
Showing posts matching the search for nac

NAC Is Fighting the Last War

My post on the IETF Network Endpoint Assessment Working Group elicited a comment that suggested I expand on my thoughts, namely that Cisco Network Admission Control (NAC) / Microsoft Network Access Protection (NAP) / Trusted Network Connect (TNC) "are all fighting the last war." Let's see what the comment poster's own company has to say about NAC. (Please note that although I use NAC in the text that follows [as used by my sources], I could just as easily say NAP or TNC or NEA. I only single out Cisco because they are investing so much effort into NAC.) Network Admission Control (NAC), a set of technologies and solutions built on an industry initiative led by Cisco, uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and P...

Review Posted Plus NAC

July's been a great month for controversy on this blog, so I thought I would continue that theme by posting word of my Amazon.com review of Endpoint Security. Yes, I've been reading a lot, and it's been keeping me up past midnight for a few weeks. I've been intensely interested in these recent books, so staying up late has been worthwhile. Unfortunately, as you'll read in my three-star review, you can skip Endpoint Security: I really looked forward to reading Endpoint Security. I am involved in a NAC deployment, and I hoped this book could help. While the text does contain several statements that make sense (despite being blunt and confrontational), the underlying premise will not work. Furthermore, simply identifying and understanding the book's central argument is an exercise in frustration. Although Endpoint Security tends not to suffer any technical flaws, from conceptual and implementation points of view this book is disappointing. I just finished this...

ShmooCon 2007 Wrap-Up

ShmooCon 2007 ended today. Only four talks occurred today (Sunday), and only two of them (Mike Rash, Rob King/Rohit Dhamankar) really interested me. Therefore, I went to church with my family this morning and took lead on watching the kids afterwards. I plan to watch those two interesting talks once they are released as video downloads. (It takes me 1 1/2 - 2 hours each way into and out of DC via driving and Metro, so I would have spent more time on the road than listening to speakers.) I also left right after Bruce Potter's introductory comments on Friday afternoon. If it hadn't been for the NoVA Sec meeting I scheduled Friday at 1230, I probably would have only attended Saturday's sessions. I heard Avi Rubin's 7 pm keynote was good, and I would have liked to watch Johnny Long's talk. Otherwise I thought spending time with my family was more important. That leaves Saturday. I spent the whole day at ShmooCon, from the first talk to the end of Hack or Halo...

Holiday Reading Round-up

During some holiday downtime I managed to catch up on some reading. Recently I mentioned the ISO/IEC 27001 standard. The November 2006 ISSA Journal featured an article by Taiye Lambo of eFortresses, an ISO/IEC 27001 consultancy. From what I read it seems ISO/IEC 27001 is a good option for organizations leaning towards related ISO standards like 9000. After posting NAC Is Fighting the Last War, I read another ISSA Journal article titled Beyond NAC: The value of post-admission control in LAN security by Jeff Prince of ConSentry. Jeff uses the terms "Network Admission Control" and "Network Access Control" to both describe NAC, although I believe he meant to use the former throughout the article. Jeff discusses the importance of controlling a user's activity once he is allowed onto the LAN, hence the "post-admission" aspect. This function will eventually find its way into everyone's switches, so I wouldn't rush out to buy separate n...

Thoughts on Cisco Self-Defending Network Book

I didn't exactly "read" Self-Defending Networks: The Next Generation of Network Security by Duane DeCapite. Therefore, I won't review the book at Amazon.com. I definitely didn't read a majority of the text, which is a personal requirement for a book review. However, I'd like to discuss the title here. The book has a ton of screen shots and is essentially a big marketing piece for Cisco's Self-Defending Network gear, which includes: Cisco Traffic Anomaly Detector for DDoS identification; Cisco Guard for DDoS mitigation; Adaptive Security Appliance for firewalling (including IPS); Incident Control System for malware containment with Trend Micro; 802.1X for port-based security (note to Cisco: it's not "802.1x"); Network Admission Control (NAC) with NAC Appliance or NAC Framework; Cisco Security Agent (CSA) for host protection; Cisco Security Manager; and Cisco Monitoring, Analysis and Response System (MARS) for alert management. Why do I mentio...

Thoughts from Several Conferences

Over the last several months I've accumulated several pages of notes after attending a variety of conferences. I thought I would present a few cogent points here. As with most of my posts, I record thoughts for future reference. If you'd rather not read a collection of ideas, please tune in later. I attended the 28 Nov 07 meeting of the Infragard Nation's Capital chapter. I found the talk by Waters Edge Consulting CEO Jeffrey Ritter to be interesting. Mr. Ritter is a lawyer and self-proclaimed "pirate" who works for the defendant by attacking every aspect of the adversary's case. As more lawyers become "cyber-savvy" I expect to encounter more of his type. Mr. Ritter offered three rules of defense: that which is unrecorded did not occur; that which is undocumented does not exist; that which is unaudited is vulnerable. He also said "Litigation isn't about the truth... it's about getting money." He offered three questions to...

