and after a short time doing that moved on again. He then was CMO at Fortinet and again after a short time left there too. Now he is the CEO of an MSSP (hey, I hear SaaS is the next big thing); how long this will keep his attention or the powers that be keep him on is anybody's guess. But if past track record is any indication, Richard will hop on the next big thing sometime next year. I mention this because fundamentally I think Richard's attention span or maturation horizon is why he does not see that NAC is marching on.

As you can probably guess I strongly disagree with Richard's opinion on this one. However, to understand why, some clarification is necessary:

1. Richard is mixing metaphors with Network Admission Control and Network Access Control. Both are NAC. Admission control was coined by Cisco, access control was first used by Gartner I believe. Richard seems to indicate that admission control is bad, access control or at least some definitions of it are OK. More importantly, Richard uses admission control as a code word for pre-connect health checks, access control for identity based and post-connect control. I think both are very important and as I have said many times a good NAC solution needs all of these.

2. NAC vendors being depressed, etc. Yes Richard, some NAC vendors not making it are depressed and having layoffs and hard times. That is the way of capitalism and competitive markets, I am afraid. There are winners and losers. I would bet that even in the $500 million/year UTM market that you spent a whole year in, there are some vendors who are just not making it and would be classified as depressed.

3. Gartner says several NAC vendors are getting traction. They recently released a MarketScope on NAC and sorry Richard, but StillSecure is one of the few out of 17 vendors which was given a positive rating, the highest rating Gartner gave. BTW Richard, in that same MarketScope your "buddies at Gartner" estimated the NAC market at $225m for 2007 and expect 100 percent growth in 2008. In case your calculator is not handy Richard, that should put NAC around the $450m mark in 2008. Not that different than the number for the UTM space that you use in your article. Hopefully that will allow you to put your "magnifying spectacles" away, unless there is something else that you would want to make look bigger than it is.

4. NAC being created by Cisco in 2003 to solve the worm problem. Richard, perhaps that is why Cisco did NAC. BTW, they announced in like November or December 2003. We released Safe Access in April 2004. It was under development for at least 12 months before that. We did not call it NAC of course; our working title was endpoint policy compliance. Richard, today Safe Access solves that same problem, endpoint policy compliance. We have not deviated from our original plans around this from day one. It is purpose built to solve a problem that customer after customer told us they wanted a solution to. Maybe that is why we have had success with the product.

We did not jump on the latest, hottest thing bandwagon. In fact, I have found that companies and people who jump on the latest big thing inevitably fail. You cannot time the stock market or the technology market. The NAC market is a perfect example of this. Companies who have taken products that were not successful in another incarnation and morphed them into a NAC product are the companies that are failing. Maybe I am more of an EF Hutton type than you are, Richard, but I believe in building a company the old fashioned way. Find a problem that customers are willing to pay for a solution to. Then build that solution, bring it to market and work hard making it the best it can be. If you did your research right and you built the right product, the market will come to you. It may take longer than you think, but if you keep at it, cream always rises to the top and quality always wins. You cannot win running to the next big thing; see what you start through to the finish. Richard, if you want to consider that some free advice, take it!

5. NAC is only for the .edu market. Again, Richard, take some time to dig in here. Yes, the edu market is a big adopter of NAC. But let me give you some other examples. Any network that will have a large number of unmanaged visitors or guests is going to be fertile ground for NAC. That includes the government sector, where many users are contractors or visitors. I know you have much disdain for the federal government's IT security practices, Richard, but if you spend a little time (there is that phrase again) digging into what they are doing, you will see that NAC does indeed solve a real security problem for them, and that is why we have had a great deal of success in the government vertical.

Richard, no one ever claimed that NAC is a reason to avoid other security tools. Just the opposite: NAC should work with and leverage your existing network infrastructure and security technologies.

6. NAC does not tie you down to one vendor's ecosystem if you don't want it to. The TCG/NAP interoperability work and now the new IETF standards are bringing one standard to NAC. It does not tie you down, but frankly, in case you haven't noticed with all of the moving around, Microsoft already has you pretty tied to one vendor's ecosystem and Cisco has you pretty tied to another. Don't be so naive, Richard.

BTW, I notice you like what ConSentry and Nevis do without quarantine. While neither of those companies is apparently setting the world on fire as secure switches, you should check out our white paper on a phased approach to NAC that talks about NAC being more than quarantine. You can get it here.

Author's note: BTW, Richard, while I am chief blogger here at StillSecure, my official title is chief strategy officer and I have been working here for about 7 years now.

Is NAC clawing its way up the "slope of enlightenment"?

It's no secret that over the past year it has been quite fashionable to bash NAC. It has not lived up to the hype. It is not the promised silver bullet. Some companies in the market went belly up. Yes, yes and true. But as I have said all along, I think this was just the natural evolution of a technology as it matures. There was no way it could live up to the over-hype that it was saddled with. Those who spoke about it realistically always said it was not the next "great white hope" of security, just another arrow in the quiver. However, the reason that people got excited about NAC was that, at a rather simple level, it was very easy to describe the problem it was trying to solve. As it turns out, solving that simple problem takes a rather complex solution, no matter how you slice it.

In the end, though, what we have seen in the NAC market is a textbook hype cycle. The technology triggers for NAC were previously unseen numbers of guests having legitimate reasons to access the network; the spread of malware not by downloading via the Internet but by introduction via devices logging on; and the need, for compliance or otherwise, to enforce access policies with network technologies that make it happen. With Cisco announcing their Network Admission Control program in December 2003 and Microsoft announcing NAP the following summer (interesting that it would be years before either one was actually available), NAC buzz went through a big bang expansion to the very height of inflated expectations. What goes up must come down, and NAC certainly has been dragged into the trough of disillusionment. However, the inherent appeal of the problems it can solve continues to drive customers and interest. Now we are seeing real signs of NAC emerging onto the slope of enlightenment on the way to the plateau of productivity.

What has got me so optimistic? It is a variety of things. Let me list them:

1. Network Computing's 3rd annual NAC survey, which, while it shows demand for NAC is down from past years, shows it is still substantial and appears to be deeper if not as wide. It also has several other metrics that show people are being more realistic about what they want to accomplish with NAC and have more confidence that it will work.

2. Forrester's new report, which shows that customers think NAC is mature enough to be ready for wider-scale deployments. Remember, this is the same Forrester that said last year that NAC as we know it would fail. Has NAC changed so much in a year, or has Forrester?

3. That Ebenezer Scrooge of NAC, Mike Rothman, actually admits that maybe we are seeing some progress with less inflated expectations for NAC. What could be next, the NAC Grinch, Richard Stiennon, admitting it might be OK as well? Here is my prediction: when Rich's new MSSP can make money offering a managed NAC service, Richard will jump on the NAC bandwagon with bells on.

4. My own observations at Interop, RSA, SANS and other events, where I spoke to real live potential customers. I have personally seen a marked upturn in the number of real NAC projects coming into both our partners' and our own sales pipelines. I assume that other NAC products are seeing the same pick-up.

All of this is very gratifying to see after the bashing NAC has taken. Now it is onwards and upwards to the plateau of productivity. See you there!

May 01, 2008

Is Interop about interoperability anymore?

Here in Atlanta waiting for the red-eye connection home to Florida, and wanted to quickly jot down some reflections on Interop. The show seems to have settled in nicely at the Mandalay Bay venue. It seems the right size and not too crowded. In fact, Vegas itself was not very crowded this year. I guess the economy is hurting the town. It used to be said that Vegas was recession proof: the worse the economy got, the more people gambled. But with so much of Vegas not being about gambling, I guess the economy has a big effect. Anyway, back to Interop.

At one time this show was called Networld+Interop. The Interop portion was very much about how different networking technologies interoperated with each other and how you could use products from disparate vendors to run and manage your network. The labs and NOC at Interop were full of engineers from different companies getting their products working together. I don't think that is what the show is about anymore. It is all about network infrastructure, for sure, but the vendors care less about how their products work together and more about why you want to buy them. Even the NAC vendors don't seem to be as focused on it anymore. Yes, Joel Snyder and his Interop Labs NAC team do a nice job of showing how the frameworks work well, but frankly that is a small percentage of the NAC vendors: Juniper and Microsoft, Microsoft and Cisco, and then a bunch of other vendors who try to show how their equipment can fit into the NAC equation. Some, like the switch vendors, are integral to the process; some, like ArcSight, who are trying to move beyond SIM and think SSH'ing into switches is a scalable way to perform NAC enforcement, really don't fit. Most of the other NAC vendors frankly don't even give much lip service to interoperability. The same is true for many of the networking vendors as well. What is the shiny new box from Foundry or HP ProCurve? Who has a bigger booth, whose booth is smaller than last year? How many people has this company laid off and how much runway do they have left? Who is giving away the best stuff and where is the cool party to go to tonight? These are the questions of the show. BTW, the Network World folks threw a great party at the Ghost Bar at the Palms Hotel. Anyway, Interop has become a great show, but I seriously question how much of it is about interoperability anymore. There is nothing the matter with it not being so interoperability focused, by the way; I think it is just the evolution of this show taking on a life of its own.
Now if it were just not so close in time to RSA.

One thing about this show versus RSA is that a lot of the attendees are buyers: end users who come looking for solutions. They have projects and budgets and want to find the best solutions for their needs. This is in contrast to the adult trick-or-treaters and business development meetings that have become standard at many other shows. We saw a marked increase in people with NAC projects stopping by the booth this year, which is encouraging to say the least.

Anyway, I have had my fill of Vegas, at least until Black Hat this summer. It will be interesting to see if the casinos are more crowded then.

What hardware will the "God Box" run on?

The folks over at Cisco Subnet (not sure if this is still my friend Brad Reese writing over there) had an interesting blog post yesterday about an announcement we made here at Interop. We announced that we will throw our support behind Cisco's AXP, the blade extension that turns a Cisco ISR into a Linux app server. You may remember that I blogged on this earlier, here and here, in relation to an article by Don Marti on LinuxWorld. Well, this announcement, as the Cisco Subnet article points out, puts our money where our mouth is on this one.

As the Cisco Subnet article also points out, I think the real question is not whether we in IT are going to run more apps on our router boxes, but whether these "God boxes" will be expensive, proprietary black boxes like Cisco routers or low-cost, standards-based, off-the-shelf hardware. With this announcement we are covering all of our bases and saying: you pick the platform of your choice, we will support it. That is the StillSecure way.

April 30, 2008

It's a trade show in Vegas, you know the booth babes are out

I know it is Vegas, but overall the booth babes were not out in force at Interop. The biggest offender was Blue Cat Networks, who once again had a frat boy setup with girls dressed in very skimpy skirts and leggings inviting giddy geeks in to play some virtual golf. Of course this follows past years where Blue Cat had girls dressed in skin-tight jumpsuits putting you in flight simulators. Of course the girls scanned your information while they strapped you in. This sort of exploitative behavior from Blue Cat has become expected. I don't know, if I were a woman, whether I would want to work at that company. For the most part, the booth babes are employed by companies looking to put fannies in seats at presentations. These women are usually good looking but not dressed too crazy, and try to get you to sit down, listen to a presentation and maybe win a prize. I don't have a problem with this, depending on how they are dressed.

In the you-never-know category, though, is my experience with this potential booth babe from D-Link. A quick look at the picture to the right would indicate, yes, a booth babe for sure. However, I had a chance to speak with this young lady and was surprised to find out that she was an expert on 802.1X. She knew all of the RADIUS attributes supported by every single Cisco switch. She also was able to set up the DHCP server on the D-Link routers and, to top it off, explained to me exactly how D-Link was using the data stored in a MAP server to provide greater security utilizing the new TCG IF-MAP standard. Of course you believe all this, right, and know she was not just a booth babe? What do you think?

Is IF-MAP the spark that will ignite the TCG/TNC and the security industry?

The big news at Interop yesterday was the new IF-MAP specification and standard announced by the Trusted Computing Group's TNC work group. Some may call it TCG NAC 2.0, but it actually goes way beyond just NAC. IF-MAP is a method that allows disparate security technologies to talk to each other and leverage the information gathered from multiple sources to make better and more secure decisions about network devices, users and traffic. It has huge implications not only for NAC, but for IDS/IPS, vulnerability management, SIMs, etc. It also represents a real opportunity for the TCG/TNC to move out from the shadow of NAP and really become a dominant standard for the network and security industry to rally around.

The idea behind IF-MAP is that data is stored in a central container called a MAP, or metadata access point. This data can be called upon or supplemented with more data from a wide variety of sources. Clients can publish, search or subscribe to the data. The format is XML. The diagram shows a sample multi-vendor configuration, but the combinations are endless. To get a better flavor for what you can do, you can click here to see a PDF presentation by the TCG on IF-MAP.

I had a chance to speak about IF-MAP with Steve Hanna and Mike Fratto. If it does indeed become widely adopted, this can have a profound impact on our industry. Also, Steve and the TNC are very much looking to diversify and distribute the administration of the MAP among many vendors so that it does not become a single-vendor-steered standard. I applaud Steve and the rest of the group for working so hard on MAP. I challenge the rest of the industry to take a look at it and work towards adopting it. It truly can be a win for all security vendors, but most of all a win for security administrators, who would finally be able to use best-of-breed products from different vendors and have them talk to and work with each other.
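To make the publish/search/subscribe model concrete, here is a small in-memory model of a MAP, written as an added example for this post; it is not TCG/TNC code and not any vendor's product. The real IF-MAP protocol is SOAP/XML over HTTPS with a defined schema; this model keeps only the data model (typed identifiers, links between them, metadata on identifiers and links) and the three operations the post names. The identifier kinds and metadata names (identity, mac-address, ip-address, authenticated-as, ip-mac, event) are loosely modelled on the public specification's vocabulary, and the switch/NAC/IDS scenario in `demo()` is constructed for the example. The point a practitioner should take away is the last step: an IDS that knows nothing about the NAC server publishes an event against an IP address, and the NAC server, subscribed to the user's subgraph, sees it on its next poll and changes its enforcement decision.

```python
"""Toy metadata access point (MAP) with publish, search and subscribe.

Added example; not TCG/TNC code. Wire format (SOAP/XML, HTTPS, sessions)
is omitted; only the identifier/link/metadata graph and the three operations
are modelled.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Identifier:
    """A typed identifier, e.g. Identifier("ip-address", "10.0.0.5")."""
    kind: str
    value: str


class MAPServer:
    """In-memory MAP: metadata hangs off identifiers or off links between them."""

    def __init__(self):
        self.node_meta = defaultdict(list)   # Identifier -> [metadata dict]
        self.link_meta = defaultdict(list)   # frozenset{a, b} -> [metadata dict]
        self.subscriptions = {}              # name -> (start Identifier, max_depth)
        self.pending = defaultdict(list)     # name -> [search results not yet polled]

    def publish(self, publisher, metadata, ident, other=None):
        """Attach metadata to one identifier, or to the link ident<->other."""
        record = dict(metadata, publisher=publisher)
        if other is None:
            self.node_meta[ident].append(record)
        else:
            if ident == other:
                raise ValueError("a link joins two distinct identifiers")
            self.link_meta[frozenset((ident, other))].append(record)
        # Any subscription whose subgraph contains a touched identifier
        # gets a fresh search result queued for its next poll.
        touched = {ident} if other is None else {ident, other}
        for name, (start, depth) in self.subscriptions.items():
            result = self.search(start, depth)
            if touched & set(result["identifiers"]):
                self.pending[name].append(result)

    def search(self, start, max_depth):
        """Breadth-first walk over links from start, at most max_depth hops."""
        seen = {start: 0}
        seen_links = set()
        links = []
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if seen[cur] >= max_depth:
                continue
            for key, meta in self.link_meta.items():
                if cur in key and key not in seen_links:
                    seen_links.add(key)
                    (nxt,) = key - {cur}
                    links.append((cur, nxt, meta))
                    if nxt not in seen:
                        seen[nxt] = seen[cur] + 1
                        queue.append(nxt)
        return {
            "identifiers": {i: self.node_meta.get(i, []) for i in seen},
            "links": links,
        }

    def subscribe(self, name, start, max_depth):
        """Register a standing search; the initial result is queued immediately."""
        self.subscriptions[name] = (start, max_depth)
        self.pending[name].append(self.search(start, max_depth))

    def poll(self, name):
        """Return and clear the queued results for a subscription."""
        results, self.pending[name] = self.pending[name], []
        return results


def decide_enforcement(result):
    """Constructed NAC policy: quarantine if any identifier in the search
    result carries a critical IDS event, otherwise permit."""
    for meta_list in result["identifiers"].values():
        for m in meta_list:
            if m.get("type") == "event" and m.get("significance") == "critical":
                return "quarantine"
    return "permit"


def demo():
    """Constructed scenario: switch, NAC server and IDS share one MAP."""
    server = MAPServer()
    alice = Identifier("identity", "alice")
    mac = Identifier("mac-address", "00:11:22:33:44:55")
    ip = Identifier("ip-address", "10.0.0.5")

    # NAC server watches everything within two hops of the user identity.
    server.subscribe("nac-alice", alice, max_depth=2)
    # 802.1X login: NAC server publishes identity <-> MAC.
    server.publish("nac", {"type": "authenticated-as"}, alice, mac)
    # Switch/DHCP publishes MAC <-> IP.
    server.publish("switch", {"type": "ip-mac"}, mac, ip)
    decisions = [decide_enforcement(r) for r in server.poll("nac-alice")]
    # Later the IDS, which knows only the IP, publishes a critical event on it.
    server.publish("ids", {"type": "event", "name": "worm-propagation",
                           "significance": "critical"}, ip)
    decisions += [decide_enforcement(r) for r in server.poll("nac-alice")]
    return decisions


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields three "permit" decisions (one per publish the NAC server's subscription observed, plus the initial result) followed by "quarantine" once the IDS event lands on the IP address two hops from the identity. Two design points carry over to the real protocol: the subscriber sets `max_depth`, so it controls how far it is willing to trust chained metadata, and `publisher` is recorded on every record, so a consumer can decide which sources it actually believes before acting on them.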

April 29, 2008

"The Kite Runner" will change how you think about Afghanistan

My wife Bonnie and I don't get out to the movies as much as we used to. When we do, it is often with the kids, so we miss out on many of the adult (no, I don't mean those kind of adult) themed movies that come out. We wait for the DVD, but even then I miss many. I compensate by watching movies on planes a lot. Recently I caught The Kingdom with Jamie Foxx and We Own the Night with Mark Wahlberg and Joaquin Phoenix. Both good, powerful movies. However, last night on my way out to Vegas for Interop I watched a movie that will change my life. It is The Kite Runner, based on the book of the same title by Khaled Hosseini.

The movie tells the story of two boys growing up in pre-Soviet-invasion Kabul, Afghanistan, all the way up to the year 2000, with the pre-9/11 Taliban regime in charge. You can read the Wikipedia article I linked to, or better yet go rent the movie or read the book (I am going to read it next) for all of the dramatic details. However, let me talk a bit about my takeaway from this film. First of all, like many Americans I had a preconceived notion of Afghanistan as a poor, backwater, backwards place that welcomed a repressive regime like the Taliban to power, part of the Muslim world that runs from the Med through to Pakistan. Nothing distinctive, and in fact, let's face it, I am not sure we humanize the people who live in that part of the world as we do Europeans or our fellow Americans. I knew little to nothing of Afghan history or lifestyle. Our American view of the world makes it hard for us to remember that children are children the world over and their lives are special. Whether it be something as simple as flying a kite or aspiring to be a writer, all children share the same dreams, hopes and challenges. Yes, in a place like Afghanistan with its ethnic tensions, there is room for a level of violence we don't often see here (but even that is BS; me living in Boca, I don't see it, but live in an inner-city bad neighborhood in the US and is life any better for a child?). But parents are parents the world over, and they love their children and have hopes for their children the same way you and I do. People have values they believe in, and may not be the most religious, but are nevertheless good people.

The movie made me think about my role as a father, husband and American. The whole American immigration experience is such a great influence on the world. We have the ability to take people from anywhere and they become Americans. The father in the movie goes from being a man of power and wealth in Kabul to working in a gas station here. The father-in-law was a general in Afghanistan, but is just a lower-middle-class worker here. But they don't lose their identity or the pride and sense of who they are, and most of all their values. They don't lose their identity in the melting pot; we add their identities to our tapestry of life here in this country. That is the real special sauce in what makes America

That part of the world is not just full of religious extremists. There are real live human beings there who think and feel very much like we do. Yes, there are incredible challenges with religious extremism to overcome, but there is a core of real people who are worthy of our efforts. At the end of the day, that is what the movie has succeeded in doing for me. It has made the Afghan people real.

April 28, 2008

Watching CNN can ruin your day!

When I work from my home office I usually keep CNN on in the background to keep up on the world. However, I have to say that it is just too damn depressing. A sample of today's news:

  1. Gas prices continue to go up about a penny or two a day, over 30 cents in last few weeks!
  2. Oil hit new highs
  3. Credit card companies are raising interest rates and fees drastically
  4. Food staples like wheat, rice, etc. are up 10% and more
  5. Some crazy nut in Austria locked his daughter in a dungeon for 24 years and fathered 7 children with her, one of whom died and whose body he disposed of (this is just a disgusting story)
  6. Home prices remain depressed and foreclosures remain high
  7. Airlines either have to merge or go out of business

Geez, what this country needs is a good fantasy for us to lose ourselves in. A new Star Wars or something to take our minds off dealing with reality. It has got to get better, doesn't it?


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views, positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.
