By: shanna February 2, 2009 8:24 am
Location: Sunnyvale, CA No Comments


I’ve been promoted! Instead of just blogging about NAC here on my Got The NAC blog, I have been asked to join a team of Juniper bloggers on the new Networking Now blog.

The new blog will have a much wider scope than my Got The NAC blog. We’ll cover anything in networking and security. I’m glad that we’re breaking down these artificial walls. Forget the alphabet soup of IDS, NAC, DLP, etc. It’s all about providing a secure, reliable IT infrastructure for our customers and businesses.
The important issues go beyond any one technology.

Don’t worry. I’m still technical and deeply involved in all the new technologies being developed at Juniper and around the industry. I’m just expanding my scope a little bit.

So please click over to the Networking Now blog and check out our new content over there. You can subscribe to just my posts but I hope that you’ll enjoy posts from all the Juniper bloggers. Open your mind to some new perspectives. You’ll be amazed at the insights the new perspectives bring.



By: shanna November 18, 2008 11:00 am
Location: Sunnyvale, CA No Comments


If you’re not growing, you’re dying. Which one is it for you? In this video, I explain how Juniper is growing the next generation of engineering leaders. Tune in and get some ideas for your organization. Or comment and share your ideas and best practices.





By: shanna November 11, 2008 9:46 am
Location: Sunnyvale, CA 2 Comments


Chris Hoff blogged yesterday about using TCG’s standard IF-MAP protocol to connect security functions throughout the cloud. I couldn’t agree more! That’s exactly what IF-MAP is for: helping security systems share the information they have gathered. That’s what I’ve been saying all along. Chris’ idea to extend it to include virtualized security functions is a great one. I wonder if the virtualization folks are listening in.

Chris asks which vendors are supporting IF-MAP in their products. I have found that standards adoption follows the classic innovation adoption lifecycle. Innovators are the vendors and customers that have the vision and foresight to see where things must go. They are the first to create and adopt new technology. For IF-MAP, that group includes the folks who developed the IF-MAP spec and demonstrated implementations at Interop Vegas in April: ArcSight, Aruba Networks, Infoblox, Juniper Networks, Lumeta, and nSolutions. Next come Early Adopters, Early Majority, Late Majority, and Laggards. It takes at least a year for each stage: six months to turn prototypes into products and six months for the next generation of adopters to catch on. That’s the timescale we’ve seen for the other TNC standards. So I expect to see Innovator vendors shipping products that implement IF-MAP in the next few months and Innovator customers deploying those products in the months after that. Then will come Early Adopters and so on.

Innovation Adoption Lifecycle

IF-MAP provides immediate benefits. False positives and false negatives are greatly reduced since sensors are now identity-aware. Fewer false positives and negatives reduce the cost and increase the benefit of monitoring IDS and SIEM systems. Automated response is another way to reduce costs. Reduced cost with stronger security will definitely draw some attention in today’s economic climate! I expect that it will quickly pull this technology across the “chasm” from Early Adopters to Early Majority, who are looking for successful ideas but open to new things. However, we still have a few years before we get to that point.
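To make the “identity-aware sensor” point concrete, here is an added example (editor’s illustration, not code from the original post, Juniper, or the TCG). It models the kind of coordination IF-MAP is meant to enable: a NAC server publishes who is behind each IP address into a shared metadata store, and an IDS consults that store before deciding whether an alert is a false positive, a plain alert, or grounds for an automated quarantine request. It is not the IF-MAP protocol or a MAP server; the class, field, role and signature names and the sample data are all constructed for the example.

```python
"""Added illustrative model of the coordination IF-MAP is meant to enable: a NAC
server publishes who is behind each IP address, and an IDS consults that before
deciding what to do with an alert. This is not the IF-MAP protocol, a MAP server
or any vendor's product; class, field and role names are assumptions."""
from collections import defaultdict
from typing import Dict, Tuple


class MetadataStore:
    """Stand-in for a MAP server: metadata keyed by an identifier (here an IP address)."""

    def __init__(self) -> None:
        self._data: Dict[str, dict] = defaultdict(dict)

    def publish(self, identifier: str, **metadata) -> None:
        self._data[identifier].update(metadata)

    def search(self, identifier: str) -> dict:
        return dict(self._data.get(identifier, {}))


# Constructed policy: traffic patterns that are expected for certain roles
EXPECTED_BY_ROLE = {
    "vuln-scanner": {"port-scan"},
    "backup-server": {"smb-bulk-transfer"},
}


def triage(store: MetadataStore, alert: dict) -> Tuple[str, str]:
    """Decide what an identity-aware IDS does with an alert.
    alert = {"src_ip": str, "signature": str, "severity": "low" | "high"}
    Returns (verdict, reason), verdict in {"suppress", "alert", "quarantine"}."""
    meta = store.search(alert["src_ip"])
    if not meta:
        # Without identity data the sensor can only raise a plain alert
        return ("alert", f"{alert['src_ip']}: no NAC session for source")
    role = meta.get("role")
    who = f"{meta.get('identity')} ({role})"
    if alert["signature"] in EXPECTED_BY_ROLE.get(role, set()):
        # The classic false positive: the authorized scanner scanning
        return ("suppress", f"{alert['signature']} is expected for {who}")
    if alert["severity"] == "high":
        # Automated response: publish a request the enforcement point can read back
        store.publish(alert["src_ip"], enforcement="quarantine", cause=alert["signature"])
        return ("quarantine", f"{who} triggered {alert['signature']}")
    return ("alert", f"{who} triggered {alert['signature']}")


def run_demo() -> list:
    store = MetadataStore()
    # NAC server publishes identity and role after authentication (constructed data)
    store.publish("10.0.0.5", identity="scanner-01", role="vuln-scanner")
    store.publish("10.0.0.9", identity="alice", role="employee")
    alerts = [
        {"src_ip": "10.0.0.5", "signature": "port-scan", "severity": "low"},
        {"src_ip": "10.0.0.9", "signature": "port-scan", "severity": "high"},
        {"src_ip": "10.0.0.77", "signature": "port-scan", "severity": "low"},
    ]
    verdicts = [triage(store, a) for a in alerts]
    # The enforcement request is now visible to anything that searches the store
    verdicts.append(("enforcement", store.search("10.0.0.9").get("enforcement", "none")))
    return verdicts


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:12} {reason}")
```

The same signature (a port scan) gets three different outcomes depending only on what the store says about the source: suppressed for the authorized scanner, escalated to a quarantine request for an employee workstation, and a plain alert for an address with no NAC session at all. That is the false-positive reduction and the automated response the paragraph describes, expressed as a shared-metadata design rather than as sensor-by-sensor integrations.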

I have spoken about IF-MAP and coordinated security at several conferences and I have seen tremendous interest among customers and vendors. I’m not at liberty to give out names but some very large vendors and customers are excited about IF-MAP. As soon as IF-MAP products start shipping, I’ll announce it on my blog and link to them.

As Alan Shimel points out on his blog, the best way to increase the number of products that support IF-MAP is for customers to demand and buy those products. Vendors who are Innovators have the foresight and resources to lead the market. Early Adopter vendors are eager to lead but need to see customer demand before they can add features. Will you provide the customer demand needed to pull the next group of vendors along the adoption curve? If you’re interested, start asking vendors about IF-MAP support and examine the first generation of IF-MAP products when they ship.



By: shanna November 6, 2008 4:31 pm
Location: Sunnyvale, CA No Comments


I recently returned from ISSE 2008 in Madrid, Spain. The conference highlighted some key differences between U.S. and European information security. Tune into this podcast and you’ll get some food for thought: lessons that you may be able to apply in your own work.

Click here to listen.



By: shanna October 29, 2008 4:47 pm
Location: Sunnyvale, CA No Comments


This week, I’m blogging from RSA Europe in London. The conference is dedicated to Alan Turing, the great British cryptographer and early computer scientist. The folks at Bletchley Park teamed with a local hobbyist to bring an Enigma machine and other cryptographic machines to the conference. I had a great time playing with the Enigma.
Steve fools around with an Enigma

Attendance at the show was down a bit from last year, probably due to the poor economy. Still, there was a good crowd for my talk on “NAC 2.0” this morning. I explained how NAC systems are starting to integrate with other network security systems like IDS and DLP. This trend is really starting to accelerate now that IF-MAP has been released, providing a standard way for these integrations to happen.

One more note. The Bletchley Park folks are appealing for donations to help save their historic site, an important part of cryptography and information security. If you’d like to donate, visit their site at http://www.bletchleypark.org.uk or stop by and see the machines for yourself. If you can’t make it to England, go to the U.S. National Cryptologic Museum in Maryland. They have a similarly amazing collection of spy gear albeit in a less historic setting.



By: shanna October 8, 2008 3:30 am
Location: Sunnyvale, CA No Comments


In Madrid for the ISSE 2008 conference, I found myself losing sleep over the state of our global economy. What a mess! With two free hours, I decided to visit the art museums. A quick cab ride brought me to the Reina Sofia Museum, which houses Guernica. No words or JPEG can do justice to Picasso’s masterpiece. Although the work was inspired by the brutality of war, to me today it spoke to the tragedy and beauty of life.

Our current financial crisis will bring years of pain on a small and large scale. We must do what we can to avoid such tragedies but they will inevitably happen. Still, a small flower grows at the center of the painting. New life and creativity will spring from this tragedy as it always does.

Please treat each other with kindness and patience for the next few months. Be an island of calm. Spread hope not fear. Nothing physical has changed in recent weeks, only a psychological change. Let’s keep it that way and support each other. We will come out of this crisis stronger and wiser than before.



By: shanna October 3, 2008 1:30 pm
Location: Sunnyvale, CA No Comments


The IETF’s NEA Working Group is (among other things) standardizing a set of “PA-TNC attributes” for use during NAC health checks. These standard attributes will be implemented in many network endpoints (laptops, desktops, printers, etc.) so that a NAC server can query an endpoint and obtain information about its health in a standard way. The tricky part is deciding which attributes are important enough to be in the first standard and which attributes can be left to future standards or vendor extensions.

I bet you have some ideas on this topic. Review the current draft list of attributes (below) and post your comments. I’ll bring them back to the NEA WG. Thanks!


A standard set of components is defined, and then a standard set of attributes that describe aspects of those components. This avoids the need to define separate attributes for “OS Version”, “AV Version”, etc. Of course, some devices won’t implement all these components and attributes. No Anti-Virus on my printer (yet!).

Components: Operating system, Anti-Virus, Anti-Spyware, Anti-Malware, Host Firewall, Host Intrusion Detection and/or Prevention System, Host VPN

Attributes: Product Information (vendor, name), Numeric Version, String Version, Operational Status (operational?, problems detected?, last time run), Port Filter List (for Host Firewall), Installed Packages (name, version)
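The following is an added example (editor’s illustration, not NEA WG, TCG or Juniper code) of why the components-times-attributes design above is attractive: one generic ComponentReport type carries the listed attributes for any component, and a NAC server’s policy can then be written per device class without a separate attribute for each product. It does not follow the PA-TNC wire encoding; the class names, field names, policy keys, vendor and product names, and version numbers are all assumptions constructed for the example.

```python
"""Added illustrative model of the component/attribute scheme in the draft list
above. This is example code, not NEA WG, TCG or Juniper code, and it does not
follow the PA-TNC wire encoding; class, field and policy names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProductInfo:
    vendor: str
    name: str


@dataclass
class OperationalStatus:
    operational: bool
    problems_detected: bool
    last_run: Optional[str] = None  # ISO-8601 timestamp, None if never run


@dataclass
class ComponentReport:
    """One component (Operating system, Anti-Virus, Host Firewall, ...) described
    with the same generic attributes, so no per-product attribute is needed."""
    component: str
    product: ProductInfo
    numeric_version: Tuple[int, ...] = ()
    string_version: str = ""
    status: Optional[OperationalStatus] = None
    port_filter_list: List[str] = field(default_factory=list)        # Host Firewall only
    installed_packages: Dict[str, str] = field(default_factory=dict)  # name -> version


def evaluate(reports: List[ComponentReport], policy: Dict[str, dict]) -> List[str]:
    """Compare an endpoint's reports with a policy keyed by component name.
    Each policy entry may set 'min_version' (tuple) and 'must_be_operational'.
    Returns the list of findings; an empty list means the endpoint is compliant."""
    findings = []
    by_component = {r.component: r for r in reports}
    for comp, rule in policy.items():
        report = by_component.get(comp)
        if report is None:
            # The endpoint did not report this component at all (e.g. no AV on a printer)
            findings.append(f"{comp}: not reported")
            continue
        if rule.get("must_be_operational") and not (report.status and report.status.operational):
            findings.append(f"{comp}: not operational")
        if report.status and report.status.problems_detected:
            findings.append(f"{comp}: problems detected")
        min_version = rule.get("min_version")
        if min_version and report.numeric_version < tuple(min_version):
            findings.append(f"{comp}: version {report.string_version} below minimum")
    return findings


# Constructed sample endpoints (vendor and product names are made up)
LAPTOP = [
    ComponentReport("Operating system", ProductInfo("ExampleCorp", "ExampleOS"),
                    (10, 2, 0), "10.2.0", OperationalStatus(True, False, "2008-10-03T08:00:00Z")),
    ComponentReport("Anti-Virus", ProductInfo("ExampleAV", "AV Desktop"),
                    (3, 9, 1), "3.9.1", OperationalStatus(True, False, "2008-10-02T23:00:00Z")),
    ComponentReport("Host Firewall", ProductInfo("ExampleCorp", "ExampleFW"),
                    (2, 0, 0), "2.0.0", OperationalStatus(True, False),
                    port_filter_list=["deny tcp/445 in", "allow tcp/22 in"]),
]
PRINTER = [
    ComponentReport("Operating system", ProductInfo("ExamplePrint", "PrintOS"),
                    (1, 4, 0), "1.4.0", OperationalStatus(True, False)),
]

# Policies differ by device class: the printer is not expected to run Anti-Virus
LAPTOP_POLICY = {
    "Operating system": {"min_version": (10, 0, 0), "must_be_operational": True},
    "Anti-Virus": {"min_version": (4, 0, 0), "must_be_operational": True},
    "Host Firewall": {"must_be_operational": True},
}
PRINTER_POLICY = {"Operating system": {"min_version": (1, 0, 0)}}

if __name__ == "__main__":
    print("laptop:", evaluate(LAPTOP, LAPTOP_POLICY))     # AV version too old
    print("printer:", evaluate(PRINTER, PRINTER_POLICY))  # compliant
    print("printer vs laptop policy:", evaluate(PRINTER, LAPTOP_POLICY))
```

Applying the laptop policy to the printer shows the other half of the design question in the post: the printer simply reports no Anti-Virus or Host Firewall component, and whether “not reported” is a failure or an expected absence is a policy decision per device class, not something the attribute set itself has to encode.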



By: shanna September 18, 2008 6:18 pm
Location: Sunnyvale, CA 1 Comment


Today’s panel on NAC was a blast! Mike Fratto mainly took questions from the audience. When there were slow spots, he asked some tough questions of his own. I prefer this approach to panels. Customers have the most interesting, real-world questions!

I was surprised how many of today’s questions focused on standards. The attendees were impatient with the delays in getting NAC standards implemented. I share their impatience. The TNC standards have been around for more than four years. They’ve been implemented by Juniper, Microsoft, and dozens of other vendors. Why don’t other vendors just implement them?

Steve Karkula of Nokia was a welcome addition to the usual cast of characters on a NAC panel: Cisco, Microsoft, and TCG. Steve is involved with Nokia’s SourceFire product. He pointed out the value of including behavior monitoring in a NAC system. I couldn’t agree more! These days, NAC is much more than checking the health of devices when they connect to your network. State-of-the-art NAC systems customize access for each user or role and monitor behavior so they can block misbehaving endpoints. Really cool systems link identity and behavior monitoring so that they know what behavior’s appropriate for each user!

An interesting followup question was how to monitor behavior when more network traffic is encrypted. The panelists had a variety of answers: doing monitoring on the servers, on the endpoints (only if you trust them!), or at the edge of the data center (if you terminate the encryption there, as is often done with load balancers, SSL offload devices, and such).

All in all, it was an interesting panel. I’m sorry if you couldn’t be there. I hope to see you at one of my upcoming talks!



By: shanna September 18, 2008 4:51 am
Location: Sunnyvale, CA No Comments


I’m in NYC for Interop NY today. I’ll be speaking on a panel about NAC at 10:15 AM with Microsoft, Cisco, and Nokia reps and Mike Fratto as moderator. It should be entertaining and enlightening. At least, I hope it will be! I’ll blog about it this afternoon. If you’re at the show, please come by and say “Hi” or ask a question.

I wanted to point out Mike Fratto’s blog posting about the NAC Day panel. It sounds like a great discussion with customers pushing hard for vendors to support NAC standards. The TNC standards have been out for more than three years now and free for anyone to implement. Most vendors have done so or at least announced plans to do so. Cisco is the only holdout. I’m glad to see customers pushing hard for them to support these standards. I hope these words translate into actions. As they say, “money talks”! The only way to get some vendors’ attention is to put a requirement in your NAC RFP saying “must support the TNC standards”.



By: shanna August 21, 2008 2:51 pm
Location: Sunnyvale, CA No Comments


I recently returned from the IETF standards meeting in Dublin, Ireland. Watch this video to hear about the highlights of this meeting. Then come back here and leave a question or comment so we can discuss it more.



