The new products, announced today and available for ordering in just a few weeks, are ProCurve’s first real foray into the world of holistic network security solutions. Yes- I said holistic- get over it. I say holistic because it’s the most accurate word. By holistic, we mean a solution that integrates all aspects of a system for a totally interdependent ecosystem. Holism comes from the Greek work holos, meaning “all, entire, whole.”

I’ve been a proponent of holistic technology systems since I stepped into the IT world. Just as in holistic health, in holistic security, we address underlying issues and integrate pieces of the infrastructure to remedy the problem instead of treating various symptoms individually.

Today, ProCurve Networking by HP is announcing its expanded security offering, including the very new ProCurve Threat Management Services Module, the ProCurve RF Manager and full version revisions of the ProCurve PCM+ and ProCurve NIM (Network Immunity Manager) software.

ProCurve Threat Management Services Module

This fun little piece of engineering is ALL new. It’s a physical module that plugs into the zl switch family (ProCurve’s 5400, 8212), hosts a high-throughput firewall (3+Gbps) and related services (IDS/IPS, VPN). The module could be used on the outside edge/WAN in competition with today’s leading firewall vendors such as Cisco, Juniper and Checkpoint, but I really see its sweet spot in the internal threat detection market, taking the place of expensive layered internal IDS/IPS sensors in the LAN. The sticker price of around $17k list might make you gasp, but it’s a small price in comparison to current LAN-based sensors available today.

In addition to the obvious advantages customers will get from firewall features, internal network zoning, IDS/IPS signature analysis and VPN support for remote offices or users, the TMS’s integration into the switching infrastructure gives it some unique use cases. The chassis integration means you can assign as many ports as you want to various firewall zones and push those zone rules out to other pieces of the infrastructure. Its high throughput processing power attached to the switch backplane means super-fast traffic analysis without the limitations of external connections (ie Gig links on interfaces).

Overall, the TMS Module offers great promise to customers and security integrators. If implemented properly, it will provide the firewall zoning functions and signature based threat detection many customers are seeking in their networks. I haven’t put my hands on the module yet, so I’ll stop here before attempting any further technical review.

ProCurve NIM (Network Immunity Manager) 2.0

This software plug-in to ProCurve’s PCM+ management platform is probably one of my favorites. NIM provides flow analysis from sFlow and uses a finely tuned anomaly engine to provide NBAD (network behaviour anomaly detection) analysis.

NIM 1.0 had a lot of potential, but, being version 1.0, it obviously also had room for improvement. In 2.0, it seems HP took all the technical and user interface feedback they received and put that into the MUCH improved PCM+ 3.0 platform.

The user interface, menus and dashboards in NIM 2.0 are leaps and bounds beyond what we saw in 1.0. Not only has the GUI been enhanced, but both the anomaly engine on the back end and the event analysis wizards on the front end have been improved greatly. Users less familiar with the threat types and anomalies can now easily walk through detailed wizard-driven analysis, explanation and recommendation processes. The result is a more user-friendly system with the intelligence built in to assist with smart decision-making for customization and training.

Oh yeah, and NIM integrates with the ProCurve TMS Module (as well as 3rd party Alliance Partner firewall/IDS solutions) for full IDS-based threat analysis. With this system, we have the power to examine traffic on the network and identify anomalous behaviour in addition to signature-based threats.

ProCurve RF Manager

To round out today’s security suite review, we have ProCurve’s RF Manager, a solution tweaked and updated from the legacy Colubris product line they purchased last year. Our experience so far with the wireless line (including the Colubris controllers and access points) has been great. We’re using it in our labs and offices and have transitioned a variety of customers to the new platform.

The new RF Manager offers complete wireless IPS capabilities including rogue AP detection (by 14 unique methods), protection against attacks on WEP, MAC address spoofing identification, spoofed SSID discovery and a suite of reporting options and location-based tracking.

Be on the lookout for more information - including screenshots and lab reviews - of the various security suite offerings. So far, I’m quite impressed with what I’ve seen - especially the new PCM+ 3.0 and NIM 2.0 software. Check back soon for more on the Threat Management Services Module and wireless ’stuff’.

# # #

To be quite honest, with the travel budgets as they are, we came into 2009’s planning with expectations of a much lower turnout than our previous two years (when we moved the event to the beautiful Grandover Resort). As it turns out, after opening registration for just a couple of weeks, we had about 130% of registrations over last year and they’re still coming in!

Every year has been filled with exciting additions over previous years. This year, we’re delighted to host a special opening keynote with renowned computer security expert and author, Johnny Long. Johnny is someone I have grown to know and respect greatly in the industry in the few times our paths have crossed speaking at various events. He’s about to embark on an exciting new journey and I’m hoping to hear more about that when we see him next week.

