After posting NAC Is Fighting the Last War, I read another ISSA Journal article titled Beyond NAC: The value of post-admission control in LAN security by Jeff Prince of ConSentry. Jeff uses the terms "Network Admission Control" and "Network Access Control" to both describe NAC, although I believe he meant to use the former throughout the article. Jeff discusses the importance of controlling a user's activity once he is allowed onto the LAN, hence the "post-admission" aspect. This function will eventually find its way into everyone's switches, so I wouldn't rush out to buy separate new gear. I think post-admission NAC is a cool idea, but I would be surprised to see operators spending the time necessary to define policies and traffic flows properly. Thanks to those of you who responded to my post Smart Cards Everywhere. It turns out the 23 November 2006 issue of NWC featured Analysis: Physical/Logical Security Convergence by Jeff Foristal. The article mentioned solutions from AMAG, CoreStreet, Gemalto, and Intercede.
Although I haven't talked about these topics in detail before, I found Jeffrey Young's article Enterprise WANs to be helpful. I had never heard of Virtual Network Operators like Vanco before. I think it would be neat to get involved with the security aspects of these sorts of carrier-level issues. Please email me (taosecurity [at] gmail [dot] com) if you think I could help your team!) The November 2006 issue of Information Security featured two interesting articles. The first featured a face-off between Bruce Schneier and Marcus Ranum on the effectiveness of federal security regulations. I thought Bruce's "characteristics of good regulations" to be worth memorizing.
- They're targeted at a specific externality.
- The penalties are large enough to make the alternative more attractive.
- They put the entity able to fix a security problem in charge of the problem.
The same issue also featured a great story by Sandra Kay Miller on tapping fiber links. The paper Optical Taps (.zipped .doc) from Oyster Optics is good reading. The December 2006 issue of Information Security featured several helpful articles too. All of you HIPAAns out there must read HIPAA-ocrisy by Joseph Granneman. Essentially, management has decided to ignore HIPAA because there's only been one HIPAA conviction in the three years since HIPAA "enforcement" started.
Finally, guru Dan Geer wrote a great piece called Playing for Keeps in ACM Queue. It's highly recommended as a survey of the sorry state of our security industry.
Copyright 2006 Richard Bejtlich