By: shanna October 29, 2008 4:47 pm
Location: Sunnyvale, CA


This week, I’m blogging from RSA Europe in London. The conference is dedicated to Alan Turing, the great British cryptographer and early computer scientist. The folks at Bletchley Park teamed with a local hobbyist to bring an Enigma machine and other cryptographic machines to the conference. I had a great time playing with the Enigma.
Steve fools around with an Enigma

Attendance at the show was down a bit from last year, probably due to the poor economy. Still, there was a good crowd for my talk on “NAC 2.0” this morning. I explained how NAC systems are starting to integrate with other network security systems like IDS and DLP. This trend is really starting to accelerate now that IF-MAP has been released, providing a standard way for these integrations to happen.

One more note. The Bletchley Park folks are appealing for donations to help save their historic site, an important part of cryptography and information security. If you’d like to donate, visit their site at http://www.bletchleypark.org.uk or stop by and see the machines for yourself. If you can’t make it to England, go to the U.S. National Cryptologic Museum in Maryland. They have a similarly amazing collection of spy gear albeit in a less historic setting.



By: shanna September 18, 2008 6:18 pm
Location: Sunnyvale, CA


Today’s panel on NAC was a blast! Mike Fratto mainly took questions from the audience. When there were slow spots, he asked some tough questions of his own. I prefer this approach to panels. Customers have the most interesting, real-world questions!

I was surprised how many of today’s questions focused on standards. The attendees were impatient with the delays in getting NAC standards implemented. I share their impatience. The TNC standards have been around for more than four years. They’ve been implemented by Juniper, Microsoft, and dozens of other vendors. Why don’t other vendors just implement them?

Steve Karkula of Nokia was a welcome addition to the usual cast of characters on a NAC panel: Cisco, Microsoft, and TCG. Steve is involved with Nokia’s SourceFire product. He pointed out the value of including behavior monitoring in a NAC system. I couldn’t agree more! These days, NAC is much more than checking the health of devices when they connect to your network. State-of-the-art NAC systems customize access for each user or role and monitor behavior so they can block misbehaving endpoints. Really cool systems link identity and behavior monitoring so that they know what behavior’s appropriate for each user!

An interesting followup question was how to monitor behavior when more network traffic is encrypted. The panelists had a variety of answers: doing monitoring on the servers, on the endpoints (only if you trust them!), or at the edge of the data center (if you terminate the encryption there, as is often done with load balancers, SSL offload devices, and such).

All in all, it was an interesting panel. I’m sorry if you couldn’t be there. I hope to see you at one of my upcoming talks!



By: shanna September 18, 2008 4:51 am
Location: Sunnyvale, CA


I’m in NYC for Interop NY today. I’ll be speaking on a panel about NAC at 10:15 AM with Microsoft, Cisco, and Nokia reps and Mike Fratto as moderator. It should be entertaining and enlightening. At least, I hope it will be! I’ll blog about it this afternoon. If you’re at the show, please come by and say “Hi” or ask a question.

I wanted to point out Mike Fratto’s blog posting about the NAC Day panel. It sounds like a great discussion with customers pushing hard for vendors to support NAC standards. The TNC standards have been out for more than three years now and free for anyone to implement. Most vendors have done so or at least announced plans to do so. Cisco is the only holdout. I’m glad to see customers pushing hard for them to support these standards. I hope these words translate into actions. As they say, “money talks”! The only way to get some vendors’ attention is to put a requirement in your NAC RFP saying “must support the TNC standards”.



By: shanna May 23, 2008 1:11 pm
Location: Sunnyvale, CA


I was in Belgium this week for the tenth annual TERENA Networking Conference. This meeting gathers networking and security experts from research and education networks throughout Europe and around the world. My talk (titled “Network Access Control and Beyond”) was one of many at the conference that focused on the theme of pushing beyond the ordinary. The medieval town of Bruges provided a lovely setting for this cutting-edge networking conference, causing me to reflect on the balance between stability and innovation.

House in Bruges

Research and education networkers operate on the edge between practice and theory, always balancing the dual goals of keeping their networks stable and pushing the envelope to develop next-generation services. This is not so different from corporate IT or anything else in life. There’s always a tension between stasis and change. Should we stick with the old reliable ways or move to the new? Of course, we must mix both. Without change, our networks and businesses will become obsolete. Yet uncontrolled change will make our networks unreliable.

