Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

18 November 2008

NAC - IF-MAP

So, what's IF-MAP!?
As, you can see, your NAC is at a certain point of time aware of your credentials, the version of the antivirus installed on your PC, the patching level of your OS, etc. And now we need such date to be available for the other devices in the network in order to be able to deal with you not only based on your IP Address, but also based on your username, and machine health. We need some database - MAP or Meta-data Access Point - where all the previous info are available for our Firewalls, IPS's, DHCP Servers and any other network element to base their policies on them. Any IPS now that supports such protocol will be able to deal with end-points and have dynamic policies for them based on various parameters, and not just their IP Address.
"Trusted network connect - part of the Trusted Computing Group - published its Interface for Metadata Access Point protocol on April 28 to provide a common framework for sharing event metadata. This means there's finally a way for security and network devices from a variety of vendors to communicate, and thus make better assessments on whether to grant or deny access to everything from PCs to switches", InformationWeek

So now, even if someone changes his IP address, the firewall will not be fooled by his new IP address, but it will be able to deal with him based on his role in the organization regardless of his address. The IPS will be able to treat the different users differently based on their machine health, role in the organization, etc.

Related Links:
InteropLabs, Making NAC Secuirty - Aware with IF-MAP.
Got the NAC Blog, IF-MAP: Integrating All Network Security.
Got the NAC Blog, The Adoption Curve for IF-MAP.
StillSecure, After All These Years, Is IF-MAP the spark that will ignite theTCG/TNC and the security industry?
Rational Survivability, I Can Haz TCG IF-MAP Support In Your Security Product, Please.

Tags: , , , ,

12 November 2008

NAC - TNC

I wrote a post here about Network Access/Admission Control as a way to make sure that only authorized and healthy machines will have access to your network.
It's a solution that can check the various hosts before giving them to the network, and it can also control the switches, access points, and create dynamic rules on your firewalls and IPS's in order to granular control the access given to each host to the various resources in the network based on their identity and security posture.
As you can see, to have a successful NAC solution, we need to make sure of the following:

1- You need your NAC Device (Policy Decision Point) to be able to communicate with the different devices in your network (Switches, Access Points, Firewalls, IPS's, etc), in order to push to them the policies needed to control who has access to whcih resources.
2- You can never guarantee that all the devices installed in your network are from the same vendor.

So, the best solution to solve this is to have a standard NAC solution to facilitate the communication between your PDP and PEP's.
And as far as I know, Trusted Computer Group's "Trusted Network Connect" is the only standard available out there.

As for the Switches and Access Points part, TNC decided to make use of the existing 802.1x standard, and added some extension to it in order to transfer the machines health along with the authentication parameters.

But when it comes to the security devices such as Firewall's and IPS's, unfortunately there was no existing standard to depend on. And that's why they decided to introduce a new standard called "IF-MAP" few months ago.

Tags: , ,

30 October 2008

No More Blog Rushing

As you may have noticed, I've just removed the BlogRush widget few days ago. In fact I was not satisfied with the quality ... ehm ... the quantity of traffic it brings to my blog. And now, it cam to my knowledge that BlogRush team have decided to shut their service down. It seems that they were listening to me :)
"After careful consideration, we have decided to shutdown the BlogRush service. If you have the widget code on your blog you will need to remove it", BlogRush.

Tags: , ,

28 October 2008

FPS - Facebook Prevention System

I received a message in my Facebook account today from one of my contacts, with a malicious URL in it. The messages title is, "Youu're the wwhole shhow! i'm admirred wiith you" by the way. So take care.

I am not pretty sure how those Facebook worms normally work. One possible scenario is that there are some bots which try to guess people's Facebook passwords, and then start hacking into their accounts and send malicious messages on behalf of them. One other scenario is that attackers were able to guess the Facebook's users temporary Session Keys, and make use of the Facebook platform and API's to send malicious messages on behalf of the users. In fact, the second scenario is really scary, as users cannot protect themselves by choosing stronger passwords, or making sure they have no malicious applications installed on their PC's that can steal their passwords. But the good news here, is that facebook didn't announce any vulnerabilities in their system yet, so most probably it's the first scenario rather than the second one.

