Trustworthy Thoughts

I just returned from a couple days at the RSA Conference. I went with the primary goal of looking at the exhibitors to get some feeling of what is going on in the security market place. However, I didn’t read the schedule closely enought to see that the exhibition’s last day was Thursday, so I only got a couple hours on Thursday to walk the floor. I did get to hear a couple interesting talks Thursday and Friday on the developers track, which was a nice suprise.

My high level summary of the exhibition hall was: NAC (Network Admission Control), Security Compliance, and Identity Management.

My previous experience with NAC and its ilk was from Cisco and Microsoft (NAP), where it was a means of quarentining machines that did not match your software version and patch level requirements. For both Cisco and Microsoft solutions, a client agent had to be installed and the only client agent was available for Windows. Some of the vendors I talked with claimed that a client agent was desirable but not necessary, but non-Windows support even in the agentless case seemed to be lagging. This is probably a reasonable decision in the enterprise space where most laptops and desktops are running Windows. Many of these vendors seem like they have stop gap solutions in the Windows space until Vista takes off. Vista has NAP/NAC protection built in.

However, other vendors seem to have grown the boundaries of NAC quite a bit. In particular, it looks like the identity management people have adapted the NAC label to describe how they can download personalized policy to network enforcement points.

I was particularly looking for security compliance vendors to get a feel for tools in that space. There were quite a few companies with products that ranged from basic asset management to risk analysis frameworks to event and configuration integration. The advent of additional regulations really seems to have promoted action in this space. Most of these vendors have some comments about connecting the policy to your implementation, but it was hard to see how this was exactly performed. I need to dig through my bag of literature and do some web surfing to get a better idea of what the products really do with respect to policy.

Finally, there were a number of identity management companies. For the most part they are nicer AAA (Authentication, Authorization, and Auditing) implementations which communication to enforcing points using Radius. I was familiar with Cisco’s Access Control Server (ACS), and there is certainly room for growth in this space. As addresses become more dynamic through DHCP and people become more dynamic with laptops, tracking network policy though IP addresses becomes an ever cruder approximation. By authenticating people, and then configuration authorization decisions on the enforcing points based on the person, you get a pretty good approximation of user-based policy. As I recall, there were some rough edges with how the enforcing devices could actually deal with the authorization, but hopefully that is being addressed too.

The big players where there too, but I spent most of my time at the smaller booths. Intrusion Protection Systems (IPS) seemed to be prominately displayed at the big network security players. Checkpoint had just acquired a new IPS company. One smaller vendor, Arxceo Corp, had some interesting IPS products. Evidently, they found a way for a non-signature based approach to IPS. According to the fellow I spoke with, they get a lot of leverage from fingerprinting the source ports, and so they are more quickly able to correlate incoming and outgoing traffic and thus use statistically techniques to narrow down on anomolous traffic more quickly. They were handing out a SC magazine review where they won best buy. Their submission was the Ally ip100, about the size and shape of a fancy paint scraper. It was running against other products an order of magnitude or more in cost and size and evidently worked very well. It is heartening to hear that a statistical based approach finally works.

The Netscreen/Juniper person mentioned that they were going to put some of the virus scanning technology on box. Traditionally, firewalls route virus scanning, URL filtering, etc. off box to a partner’s solutions. By liscencing the software and keeping the analysis onbox, Netscreen/Juniper should see a significant performance improvement.

One other interesting bit of technology was from Coretrace. They are selling a box and software system that enables you to completely lock down desktop/laptop machines (presumably running Windows), and then centrally configure and manage them from their appliance. This was developed by one of the main architect of NetRanger (acquired by Cisco in ‘98? to be the basis of Cisco’s IDS solution). They install a special driver (presumably a filesystem shim) to intercept all file requests and prohibit file changes even if you are running in the Administrator’s group. The idea being that you create a golden image, and then push all changes from the management platform. Seems like a good idea in the Windows XP world. Maybe this is not essential in a Windows Vista world, we’ll see. Also, presumably, you must make some portion of the filesystem writeable, otherwise, the computer is not of much use to the enduser. I haven’t spent the time to convince myself that you can lock down enough to really be safe. Finally, couldn’t you acheive similar results just by banning people from the Administrators group? I’m not sure, but this does seem like an interesting idea.