What can we learn from the TERENA researchers about living with change? Here are some of their techniques, which I think we can apply well to our own networks and organizations:

  1. Start with a grand vision but stay open to new ideas and surprises. Without high hopes, you will never go far. But having a vision can blind you. All great ideas start out as one person’s crazy brainstorm, so keep an open mind. TERENA is full of wild ideas and grand visions. Nobody expects them all to pan out, but everyone’s happy to dive in and discuss them (not how to kill them but what they could do and how to fix the problems with them).
  2. Favor broad, enabling technologies. Technologies like TCP/IP and the World Wide Web (developed in research and education networks) are simple but very powerful because they allow anyone to come up with a new idea and try it out.
  3. Deploy incrementally. TERENA is a federation of national networks, which in turn consist of many universities and other institutions. New ideas are piloted on a small scale before they are considered for wide adoption. This lowers the barrier to trying new things.

All of this comes down to creating a culture that encourages innovation while managing risk. TERENA has mastered this lesson and it’s a great one for IT organizations. Innovation is the lifeblood of any enterprise. IT is a natural source of innovation. Master the lessons above and you’ll make sure that your network is reliable but not obsolete.



By: shanna April 17, 2008 8:09 am
Location: Sunnyvale, CA


Last week, I was at the RSA Conference in San Francisco, a global gathering for information security folks. This event has already been covered by hundreds of bloggers and journalists so I won’t cover the basics. However, I do think it’s useful to highlight a few NAC-related events.

First, I was glad to see that NAC vendors are converging on IF-TNCCS-SOH as a standard client-server protocol. This addresses several concerns that customers have had about NAC: complexity, compatibility, and cost. Now that everyone is agreeing on one client-server NAC protocol, customers won’t have to worry about whether their NAC system is compatible with their PCs, their non-PC devices, and their contractors’ and customers’ devices. Support for the TNC protocols will just be built into the client operating system. This will reduce complexity and therefore cost by eliminating the need to install a special NAC agent on the device. Of course, the nirvana of universal NAC support is not here yet. Macs, older PCs, and many other devices don’t yet come with NAC support built-in. But the trajectory is clear. In a few years, NAC support will be as ubiquitous as DHCP is now.

Second, I participated in a panel session with Cisco and Microsoft on NAC. This is the third year we have done this panel at RSA. The first year, there was blood everywhere. The second year was a bit more restrained. And this year, I’m happy to say that everyone agreed on the value of the TNC standards. Even Cisco is on board, now that IETF has picked up the TNC specs. I still don’t agree with Cisco about everything. We had a few tiffs on the panel. But we agree on the need for NAC standards and the fact that the TNC standards are those standards. That’s the essential bit.

Finally, NSA (the U.S. National Security Agency) was demonstrating the High Assurance Platform, a multi-level secure workstation built on the TNC and TPM standards. This is really important. For one thing, it shows how open standards are being used to build super-secure systems out of inexpensive, commercial parts. For another, it will provide a big benefit to U.S. warfighters. Today, they must carry three laptops: one for secret materials, a second for top secret, and a third for unclassified. With HAP, a single laptop with a secure hypervisor (based on VMware) runs separate VMs for the separate classifications. This will literally lighten soldiers’ load, allowing them to be more agile or carry more arms and armor. Commercial road warriors and infosec teams may not carry guns but we are at war with cyber criminals. If TNC and TPM are strong enough for the NSA, they must be strong enough for your organization.



By: shanna April 14, 2008 9:37 am
Location: Sunnyvale, CA


2008

October 7: ISSE 2008 at 3:15 PM on Tuesday, October 7 in Madrid.
The topic is “NAC 2.0 - Unifying Network Security”. For info on the conference, see http://www.isse.eu.com

October 27: Speaking at RSA Europe as part of the Trusted Computing seminar

October 29: At RSA Europe, I will be speaking twice: once in the TCG Seminar on Monday and once in an individual talk on Wednesday, October 29 at 10:30 AM. The topic for the second talk is “NAC 2.0 - Unifying Network Security”. Also, the URL for the TCG seminar has changed to http://www.rsaconference.com/2008/Europe/Agenda/Trusted_Computing_Group_Seminar.aspx

November 18: keynote speaker at CSI 2008. I’ll be speaking at 8:30 AM on Tuesday, November 18. You can link to this URL for the conference: http://www.csiannual.com

Past Appearances:

April 28: Panel from 1315 to 1415 at NAC Day at Interop Las Vegas

May 20: Plenary speech on “Network Access Control and Beyond” from 0900 to 1030 at Terena Networking Conference in Bruges, Belgium

June 12: Speak on “Open Standards for Network Access Control” from 1615 to 1700 at Interop Tokyo

June 18: Present on “Open Standards for Network Access Control” at Network World IT Roadmap in Boston