Anyway, I am writing this article to tell you, since Facebook has gained such huge momentum and almost everyone is using it. Why don't security companies start inventing new security applications on top of it.

We've got AntiSpam and Mail Gateway Security Solution for Email. So, may be some day we may see Facebook Applications that are able to check the content of your Inbox and decide whether the messages you receive are Spam, or not. We may see applications monitoring your Status Updates, sent Messages, and Friends Requests, and inform you when it notices any anomalies in such activities and warn you or even stop those anomalies.

But the point is, emails now are essential to business, so the business model for building security applications for emails is justified. But when it comes to Facebook, it's just users like you and me, who refuses to pay money for their desktop antiviruses, and either get cracked versions of them, or wait for their companies to purchase one and deploy it on their company-owned laptops. Also securing Facebook accounts is mainly the responsibility of Facebook Inc, and those guy are forced to protect people's accounts, or else people will find an alternative social network application and start using it instead.

Anyway, all those dreams and business model theories depends on the following:
How essential is Facebook in people's daily life, and may be to business as well (some may claim that they use it for networking and maintaining relations with their customers and business partners)? Are people really willing to pay money in order to protect their accounts? Will Facebook team deploy some extra security measures and charge people for those solutions (Security as a Service)? Will they just deploy those methods for free in order to make sure they do not loose customers? Is there someone really is willing to build such FPS - or let's better call it Facebook Intrusion Prevention System (FIPS) - and sell it to people?

But finally, away from all that crap I've just written above, please, please, please, I do not want to see more torturing and annoying CAPTCHA's, as some people believe they are the only way to fight spam and bots. While for me CAPTCHA's are an AntiUser solution more than an AntiSpam one.

Tags: , ,

25 October 2008

Arista Networks

Every now and then, some companies grab bloggers attentions. Sometimes it is because they are offering new technologies or setting new standards, but some other times it's because people behind them are buzz-magnets.

A former head of Cisco's switch business, and Sun co-founder, started a new switching startup called Arista Networks. Their motto is "Extensible Operation System for Cloud Networking".

As you can see, "Sun", "Cisco", and "Cloud Networking", are all enough buzz words to grap people's attention, and start writing about the new company.

So, I decided to pay their site a visit in order to see what new technology are these guys offering to the market.

First of all, they have a very limited portfolio, 24 and 48 edge-switches with 10 GbE interfaces. They do not have any modulat chassis-based switches yet, but may be this is because they are just starting up.

They are focusing on their modular OS, but once again Juniper's JunOS for example is modular too, so what is really new in Arista's switches compared to Juniper's EX-Series?!

ISSU (In-service-software-upgrades), which is new for an edge-switch. Many modular switches with redundant Management Modules (Foundry Switches for example), can be upgraded without interruption. I also don't think this is the killing feature people are really looking for in an edge switch.

To tell you the truth, I think the main competitive value for Arista Networks, is their prices. I do not know their actual pricing, but it's said that their prices are much lower than the equivalent switches for Cisco for example. But what about HP ProCurve for example, are they cheaper too?

Anyway, it's still good to have more competing companies in the switches market which is dominated by one vendor so far. And analysts usually like to call it, "Cisco and the Seven Dwarfs" market.

Tags: , , , , , ,

22 September 2008

McAfee to buy Secure Computing

I'm used to make fun of McAfee when they present themselves as a Network Security Vendor especially that they don't even have their own Firewall product. So, now it seems that the people at McAfee decided to spend about $465M to stop me from making fun of them.

Ok, let's get serious now. I think this is a good move from McAfee anyway. Secure Computing security portfolio will sure fill some missing gaps in McAfee's product line. They have their own firewalls (Sidewinder), and Content Security (Webwasher). But on the other hand people may argue that Secure Computing products are not highly ranked compared to other vendors in the market. And to tell you the truth, I always believed that McAfee was going to acquire a Firewall vendor someday, and I thought that Fortinet is their best option. It's not only the best buy for McAfee, but if I were in Fortinet's guys shoes I'd have asked McAfee to acquire us too. Fortinet have good products and they sure were going to fill the missing gaps in McAfee's Network Security portfolio, and McAfee's guys would have been more proud to put their logo on Fortinet's products than Secure Computing ones. And on the other hand Fortinet is that kind of vendor that is there to be acquired. Come on, they may have good products, but they are small company and it is really hard for companies with similar size are narrow line of products nowadays to last for a long while before getting acquired or quitting the market..