In addition to Johnny, some of your other favorite security pros will be presenting, including the world famous physical security specialist (and pen tester) Jack Wiles of The Training Co. and Trey Ford will also be present in his web app security and PCI hat for a special session.

There may even be a special appearance by Hoot the owl. More on that later…

Features for IT Hot Topics 2009

• Keynote by Johnny Long
• 16 Unique Technical Breakouts
• Industry Experts Hot Topics Roundtable
• Vendor Technology Spotlights
• One-on-Ones with Engineers
• CPE Automatic Registration
• Technology Showcases
• Lunch and Refreshments
• Private Directors Reception

Technical Sessions

Technology Spotlights

CAD’s 7th Annual IT Hot Topics Conference & Golf Tourney
May 7th & 8th, 2009
Grandover Resort & Conference Center
Greensboro, NC
www.HotTopicsConference.com

Partners for 2009 include

• Juniper Networks
• HP ProCurve Networking
• AirTight Networks
• Blue Coat
• Breach Security
• WinMagic
• Littler Law Solutions
• SonicWALL
• White Hat Security
• Splunk
• The Training Co.
• ISSA, InfraGard

The conference is hosted by our company (Carolina Advanced Digital, Inc.) and partners and is free to qualified attendees. Qualified attendees meaning current IT and security professionals who are not employed by a competitor or an unaffiliated organization. We welcome ISSA, ISACA, InfraGard and USSS ECTF members.

If you are a “qualified attendee” you may still register online at www.HotTopicsConference.com. Hope to see you there!

# # #

One of the great things about this industry is the opportunity it affords us to regularly interact with colleagues and peers to share ideas, learn and bounce ideas around. Recently I’ve been engaged in several of these types of conversations regarding NAC and where the market and technology is headed.

In the past couple of years I’ve had the opportunity to work with a variety of customers across many segments and interested in implementing NAC technologies for a variety of reasons. During this time, I’ve been fortunate enough to have worked with a wide cross section of NAC vendors at both the technical and strategic levels, giving me a strangely unique view of the market, customer needs and vendor solutions. Here’s where I should say this series is the product of my personal views and is not based on any information from my employer or partner companies.

These thoughts have been rattling around in my head for a while and I’ve finally managed to pull most of it into a cohesive document outlining the current state of NAC, why NAC has not seen widespread adoption and steps the industry can take to simplify NAC technologies for broad adoption.

What better time to launch this series than here at Interop, and specifically on the day we’re participating in the NAC panel hosted by Mike Fratto, titled “Network Access Control - Is It Ready for Prime Time?”

Generally, the series is loosely broken into five parts, outlined below. Of course, being presented in blog format, that certainly doesn’t preclude me from straying a bit.

Part I: The NAC Market & Adoption
Part II: Mapping NAC Functions
Part III: Reducing Cost & Complexity for Widespread Adoption
Part IV: Renaming NAC
Part V: Moving Forward

The full content will be made available as a single document at the conclusion of the series. If you’re signed up to receive email updates (see right side bar) you guys just may be receiving that document before it’s publicly posted.

I would love readers’ input on the topic, so please feel free to agree or argue and comment until your heart’s content!

If you’re at Interop, we’d love to have you stop by the NAC Panel (see next post). Otherwise, I hope you enjoy the series!

# # #

Session information from Interop.com

Network Access Control - Is It Ready For Prime Time?

Network access control (NAC) has been offered as the “Swiss Army knife” of IT security solutions. It promises to provide authentication, policy enforcement, identity and access management, ongoing security for the life of a connection, seamless usage in any NAC-enabled network, in addition to many other capabilities. If NAC is the answer, then what are the right questions to ask? This session will provide a realistic perspective on what NAC can and cannot provide in regards to information security. Concepts that will be discussed will include an update on vendor interoperability and standards; case studies of successful and not-so-successful implementations; an overview of what NAC truly can and cannot provide; discussion of both network and application requirements; and what the future holds for NAC.

Moderator - Mike Fratto, Managing Editor, Labs, Information Week

Speaker - Alok Agrawal, Manager, Product Marketing, Cisco
Speaker - Jennifer Jabbusch, CISO, Network Security Specialist, CAD, Inc.
Speaker - Khaja Ahmed, Windows Networking Security, Microsoft
Speaker - Mauricio Sanchez, Chief Security Architect, HP ProCurve Networking
Speaker - Stephen Hanna, Distinguished Engineer, Juniper Networks
# # #

If you work in networking, this is beyond hilarious, listen to the lyrics for full enjoyment.

