8 posts categorized "networking IT"

June 11, 2008

Vulnerability in SNMP 3

Dennis Fisher blogs over at SearchSecurity.com about a new critical flaw found in SNMPv3. I have blogged before how some NAC vendors that utilize SNMP have tried to fool unknowing sys admins that SNMP stands for security network management protocol, instead of simple NMP.

The SNMP zealots have always tried to counter the "SNMP is not secure" arguments by pointing to v3 as a very secure method, and now this flaw is found. How many more will be found? In any event, glad they found and fixed this. Now if they could just find someone using SNMPv3 it would be great!

June 08, 2008

Cloud computing - I want my cake and eat it too

It's easy to dismiss Don Dodge asking "Do you really want your data in the cloud" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and TypePad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability.

Don has a point. Even though net access and SaaS services are much more mature than they were in the past, there are always times when it does not work. For that matter, cell phones, BlackBerries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even then, problems accessing data on a disk, an application not behaving, or security problems could render you just as frustrated on your non-networked device as Amazon or Twitter being down does now.

Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to realize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and offline on my computer, then sync up later. Ultimately, when it comes to cloud versus local computing, I want my cake and eat it too.

May 17, 2008

A new blog on the block

This one is not all security related, but it is the ScienceLogic Blog. One of my favorite people in the IT field, Dave Link, is the CEO and founder of ScienceLogic. Several other friends from Interliant, including Louis Dimiglio (sorry if I messed up the spelling, Lou!), Richard Chart and Chris Cordray, are also part of the team. They have done a great job of creating a network management product and, in a hyper-competitive industry, carving out a place for themselves. I am running into them more and more at shows, conferences and in the field. Now they have joined the blogging ranks and it looks like there will be several contributors. They are all smart folks and I am sure will have good things to say, so be sure to check out the blog!

In one article responding to a post I did about where the interoperational is in Interop, Dave says that he and the ScienceLogic team had a very different experience at Interop this year. Due to their participation in the InteropNet and iLabs project, ScienceLogic was very involved in making sure the network at Interop was up and running and showing off the many different products and vendors working together. Certainly the work of the many people at Interop Labs and InteropNet shows how heterogeneous equipment and technology can work together, but where those labs and that network used to be the center of the show, I am not so sure that is the case any more. Many folks walk by the NOC at Interop, peek inside at the folks at the stations, smile and move on. How many actually take the tour compared to how many walk the floor or sit in on presentations? I think in Dave's view it is a case of when you are a hammer, everything looks like a nail.

More importantly though, Dave challenges me to answer his question of what StillSecure has done to promote interoperability with other vendors. Great question and it deserves an answer. So at the risk of giving StillSecure a shameless plug, let me give you the three foundations that we have built our products on that allow us to excel at interoperability:

1. Using open standard software and hardware - All StillSecure products run on off-the-shelf x86 hardware or in VMware virtual machines. Additionally, our products all run on top of the StillSecure OS, which is a hardened and stripped-down version of Linux but still provides the standard command line programs and interoperability that the Linux OS allows. We use standard and open databases such as MySQL and PostgreSQL that are SQL and ODBC compliant, and we have open database schemas. Also, we use Java web servers and similar types of open standard software that make it easier for us to work with other products and for our customers to feel comfortable with what is under the hood.

2. Support of industry frameworks and standards - Whether it be TCG/TNC or NAP in the NAC world or CVE and FDCC in vulnerability management, we support industry-wide standards and frameworks which allow products to work with each other. SNMP traps and SMTP email alerts are all standard in StillSecure products.

3. Enterprise Integration Frameworks - StillSecure products all ship with our enterprise integration frameworks. These are a complete set of fully documented and functional APIs in XML and Java that allow for the bi-directional exchange of data with many third-party products. This is perhaps our greatest means of interoperability and integration.

Dave, I hope that answered the question for you. Now that we know about the blog, we will be reading. Good luck!

March 04, 2008

SNMP - It's not Secure Network Management Protocol

As I have written before, I always laugh when I remember speaking to a potential NAC customer who had recently met with a NAC competitor of ours. We got around to discussing enforcement options and the customer was hell bent on using SNMP to have his switches enforce access policies. I explained to him that since he had switches from at least 3 different vendors and different models of switches from each of those vendors, the idea of scripting each of those switches and then updating each of them every time there was a change was a lot of work. He understood that but was willing to put up with the extra work for the added security that SNMP afforded him over 802.1x. Amazed, I informed him that SNMP is not usually thought of as very secure and that 802.1x, while not perfect, had many advantages in terms of security over SNMP. Then the kicker! The prospect told me I must be mistaken; after all, SNMP stood for Secure Networking Management Protocol, didn't it? When I stopped laughing I asked him where he heard that. He told me that the NAC vendor he spoke to before me told him that and touted how by using SNMP he was getting the most secure method of NAC. After all, SNMP was designed for security! Well, after some quick Google searching, he quickly found out that the other NAC vendor was feeding him a line, and it made me and StillSecure golden in his eyes.

I never forget that story and am reminded of it every time I read about a security hole around SNMP. This week came two reports of SNMP vulnerabilities in DarkReading. One by Kelly Jackson Higgins details a report that researchers doing a simple SNMP scan over the Internet turned up over 5000 devices that reported back with names, models and even patch levels. The devices were not off brands either, but Cisco, Apple and Microsoft devices. This underscores how leaky SNMP can be if you don't lock it down right.

This report came on the heels of an earlier report by Kelly that researchers had discovered a new attack vector of using SNMP in a persistent XSS attack. Just another reason to lock down your SNMP-capable equipment. By the way, for those of you wondering, SNMP stands for Simple Network Management Protocol.
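As an added example (not code from the original post), here is a small Python audit of a net-snmp snmpd.conf that flags the settings behind the kind of leak described above: default community strings, communities that answer any source, v1/v2c access without a restricting view, and v3 users allowed below the priv level. The two embedded configs are constructed samples; the community string and v3 passphrases are placeholders.

```python
"""Audit a net-snmp snmpd.conf for settings that hand out device details to anyone who asks."""

WEAK_COMMUNITIES = {"public", "private"}          # well-known default community strings
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}       # source values that mean "the whole Internet"
COMMUNITY_DIRECTIVES = ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6")


def audit_snmpd_conf(text):
    """Return a list of findings for directives that expose the agent too broadly."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            # v1/v2c: the community string travels in cleartext, so scope it tightly
            community = parts[1] if len(parts) > 1 else ""
            source = "default"
            if len(parts) > 2 and not parts[2].startswith("-"):
                source = parts[2]                  # optional SOURCE argument (host or CIDR)
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(f"line {lineno}: {directive} uses default community '{community}'")
            if source in ANY_SOURCE:
                findings.append(f"line {lineno}: {directive} answers queries from any source")
            if "-V" not in parts:
                findings.append(f"line {lineno}: {directive} exposes the whole MIB (no -V view)")
        elif directive in ("rouser", "rwuser"):
            # v3: require 'priv' so both authentication and encryption are enforced
            user = parts[1] if len(parts) > 1 else "?"
            level = parts[2].lower() if len(parts) > 2 else "auth"   # net-snmp default is auth
            if level != "priv":
                findings.append(f"line {lineno}: {directive} {user} allows security level '{level}'")
    return findings


# Constructed sample: the wide-open style of config that an Internet scan would get answers from
WEAK_CONF = """\
rocommunity public
rwcommunity private 0.0.0.0/0
"""

# Constructed sample: v2c limited to a management subnet and a narrow view (ifTable only,
# so no sysDescr model or patch-level strings), plus a v3 user that must use SHA auth and AES
HARDENED_CONF = """\
view mgmt included .1.3.6.1.2.1.2
rocommunity Kq9vR2xPl 192.0.2.0/24 -V mgmt
createUser monitor SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser monitor priv -V mgmt
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or ["no findings"])
```

Run it against your own agents' snmpd.conf files to spot the defaults before a scanner does; the hardened sample still leaves the v2c community in cleartext on the management subnet, which is why the v3 user is there.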

February 01, 2008

Juniper switches - Where's the beef?

With Juniper's long-awaited release of their EX switch line, many have said that there is just nothing distinguishing about the lineup. Just speeds and feeds. Others are saying that the real secret sauce is JUNOS. That very well may be. However, Tim Greene in this article says that Juniper's built-in NAC may be Juniper's not-so-secret weapon. He quotes two analysts, Phil Hochmuth of Yankee Group and Rob Whiteley of Forrester. The article rightfully points out that Juniper's competition in the switch market is Cisco and HP ProCurve.

It then goes on from there to talk about Juniper's new ability to perform access control at layer 4 with identity-based access control with ACLs in addition to VLANs. You can perform QoS as part of a user's access rights, and they can mirror traffic and send it to a Juniper IDP for post-admission NAC. Juniper wants to evolve NetScreen Security Manager into a central policy-control platform. This is all great stuff, however it ain't new. My research shows that HP ProCurve (the 2nd leading switch vendor) actually does much if not all of this right now. Using the ProCurve IDM (identity driven management) application, which is now bundled on ProCurve's NAC appliance with their NAC application, they can do this already. They can do the QoS thing as well as sending the traffic to several IPS brands. In fact, a close reading of ProCurve's security capabilities shows that there is little if anything ground-breaking in what Juniper is advocating and what these analysts seem to be eating up.

Yes, Juniper's entry I think does spell C-O-M-P-E-T-I-T-I-O-N for the likes of Nevis and ConSentry (sorry Dan and Dom), but that is not what Juniper is in this game for. They have to keep their eye on the prize. And the prize is taking market share from Cisco and HP ProCurve. If this is all they got, I am going to have to agree with those folks who are asking Juniper "where's the beef?"

January 29, 2008

Wherever Mary went, the lamb was sure to follow

Hot on the heels of Cisco's announcement of the Nexus switch line, Juniper announced its own entry into the high performance Ethernet switch market with its EX-series of switches. Juniper's entry into the switch market has been rumored for a long, long time. The only question was would they buy an existing switch vendor (for a time Extreme Networks was a rumored target) or would they roll their own. Well, it seems they rolled their own and these EX switches sound pretty hot. I had heard the name was going to be Hurricane, but maybe that was an internal code name.

My buddy Chris Harrington over at Infosecpodcast.com reports on this as well and asks what effect, if any, this will have on their NAC strategy. From the press release, "To mitigate the impact of security risks on network operations, Juniper Networks has integrated its Unified Access Control (UAC) solution with the new EX-series switches to provide businesses with the ability to control user access to mission critical applications and company assets through the enforcement of end-to-end policies." Sounds to me like the switches fit hand in glove with their NAC. I would imagine they are TCG compliant as well.

This could be a real boon to Juniper in both security and the bigger switch market. It will be interesting to see how some of the other switch vendors respond to keep up with Cisco and now Juniper.

November 27, 2007

IP Routing, coming to a space platform near you or "Space, the final IP frontier"

Lt Gen Steven Boutelle was the CIO (or G-6 in Army speak) for the US Army for the past few years. As such, Gen Boutelle led IT modernization and upgrading of the Army's network. As is often the case with our military, Gen Boutelle, who just retired, today started his new gig as VP of the Global Government Solutions Group at Cisco! Now I know what you are saying: "Whoa, what is this?" The guy who was in charge of buying all of the network and security gear goes to Cisco right after retirement and will be back selling Cisco to his friends in the government? What is wrong with that picture? Well, before you go too far, you should know that Cisco did not announce the hiring of Gen Boutelle until shortly after the Senate confirmed his successor. Well, that makes me feel better. At least they didn't announce his hiring before someone was appointed to take his place, but I wonder when they actually hired him, not when they announced it. But that and the whole idea of retired government employees selling into the government can be the subject of another blog, another day.

All of the above was reported, by the way, in this article on GCN. It seems from the article that Gen Boutelle is very excited about one of his tasks, which is leading Cisco's Internet routing in space initiative, or IRIS (you have to love military acronyms, but I thought eEye already had that one). Supposedly, by using IP routing on space communications you can get a 7 to 10 times bump in throughput. That is nothing to sneeze at and could have huge implications beyond just military uses. Cisco has already used a modified router on a NASA satellite in 2003 and is expecting to have a router it will put into orbit (didn't know Cisco had orbital launch vehicles) in the 2nd quarter of 2009. This could open the floodgates to a major shift to IP-based communication in the satellite industry.

Can you picture William Shatner (surprised Cisco has not hired him too) right now saying, "Space, the final IP frontier. This is the voyage of the self-defending network, going where no router has gone before."

October 05, 2007

Can someone get fired for staying with Cisco?

In reading Michelle McLean's blog today I was led to a great article by Jim Duffy over at Network World. For a long time I have said that though the old adage of "no one ever got fired for buying Cisco" may be true, I also question whether anyone gets promoted for buying Cisco. Jim takes a similar tack, asking "can someone get fired for staying with Cisco?"

Jim's article highlights two schools who have recently switched out some Cisco gear for other vendors. One school in NC seems to have taken out some Cisco switches for NAC switches from ConSentry. Interestingly, though the school apparently had a terrible experience with Cisco's Clean Access (now called NAC Appliance, and frankly who hasn't) and was given a cold shoulder by the Cisco team, they still have only replaced a fraction (about 20%) of their network switches with ConSentry gear (still a sizable deal for ConSentry and proving the adage that some NAC vendors can get fat with the crumbs from Cisco's table). In fact the school still considers itself a "Cisco shop" and their IT guy says "I wouldn't give up Cisco, especially at the core. I don't think there is anything out there that could beat a Cisco router and a lot of the core switches". I ask, how many times do you have to be burned before you wake up and smell the coffee? They take your money and charge a premium, deliver products that don't work and don't give you great support unless you spend more, and you are still committed to them? After this guy's experience, why isn't he looking at substitutes for the rest of his Cisco gear? I guarantee he will find them. And if he doesn't look at other options, why isn't his job in jeopardy?

In fact the 2nd school highlighted does exactly that. St. Francis High School is replacing virtually all of its Cisco equipment with HP ProCurve gear. In case you don't know, HP ProCurve is probably the fastest growing vendor in the network market and is clearly positioned as number 2 to Cisco. What got the St. Francis folks to finally give up the ghost on Cisco was ProCurve's lifetime warranty, industry-standard open architecture, support and price. They are going to be 95% ProCurve.

These two studies show the problem in competing against Cisco. Too many folks are just too willing to put up with less and take the perceived "safe way" out to stay with Cisco. There are too many good choices out there for anyone to have to settle for less, and it is time the IT world realizes it!

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views, positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.

Blog powered by TypePad
Member since 10/2005