Anyway, congratulations to McAfee guys, and I believe the Network Security market will benefit from one strong vendor which is getting even stronger.

Tags: , ,

21 September 2008

Google Believes I'm a Virus

I received the following Error Message today when I tried to access Google homepage.

But what makes Google believe that my request is coming from a Virus or Spyware application? Has any of you received a similar message too?

Ok, according to Google Help Center, "This message appears when Google detects automated querying coming from your IP Address, thus causing a quick spike in traffic on http://www.google.com".

But wait a minute, this can also happen if you are behind a NAT'ing device, and another device in your network is sending automated queries to Google.
It's likely that a user or a computer in your network is running automated querying. Sending automated queries of any sort to Google is against our Terms of Service. This includes, among other things, the following activities:
* Using any software that sends queries to Google to determine how a website or webpage ranks on Google for various queries
* 'Meta-searching' Google
* Performing 'offline' searches on Google

Now, what's the next step? If you have suitable privileges on that network, I think you have to deploy or gather the logs from existing IDS/IPS Sensors and Traffic Anomaly Detection Systems. Such softwares can detect Traffic Peaks and other Traffic Patterns that violates the normal Behavior on your Network, and can then detect the offending host(s). Another solution for those who do not own an IPS is to gather the traffic logs from their Gateway Firewall or Router and analyze those logs manually.

The problem here is that there is no IPS installed, or may be there is one but I have no access to it. So I am forced to do it the hard way, to analyze the firewall logs. As far as I can see the nember of sessions from the internal network to Google IP Address are not that huge or even big enough to be suspected by their system. So it seems that it's as they said in their Help Center. May be it's something in the content of the traffic and not it's volume. May be they get alerted when they see someone using their search engine for example and the User-Agent parameter in his/her get request in not equal to any web browser they are aware of.

Anyway, is seems that with the tools available to me now, it is really hard to know the real reason for Google's error message, and how to detect the violating host and stop it if possible. So you may consider this post as some kind of rant or chit-chat.

Error Message URL: http://sorry.google.com/sorry/Captcha?continue=http://www.google.com

Tags: , ,

15 September 2008

Fire Eagle and Flickr

Two new services have been added to Baralbait.

1- Now if you are a Fire Eagle user, you can now let Baralbait automatically retrieve your location from there. This is useful for those who have GPS-Enable Mobile phones.

2- We now can also retrieve Geo-Tagged photos uploaded to Flickr, and display them in their relevant Places pages. So now by clicking on a certain place (Cafe, Hotel, etc), you can see photos taken there.

12 September 2008

Baralbait - Never Stay At Home

Baralbait is an Arabic word which means "Outside Home". It's a location based service where you can tell it where you are now, and it will show you nearby friends and places to go.

In fact, I always face the same problems whenever I want to go out and meet some friends:
  • Who is free to go out
  • When is the best time to go out
  • And the most important issues is where to go
That's why Baralbait is trying to help us solve the above problems. You can simply update your current location either from the site's web interface, or by using 3rd party tools such as Yahoo Fire Eagle.

You can also add new places, tag those places, or find places added by other site members. This can help you discover new places to visit in your town or city. You also can find where your friends normally go out to help you meet easily. We are not limited here to cafes and restaurants, but you use the site the way you want, from finding nearby gas station to discovering the famous malls in a city you plan to visit next week.

The site is currently a closed beta, so you'll need an invitation to join.

URL: http://www.baralbait.com/

01 July 2008

Handling Rogue Access Points

Michael Gregg of Search Networking wrote an article there about the best methods for handling rogue access points.