And if you want to sing along, you can read the lyrics here http://www.db.ripe.net/whois?searchtext=POEM-RIPE55-SONG. 

Happy Friday!

# # #

It should be fine for me to ask, Priceline does…

I’ve seen references to a ‘popular travel site’ using this question from years ago, but I certainly never expected to see this in 2009. When you log in to the Priceline.com site, it asks for your email address and your security question (or as they call it, your sign in question). I was shocked when I used Priceline to book recent travel to the West Coast and had to set my login preferences.

One of the options under personal information is to set your security question to “What is your preferred internet password?”. I’d have to say that’s irresponsible AT BEST.

Well, at least it’s a secure https page, right? ;)

# # #

Several weeks ago I walked in to a major chain hotel around 9:00 or 10:00pm. When I approached the front desks (there was a grouping of them) I wasn’t met with a hotel receptionist. I was greeted instead with what seemed to be the entire hotel guest list printed (in alphabetical order by surname) and left on the top of the counter.

It took several mintes (specfically, just over four minutes) for a hotel representative to realize I was there and come from an office they were tucked into somewhere behind the desks. I didn’t mind the extra wait, it gave me time to look over the list, giggle and even take some photos. One of which is provided in a blurred format below. (And no, there was no two-way mirror giving them a view to the front check in.)

This post and the “What’s Your Preferred Internet Password?”  post are a tribute to Johnny Long and the Security FAIL image project.

I wasn’t familiar with ITKE, so I took a few minutes to check it out and found some nice information, posts and product reviews over there, as well as other featured blogs you should definitely check out, including:

• Lori MacVittie
  http://devcentral.f5.com/weblogs/macvittie/Default.aspx
• Vjekoslav Babic
  http://navigateintosuccess.com/
• Chris Hoff
  http://RationalSurvivability.com
• John Policelli
  http://www.policelli.com/blog/ 
• ITKE Blogger of the Week List
  http://itknowledgeexchange.techtarget.com/itke-community-blog/tag/it-blogger-of-the-week/

If you find a few free moments, take a stroll through the listings and see if you find a few gems with content that solves a problem for you!

# # #

Conversations about NAC frequently start with basic information gathering: What features are you looking for? What operating systems and switches are in the environment? How do you want to handle non-compliant devices? And, of course, the sales guy will slip in the ol’ “What’s your budget?” line.

Take this set of Q&A with a grain of salt. When making decisions about NAC, there’s another set of primary questions that should be addressed first: What are the primary drivers for implementing NAC? What organizational policies need to be enforced? Where is your organization’s trade off between security and productivity?

The Technology of Policy

For the network administrators, IT directors and technologists these questions are the equivalent of that mandatory legal jargon in size 6 font on a page footer; superfluous at best and an impediment at worst. And so here comes the catch-22 we face in every NAC implementation — the struggle of finding the equilibrium between the policies of management and the technology of security.

When we talk about network access control systems, we start talking about segmenting, VLAN-ing, quarantining and isolating devices and/or users from the various network resources. We’re stopping users from accessing the Internet, we’re stopping laptops from accessing the primary database servers and maybe we’re even preventing a critical billing or HR system from accessing the resource it needs to cut the weekly paychecks. We are, as technologists, implementing a control that will, in effect, be playing God on the network.

And yes, I know the prospect of total supreme network domination is exceptionally appealing to you all. Aside from sounding cool, it does give us complete purview over the network and control over any objects that may become security risks for the organization. For those of you who have spent your entire career protecting the network from dumb users and protecting those same dumb users from themselves, NAC can be a key tool for you; however, implemented without controls and proper planning, it can also be the bane of your (and everyone else’s) existence. Why? It’s pretty simple, the first time a critical system or critical employee gets zapped from the network, either you or your NAC solution will disappear — and quickly.

I get dirty looks every time I say this, but it’s true - network access control is a BUSINESS DECISION, not a technology decision. We put the technology in place ONLY for the purpose of supporting and enforcing an organizational policy that is already in place. When organizations do it the other way around and start making policies around the technology, they’ve doomed the project before it began.

There are a host of reasons to not set access policies Willie-nilly on the network. Aside from the obvious ones, there’s an assortment of legal and business reasons to hold off on total network domination. In this age, the IT department is forced to take into account such off-the-wall issues as human resources policies, compliance and regulation mandates, corporate initiatives and even partner contracts. What if one of your newly imposed NAC policies conflicted with a primary policy or standard for operation and violated your organizations HIPAA or SOX compliance? What if you cut off a partner resource that was contractually provisioned with an uptime guarantee? Or what if the policy you set is simply not enforceable by the HR department?

