StillSecure, After All These Years

No guests tonight! Just Mitchell and I talking and laughing.  We had a good time talking about the ProtectPoint acquisition, Windows 7, NAC, Mike Rothman, what Mitchell is up to and anything else that popped up.

It is vintage SSAATY.  Hope you enjoy!

Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

And what will be the big security story of 2009?  Do you think you have the answer to either one of these?  If so leave your answer in a comment to this post.  Mitchell Ashley and I will be doing our usual year end podcast around New Years.  We would love to talk about what our readers think the big story was this year and what the big story was last year. 

If you like leave your name and we will be sure to give you the plug for your answer.  Thanks and looking forward to hearing what you think!

Mitchell and I are joined by our friend Mike Rothman for this show taped on Thanksgiving Eve.  Mike has "taken off the objectivity suit" and is now a vendor puke for eIQ Networks.  Mike talks about his reasons for taking the job, what eIQ is about and what about the analyst gig.

We also discuss with Mike some of the latest news in security.  As always, Mitchell and I have a great time with Mike and the time goes by too quickly. I am sure you will enjoy what Mike has to say as well.

Mitchell and I had two shows taped, so rather than wait I released them both . We have another one ready to go in the next week or so as well, so stay tuned.

Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Enjoy the podcast!

SSAATY #61 has Mitchell and I joined by Steve Goodbarn, CEO of Secure64, developers of a DNSSec solution. Mitchell and I get a well grounded technical background on DNSSec and what Steve is trying to do.

We so inspired Steve that he started his how blog shortly thereafter. His blog is at http://www.stevegoodbarn.com.

Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Enjoy the podcast!

BTW, in case you are wondering the * is for the number 61. I just can't write 61 with out an * next to it,  here is to Roger Maris and the Babe.

Related articles by Zemanta

• StillSecure, After all these years, Podcast 58 - Bill Brenner
• StillSecure, After all these years, Podcast 59 - Mike Murray
• StillSecure, After all these years, Podcast 60 - Sam Van Ryder
• SSAATY - Podcast #56 - Michael Montecillo of EMA
• StillSecure, After all these years, Podcast 57 - Thomas Noonan

As some of you know, my friend Mitchell Ashley and his wife Mary Ellen have been battling against breast cancer for over 3 years now. It has been a roller coaster ride for both of them and I have seen first hand how much courage it has taken for Mitchell to deal with this scourge, let alone the courage that Mary Ellen has in battling this disease. Though Mitchell has never made a secret of it, he has not made it very public either. That has now changed with a new blog that Mitchell started call breastcancerforhusbands.com.

Mitchell wants to share his experience as the "other" spouse in this life and death battle that too many couples face. He is looking to make it a resource for others faced with a similar battle. But there is part of doing this which is therapeutic for Mitchell as well. Talking about what he is feeling and going through helps him deal with the emotions and toll it takes. At the same time he is providing resources to those who may be in need.

I applaud Mitchell for being brave enough to come forward and face these demons publicly. Though we do not work together every day, Mitchell and I still speak almost every day. I know that he and Mary Ellen fight this each and every day and am constantly amazed at their faith in God and courage. If you get a chance, check out the blog and support Mitchell, Mary Ellen and the rest of the people who do battle with this terrible disease every day.

OK, I must be getting old. I signed up for Twitter probably almost a year ago when I was at the cool festival in Austin.  Since that time I have probably updated my status maybe 4 times.  I keep getting these emails saying that this one and that one is now following me on Twitter.  I couldn't understand why anyone would want to follow me?  Last night I went to dinner with Mitchell and Scott Converse (who just launched a new company called Medioh, more on that later), after which we went back to Scott's studio and recorded a really fun podcast.  They both started talking about Twitter and how I am not active and am just missing the boat on this.

So bowing to peer pressure, this morning I have downloaded the twhirl desktop client and ceTwit for my Windows mobile phone and am all aTwitter.  I see some people I am following and will try to follow all the people who follow me.  Lets see what all the Twitter is about.  Will report back to you if I just don't get it or is it really that cool.  Until than feel free to Twitter me at ashimmy.

It is always fun recording a podcast in person rather than virtually. Mitchell is getting me the file to edit, but being live brings a whole new level to Mitchell and I interacting.  Plus Scott was our guest, so the three of us had a blast.  Afterwards I realized the diet Pepsi I was drinking was Pepsi MAX, so maybe the extra caffiene had something to do with it!

OK, here is a little known fact about me.  When I was a little kid one of my favorite shows that I never, ever missed was Happy Days.  Yeah, thats right I loved Richie, Potsie, Ralph Mouth, Howard and Marion and the rest of the gang.  One of the things that was amazing about that show was like All in the Family, it gave birth to so many spin off shows.  Joanie loves Chachi is an obvious one.  Laverne and Shirley was another, and here is one you probably don't know, Mork and Mindy was actually a Happy Days spin off. 