He first wrote about the potential problems of allowing end users to add wireless devices to the company network without approval.
There are several potential problems with allowing end users to add wireless or other devices to the company network without approval. One big one is they may not employ the proper security measures. There is also the issue of maintaining control of the organizations infrastructure.
Then he gave some suggestions for handling those rogue access points.
All employees should know the rules regarding wireless and what can and cannot be plugged into the network. Policy enforcement will be easier if you have managed switches. You can disable unused ports and start restricting down active ones by MAC address filtering.
Ok! Warning your employees and having some written policies is fine, but it's not enough at all. How are you going to be sure that your employees will adhere to such policy!?

Now, with respect to disabling and enabling ports on demand, and writing MAC filters. Come on, we are in the twenty first century now. Such manual controls as enabling and disabling ports on demand is something from the past, and they are not effective as well. An employee can simply connect the access point to his already activated port. And maintaining those MAC filters on the switches will be a real pain in the butt for the IT administrators, especially in a dynamic environment where users move a lot.

I believe an appropriate solution for this instead of those pre-historic ones is doing some authentication on your switch ports. IEEE 802.1x is a decent solution that will ensure that only those devices with valid credentials are given access to your network. And if you've got a NAC solution, then most probably you can use it in order to apply some network access control.

He finally suggested using tools to detect rouge access points such as AirMagnet and Air Defense.
Next, find some tools that will let you scan for rogue access points. There are commercial tools that will do this such as AirMagnet and AirDefense, and if your budget is tight you might want to try an open source tools such as RogueScanner.
Fine, monitoring your network is a good practice, but you have to apply your controls first. Such scanning tools can hardly take actions against those rogue access point, they will just warn you, and the intruders will have enough time to traverse your network till you receive such event and take action.

Tags: , ,

30 June 2008

Wireshark OUI Lookup Tool

Wireshark Packet Sniffer - formerly known as Ethereal - is a must-have tool for every Network Engineer, but these guys have got a cool OUI Lookup tool on their site as well.

Wireshark OUI Lookup Tool:
http://www.wireshark.org/tools/oui-lookup.html

Tags: , ,

10 June 2008

Books Burning Phenomenon

I'll leave the "Evil Encryption Dilemma" for a while now, as I have another topic in mind to talk about here.

Once upon a time, in a village in the North Pole, the weather was getting really cold, and people were not able to find straws or coal to use in their fires. In such village there was a bookshop, and a book there was sold for $20, so the salesman there decided to market books as some kind of fuel, and then he was able to sell the book for $30 instead of $20.

What I want to say here, is that for us, it's really dumb for the salesman and the villagers to just use books as a source of fuel. The publishers and writers efforts are just wasted in the fire. But on the other hand, if we put ourselves in the salesman's shoes, we can see that he is selling a book for $30 instead of $20. And for the villagers, they are in a bad need of warmth, more than reading and getting educated.

Such "Bocks Burning" Phenomenon, is sometimes the case for the Network Security Industry today. Every company has its own product portfolio, and when they feel that their customers are in a need of a certain product or solution, they sometimes start to re-brand their existing products as the ultimate solution for the customers' problems instead of inventing actual solutions for such problems.

Sometimes such re-branding is done in order to sell a certain product as a solution for a certain problem, and most of the time such re-branding is capable of solving at least a big part of the problem, and that's why it is successful and acceptable, however it may not be the optimum solution. But what I hate the most, is when vendors re-brand one of their products to sell it along with some other solution, even if it has nothing to do with such solution, but they simply convince their customers that they are in a bad need for such integral part in order to over-sell and maximize their profit.

Tags: , ,

02 June 2008

Evil Encryption Dilemma

SSL is everywhere nowadays, it's not only used by Web Servers, but also Telecommuters and Remote Employees access their Enterprises using SSL VPN Tunnels. P2P and IM's are also encrypting their traffic.

Ok, it's good to encrypt your traffic, so that no one can see or alter your confidential data, but on the other hand, how will the Network-Based IPS's, Firewalls/UTM's, and WAN Optimizers operate successfully in such Confidential World!?

