Wednesday, December 27, 2006

Holiday Reading Round-up

During some holiday downtime I managed to catch up on some reading. Recently I mentioned the ISO/IEC 27001 standard. The November 2006 ISSA Journal featured an article by Taiye Lambo of eFortresses, an ISO/IEC 27001 consultancy. From what I read it seems ISO/IEC 27001 is a good option for organizations leaning towards related ISO standards like 9000.

After posting NAC Is Fighting the Last War, I read another ISSA Journal article titled Beyond NAC: The value of post-admission control in LAN security by Jeff Prince of ConSentry. Jeff uses both "Network Admission Control" and "Network Access Control" to describe NAC, although I believe he meant to use the former throughout the article. Jeff discusses the importance of controlling a user's activity once he is allowed onto the LAN, hence the "post-admission" aspect. This function will eventually find its way into everyone's switches, so I wouldn't rush out to buy separate new gear. I think post-admission NAC is a cool idea, but I would be surprised to see operators spending the time necessary to define policies and traffic flows properly.

Thanks to those of you who responded to my post Smart Cards Everywhere. It turns out the 23 November 2006 issue of NWC featured Analysis: Physical/Logical Security Convergence by Jeff Foristal. The article mentioned solutions from AMAG, CoreStreet, Gemalto, and Intercede.

Although I haven't talked about these topics in detail before, I found Jeffrey Young's article Enterprise WANs to be helpful. I had never heard of Virtual Network Operators like Vanco before. I think it would be neat to get involved with the security aspects of these sorts of carrier-level issues. Please email me (taosecurity [at] gmail [dot] com) if you think I could help your team!

The November 2006 issue of Information Security featured two interesting articles. The first featured a face-off between Bruce Schneier and Marcus Ranum on the effectiveness of federal security regulations. I found Bruce's "characteristics of good regulations" worth memorizing.

He said:

  1. They're targeted at a specific externality.

  2. The penalties are large enough to make the alternative more attractive.

  3. They put the entity able to fix a security problem in charge of the problem.


The same issue also featured a great story by Sandra Kay Miller on tapping fiber links. The paper Optical Taps (.zipped .doc) from Oyster Optics is good reading.

The December 2006 issue of Information Security featured several helpful articles too. All of you HIPAAns out there must read HIPAA-ocrisy by Joseph Granneman. Essentially, management has decided to ignore HIPAA because there's only been one HIPAA conviction in the three years since HIPAA "enforcement" started.

Finally, guru Dan Geer wrote a great piece called Playing for Keeps in ACM Queue. It's highly recommended as a survey of the sorry state of our security industry.


Copyright 2006 Richard Bejtlich

1 comment:

Brian Best said...

I also read the "Optical Illusion" article by Sandra Kay Miller. I found it to be interesting, but I thought her analysis was thin to say the least.

Tapping an optical network is certainly possible and is a security concern; however, it is not trivial. Sure, if you are on a campus network and you know the transport is 1000BASE-X this is not a big deal.

Now imagine you are dealing with an unknown "trunk" line... Let's say that you know it is a 32 channel DWDM system. What filters is the system using? Is the feed pre-amp or post-amp? Signal/Noise Ratio? Non-linear effects? Some of these systems are non-trivial to optimize for normal operation. I can't imagine rolling up with the trusty optical tap and making short work of such a system. :-)

My .02.

Regards,

Brian