Ultimately, getting policy to reside in a central location is the key. Rather than many disparate systems with policy information, enterprises need to have a single policy store, intimately tied to the identity store, where the network infrastructure can apply and enforce policy on all traffic. Having policy management in the core-with control at the edge-is the only scalable model for pulling together network, identity, and policy.

It is great to see more folks in the industry coalescing around this idea. The only thing I might take issue with is his goal of a single policy store. While that might be the best-case design ideal, I think the real world will require a much more collaborative approach. This is part of the reason my company writes all its policies using XACML. We’re expecting the need to share policy over time.

Technorati Tags: identity, policy, security

Do you believe that the transition to IPv6 will change the existing security architectures? I have heard from other professional architects, that there will be a transition from perimeter security to host-based security.

While the paper Darrin Miller and I wrote is the best place for a complete answer to that question, I can provide a quick summary and some clarification. Here’s the section on maintaining host and application security from the bottom of page 23:

Although timely patching and host lockdown are critical elements in IPv4, they are even more critical during the early stages of IPv6 because many host protections (firewalls, IDSs, and so on) do not yet broadly support IPv6. Additionally, it is highly likely (though testing is necessary; refer to Appendix A) that the initial introduction of IPv6 into networks will result in some hosts not being properly secured. It is necessary to focus on maintaining host security to ensure that hosts that are compromised will not become stepping stones to compromise other end hosts.

There’s also some information in my book on IPv6. It starts on page 668, which is available on books.google.com.

I actually think the move toward identity-based controls (whether IPv6 or IPv4) will have more of an impact on security architecture than the transition to IPv6 will. The network will remain important as a security control–as will the endpoint–but the shift will be towards more dynamic authorizations based on the the identity of the individual. IPv6 leads to subtle changes in the security architecture and I agree that endpoint controls will increase in importance; I don’t think that network controls will go away though. Security has always been about defense-in-depth and relying only on the host for security puts all your security eggs in one basket.

Technorati Tags: IPv6, security

Technorati Tags: 802.1X

Technorati Tags: 802.1X

For some analysis, take a look at the blog posts from Jon Oltsik and Eric Ogren, two former-colleagues of one another in the analyst community. The two take very different views with Jon pointing to Lockdown’s retooling of their product as a reason for their failure (but maintaining that the NAC market is healthy) while Eric blames the NAC market in general and the difficulty competing with Cisco and Microsoft.

I think Jon has things more on the money. The classic device-centric NAC market is crowded and with so many players it is awfully hard to reinvent yourself and still stay competitive. Part of me is surprised it has taken so long for another vendor to fail. After all, Cisco announced its intent to purchase Perfigo back in October of 2004. Perfigo’s product became Cisco Clean Access (the giant of the fledgling device NAC market). Lockdown’s technology seems almost identical to Perfigo’s but the market has moved on since then.

When I talk to customers I continue to hear the same themes as I did back in 2005 when I joined Identity Engines:

• Organizations want to use the network enforcement gear they already have
• No one wants to deploy a new inline device in their existing network (support and cost issues are cited)
• User identity is far more important than device health because it allows for far more fine-grained access decisions
• Guests and contractors is the area of greatest security concern
• Proprietary clients are a no-no

802.1X is the natural antidote to these desires and now that the deployments are getting larger and the technical objections are being removed through better solutions, I think we’ll be hearing a lot more about 802.1X this year. In fact, tying back to the Lockdown news you can see evidence of this in the market as a whole. Lockdown’s non-Cisco competitors are now talking a lot more about 802.1X and trying to bolt-on more of this type of functionality into their existing non-802.1X offerings. For a sense of this trend, look at the acquisitions in this space since Perfigo. We have Juniper acquiring Funk Software in November of 2005 and Cisco acquiring Meetinghouse Data Communications in July of 2006. The main technology asset of both companies was, you guessed it, 802.1X capabilities.

Technorati Tags: 802.1X, NAC, security

Technorati Tags: 802.1X, iPhone

Technorati Tags: 802.1X, OpenSEA

Technorati Tags: 802.1X

1. I am presented with “GoogleWiFi” as an available SSID and select it.
2. I now have to open Safari and enter my Google ID and password before I get a connection.
3. From this point on, my iPhone will remember that I use GoogleWiFi but it won’t track when my password is requested.
4. So if I’m walking downtown and decide to check my email I’ll never know that Google wants my ID again without always loading Safari first. Want to check weather? Same problem. Essentially, the whims of Google prompting me for my password determine when my phone’s data connection works. If I’m sitting at a stoplight and want to check traffic on Google maps, that is a horrible time to be asked to enter an eight digit user ID and a 13-digit password (what can I say, I’m a security guy).
5. Also, the iPhone makes no attempts to determine the signal strength before joining one of your “preferred” networks. So if you happen to get a whiff of GoogleWiFi while at that stoplight and then drive away while your request is being processed, you may wind up in network limbo for far longer than it would take for EDGE to do the job.