By encrypting your traffic you are hiding the malicious traffic patterns from the IPS's along with your confidential data. You are also hiding the repeated patterns from the WAN Optimizers, and sure they won't be able to optimize traffic they can't see.

I know there are some workarounds out there and special deployment scenarios that can somehow help in solving such issue. But I'd like you first to tell me what do you think is the optimum solution for this Evil Encryption Dilemma.

Tags: , ,

09 May 2008

Web 2.0, Do You Really Trust'em!?

Let me ask you something, do you really trust all those Web 2.0 applications!? Some of them are just Startup's and they may get closed after a while, some others are offering really cool applications, but you really don't know who's behind them, and if their ... ehmm ... your data is really protected there.

Third Party IM Applications

Sometimes it is not possible to login to your favourite IM applications such as GTalk and MSN. Either because the IT guys in your office are blocking them, or because they simply do not work on your mobile phone. So, we may think of using Web-Based IM's such as Meebo, or try to install a 3rd Party Application on our phones such as Fring.

But let me ask you, do you really trust Meebo and Fring? Come on, you've just gave them the password of your personal email.

I know, I may sound really paranoid here, but for sure there are some applications and sites that you may trust here. I myself for example trust Yahoo, Google and Microsoft far more than Fring and Gizmo5.

Social Networks

Most of those social networking applications give us an option to invite our buddies. And they know we are lazy to write their email addresses one after the other. So they are really kind, and ask us to just give them our email credentials and they will simply grab our contact list from there and invite them all automatically.

But let me ask you again, do you really trust Facebook, Linkedin, and Hi5? Come on you've just gave them the password of your personal email.

Ok, in such case, I sometimes do a simple trick by changing my mail password to some temporary one and then change it back to the original one just after the social networking application finishes its invitation job.

Sometimes simple passwords are more secure!

Ok, I know, I may sound really insane here, but let me tell you an incident that happened to one of my friends. We usually create a hard to guess cryptic password, and then start using it in our Email Application, Car-Fans Forums, File Sharing Websites, you name it. So one day that friend of mine wasn't able to login to his email, and later on all of his friends received mails from him signed by some guy calling himself The Saudi-Hacker. It seems that this Saudi-Hacker was the administrator of some Forum that my friend used to have an account there. And as you know when we register in those forums we give them our mail address and most of the time our password there is the same as our email's password. So it was really easy for that Hacker - he's not even a Script Kiddie - to break into my friends email.

And that's why it is really wise to have multiple passwords. For example, you can have three different passwords, one hard to guess cryptic password for the applications and sites your really trust such as Google, Microsoft, Yahoo, etc. Another simple password can be use in those well know sites such as Twitter, Facebook, etc. And a third password for those unknown forums and Web 2.0 startups that you really don't know anything about them.

Tags: , ,

23 April 2008

WAN Optimization - A Cookie With Your Morning Coffee

Today, I went to Second Cup Cafe to get some coffee before going to work, the guy there asked me if I want Cookie with my Coffee. The single Cookie there is for 5 EGP, while a pack of Boreo (Egyptian clone of Oreo) anywhere else is much cheaper than this. The point is, we all like cookies, but no one will ever go to such Cafe to get a Cookie for 5 EGP, so their only way to sell it, is by selling it along with a Cup of Coffee or Cappuccino.

This is exactly the case with WAN Optimizers. Ehmmm, I think I have to describe what a WAN Optimizer or WAN Accelerator is first. During the pre-historic ages of Computing, there were a creature called Main-Frame, and people used to sit on dummy terminals connected to those Main-Frames. So, as you see, the processing power was centralized in one location. Later on, after the Computing Ice Age, the earth was inhibited by PC's and the trend then was having distributed environment, we started to see Client-Server applications then, the the computing power was shared among them. Later on, we began to see Web 2.0 applications, and Virtualization, and the world decided to go back to the consolidated environment, where people sit on dummy terminals - this may be a simple Web Browser on their PC or even Mobile Phone - connected to a Server running VMWare and acting as your Mail-Server, CRM, Office Applications, you name it. During these stages the Data Centres were also moving back and forth from Centralized locations to Distributed Environment, then back to Centralized Location again. And since people are now in the phase of consolidating all the servers into a single location - let's say the Head Quarter - in order to reduce the IT cost and such stuff, the WAN links connected the disparate branches to the HQ are getting occupied with more and more traffic. And people in those branches are expecting the remote servers response to be as quick as if they were sitting on the same LAN. And that's why many companies started to develop WAN Optimizers as a way to solve these problems. A WAN Optimizer mainly compress and/or cache the data sent across the WAN link in order to save bandwidth, they also do some quality of service on such traffic, and try to optimize some protocols that were designed to work in the LAN environment, in order to adapt them to work on WAN links, which are known for their high delay.