Cisco's Secure Routers Are Winning

Infonetics Research published a synopsis of a recent report they authored. I'd like to highlight a few points. Growth in the network security appliance and software market is expected to slow to the single-digits after 2007 as content security gateways and NAC products begin to infringe on network security product budgets. "The most important appliance category to watch over the next year is secure routers. Sales were up 25% in 2006 and this year will pass $1 billion in worldwide sales, representing a significant portion of the overall network security market..." Secure routers account for 29% of the total integrated security appliance market in 2006 and will continue to increase their share of the market through at least 2010... Cisco continues to lead the overall network security market, with 38% worldwide revenue share in 2006, posting growth in all network security market segments tracked by Infonetics. Juniper and Check Point are tied for second, each with 9% worldwide ...

What Do I Want

If you've read this blog for a while, or even if you've just been following it the last few months, you might be saying "Fine Bejtlich, we get it. So what do you want?" The answer is simple: I want NSM-centric techniques and tools to be accepted as best practices for digital security. I don't say this to sell products. I say this because it's the best chance we have of figuring out what's happening in our enterprise. NSM means deploying sensors to collect statistical, session, full content, and alert data. NSM means having high-fidelity, actionable data available for proactive inspection when possible, and reactive investigation every other time. NSM means not having to wait to hire a network forensics consultant who brings his own gear to the enterprise, hoping for the intruder to make a return appearance while the victim is instrumented. I'd like to see organizations realize they need to keep track of what's happening in their enterpri...

IETF Network Endpoint Assessment Working Group

Dark Reading posted an article on the new Network Endpoint Assessment (nea) IETF working group. The description says, in part: Network Endpoint Assessment (NEA) architectures have been implemented in the industry to assess the "posture" of endpoint devices for the purposes of monitoring compliance to an organization's posture policy and optionally restricting access until the endpoint has been updated to satisfy the posture requirements. An endpoint that does not comply with posture policy may be vulnerable to a number of known threats that may exist on the network. The intent of NEA is to facilitate corrective actions to address these known vulnerabilities before a host is exposed to potential attack. Note that an endpoint that is deemed compliant may still be vulnerable to threats that may exist on the network. The network may thus continue to be exposed to such threats as well as the range of other threats not addressed by maintaining endpoint compliance. I have ...

Thoughts on Check Point Acquisition of NFR

Earlier this year I covered Check Point's attempt to purchase Sourcefire. Well, Check Point bought another vendor -- NFR -- for $20 million. Talk about market valuation; Sourcefire's sale price was $225 million. NFR is also down to 22 employees, according to the press release. Although the FAQ says Check Point intends to continue to sell, support, and develop an independent NFR Security product line, I doubt that will last. It doesn't make sense to buy the technology but not integrate it into Check Point's firewalls, and then discard the separate box. At this point it seems we're left with the following IDS/IPS vendors: Cisco, 3Com (via Tipping Point), Juniper, Enterasys (Dragon), IBM (via ISS), McAfee, and Sourcefire. Let's see how that relates to the idea that all network security functions will collapse to switches. The first four sell switches, so I expect them to lead that drive. The fifth (ISS) is owned by IBM, who is more interested in services thes...

Anything That Blocks Access Is A Firewall

Just now I was reading David Cowan's blog. David is a partner at Bessemer Venture Partners. This means he is paid to gamble with rich people's money by helping to fund new companies. If a start-up succeeds, the investors get a nice return on their investment. One of David's funding recipients is Determina, whose CTO is Saman Amarasinghe. So why does anyone care? I think this ad from the Determina Web site is interesting: I've heard of an intrusion prevention firewall, a database firewall, and even a human firewall, but this is the first memory firewall. The technology has been public for about a year, but it's starting to make new appearances in articles like this. Clearly Determina is following the standard start-up model. Invent product. Brand product to create a new market not filled by others, even though product is similar to others. Claim market-leading product in newly created market. Profit! In other words, a "memory firewall" is m...

Security Subject Matter Experts Sought as Authors

Last night I started working on my next book: Extrusion Detection: Security Monitoring for Internal Intrusions. The goal of this book is to help security architects and engineers control and instrument their networks, and help analysts investigate security events. Extrusion Detection is a sequel to my first book, The Tao of Network Security Monitoring: Beyond Intrusion Detection. Extrusion Detection explains how to engineer an organization's internal network to control and detect intruders launching client-side attacks. Client-side attacks are more insidious than server-side attacks, because the intruder targets a vulnerable application anywhere inside a potentially hardened internal network. A powerful means to detect the compromise of internal systems is to watch for outbound connections from the victim to systems on the Internet operated by the intruder. Here we see the significance of the word "extrusion" in the book's title. In addition to watching c...

Cisco Announces New Routers with Focus on Security

Two days ago Cisco announced a new set of Integrated Services Routers, including the 1800, 2800, and 3800 series. For historical comparison, the 2600 was announced in March 1998 and the last enhancements to that line, the 2600XM series and 2691, were announced in June 2002. The press release shows an interesting bias; emphasis is added: "Cisco Systems today announced a new line of integrated services routers, the industry's first routers to deliver secure, wire-speed data, voice, video and other advanced services to small and medium-sized businesses (SMBs) and enterprise branch offices, as well as service providers for managed network services offerings. Founded on 20 years of routing innovation and leadership, the new Cisco 1800 Series, Cisco 2800 Series and Cisco 3800 Series integrated services routers are the first to provide customers with an infrastructure that enables fast, secure access to today's mission-critical business applications with optimized s...