Five Steps for a Successful Start

If NAC is something your organization’s management recognizes as a necessity and has signed off on, then you’re heading down the right path and there are some key things to consider in a successful NAC rollout.

• 1. REVIEW your organization’s current policies on network resource usage, access and enforcement. If they need to be updated or rewritten, do that first and then continue with your project.
• 2. IDENTIFY, ORGANIZE AND CATEGORIZE key resources, devices and users. You don’t want to cut off your arm if your finger is bleeding, and for some users, you don’t want to ever cut off anything. Understanding the key pieces in the network is the first step to matching your NAC policies to the real policies.
• 3. MAP the NAC policies to your organization’s usage policies. That’s why we do step 1 first. If users in Group A aren’t allowed to Resource X, in Circumstances C, D or E, then make it happen that way. If a device is critical, exempt it from enforcement policies and only monitor and audit it.
• 4. START slowly and monitor first. Most NAC solutions offer a monitor-only function that allows you to create policies and then determine which systems would pass or fail based on the current posture of the devices — without actually enforcing any restrictions. Monitoring lets you ease in to the solution, identify non-compliant devices and fix them before your help desk (or your cell phone) is inundated with calls from end users.
  
• 5. RINSE AND REPEAT. NAC policies need adjusting as endpoints, programs and the Internet changes and evolve. New threats and new organizational goals are always on the horizon, and the only way to prevent stale and useless policies is to stay on top of them.

# # #

This content and similar articles appear in Search Midmarket Security by TechTarget.

While each organization’s handling of non-compliant devices can vary widely, there are a few good guidelines and best practices to get you started. First of all, we have to consider the allowed tradeoffs between security, ease of management and productivity. There are some organizations, primarily government and high-risk corporate groups, which have zero allowance for tradeoffs that compromise security at any level. Others, such as many commerce-driven companies, have a minimal tolerance for any down time that directly affects revenue.

We could revisit the ubiquitous C.I.A. triad of confidentiality, integrity and availability. Our security systems are a delicate balance of the beloved security triangle. I’m obligated to read and write enough CISSP materials as it is, so I’ll just leave you with the triad to keep in the back of your mind.

Options for Unruly Users

What can we do to our unruly users and malware-ridden demonic devices? You’ll usually see one of these four solutions, or some slight modification thereof.

• 1. Monitor only. Most NAC solutions offer a monitor-only function, which allows you to create policies and then see which systems would pass or fail based on the current posture of the devices — without actually enforcing any restrictions. It’s like a dry run. This is a great place to start, and may be the best place to stay, if you can afford a bit of security tradeoff in favor of productivity.
• 2. Probation. This lets you specify an amount of time a non-compliant device is allowed to remain on the network and function uninterrupted. This option imposes no restrictions but usually notifies the user that the endpoint doesn’t meet the policy requirements and tells them how long of a probation period they’re permitted. On most users, this is a wasted effort and you’ll need the IT department to proactively remedy the issue. Again, this can be a nice transition option when going from zero to full enforcement.
• 3. Quarantine. Quarantining can be one of the most restrictive actions, but it can also be as flexible and permissive as you allow. If you’ve set up quarantine policies using VLANs and/or ACLs, you can permit or deny access to internal and external resources and — for example — only inhibit connections to critical segments of the network, or - as another example - confine the device to accessing a very small set of remediation servers. NAC solutions that offer some level of auto-remediation are ideal if this is important since the built-in quarantine functions of most are meager at best.
• 4. Block. There are some organizations that entirely block access to all network resources for non-compliant devices of a particular nature. Complete blocking of access is really a more restrictive function of a quarantine action. In most NAC systems you can configure different levels of access policies so that a user might have unrestricted or probationary access if the operating system patches aren’t quite up to date. But, if the device scans positive for a virus, it’s immediately blocked from all access so as not to spread malicious code.

Again, the key is to understand the pain thresholds and tradeoff allowances. The four actions above are arranged from most lenient/least secure to least flexible/most secure. Of course, the actual security provided will depend on the quality of policies and proper execution of enforcement.

At first blush, most network admins are predisposed to blocking anyone for any reason. You’ll soon learn during your exploratory and monitor-only period that this isn’t a feasible option. Try not to jump in head first with NAC policies — you’re sure to bust your head wide open. Be judicious about it and refrain from the overzealousness that accompanies all the new blinking lights.

It’s difficult to quantify threats and vulnerabilities without a team dedicated to security and audit functions, but you can make some educated decisions when planning your NAC strategy. Just make sure your policies and restrictions make sense and the action warrants the punishment you’re imposing.

# # #

This content and similar articles appear in Search Midmarket Security by TechTarget.