Back to our Coffee and Cookie story, WAN Optimizers are just like the Cookies in Second-Cup, we are like them, and we know that we need to deploy them in our network, but as soon as we get into the process of buying them and paying money, we start to think twice and may be three times, especially that such products are really pricey and the CXO's sometimes are not able to see their value to their environment. That's why the key players started to offer them as extra modules or add-on's to other products. And the best product to plug the WAN Optimizer in is your WAN Router, they are already there on the WAN links connecting your branches, so it really makes sense to plug some hardware in the router to do some optimization to your traffic. And that's why Cisco and Juniper - the two key players in both WAN Optimization and Routing - decided to offer them both as an all-in-one box. Riverbed on the other hand is one of the market leaders in WAN Optimization, and they have a very good product, but unfortunately those guys do not have their own routers, so they decided to partner with Secure Computing - they make enterprise gateway security solutions - and have Secure Computing's security products running on top of Riverbed's WAN Optimizers (RiOS).
According to Secure Computing, the partnership will be two-phased. First, the vendors will jointly offer solutions through select channel partners to address both WDS and Web security for companies that want to boost application performance on the WAN and secure their Internet gateways.
Phase two will involve Secure Computing's Secure SnapGear firewall technology, its SmartFilter reputation-based Web filtering and its TrustedSource global reputation based anti-spam technology being offered as a software module that can run on Riverbed's RiOS Services Platform (RSP). Secure Computing said running on RSP ties together the two vendors' solutions into a single hardware platform, the Steelhead appliance. The mash-up lets users deliver virtualized edge services for branch offices.
Source: ChannelWeb, Secure Computing, Riverbed Team For Secure WAN Optimization.
This is a smart move, but how many customers are willing to deploy security solutions across their private WAN links. Come on, it's sad but true that most of the customers nowadays are having perimeter security solution only.

By the way, there is another player in this field that I forgot to mention, BlueCoat, these guys are really brilliant, they used to have Web Caches, but later on the Caches technology started to die, so they tweaked their product and started to market it as a WAN Optimizer sometimes, a Remote Access and SSL-VPN solution some other times, and may be an Application Layer Security or even a UTM too. So believe me, those guys do not need to integrate their WAN Optimizers with any other products, you can simply tell them your needs, and they will present their appliance to you as the ultimate solution that can solve all your problems and the pill that can heal all your pains. I even was surprised when I knew that they are going to acquire Packeteer, do they really need them? Anyway they may make use of the Customer Base and add Packeteer's QoS features on top of their one-stop-box.

Tags: , ,

12 April 2008

Network Element

During our Computer Network course in the university, we used to study the differences between LAN Switches and Routers, and one of the main differences between them was that Switches forward traffic using Layer-2 header (MAC Address) while Routers forward traffic based on Layer-3 header (IP Address). Later on, in my professional life, I realized that there are also Layer-3 switches, and these Switches can do Routing, ACL's, Network Address Translation, and all other Routers functionalities.