Well today I am proud to link to the first "spin off" of the StillSecure, After all these years podcast.  Mitchell Ashley, my long time co-host has started up his own podcast on his Network World Microsoft SubNet blog.  Mitchell is taking the lessons learned on our podcast and is venturing forth on his own.  Here is the link to the podcast.  Good luck to Mitchell on the new show.  Of course I was smart enough to sign Mitchell to a long term contract to be my co-host (but not exclusive I guess), so he will still be doing our show together regularly.

We should be posting a new episode next week by the way.  Again, Good Luck Mitchell on the show! Now my only question is: if this makes Mitchell Chachi, does that mean I am the "Fonz"? Nah, no way. I was never that cool ;-)

It seems my article the other day commenting on Matt Hines article on Andy Jaquith's report on security companies relying on "the safety in numbers" approach to security to protect the herd as a whole has invoked some feelings strong enough for people to comment. Currently there are three comments which I want to highlight.  The first is from Mike Fratto.  The Syracuse whiz I think agrees with me that this type of approach is pragmatic and ultimately delivers more results and protection than all of the so-called zero day protection that we have heard so much about.  Mike calls it dead on when he says bad guys make malware, good guys then have to find it and protect against it.  That is the way it is and the way it will always be.

Next is the middle approach from Shawn.  Shawn agrees that this is a logical first step, but sees the risk to the individual as a member of the herd. Can we truly trust the herd to protect us?  Do the ones keeping the herd have our best interests at heart? Is giving up some of our privacy and individuality worth the protection we potentially get?  All good questions by Shawn.  Whether we are talking about security or any other threat to a group, I think these are the questions that the herd mentality raises.  I think nature has already answered these questions and by by its frequent use of the herd behavior the answer is that it is worth the sacrifice and the risk for the greater common good.

Last and I think most disturbing to me is Mitchell's reaction.  I don't know, maybe since Mitchell left StillSecure he has been drinking heuristic Kool Aid.  Mitchell, I think says that the bad guys will always be faster in this "flawed model of security".  However, what I think Mitchell misses is that the bad guys are always faster anyway.  The security industry is always re-active to the bad guy almost by definition.  So why do Mitchell and those who agree with his view feel this way?

I think that in their quest to "win the war" on security they think they will move from reactive to proactive.  That they will outsmart the bad guys and be able to anticipate the next bad guy move.  They want to think they can win.  I think it is in what you define as winning.  I don't think we ever are faster than the bad guys or act before they do. I think a much more pragmatic approach is to do what we can to harden our systems against attack and mitigate the risk of attack, but assume a new type of attack can succeed because we just cannot anticipate everything the bad guys do.  Therefore in an analysis of the greater good, a pragmatic approach that leverages a "neighborhood watch" as Mitchell calls it offers real world, real protection, rather than pie in the sky, wishful thinking about out thinking the bad guys.

Another eWeek article I read yesterday was by Brian Prince about Cisco's new Network Admission Control Guest Server (that sounds so new, that not even a marketing person has gotten hold of its name yet).  Mitchell blogged on this one too (now that he is doing his own thing, it is easier for him and I to blog on the same stuff). Mitchell liked the idea of allowing designated users to set up guest access for visitors, but Mitchell questions who will be given this responsibility in many organizations and if they recognize that it literally is the keys to the kingdom.  Mitchell also brings up a good point that the article at least doesn't say anything about whether or not these guests machines are checked for policy compliance or anything like that.  It is just a guest account set up on a portal and allows a user to move on to a guest VLAN or segment.  Their usage and presence on the network is noted, so that there is a trail of their presence.

So here is the Shimel view on this.  While I think the guest server has some limited benefit from an auditing and reporting prospective, I don't think it is what the market wants.  Increasingly I hear from customers about guest access that all they want is this:

1. Identify a guest user from an employee/managed user.
2. Test the managed user/employee and if they pass, give them their regular access
3. Move the guest into a "dirty" guest VLAN that has web and email access and little else.
4. They don't want to test the guest, as long as he is kept off the "real" network and don't care about what he does to other guests.

Frankly, they view the guest VLAN as almost outside their own network. If they can accurately identify guests, they have no desire to authenticate them, test them or anything else.  They just want to move them to the guest VLAN and forget them. To me what the customer wants is simple white listing/ black listing. Frankly, this was a hard lesson learned by us here.  We kept banging our head on the brick wall of insisting that they check the guests device too.  But people don't want that additional effort.  So as usual the market wins and we have made it easier than ever to set up guest VLAN access for our NAC product.  I am not sure I would call this out though as a separate server.  Clearly this is just a feature.  But I guess from Cisco's prospective it is another SKU they add to the quote, with another dollar amount in the column.