As a result, I turned off the “Ask to Join Networks” feature since it mostly wastes my time. Apple needs to do a couple things to really improve the iPhone WiFi capability:

1. Add 802.1X Support (Google has an 802.1X option that would largely address my inconsistent authentication concerns). This would also make office connectivity much easier.
2. Add a selection when joining a WiFi network to “Join once, then forget.” If you join a pay-to-play open wireless network, you don’t want to rejoin this every time as you won’t have connectivity the next time without reentering your credit card info. This makes the Tmobile Starbucks iTunes connectivity almost more nuisance than novelty. If you connect to Tmobile for free to use the iTunes WiFi store, the rest of your data services stop working until you disconnect from that WiFi network, or pay them some money.
3. Be able to set a minimum signal strength prior to joining any previously known wireless network.
4. Instead of showing which wireless networks are locked in the “ask to join” screen, instead show which allow network connectivity (i.e. giving out DHCP addresses and not asking for HTTP authentication). I realize this is probably unsolvable as the battery life involved in joining and probing all those wireless networks is probably far too high. Additionally, probing networks is probably a bit unsportsmanlike. I suppose you could implement an “active scan” option on the “ask to join” screen and have a confirmation before you allow it to happen. This would address the battery issue and also perhaps keep Apple out of any direct culpability.

Until then, I’ll deal with EDGE. I actually have been pleasantly surprised by EDGE’s performance. After turning off “ask to join” on WiFi, the phone can get right to making the request, speeding things up considerably.

Technorati Tags: 802.1X, Supplicant, wireless

First, security is a system. While I have no doubt that there are individuals with the ability to secure their home systems, the vast majority do not. Having WPA encryption raises the bar for attack against a home system (regardless of its security) just like having a firewall limits your exposure to Internet-born attacks. If the controls are easy to use and enable, why take the added risk? As an analogy, In scuba diving it is possible to dive with completely redundant systems thus substantially reducing the risk of underwater failure. I have seen many divers carry elements of such a system with them on a dive. However, the overarching principle in scuba is that you dive with a buddy. This is to ensure that if something unexpected should happen to you, there is another person there to help bail you out. I’ve been diving since the age of 13 and can count on one finger the number of divers I know of (outside the military) that engage in the dangerous act of solo diving.

Second, Schneier seems to think that the risks to him are as follows: someone breaks into his machine or someone does something illegal using his network. There is a significant third risk he doesn’t cover: the increased risk of identity theft / profiling. Watching the Internet use and search habits of a machine is very easy over an open wireless network. Watching that use over a long period of time could be very revealing (and profitable, just ask Google). What I find borderline hilarious is that the blogosphere proponents of open networks are the vary same folks that rightly went a bit bonkers when AOL released the search data of 650,000 users. This data was partially anonymized by removing the screen name of the searcher but as the New York Times and others reported, it is fairly trivial to analyze searches and derive identity. I wrote about how the same techniques might apply to enterprise Identity. What I find funny is while the damage done is at least self-inflicted in the open wireless case, the repercussions could be even more disastrous. With a persistent log of not just your searches but your internet traffic in total over a period of time, it would be very easy to tell an awful lot about you. If you think the bad guys need to be parked out front to do this, you haven’t spent enough time looking at snack-food wireless antennas.

Either your privacy is important or it isn’t. If your argument is you have nothing to hide or that you aren’t important enough for anyone to care about you, that’s your decision. (As an aside that was the government’s position as well when everyone was in arms over the Patriot Act library fiasco.) I myself will put in place simple privacy controls and quietly wait to read the facebook and myspace profiles of presidential candidate’s younger selves in the 2040 elections and beyond. As the Internet Archive has proved, the Internet is forever.

Schneier may, as Glenn assumes, encrypt traffic from his PC to some sort of VPN gateway at his network perimeter. If so, he’s covered against this risk (though I would argue as wifi connected devices proliferate doing the client VPN solution will get tedious). However, I completely agree with Glenn that it is irresponsible to not explicitly state that this is the case. Your average user with a Linksys router has no idea how to do such a thing and most consumer-grade routers do not even support it. Also, since a VPN solution operates above layer 2 it is tedious to enable and prevents easy communication with non-VPN enabled IP devices on the same network. I want my other wifi gadgets to quickly communicate with one another and my home PCs.

Finally, Schneier implies that giving a guest Internet access and having a secure network are mutually exclusive. In the time it takes him to ask “one sugar or two” as he’s preparing his guest’s tea he can easily give them the password to his wireless network. Alternatively, you can run multiple SSIDs giving open access to guest systems and secure access to his personal devices.

I keep things very simple at home: WPA with a strong password that I can easily relay to a guest without writing it down. I should probably change that password now and again but until I see some decent attacks against WPA or make an enemy out of one of my friends I’m not too worried. Of course I do my best to secure my hosts as well but I don’t count on it. When I’m at a hotel or a wireless hotspot I have secure connections for all my email accounts and I avoid doing anything in the clear that I wouldn’t want posted for all to see.

So in summary, can you make an open wireless network secure for your machines? Of course. Is it worth the risk and trouble? Probably not.

Technorati Tags: security, wireless