According to Wikipedia, "The major difference between the packet switching operation of a router and that of a Layer 3 switch is the physical implementation. In general-purpose routers, packet switching takes place using a microprocessor, whereas a Layer 3 switch performs this using application-specific integrated circuit (ASIC) hardware". And may be that's why Layer-3 switches have higher throughput and process more packets per second than routers. LAN Switches also have higher port density and the cost of an Ethernet port on a Switch is much cheaper than that of a Router. Ok, in fact, the behaviour of the traffic in a LAN environment is different than that in an ISP, and that's why the Router's interface hardware is different than that of a Switch. The Buffers and Queues of Router's interfaces are different than those of a Switch's interfaces, and that's why the Switch's interfaces is cheaper. But I am sure one day the Switch's interfaces will inherit those advanced features in their Router's equivalents, especially with the boom of Metro Ethernet. There Routers nowadays also support WAN Interfaces such as Serial Interfaces, E1's and STM-1's, while switches on the other hand do not support such kind of interfaces. MPLS is another protocol that you cannot find in Switches, however Foundry's NetIron for example supports it.

As you can see, in the following few years, the boundaries between LAN Switches and Routers are going to disappear.

Now, let's see what's is going on in the Network Security field. We used to have Firewalls, IDS's/IPS's, Network-Based Antivirus, Antispam, Anti-X. Each one of those, was a separate product. Now we just deploy a UTM, and it's just a Firewall, IPS, Antivirus, all in a single box. UTM's may be suitable now to SOHO and Medium Enterprises more than ISP's and Large Data Centres due to their performance limitations and so. But believe me the advances in Processors and ASIC's - Intel and Cavium Networks are doing great job here - are capable of getting the UTM's into your Data Centre soon.

But wait a minute, now the Network products are getting combined, and so are the security products. What about combining the Network and Security products together as well? Ok, let's see what the two main players are doing. Cisco is adding security features to their ISR (Integrated Services Router).
"Cisco Integrated Services Routers help maximize the power of your organization’s network with unified network services, integrated security, mobility, and application intelligence", Cisco Systems.
The also decided to open their ISR for Application developers to build their own applications and addons on top of it.
At the Cisco Partner Summit 2008 in Honolulu, the San Jose, Calif.-based networking giant unveiled the Cisco Application eXtension Platform (AXP). The AXP consists of open, Linux-based Cisco ISR hardware modules for application development and hosting to support a tighter integration of the network and applications. According to Inbar Lasser-Raab, Cisco's senior director of access routing and switching, several off-the-shelf and custom applications are already available for the ISR, along with a development and support ecosystem that includes a downloadable software development kit (SDK) and application programming interface (API) for application developers.
Lasser-Raab said opening the ISR to third-party applications, on top of the more than 30 services already available for the platform, creates a link between the network and applications and imbeds those applications directly onto the platform, instead of having them just hosted on the router. Services available for the ISR include VoIP, wireless, WAN access, unified communications and a host of security tools like NAC, IPS, content filtering and VPN.
Andrew R Hickey, ChannelWeb.
Juniper on the other hand introduced their SSG-Series of Firewalls/UTM few years ago, they can have multiple LAN as well as WAN interfaces, and they also can run all those well known dynamic routing protocols. Later on, Juniper wraps Security Services Into JUNOS, their Router's and Switches Operating System.
Juniper Networks (NSDQ:JNPR) took JUNOS one step further, announcing that it is now wrapping the security services typically found in its ScreenOS operating system into JUNOS, meaning ScreenOS firewall, IPsec VPN, NAT, DOS and D-DOS capabilities will run on top of JUNOS software.
Michael Frendo, Juniper's senior vice president of high-end security systems, said integrating security services into the vendor's line of J-Series services routers, with integration with EX switches to follow, solidifies Juniper's vision of "fast, reliable and secure networking".
Andrew R Hickey, ChannelWeb
Juniper have opened their Operating System to Application developers even before Cisco.
Juniper has announced a Partner Solution Development Platform (PSDP) allowing customers and partners to develop specialized applications on its JUNOS operating system.
The company claims the PSDP is the industry's first partner development platform for a carrier-class network operating system, and anticipates its customers and partners will deploy new services unique to their businesses, and improve network operations productivity.
Rodney Gedda , Computerworld.
In brief, I don't think in the coming few years, there will be dedicated, Firewalls, Switches, or Routers. There will be a Network Element instead. An all in one product that will be capable of doing all the Networking, Security and may be IP Telephony tasks.

Tags: , ,

14 March 2008

Network Access/Admission Control

Some reports are stating that 70% of the attacks are internal attacks. So, perimeter Firewalls are Intrusion Prevention Systems are really good in protecting us from external attacks, but what about protecting the users from each other.

But wait a minute, I know what you are thinking of now. "Screw these reports, my employees are decent people, and I believe they don't have mean intentions to harm their company's resources!". Yes, you are right, they may not have mean intentions, but what if their antivirus is not up to date, isn't it possible that they may have a work that they are not aware of that may propagate into your network and cause some damage there? What about P2P applications, don't you warn them of using it as it utilizes all your bandwidth? Do they really listen to you? And what about those guests in your meeting room, or those guys who came today in order to fix some server in your server room, who decided to plug their laptops into your network in order to download some stuff from the internet? Can't they simply send or receive some traffic that they are not supposed to send nor receive?

We were installing the LAN infrastructure of one of the major financial institutes here in Egypt a long while ago, and then I was supposed to find out the best way to deploy such equipments from a security point of view. So, one of there features that we decided to enable on the switches was IEEE 802.1X, which is a protocol used in order to authenticate the hosts and/or the users before giving them access to the network, i.e. Network Access Control solution. But you know what, IEEE 802.1X is really cool, and it may help in solving some of the problems mentioned earlier, but in real life, they never deployed it, and so does many other customers.

Controlling users/hosts access to your network based on their identities is really useful, but not sufficient. We still need more vision and granular control. A certain host may have valid credentials to access your network, but still such host may not be really healthy - doesn't have End-Point Security softwares installed - and giving it access to your network may harm other resources connected to it. What you really need here is a combination of Network Access and Admission Control. And here comes the new trend of network security, NAC. It's a solution that can check the different hosts before giving them to the network, and it can also control the different switches, access points, and create dynamic rules on your firewalls and IPS's in order to granularly control the access given to each host to the various resources in the network based on their identity and security posture.

Some vendors have decided to build on the existing IEEE 802.1X standard in order to make sure that their solution will work in heterogeneous environments where that are different switches and security vendors. Some others decided to create their own proprietary protocols from scratch, some other decided to have their controls and policies in the hosts themselves by having installing agents there instead on relying on the existing infrastructure. And for sure some had mixtures of all the above.

References and Vendors:
Network World, NAC Topics
Got the NAC Blog, Steve Hanna
TechNet, NAP Blog
Cisco Systems, NAC Appliance (Clean Access)
Juniper Networks, Unified Access Control
Microsoft, NAP (Network Access Protection)
Symantec, Network Access Control
McAfee, Network Access Control
CanSentry Networks, Intelligent Switches

Tags: , , ,

10 January 2008

End Point Security

So, it it enough to have some Firewalls, UTM's, and IPS's in the different locations of your network to be secured? What about Removable Storage Drives such as Flash Memories and CD's? Isn't it possible for Viruses to got into your PC after copying a file from Flash Memory Drive, even if you are having the most powerful UTM on your network gateway? What about encrypted traffic? How can the gateway security device inspect such traffic when it is encrypted?

That's why, most of the Security Experts believe in Defence in Depth, and Layered Security Approach. It's not enough to have one layer of security to be secured.

The End Point Security in its simplest form is the Antivirus Software you have on your PC. However viruses are not everything, you still need softwares to fight Worms, Spywares, etc. Most of the Security Vendors now a days are moving towards Integrated Threat Management Agents, which are Agents that include a Desktop Firewall, Host-Based IPS, Antivirus, Antispyware, etc.

A Firewall is a single device installed in the network and the IT or Security Administrator can manage it easily and add whatever policies or rules he wants there. But when it comes to Desktop Firewalls, you are having softwares installed on every host, each is responsible of protecting such host. And for sure not all the users are aware of the Security Requirements and the Managers and CXO's do not have time to configure their End Point Security Agents. And that's why most of the Security Vendors have their own Centralized Management that can configure those distributed agents and capable of pushing security updates to them.

Here you are a list of some End Point Security Vendors:
McAfee, Total Protection for Enterprise.
Symantec, Endpoint Security.
CA, Threat Management.

Tags: , , , , , ,