Slashdot Mirror


Cisco Evolving Into A Security Company

ChipGuy writes "Om Malik has an opinion piece stating his opinion that Cisco Systems is slowly becoming a security company, a move which may prove problematic for traditional security vendors like Symantec. Cisco has bought its way into the market, worried about the security moves of its main rival, Juniper Networks. The company expects to make major announcements at the RSA Conference later this week. "

196 comments

  1. Elliptic curves by 2.7182 · · Score: 3, Funny

    Apparently they are very interested in elliptic curve cryptography.

    1. Re:Elliptic curves by Anonymous Coward · · Score: 0

      elliptic curve crypto? sounds like pr0n from math geeks....

      _
      it's not a scam

  2. Kind of like by Dachannien · · Score: 4, Funny

    Cisco is becoming a security company - sort of like how Microsoft is becoming a security company.

    1. Re:Kind of like by In-Doge · · Score: 5, Interesting
    2. Re:Kind of like by Alsee · · Score: 4, Interesting

      You're more right than you realize.

      Microsoft and Cisco are both becoming "security companies" in the sense that "security" == "enforcing Trusted Computing". First I'll skim over the Windows issue, then I'll cover this new and insane threat from Cisco.

      I assume we've all heard of Palladium. Well the next Windows release, Longhorn, *is* Palladium. Microsoft's own website documents that:
      The Next-Generation Secure Computing Base (NGSCB) is new security technology for the Microsoft® Windows® platform. It will be included as part of an upcoming version of the Microsoft Windows operating system, code-named "Longhorn."...

      "SSC" refers to the Security Support Component, a new PC hardware component...

      The term "SSC" is generally interchangeable with "TPM" or trusted platform module. The TPM is a secure computing hardware module specified by the Trusted Computing Group.


      While Longhorn will likely technically run on a non-trusted computer, Microsoft has elsewhere documented that it will go into a brain-damaged cripple mode and lock you out of the full desktop graphics interface mode. Microsoft has documented that only Trusted Compliant hardware will be "CertifiedWindowsCompatible". And we all know no PC manufacturer can afford to sell new PCs that are not CertifiedWindowsCompatible and which only run with a crippled and downgraded interface. When Longhorn rolls out the simple fact is that ALL new PCs will ship with Trusted Computing compliant hardware. No major PC manufacturer can afford to do otherwise. At least one manufacturer - Samsung - has already declared that they are now manufacturing nothing but Trusted compliant machines.

      And now for Cisco. Cisco Cisco Cisco.

      Some time ago Slashdot ran this story: Cisco Working to Block Viruses at the Router. Sounds wonderful, right? What the Slashdot story missed was that it does not actually have anything to do with routers blocking viruses. What it actually is is Cisco's new Network Admission Control (NAC). Anyone attempting to research exactly what Network Admission Control is and exactly how it works will find very little information available. Most Trusted Computing projects tend to bury the fact that they are Trusted Computing based because they know it will draw anger and bad press, but Network Admission Control is a real whopper. I can back it up better with bits and pieces from various sources, but this source has just enough details in one place to pin it down. The title is "Cisco, others plan to ban insecure PCs". The last few paragraphs state that it requires "new hardware" and states that it will "spur sales of PCs and devices that use trusted-computing hardware". If you read that article it should be quite clear how it functions. Any computer which attempts to connect to the router and request a net connection must be running a Cisco Trust Agent. That Trust Agent only works on a Trusted Computing compliant computer. If you don't have a Trusted Computer then you are denied access to the net. The Trust agent then scans the operating system and software running on your computer and reports it to the router. If you are not running an approved operating system and running selected MANDATORY software then you are denied access to the net. The advertised purpose is to ensure that you have all of the latest operating system patches and that you are running an approved (mandatory) firewall and/or virus scanner. Of course it can be arbitrarily configured to make absolutely any kind of software mandatory, but the firewall and virus scanner are the ones they hype. And that's where the silly Slashdot title about "Blocking viruses at the router" came from.
      It doesn't block viruses at the router, the router BANS computers that are not Trusted Compliant and it CAN be configured to enfor

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    3. Re:Kind of like by randori82 · · Score: 1

      Perhaps they should focus on not having "security" leaks of their IOS & PIC src? ...perhaps...

    4. Re:Kind of like by Anonymous Coward · · Score: 0

      holy shit.

    5. Re:Kind of like by AndyMcL · · Score: 3, Informative

      Sorry, this is just conspiracy theory stuff. I work at Cisco and there is plenty of info out there on what NAC is. This is for corporate networks and yes it will deny access to unauthorized or non-standard devices that attempt to use a network. It is policy based so if there is a PC or Laptop that does not fit the bill, then that device will be put on a different VLAN which will either allow the user to update Service Packs or virus definitions or just have bandwidth restricted Internet access (like a guest VLAN). So it is not an all or nothing thing. IT departments can set it up how they want. NAC is cool stuff. You can even have ACLs that are tied to a certain user or group for instance. Also it is open so other companies can make applications that work with it. If you have seen the "Self Defending Networks" advertisements, this is part of it.

      So there is no grand plan to take over the world. Just help IT departments control what devices access the business critical network. Would you really want someone to stick an unpatched fresh out of the box Windows PC with no Anti-virus on your network? Now that many companies have voice on their network 3, 4, or 5 9's is not the goal anymore. Now it is 100% uptime (excluding change windows) so having as much centralization, standardization and automation is critical to getting to that 100%.

      With NAC and related technologies, companies can be sure of who is on, what they are doing, and that the device they are connecting with meets IT standards.

      Regards,

      Andy

      PS If you want more info on NAC just search on the CCO.
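Added example, not part of the thread and not Cisco's NAC code: a toy posture policy of the kind the post above describes, with the policy-based (rather than all-or-nothing) outcome. Agent present and compliant lands on the production VLAN, a managed device that fails a check lands on a remediation VLAN where it can fetch service packs or definitions, and an agentless device or guest user gets the bandwidth-restricted guest VLAN, with a per-group ACL layered on top. Thresholds, VLAN numbers, ACL entries, group names and device records are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco's NAC implementation. Everything below
# (thresholds, VLAN ids, ACL entries, device records) is constructed.


@dataclass(frozen=True)
class DevicePosture:
    """What a posture agent on the endpoint reports back to the network."""
    device_id: str
    user_group: str                 # hypothetical groups: employee, contractor, guest
    agent_present: bool             # False when the device never answered the query
    os_patch_level: int             # constructed service-pack style counter
    av_installed: bool
    av_definitions_date: Optional[date]


@dataclass(frozen=True)
class Policy:
    min_patch_level: int
    max_definition_age_days: int
    production_vlan: int
    remediation_vlan: int           # reachable: update servers, AV definition servers
    guest_vlan: int                 # bandwidth-restricted Internet only


# Hypothetical per-group ACLs, applied on top of the VLAN decision.
GROUP_ACLS: Dict[str, List[str]] = {
    "employee": ["permit internal-apps", "permit internet", "deny any"],
    "contractor": ["permit ticketing-system", "deny any"],
    "guest": ["permit internet", "deny any"],
}


def check_compliance(posture: DevicePosture, policy: Policy, today: date) -> List[str]:
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if posture.os_patch_level < policy.min_patch_level:
        failures.append(f"patch level {posture.os_patch_level} below {policy.min_patch_level}")
    if not posture.av_installed:
        failures.append("antivirus not installed")
    elif (posture.av_definitions_date is None
          or (today - posture.av_definitions_date).days > policy.max_definition_age_days):
        failures.append("antivirus definitions missing or stale")
    return failures


def admit(posture: DevicePosture, policy: Policy, today: date) -> Tuple[int, List[str], List[str]]:
    """Decide (vlan, acl, reasons). A device with no agent or a guest user gets
    the guest VLAN, a managed device that fails a check gets the remediation
    VLAN, and only a compliant managed device reaches the production VLAN."""
    acl = GROUP_ACLS.get(posture.user_group, GROUP_ACLS["guest"])
    if not posture.agent_present:
        return policy.guest_vlan, GROUP_ACLS["guest"], ["no posture agent: unmanaged device"]
    if posture.user_group == "guest":
        return policy.guest_vlan, acl, ["guest user"]
    failures = check_compliance(posture, policy, today)
    if failures:
        return policy.remediation_vlan, acl, failures
    return policy.production_vlan, acl, []


# Constructed sample policy and devices.
CORPORATE_POLICY = Policy(min_patch_level=2, max_definition_age_days=7,
                          production_vlan=10, remediation_vlan=20, guest_vlan=30)

SAMPLE_DEVICES = [
    DevicePosture("laptop-01", "employee", True, 2, True, date(2004, 2, 20)),   # compliant
    DevicePosture("laptop-02", "employee", True, 1, True, date(2004, 2, 20)),   # old patch level
    DevicePosture("desktop-03", "employee", True, 2, True, date(2004, 1, 1)),   # stale definitions
    DevicePosture("unknown-04", "employee", False, 0, False, None),             # no agent answered
    DevicePosture("visitor-05", "guest", True, 2, True, date(2004, 2, 20)),     # guest user
]


def run_demo(today: date = date(2004, 2, 23)) -> Dict[str, int]:
    """Map each sample device to the VLAN it would be placed on."""
    return {d.device_id: admit(d, CORPORATE_POLICY, today)[0] for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for device_id, vlan in run_demo().items():
        print(f"{device_id}: VLAN {vlan}")
```

The stale-definitions branch is the case worth noticing: a device with antivirus installed still fails posture when its definitions are older than the policy allows, which is exactly the situation a remediation VLAN exists for.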

    6. Re:Kind of like by AndyMcL · · Score: 0

      Oh yeah and another thing. NAC is not a special router. It will be on every network device (router, switch, wireless access point, etc.). Right now the first phase has been released so it is available on L3 devices (routers) only. Phase 2 should be out soon and that will include switches. Check Cisco's website for info and updates in the future.

      Regards,

      Andy

    7. Re:Kind of like by Spoing · · Score: 1
      1. Indeed.

      Interesting read. Normally, Cisco doesn't (or didn't as of last year) offer security fixes on any of the equipment it sells...unless you have a service contract. This refusal to fix this one device is not a good sign, though.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    8. Re:Kind of like by USCG · · Score: 1
      Per my nick, I actually work for the U.S. military as an intranet web services programmer, and the DOD has no plans of this type on any scale that even remotely follows what you are suggesting. The branch I work for has just finished up moving all workstations to XP Professional within the last year. In addition, they are finally upgrading all their NT 4 servers to Windows 2003 with Microsoft Active Directory. When the next desktop OS comes out, they won't upgrade again until at least 2008, although 2010 is certainly a possibility.

      I therefore call your bluff.

    9. Re:Kind of like by X0563511 · · Score: 1

      When it gets to the point where you cannot connect to the net without a trusted computer, what is to stop us (geeks, hackers, etc.) from forming our own little patchwork TC-less "internet"?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    10. Re:Kind of like by Alsee · · Score: 1

      I work at Cisco

      Ok, and you can presumably confirm that it is in fact based on the Trusted Computing Group's Trust specification?

      there is plenty of info out there on what NAC is.

      There's plenty of information about it, but I spent a couple of hours poring over Cisco's website and reading any PDFs/files I could find on the subject and Googling the internet for details. Assuming you do in fact directly confirm this is Trusted Computing based, I'd like to see you produce a public link documenting that fact.

      This is for corporate networks

      As I said that is where the project is now. And as I said there are in fact plans to eventually deploy it to ISPs as well. It's perfectly possible that you and those you work with have no such intent and know nothing about it, but there are government policy papers and other corporate projects that DO have such plans. Government plans to eventually "Secure the National Information Infrastructure" and business plans for all personal PCs to have this sort of "security" system for networking. I wish I could give you a link to the Global Tech Summit PDF link, but as I said the file was taken down and I can't find it anywhere else.

      if there is a PC or Laptop that does not fit the bill, then that device will be put on a different VLAN which will either allow the user to update Service Packs

      Yes, I know all about that. If you don't have Trusted Compliant hardware, or if you decline to allow your Trust chip to HIDE YOUR OWN KEYS FROM YOU, well... being able to download service packs isn't going to matter much, will it? Sure it could be configured to allow non-compliant systems access, or allow them reduced speed access, but that pretty much defeats the point of using such a router in the first place. In general anyone who does not have a Trust chip is going to be pretty much screwed. In general it will be configured such that no one will be permitted a useful connection unless they "voluntarily" give up control and effective ownership of their own computer.

      This situation may seem "reasonable" on a corporate network, but to a lot of people it is something of apocalyptic proportions if it extends to general ISP access. And again, while YOU may have no such intent, it *is* exactly the same technology and there *are* powerful people who intend to eventually do exactly that. Trusted Computing is going to be phased in step by step. Deploying it on corporate networks like this is a great stepping stone.

      NAC is cool stuff.

      Sure, if you want and expect the ability to control other people's computers, if you want computers that are secure against the owner.

      Now if you want to talk about securing YOUR computer for yourself, or about securing a corporation's computers for the corporation, well fantastic! You could do that with almost identical hardware where the owner is allowed to know his master key - perhaps give the owner a printed copy of his master key. And for a company's computers, well the company would be the owner. The company would have the keys. The machines would still be secure against viruses and trojans and against the employee users of those machines.

      Also it is open so other companies can make applications that work with it.

      Oh yes, I know. All the Trusted Computing stuff is "open". However all of it is designed to be secure against the owner, and any particular application can impose ultimate lock-out and lock-in whenever it chooses to do so. NAC is "open" in that anyone is free to make their own software/hardware and get LOCKED OUT if they aren't configured on the approval list.

      If you have seen the "Self Defending Networks" advertisements

      I prefer the IBM Man-in-Black Thinkpad commercial. The one where they say Thinkpads have a new security chip to keep out hackers. The one that says that the chip self destructs if an attacker attempts to remove it. The one that DOESN'T happen to poin

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    11. Re:Kind of like by Alsee · · Score: 1

      I've never come across any Military Trusted Computing references, and I never made any claims as to any military activity in the area. So I'm not sure what you think you are refuting?

      When the next desktop OS comes out, they won't upgrade again until at least 2008, although 2010 is certainly a possibility.

      As I said things only really get started when Longhorn comes out. From there it phases in over several years. Assuming Longhorn actually comes out in 2006, and as I said figure four years for a substantial fraction of PCs to be replaced, the earliest that public ISPs could consider making it a part of their Terms of Service works out to 2010. And obviously the military doesn't give a damn about public ISP Terms of Service. Chuckle. The military can adopt or not adopt Trusted Computing at any rate they wish. If they were to deploy a general upgrade anywhere around 2010 it would be perfect timing for doing so. There are already draft versions of Executive Directives for all new executive branch IT acquisitions to be Trusted compliant, but obviously the military would be exempt from that sort of general order.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    12. Re:Kind of like by dago · · Score: 1

      -1; Paranoid

      --
      #include "coucou.h"
    13. Re:Kind of like by Alsee · · Score: 2, Insightful

      What is to stop us (geeks, hackers, etc.) from forming our own little patchwork TC-less "internet"?

      Nothing. But what's going to be ON this new network? None of the existing internet websites and services. Just a handful of people. And anyway, none of the new software will run on a non-Trusted machine, the new media files won't work on a non-Trusted machine, Trusted e-mail won't be readable on a non-Trusted machine, you won't be able to send e-mail to the Trusted public network.

      And even if you did start to build up websites and stuff on this freenet, well, everyone on the Trustednet would be able to access all of the stuff on the Trustednet PLUS all of your stuff. There is absolutely no reason data from outside the Trust wall can't move into the Trust system. The restriction is that stuff inside the wall can't move out. No matter what you do the Trustednet is always "bigger and better and more" because anyone on a Trusted machine can see stuff on both the inside and the outside.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    14. Re:Kind of like by strikethree · · Score: 1

      who will pay for the internet? nobody will want to use the damned thing if it is locked down like that. i know for sure that i would never pay to use a network like that. i would not even buy a computer if it were locked down like that. these people are insane.

      strike

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    15. Re:Kind of like by Alsee · · Score: 1

      Paranoid? Perhaps you would like to refute some of the facts in that post or in my original post? It's all documented. Seriously, what part do you think is untrue? I can provide links backing up virtually everything in those posts. Technical specifications that the Trust chip is designed to conceal your keys from you and prevent you from decrypting your own data except as the system allows. I can cite Microsoft's own website on Longhorn and all of the Longhorn-related facts. I can provide links to Intel's Trusted CPU project, and even a link to a micrograph of the Trust chip inside already shipping Intel CPUs. Links for AMD's trusted CPU project. Links for Transmeta's existing Trusted CPUs. Links documenting how Cisco's Network Admission Control system works.

      About the only thing I can't provide a link to - as I said in my original post - is the President's CyberSecurity Advisor's speech calling for ISP's to make this a mandatory part of their internet access Terms of Service. There *was* a PDF with a transcript of this speech on the BSA website, but they have taken it down and I cannot find it anywhere else.

      So go ahead, tell me what part you didn't believe.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    16. Re:Kind of like by dago · · Score: 1

      Yeah, sure, please back me up with a serious link documenting that Cisco is pushing Trusted computing as part of NAC.

      --
      #include "coucou.h"
    17. Re:Kind of like by Alsee · · Score: 2, Insightful

      i would not even buy a computer if it were locked down like that

      There are some very common misunderstandings about Trusted Computing. One is that you are better off with a normal non-Trusted computer. You are not. That's why Trusted Computing is so insidious. Buying a computer without a Trust chip is like buying a computer without speakers. There's no reason NOT to take the computer with speakers, you can just leave them off and pretend they aren't there.

      A Trusted computer can do anything and everything a normal computer can do. All of your old software and old files still work.

      The difference is that a trusted Computer has a new handcuff mode. This is something "more" or "extra".

      The problem is that all of the new software and files and websites will only work if you turn on the new handcuff mode. The new software and files and websites may be crippled crap in handcuff mode, but at least they work. They don't work at all with handcuff mode off, and they don't work at all on a normal computer.

      It is the person with a normal computer who suffers. None of the new stuff works. And in a few years your ISP may only grant you a net connection through their Trusted software that only runs in handcuff mode. But by the time that happens you'll already be suffering pretty badly if you attempt to resist.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    18. Re:Kind of like by Alsee · · Score: 1

      back me up with a serious link documenting that Cisco is pushing Trusted computing as part of NAC.

      It was buried in the middle of my original post:

      this source has just enough details in one place to pin it down. The title is "Cisco, others plan to ban insecure PCs". The last few paragraphs state that it requires "new hardware" and states that it will "spur sales of PCs and devices that use trusted-computing hardware".

      If it requires hardware and it will spur the sales of Trusted Computing hardware then obviously the hardware it requires *is* Trusted hardware. I think NAC "spurring the sale of Trusted hardware" is pretty conclusive. I've read everything I could find on NAC and there's a variety of evidence and implications in different places, but that link is about the best single "smoking gun".

      Some of the NAC documentation can clearly only do what it claims by using Trusted functionality, but it requires a pretty technical understanding. If you're geeky enough and you understand Trusted Computing well enough then just reading the NAC explanation in the ZDNET article should give you a pretty good idea of how it works and why it's Trusted Computing based. There's no way the system could avoid being fooled by a virus or trojan unless it has Trusted hardware support to certify the report. The fact that the software is named "Cisco Trust Agent" is also pretty strong evidence, but admittedly not conclusive on its own.

      Furthermore the Cisco employee who replied never denied any Trusted Computing connection, though I admit he didn't confirm it. Hopefully he will answer my direct question and directly answer.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    19. Re:Kind of like by Anonymous Coward · · Score: 0

      So now we can also worry about Cisco instead of
      just Microsoft making RFC changes to the default
      TCP/IP stack of protocols? And then patenting
      them?

      This "embrace and extend" bullshit has gone on
      quite far enough. Time to break out the suitcase
      nukes...

    20. Re:Kind of like by dago · · Score: 1

      Yep, I read that beforehand, but this article is just speculative ("might") on the implication of trusted computing ...

      In its current version, NAC does NOT require trusted computers.
      The so called "trusted" functionalities are implemented by software only and things such as libraries wrapping. It is not 100% safe, although the marketing docs pretend it is. Indeed, you can go back to old security advisories to find problems. If you want, you can look at competing products like McAfee Entercept.

      At the end, this whole issue boils down to the way people configure it, not the technology itself (cf guns don't kill ppl).

      Your asking to "prove" there's not trusted computing in NAC is just like asking microsoft to prove they've never used GPL code or Saddam that he doesn't have any WMD.

      --
      #include "coucou.h"
    21. Re:Kind of like by AndyMcL · · Score: 0

      I have not heard of NAC supporting "Trusted Computing". Right now there is a software client that runs on the "Trusted PCs" called Cisco Trust Agent (CTA). That will communicate back through the network to an authentication server and whatever 3rd party servers there are (like Antivirus) to make sure everything is installed and up to date. Routers, switches, APs just check to see if the CTA is installed and are configured what to do if it is not (ACLs, VLANs). Is it conceivable that customers might want to have the various vendors' "Trusted Computing" mechanisms? Sure, if customers want it and the hardware/software support is out there. Again though, I think this would be more for corporate users. ISPs can not tell what the heck OSs my computers run in my home. I have a PIX firewall and just about everyone I know has some type of firewall (Linksys) so I can not see major ISPs shifting to a Trusted Computing model in which each device has to authenticate to the ISP first. If my ISP sends me a nasty gram saying that I need to remove my firewall, I will either change ISP or get business class service. Also, if they did change to that model, I am sure you could be a device that would authenticate for you. It is always a cat and mouse game.

      So if there is "Trusted Computing" support in NAC in the future, it will be just one of many things customers can key off of to make sure devices meet whatever spec is in their Security Policy. I really do not see what "Trusted Computing" buys you. Any terrorist can go out and buy a "Trusted Computing" computer. Since it is an officially licensed CPU and OS, how does that make the bad things the terrorist/hacker/cracker does somehow not malicious? If the person wants to run Linux really bad, all he or she needs to do is install VMWare or VirtualPC.

      -Andy

      Just my 2 cents. I still say NAC is cool stuff. ;-) BTW I do not think Cisco is turning into a security company. For one thing Cisco has been doing security for years (PIX??) and another is that routing and switching are Cisco's bread and butter. Cisco is doing a lot more VoIP and is really gaining ground, is Cisco a voice company then? Cisco is doing really well with SAN storage switching, is Cisco a storage company then? Cisco is Cisco. I love working there. Tons of cool technology and lots of awesome people!

    22. Re:Kind of like by Alsee · · Score: 1

      I'm pretty sure that sort of mandatory Trust system could be implemented such that the packet's contents and source were authenticated and the packet itself would pass through the firewall/NAT invisibly. That authentication might need to mask out any header fields that would be modified by the firewall/NAT. It would be the origin of the packet that was authenticated. As long as the packet is encrypted and signed there is no possibility/threat of the contents being altered along the way.

      if they did change to that model, I am sure you could be a device that would authenticate for you...
      VMWare or VirtualPC


      No, Trusted Computing explicitly prevents that. The keys never exist outside the chip. You cannot virtualize the chip because you do not know the required key. Pretty soon that chip will be inside the CPU itself. It reports on the exact hardware configuration, it reports on the exact BIOS identity. It reports on the exact OS identity. It reports on the exact application identity. Trying to have "some other device authenticate for you" is meaningless because the only device that CAN produce the authentic signatures and report the required configuration is one that does indeed have the required full hardware configuration and is running the genuine unmodified BIOS and is running the genuine unmodified operating system and is running the genuine unmodified applications. Attempt to change a single byte of code anywhere relevant and the chip reports a different and unTrusted configuration.

      I really do not see what "Trusted Computing" buys you.

      Anyone else can know your exact hardware configuration and exactly what software you are running. Short of physically ripping open one of these tamper resistant self-destructing chips it is physically impossible for you to falsify this report. And one of the things it can report is an assurance that you cannot read or modify your own encrypted files except under the conditions THEY wish to allow. Assurance of DRM enforcement.

      If NAC is not Trusted Computing based then some really smart virus or trojan can simply deactivate and emulate the Cisco Trust Agent. It can simply transmit a false NAC report and be granted network access. It can then proceed to infect the network.

      If we had the version of the Trust system I want, one where the owner is given a printed copy of his master keys, then it becomes impossible for a virus/trojan to falsify that report because it does not know the required unique authentication key hidden inside the chip. That key is physically unreadable by software. However an owner who knows his key could knowingly and deliberately generate a false report and deliberately connect to the network with a virus or other modified software. And if you've got an employee knowingly doing that, well... at that point it's kinda like expecting to be secure against authorized people walking in and deliberately torching the building. You have security to keep unauthorized people out and security to prevent authorized people from being infected and unwittingly carrying a threat in.

      With the current Trusted Computing design even the owner can never falsify a report.

      Any terrorist can go out and buy a "Trusted Computing" computer.

      Yes, but his computer will report to you exactly what software he is running. One kind of mandatory software would be a firewall running on his machine, but not a basic firewall. It would be an exit-firewall restricting what he is capable of sending. The network would only accept packets that were encrypted and originated from this firewall software. No software on the computer could transmit anything except through the firewall and with the express permission of the firewall and under the conditions imposed by the firewall. If the firewall says that you cannot forge bogus source IP addresses, and that you cannot send synfloods and you cannot fragment packets and you cannot use certain protocols and you cannot contact certain addresses, well.

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
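Added example, not part of the thread and not Cisco's, Microsoft's or the TCG's code: a toy model of the mechanism argued about in the post above. Every boot component is measured into a PCR-style register whose value changes if a single byte of any component changes, and a simulated chip holding a key that no software can read produces a nonce-bound report over that register. The admission server then checks three things: that the report was produced by the chip, that it was produced for this challenge (not replayed), and that the measured state matches the approved configuration. A software-only agent, standing in for the "virus that emulates the Trust Agent" scenario, can claim any register value but cannot produce a report the server accepts. All names are hypothetical; the boot components are constructed byte strings, and HMAC with a key shared between chip and server is a labelled simplification of the public-key signatures a real TPM uses.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Added example, not Cisco's, Microsoft's or the TCG's code. Names are
# hypothetical and the boot components are constructed byte strings.

ZERO_REGISTER = bytes(32)


def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: new = SHA256(old || SHA256(component)). One-way and
    order-dependent, so the final value commits to every component measured
    and to the order in which they were measured."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_chain(components: List[bytes]) -> bytes:
    """Measure firmware, OS and applications in boot order into one register."""
    register = ZERO_REGISTER
    for component in components:
        register = extend(register, component)
    return register


class SimulatedTrustChip:
    """Holds a key that no method ever returns, and only reports the register
    value it accumulated itself: software on the host cannot obtain a signed
    report for a state the machine is not actually in."""

    def __init__(self, key: bytes):
        self._key = key
        self._register = ZERO_REGISTER

    def measure(self, component: bytes) -> None:
        self._register = extend(self._register, component)

    def quote(self, nonce: bytes) -> Tuple[bytes, bytes]:
        """Return (register, tag). Binding the verifier's nonce into the tag
        stops an old, genuine report from being replayed later."""
        tag = hmac.new(self._key, nonce + self._register, hashlib.sha256).digest()
        return self._register, tag


def admission_decision(server_key: bytes, expected_register: bytes, nonce: bytes,
                       reported_register: bytes, tag: bytes) -> str:
    """Admission server side. Simplification: the server holds the same
    symmetric key as the chip. A real TPM signs with a private key and the
    server verifies with the public key; the decision logic is unchanged."""
    expected_tag = hmac.new(server_key, nonce + reported_register, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        return "reject: report not produced by the trust chip"
    if reported_register != expected_register:
        return "reject: measured state differs from approved configuration"
    return "admit"


def software_only_report(nonce: bytes, claimed_register: bytes) -> Tuple[bytes, bytes]:
    """What an agent (or malware emulating it) can do without the chip's key:
    claim any register value, but tag it with a key of its own choosing."""
    guessed_key = bytes(32)
    tag = hmac.new(guessed_key, nonce + claimed_register, hashlib.sha256).digest()
    return claimed_register, tag


# Constructed boot chains: the approved one, and one with a single byte changed.
APPROVED_CHAIN = [b"firmware-image-A", b"os-kernel-A", b"posture-agent-A"]
TAMPERED_CHAIN = [b"firmware-image-A", b"os-kernel-A", b"posture-agent-B"]


def boot(key: bytes, chain: List[bytes]) -> SimulatedTrustChip:
    """Simulate a boot that measures each component into the chip in order."""
    chip = SimulatedTrustChip(key)
    for component in chain:
        chip.measure(component)
    return chip


def run_demo() -> Dict[str, str]:
    key = os.urandom(32)                      # provisioned into chip and server
    expected = measure_chain(APPROVED_CHAIN)  # the server's approved state
    genuine, tampered = boot(key, APPROVED_CHAIN), boot(key, TAMPERED_CHAIN)
    results = {}

    nonce = os.urandom(16)
    results["genuine"] = admission_decision(key, expected, nonce, *genuine.quote(nonce))

    nonce = os.urandom(16)
    results["tampered"] = admission_decision(key, expected, nonce, *tampered.quote(nonce))

    nonce = os.urandom(16)
    results["forged"] = admission_decision(key, expected, nonce,
                                           *software_only_report(nonce, expected))

    old_nonce, new_nonce = os.urandom(16), os.urandom(16)
    register, tag = genuine.quote(old_nonce)   # captured earlier, replayed now
    results["replayed"] = admission_decision(key, expected, new_nonce, register, tag)
    return results


if __name__ == "__main__":
    for case, decision in run_demo().items():
        print(f"{case}: {decision}")
```

The order of the two checks in admission_decision matters for what a verifier can conclude: a failed tag check says nothing about the machine's state, only that the report did not come from the chip, while a good tag with the wrong register is a genuine machine in a non-approved state and belongs on a remediation path rather than being treated as an attack.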
    23. Re:Kind of like by lq_x_pl · · Score: 1
      Now I may be revealing my ignorance here but ..... I doubt that they will move away from communication with TCP/IP. The information signaling whether or not a computer is trusted will have to be transmitted using TCP/IP.
      One could setup a small home LAN using a trusted router, a trusted computer (one of those cheap-as-hell dealies) and their favorite untrusted computer.
      Even if the untrusted computer can't access the world outside, one could install their favorite packet sniffer and (as long as the trusted and untrusted computers are in the same collision domain) watch the traffic leaving the trusted computer.
      Compare the differences in the information contained in those packets with the packets that leave your untrusted computer.
      See how those bastards are crafted and try to recreate that.

      As I said earlier, I may just be revealing my ignorance, and may possibly know jack-shit about trusted computing.

      --
      An internal system operation returned the error "The operation completed successfully.".
    24. Re:Kind of like by Alsee · · Score: 1

      ignorance

      Not a dirty word. This is a rather obscure and technical subject. On top of that the people behind it are actively concealing information and pushing disinformation.

      one could install their favorite packet sniffer and [] watch the traffic

      The packets are encrypted. The encryption key is locked inside the Trust chip and you are forbidden to see it. The only way to get at your keys is to physically rip open a tamper-resistant self-destructing chip and try to read it out with an extremely powerful microscope. Good luck.

      And since the packets are encrypted and signed it is impossible to alter their contents without destroying them completely.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
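Added example, not part of the thread and not Cisco's code: the "signed packet that still passes through a NAT" idea raised earlier in this thread, with the integrity property claimed in the post above (alter the contents and the packet no longer verifies). The tag is computed over the packet with the header fields a NAT legitimately rewrites masked out, the same approach IPsec AH takes with mutable fields, so a source address and port rewrite leaves the tag valid while any change to the payload or destination breaks it. The packet layout, the mutable-field list and the sample traffic are constructed; only the origin/integrity half is shown, not the payload encryption the post also assumes.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict

# Added example, not Cisco's code. Packet layout, mutable-field list and
# sample traffic are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ttl: int
    payload: bytes


# Header fields a NAT or an intermediate router legitimately changes in flight.
MUTABLE_FIELDS = ("src_ip", "src_port", "ttl")


def canonical_bytes(pkt: Packet) -> bytes:
    """Serialise the packet with mutable fields masked to a fixed value, so the
    tag covers the destination, the destination port and the payload but not
    the fields a NAT is expected to rewrite."""
    fields = {
        "src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
        "src_port": str(pkt.src_port), "dst_port": str(pkt.dst_port),
        "ttl": str(pkt.ttl),
    }
    for name in MUTABLE_FIELDS:
        fields[name] = "0"
    header = "|".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    # Length-prefix the header so the header/payload boundary cannot be shifted.
    return len(header).to_bytes(2, "big") + header + pkt.payload


def sign_packet(key: bytes, pkt: Packet) -> bytes:
    """Origin tag produced by the sender's mandatory exit software. The key
    stands in for the one the post says lives only in the sender's chip."""
    return hmac.new(key, canonical_bytes(pkt), hashlib.sha256).digest()


def verify_packet(key: bytes, pkt: Packet, tag: bytes) -> bool:
    return hmac.compare_digest(sign_packet(key, pkt), tag)


def nat_rewrite(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    """What a home NAT does to an outbound packet: new source address and
    port, TTL decremented. Destination and payload are untouched."""
    return replace(pkt, src_ip=public_ip, src_port=public_port, ttl=pkt.ttl - 1)


# Constructed sample traffic.
KEY = b"constructed-demo-key-not-a-real-secret"
ORIGINAL = Packet("192.168.1.10", "203.0.113.5", 40000, 443, 64, b"GET / HTTP/1.0\r\n\r\n")


def run_checks() -> Dict[str, bool]:
    """Verify the same tag against the packet as sent, after NAT, and after
    two kinds of in-flight modification the tag is meant to catch."""
    tag = sign_packet(KEY, ORIGINAL)
    natted = nat_rewrite(ORIGINAL, "198.51.100.7", 50123)
    payload_changed = replace(natted, payload=b"GET /other HTTP/1.0\r\n\r\n")
    redirected = replace(natted, dst_ip="203.0.113.6")
    return {
        "original": verify_packet(KEY, ORIGINAL, tag),
        "after_nat": verify_packet(KEY, natted, tag),
        "payload_changed": verify_packet(KEY, payload_changed, tag),
        "destination_changed": verify_packet(KEY, redirected, tag),
    }


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case}: {'verifies' if ok else 'rejected'}")
```

Two caveats a deployment would need beyond this: the tag proves origin and integrity but not freshness, so a sequence number or timestamp inside the signed region is needed against replay, and masking the source address means the receiver learns the origin from the key that verifies, not from the address in the header.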
    25. Re:Kind of like by Alsee · · Score: 1

      Even if NAC does not currently use Trusted Computing:
      Cisco Systems and Broadcom are already developing switches that will use the TPM for authentication and more

      recent move by members of the Trusted Computing Group to create an open standards NAC alternative

      and While Cisco presents NAC as an industry-standard approach, at this point, it's a Cisco approach, which apparently Cisco is hoping will become a de facto standard. Elsewhere, there's the Trusted Network Connect standard that's being put together under the auspices of the TCG (Trusted Computing Group), which is intended to accomplish the same thing.

      So one way or another the Trusted network admission system *is* a genuine project and genuine threat. Plus the government call for ordinary ISPs to impose exactly this sort of system on the public as part of their Terms of service. That government plan used to be documented at this BSA address, unfortunately they have taken the PDF down and I cannot find another copy anywhere.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    26. Re:Kind of like by Alsee · · Score: 1

      Even if NAC does not currently use Trusted Computing:
      Cisco Systems and Broadcom are already developing switches that will use the TPM for authentication and more

      recent move by members of the Trusted Computing Group to create an open standards NAC alternative

      and While Cisco presents NAC as an industry-standard approach, at this point, it's a Cisco approach, which apparently Cisco is hoping will become a de facto standard. Elsewhere, there's the Trusted Network Connect standard that's being put together under the auspices of the TCG (Trusted Computing Group), which is intended to accomplish the same thing.

      So one way or another the Trusted network admission system *is* a genuine project and genuine threat. Plus the government call for ordinary ISPs to impose exactly this sort of system on the public as part of their Terms of service. That government plan used to be documented at this BSA address, unfortunately they have taken the PDF down and I cannot find another copy anywhere. I did save some quotes from the President's Cyber Security Advisor's keynote speech:

      I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.
      -
      TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough.
      -
      It is not beyond the wit of this industry to figure out a way of forcing down patches.
      -
      ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.


      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    27. Re:Kind of like by dago · · Score: 1

      Umh ... quite a change eh, ... seems like NAC is the main alternative to "trusted network" and TCG projects. Again, this NAC is directed towards enterprises not ISP.

      Moreover it seems the EU is putting some pressure on the TCG spec for privacy issues, and I have few doubts they'll continue for (e.g.) anti-trust issues.

      Now, if your government decides that ISP have to impose such control of their network to counter terrorist threats ... have fun ;)

      --
      #include "coucou.h"
    28. Re:Kind of like by Alsee · · Score: 1

      privacy issues

      They have been deliberately focusing on that pretty much ever since the Pentium III CPU ID number got publicly lynched on privacy issues. The CPU ID number was the first step in a "roadmap" Intel said they had at the time for introducing new "security features". I've never seen that roadmap, but I'd imagine their plans had more than a little similarity to the current Trusted standard.

      Anyway.... they extensively documented a "Privacy Certificate Authority" ever since the initial TCPA days and incorporated hardware designs to secure your chip's ID number. So now they are trying to bill it as a "privacy enhancing system". New in the 1.2 version of the specification they have something called "Direct Anonymous Attestation" to give "anonymity" without a Privacy CA having the master keys to tracking you. Of course they had to punch a few holes in the system so they would still be able to retrieve identification when they want to revoke someone's key. And all of these privacy features are optional. Each application programmer actually has to write extra code and make an effort to choose to use these features to give you privacy. Anyone and any program at any time can simply state that they want your identity and your computer locks you out until you "voluntarily" grant permission. And even if these privacy systems are used, it would still be pretty easy for applications to snoop some unofficial but equally unique identifier and coordinate tracking you anyway. But the official line and the standards will all be PrivacySupport and PrivacyEnhancement!

      Oh, and they set up some front group. I forgot the name, but it was like Public's Privacy Alliance or somesuch. It pretends to be some grass roots consumer rights advocacy group. The founders are all corporate though, and straight out of the Trusted Computing Group membership. They do PR and government lobbying on two points (or at least two points that I noticed). The first point is a "consumer's rights" call to ensure that any Trust system include exactly the privacy features they already included. That way the Trust system appears to be exactly what "consumer watchdog groups" wanted it to be. Their second PR/lobbying point is for the government and the health industry and businesses to deploy the Trust system so they can use it to protect our privacy.

      As for anti-trust, I seriously hope they get nailed to the wall. But they are also paying very close attention to that issue as well. God knows how many lawyers they have dedicated to the issue full time. They are keeping everything at arm's length. They are hyping everything as "open". I think there's over 200 companies who are members of the Trusted Computing Group. 200 companies cooperating on an open industry standard hardly sounds like an anti-trust violation, does it? And Microsoft signed a deal with Sun for interoperability. Microsoft's Trusted Desktop will talk to Sun's Trusted server. I expect to see quite a bit of deliberately staged activity showcasing compliance with anti-trust law.

      The way Trusted Computing is set up, outside forces will generally be doing their anti-trust dirty work for them. For example Microsoft doesn't do anything to lock out FireFox and other web browsers. They simply make a Trusted Browser - and they can even make an open standard for any browser to be compliant. But it will be the individual website owners who decide what browsers they will trust. Obviously they'll configure their website to trust Internet Explorer, and they know IE will enforce DRM and all the other Trusted crap. Even *if* FireFox made a Trusted Browser that enforced DRM and everything, how many website owners are really going to bother checking Trusted FireFox and configuring their website to accept it?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  3. Or by venicebeach · · Score: 4, Insightful

    They are still a "networking" company and networks are becoming security battlefields.

    1. Re:Or by Anonymous Coward · · Score: 0

      That's why Microsoft fails with Windows? =O

  4. competition - not a bad thing by ngc.for.life · · Score: 5, Insightful

    "a move which may prove problematic for traditional security vendors like Symantec."

    Which means competition and is therefore good for the user.

    Apart from that, another company concerned about security is no bad thing.

    1. Re:competition - not a bad thing by Anonymous Coward · · Score: 1, Insightful

      I think what's scary here is the possibility of Big Bad Cisco monopolizing the market. The problems for Symantec et al come when a huge company like Cisco forces them out, as we've seen other software companies do countless times before.

    2. Re:competition - not a bad thing by Spoing · · Score: 1
      1. "a move which may prove problematic for traditional security vendors like Symantec."

        Which means competition and is therefore good for the user.

      I don't consider Symantec a security company. They make software add-ons that plug holes in another company's product(s).

      Using Symantec's software to increase security is like adding bouncers to a pub that not only sells beer but hands out free baseball bats and crack cocaine while leaving everything on the bar because it's easier that way.

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  5. Cisco has hardware by rkcallaghan · · Score: 5, Insightful

    And some pretty good stuff, I might add. Popular with PHBs, too. Can we say "No one ever got fired for buying [Cisco]." yet?

    This is going to be their major advantage when it comes to security, even down to the linksys brand for home users.

    Good, proactive hardware provides real security. Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).

    Software, and security software has its purpose and can have value, but Cisco's advantage doesn't lie there.

    ~Rebecca

    1. Re:Cisco has hardware by Keruo · · Score: 2, Interesting

      good hardware != security

      Cisco/linksys stuff out of the box is insecure by default, which is not good.
      Have you ever tried any cisco software(not ios), but their vpn clients etc?
      From my experiences, those are the worst crap I've seen since mobile data suites.

      It's easy to compare a hardware firewall to some software like norton av. The software runs on your workstation instead of on a separate box and cpu. It's clear it'll eat resources when processing incoming/outgoing traffic.

      But why compare them in first place? Nobody in corporate networks should run any software like that on their machines in first place.
      The IT administration should have limited the set of programs that a user can run, and they shouldn't have permissions to install any software of their own on the machines.

      If you notice the AV part in Norton, it pretty clearly hints that it's anti-virus, not firewall. And can you really compare anti-virus to firewall/router?

      Sure, there are some L7 firewalls, which slow the traffic equally(depending on connection and traffic load of course), but they are pretty much outside budget and overkill solution for most users anyway.

      --
      There are no atheists when recovering from tape backup.
    2. Re:Cisco has hardware by Anonymous Coward · · Score: 0

      "Cisco/linksys stuff out of the box is insecure by default, which is not good"

      My god man...what are you blathering on about? Have you ever seen a new Cisco router out of the box? They come entirely unconfigured. As in the interfaces don't have IP addresses, no routes are defined. You can't do anything with them until you configure them via a serial port. Even if you put them on your network with no password, they will refuse telnet or ssh connections until a password is set.

    3. Re:Cisco has hardware by rkcallaghan · · Score: 2, Insightful

      Have you ever tried any cisco software(not ios), but their vpn clients etc?

      Whether I have or not, I didn't say anything about Cisco's software. I'd be willing to bet that "crappy" or not; it does more stuff better than Norton.

      The software runs on your workstation instead of on a separate box and cpu. It's clear it'll eat resources when processing incoming/outgoing traffic.

      This is true, but not the reason I cited as Cisco's hardware advantage.

      But why compare them in first place?

      Because the original poster/article wrote: "...a move which may prove problematic for traditional security vendors like Symantec."

      If you notice the AV part in Norton, it pretty clearly hints that it's anti-virus, not firewall. And can you really compare anti-virus to firewall/router?

      Good top end products in the hardware line, if they really want to make a move in to being known for security, are going to include antivirus, among many other things.

      But, if you'd like me to compare what you propose, fine:

      Norton firewall is a bloaty, reactive toilet log, that will sink with the ship when the windows box its on gets loaded with the next worm.

      Just out of curiosity, how come you flame Cisco hardware for not being "secure out of the box"; but then go on to claim that the systems Norton is on should be well configured?

      ~Rebecca

    4. Re:Cisco has hardware by Cramer · · Score: 1
      • Can we say "No one ever got fired for buying [Cisco]." yet?
      Nope. You've obviously never been in a non-Cisco shop. People tend to form fierce loyalties to the evil's they know.
    5. Re:Cisco has hardware by Keruo · · Score: 1

      Symantec does real security products as well as norton, which is software geared for home users.
      They have real hardware firewalls as well, see Gateway security 400 or 5400.

      Cisco hardware isn't secure by default.
      They have a minimal configuration which will make it run (this is a good thing from the view of a network engineer, since the device will be configured when placed in its place), but it'll be open to the world with the default password until changed.
      Same thing with linksys, but at least they include an ip filter which allows access only from a certain private host/range.

      I never claimed that systems where norton is on, should be well configured.
      If you have system with norton, you're most likely home user.
      My point was that corporate networks don't use software firewalls, and home users won't use cisco hardware, unless they found something on ebay for bargain.
      And if the user knew to look for cisco from ebay, there are good chances that he/she knows how to configure that device to be secure. Home users and linksys is another story.

      --
      There are no atheists when recovering from tape backup.
    6. Re:Cisco has hardware by roony · · Score: 1

      Cisco will need to do a lot more than merely make a marketing statement about becoming a security company. At the moment its security tech (other than the RSA competitive one) isn't that fantastic. You look at its inability to think ahead on the IDS side of things and you'll see what I'm talking about. Cisco waits for you to be hacked before it thinks about making signatures for its IDS (Slammer, Blaster etc). Cisco doesn't even know what the IPS concept is.
      That's not the actions of a security company, it's more like Government Road-works...

      Traditionally (much like Symantec), they have bought their way into the market. Unfortunately there isn't much available to buy, let alone much worth buying, that will deliver them any kind of growable tech. Refer to the latest Gartner report.

      "Not fired for buying Cisco.." Pfft - sorry, that may only be by companies that don't understand security; they are getting fewer & fewer everyday.

    7. Re:Cisco has hardware by Anonymous Coward · · Score: 0

      You don't know what you are talking about.

  6. Security is good though... by Gareth+Saxby · · Score: 3, Interesting

    The market for security is much bigger anyway. There are dozens of network retailers, yet there are also dozens of security measures out there as well. From my experience with Linksys equipment (part of Cisco, for those not in the know), security is a major strongpoint in their network hardware.

    Anyway, as I'm trying to make out, the more competition in the security market, the more security has to evolve. This can only be a good thing, I feel.

    1. Re:Security is good though... by Alsee · · Score: 1

      Security is good though...
      This can only be a good thing


      Even if "security" is redefined to mean securing the computer against its owner? This is all about Trusted Computing.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    2. Re:Security is good though... by Gareth+Saxby · · Score: 1

      Sometimes, protection against the owner is necessary.

    3. Re:Security is good though... by Alsee · · Score: 1

      Sometimes, protection against the owner is necessary.

      Really? Please explain to me when your kitchen table needs to be protected against you? Please explain to me when your computer needs to be protected against you? Please tell me when your home needs to be protected against you? Please explain to me when your left foot needs to be protected against you?

      You do understand property rights, don't you?

      It is impossible for anything someone does to themselves (or to their own property) to be an "attack". My baseball is my property and I have every right to rip it open and stick it under a microscope if I like. My baseball does not need or receive any "protection" against me. It is my property.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  7. SSH by cyberkahn · · Score: 5, Interesting



    And it took them how long to get SSH into the IOS? Give me a break. They are going to have to move at a lot faster pace if they want to be a security company.

    1. Re:SSH by jhealy1024 · · Score: 1

      They are going to have to move at a lot faster pace if they want to be a security company.

      No kidding. I just got finished with a 4-month battle with Cisco to fix a bug that disabled access control lists in my core switch.

      If that's how long it takes a security bug to get fixed, I don't want to know how long it takes features to get implemented...

    2. Re:SSH by Anonymous Coward · · Score: 1, Informative

      Not to mention their FW - PIX. SSH1/DES only...

    3. Re:SSH by Cramer · · Score: 1

      Actually, 4 months is pretty good. My personal average is about 6 months of constant bitching to get things "fixed" -- they don't stay fixed, 'tho. (It takes an act of God to get those monkeys to commit something to the main code branch [/main in clearcase].)

    4. Re:SSH by Anonymous Coward · · Score: 0

      Yeah, I noticed that too. Whee, we have ssh1 - yes the somewhat broken security tool. Besides which every network engineer I've ever seen always uses telnet. Not only that they use the Windows Telnet client of all things.

  8. The other way around : networking is the product by AwaxSlashdot · · Score: 3, Insightful

    Or security is a network battlefield.
    You don't 'sell' security : security for security is useless. Networking is something you sell and it needs security.

    --
    Sig (appended to the end of comments you post, 120 chars)
  9. Cisco Announcement by dangermen · · Score: 3, Insightful

    It will probably be Cisco's continued development of Network Admission Control (NAC) as it extends further down the network. NAC will interrogate a PC (via Cisco Trust Agent) that is plugged in to see if it is running the latest MS patches, latest virus definitions, and Cisco Secure Agent policies. If not, it will prevent the workstation from going anywhere but to MS update, the AV vendor for updates, and the CSA policy server. Cisco is also pushing their IPSes into their devices. I wouldn't be surprised to see Cisco pushing IPSes to their switching line.
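A toy model of the admission decision the post above describes, added here as an example; it is not Cisco's code or protocol. A host reports its posture, and the evaluator either admits it or quarantines it so that it can reach only the remediation servers it needs. Every host name, patch ID, version and threshold in it is constructed.

```python
"""Toy model of a NAC-style posture check (added example, not Cisco's code).

A host reports its posture (installed patches, age of AV definitions, CSA
policy version).  If every check passes it is admitted; otherwise it is
quarantined and may only reach the remediation destination for each failing
check.  All host names, patch IDs, versions and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# Where a quarantined host may still go, one destination per failing check.
REMEDIATION_HOSTS = {
    "os_updates": "update.example-os.invalid",
    "av_updates": "defs.example-av.invalid",
    "csa_policy": "csa-policy.corp.invalid",
}


@dataclass(frozen=True)
class Policy:
    required_patches: frozenset   # patch IDs that must be installed
    max_av_def_age_days: int      # how stale AV definitions may be
    required_csa_policy: int      # minimum CSA policy version


@dataclass(frozen=True)
class HostPosture:
    installed_patches: frozenset
    av_def_date: date
    csa_policy_version: int


@dataclass
class Decision:
    admitted: bool
    reasons: list = field(default_factory=list)
    allowed_hosts: set = field(default_factory=set)


def evaluate(posture: HostPosture, policy: Policy, today: date) -> Decision:
    """Admit the host if every check passes; otherwise quarantine it and open
    only the destinations needed to fix each failing check."""
    decision = Decision(admitted=True)

    missing = policy.required_patches - posture.installed_patches
    if missing:
        decision.admitted = False
        decision.reasons.append(f"missing patches: {sorted(missing)}")
        decision.allowed_hosts.add(REMEDIATION_HOSTS["os_updates"])

    age_days = (today - posture.av_def_date).days
    if age_days > policy.max_av_def_age_days:
        decision.admitted = False
        decision.reasons.append(f"AV definitions are {age_days} days old")
        decision.allowed_hosts.add(REMEDIATION_HOSTS["av_updates"])

    if posture.csa_policy_version < policy.required_csa_policy:
        decision.admitted = False
        decision.reasons.append(
            f"CSA policy {posture.csa_policy_version} "
            f"< required {policy.required_csa_policy}")
        decision.allowed_hosts.add(REMEDIATION_HOSTS["csa_policy"])

    if decision.admitted:
        decision.allowed_hosts = {"*"}   # unrestricted network access
    return decision


# Constructed policy and sample hosts used by the demo below.
POLICY = Policy(
    required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
    max_av_def_age_days=7,
    required_csa_policy=4,
)
TODAY = date(2005, 2, 14)
HEALTHY = HostPosture(frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
                      date(2005, 2, 12), 4)
STALE = HostPosture(frozenset({"KB-EXAMPLE-1"}), date(2005, 1, 1), 3)

if __name__ == "__main__":
    for name, host in (("healthy", HEALTHY), ("stale", STALE)):
        d = evaluate(host, POLICY, TODAY)
        print(name, "admitted" if d.admitted else "quarantined",
              sorted(d.allowed_hosts), d.reasons)
```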

    1. Re:Cisco Announcement by Tuxedo+Jack · · Score: 1

      And if this gets implemented at the ISP level, we're going to be in trouble. While it'll curtail the latest worms and viruses, we're going to have to deal with what's classified as a "trusted" application - obviously, corporations like Symantec and MS with their big bucks can buy access into the definition fields, but what about the little guys like Grisoft, and what of the users who use nonstandard configurations (like me on a 68K Macintosh)? We don't all conform to green-out-of-the-box Dell specifications, you know.

      --

      Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
    2. Re:Cisco Announcement by dangermen · · Score: 1

      NAC is not for ISPs. It is for businesses and enterprises. NAC isn't built for random dialup users as CSA, CTA, and other apps require you relinquish control of your PC to the CSA console, etc... It is to keep unpatched systems off of the inside of a corporate network.

    3. Re:Cisco Announcement by _ph1ux_ · · Score: 1

      and my point on this has always been that these features increase the TCO of the network in that one must keep all their service subscriptions up to date in order to ensure that all is clean on the network.

      While companies should keep their support contracts current, the fact is that this is not being acknowledged by cisco in any of the discussions I have had with them.

      So, if you are thinking about this as an option - remember that service is typically in the range of ~20% of the equipment cost annually - and depending on the company - service on software licenses can be rather significant.

      finally, you need to ensure that you are cisco across the board or else you won't be able to take advantage of all of these new features.

      This is a problem - it was the same problem with their wifi solution - but now that they purchased Airespace, they will have a wider offering.

      the thing with cisco is that they purchase standards rather than create them. This is due to them throwing a ton of funds at a technology or company so as to ensure that it will become standard through adoption. This happens a lot in the industry though, so it's not too surprising....

      I think that cisco making things more inherently secure through the equipment used in packet transit is a smart idea, however I don't like Cisco's top-down approach as opposed to something like a packet delivery consortium whereby networking vendors agree on a packet delivery audit trail standard.

    4. Re:Cisco Announcement by Alsee · · Score: 1

      No, corporate networks are merely the initial market. Assuming all goes according to expectations the majority of home PCs will be Trusted compliant a couple of years after the Longhorn rollout. The president's Cyber security advisor has already called on ISPs to make exactly this sort of Network Admission Control system a mandatory part of their Terms of Service, and industry representatives applauded the speech. I go into far more detail in this post. Relinquishing control of your PC will then be a condition of internet access.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    5. Re:Cisco Announcement by nzkbuk · · Score: 1

      Ok, let's for a minute agree that ISPs will agree to this.
      What about all the NAT / firewalls? Won't most of their packets not conform to this? How happy will joe sixpack be when he's told he has to go out and buy a new firewall/nat box so he can connect to the net with others in the house?

      Then there are the hosting companies (I work in a large one in the UK); currently about 70%-80% of servers where I work (we have two /19's in this DC alone) have *nix.
      I can assure you that as much as management might want to implement this there is NO WAY they are going to tell the bulk of our customers "Sorry our new network routers won't talk to your servers, you'll have to find hosting (co-location) elsewhere"

      Then where's this all going to be, an ISP will reject connections from most servers because they aren't running windows ?
      What happens then when 1/4 of the customer base (or more) can't get to their favorite porn site http://www.theregister.co.uk/2004/12/08/brit_net_filth/
      because it happens to be on a linux box ?

    6. Re:Cisco Announcement by Alsee · · Score: 1

      What about all the NAT / Firewalls won't most of their packets not conform to this.

      I'm pretty sure it authenticates the packets themselves, as crafted by the source. It doesn't matter whether your NAT is Trusted so long as your desktop is Trusted. Your desktop encrypts and signs the packets. Your NAT cannot read or alter the packets, at least not without destroying them. You cannot "tamper" with your own packets, they are encrypted and your Trusted computer secures them against you. You are forbidden to know or access your own encryption keys. So long as your NAT faithfully passes on these authenticated packets your ISP's router will accept the connection. Your ISP then knows that YOU are locked down under the Trust system, that YOU cannot send any packets unless their Trusted software on your machine allows you to. The MANDATORY Trust software. They also know it is impossible for you to alter the data their software allows you to send.

      As for corporate ISP service, I suspect that they won't be forced to switch over at the same time. They'll probably have some extra time.

      have *nix.

      There will be Trusted Linux and presumably Trusted Unix. I believe that the SUN deal is primarily about SUN supplying the Trusted Server market.

      It's all about phasing it in. They have no problem with planning on several year timescales. There will be a long phase where it's optional, but anyone who is noncompliant will be increasingly locked out of things. In the computer field hardware that is 5 or 7 years old is absolutely archaic. When they get around to making Trusted computing mandatory, well either you haven't bought new hardware in the last 5 years, in which case it's time to replace it anyway, or you HAVE bought hardware in the last 5 years, in which case that new hardware will have been compliant anyway.

      Even if it takes longer, well they're patient and can wait a few extra years to force a total switchover. There's no way a handful of 8 year old legacy machines are going to prevent it. Anyone with hardware that old is just going to be told to suck it up and buy a new compatible machine already.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    7. Re:Cisco Announcement by nzkbuk · · Score: 1

      Network Address Translation aka NAT, by its very nature, MUST alter the source and destination addresses.
      Typically NAT boxes also do port translation as well as address translation. Both alter the headers of the packet.

      So then do you only consider the packet to be the data portion, or would the entire packet be signed?

      While I'd agree that a desktop PC that is 5-7 years old is archaic, I would not apply that to a network device (such as a router or nat box). Most can handle 100baseTX-FD connections. Do you expect to have faster than 100Mbit to the average consumer by the time they are forced to expect it?
      The only way I would see them becoming obsolete would be if things were IPV6, and what's the bet these features won't be IPV6 only.

      That however would be a good way to finally get IPV6 in widespread use and it would eliminate the need for NAT
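The question in the post above (is only the data portion signed, or the whole packet?) decides whether a NAT breaks the signature. The following added example, which models no real Cisco or TCG product, signs a constructed packet two ways with an HMAC key standing in for a key sealed in the endpoint, rewrites the source address and port the way a NAT does, and shows which signature still verifies; key, addresses and payload are all constructed.

```python
"""Added example: packet signatures versus NAT rewriting (no real product).

A packet is (src_ip, src_port, dst_ip, dst_port, payload).  We sign it once
over headers+payload and once over the payload alone, push it through a
source NAT that rewrites address and port, and check which signature
survives.  The HMAC key stands in for a key the endpoint cannot read.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def _sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def sign_full(key: bytes, pkt: Packet) -> bytes:
    """Signature over the addressing headers and the payload."""
    hdr = f"{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}".encode()
    return _sign(key, hdr + b"|" + pkt.payload)


def sign_payload_only(key: bytes, pkt: Packet) -> bytes:
    """Signature over the data portion only; headers are not covered."""
    return _sign(key, pkt.payload)


def verify(sig_fn, key: bytes, pkt: Packet, sig: bytes) -> bool:
    return hmac.compare_digest(sig_fn(key, pkt), sig)


def nat_translate(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    """Source NAT/PAT: rewrite source address and port, leave payload alone."""
    return replace(pkt, src_ip=public_ip, src_port=public_port)


def nat_survival(key: bytes, pkt: Packet,
                 public_ip: str = "203.0.113.5",
                 public_port: int = 40001) -> dict:
    """Which signature scheme still verifies after NAT, and after tampering."""
    full = sign_full(key, pkt)
    data_only = sign_payload_only(key, pkt)
    out = nat_translate(pkt, public_ip, public_port)
    tampered = replace(out, payload=out.payload + b"!")
    return {
        "full_before_nat": verify(sign_full, key, pkt, full),
        "full_after_nat": verify(sign_full, key, out, full),
        "payload_before_nat": verify(sign_payload_only, key, pkt, data_only),
        "payload_after_nat": verify(sign_payload_only, key, out, data_only),
        "payload_tampered": verify(sign_payload_only, key, tampered, data_only),
    }


# Constructed key and sample packet (RFC 5737 documentation addresses).
KEY = b"constructed-endpoint-key"
SAMPLE = Packet("192.168.1.10", 51515, "198.51.100.20", 80,
                b"GET / HTTP/1.0\r\n")

if __name__ == "__main__":
    for check, ok in nat_survival(KEY, SAMPLE).items():
        print(f"{check:20s} {'verifies' if ok else 'FAILS'}")
```

The trade-off is visible in the results: a signature over the headers fails as soon as the NAT rewrites them, while a payload-only signature survives the NAT but binds nothing about the addresses around it, so the data is protected and the addressing is not.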

    8. Re:Cisco Announcement by Alsee · · Score: 1

      I don't know the implementation details of the Network Admission Control system, but I would guess they would or could be designed to tolerate those sorts of header issues.

      IPV6

      Yes, an IPV6 deployment would be a very effective avenue for rolling in deployment of mandatory Trust compliance. Anyone moving to IPV6 is going to face a major software change anyway, and quite likely a hardware upgrade in the process. It makes a perfect fit for replacing the entire network infrastructure. Everything from NATs to the network backbone to the DNS system.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  10. Re:The [job] security company? by shreevatsa · · Score: 2, Funny

    I live in Bangalore, you insensitive clod!

  11. Apple Security by Anonymous Coward · · Score: 0

    I think Apple will always have the strongest security. http://www.theappleblog.com/2005/01/26/best-from-apple-security/

  12. Re:Heh by KinkifyTheNation · · Score: 2, Funny

    That's why they invented ACs.

  13. Or-First Tier Security. by Anonymous Coward · · Score: 0

    "They are still a "networking" company and networks are becoming security battlefields."

    More like networks are the second best place to handle security. The clients and servers are the first best.

  14. security? by torrents · · Score: 3, Insightful

    do you really have to evolve into a security company in order to ensure that your products are secure... isn't it a fair expectation that when you buy an expensive router etc. that it won't have enormous flaws that allow for numerous exploits? regardless of who you buy it from?

    --
    Get your torrents...
    1. Re:security? by blackomegax · · Score: 1

      no. everything has flaws. there are no promises made, and they clause themselves out of personal responsibility 99% of the time.

    2. Re:security? by _Sprocket_ · · Score: 2, Insightful

      It's not about making secure products. It's about making products for security - firewalls, remote access, intrusion detection / prevention, etc.

    3. Re:Security? by superpulpsicle · · Score: 1

      Cisco is a huge, massive company. Massive companies are clumsy and usually find it tough to shift corners and sell something else.

    4. Re:Security? by 4of12 · · Score: 1

      Given the recent theft of the IOS source code, I certainly hope they get their shit together first.

      Genuine security built into IOS would mean that public release of the source code would have almost no impact.

      But you are correct that it shows slipshod corporate practices if a release occurred when it wasn't supposed to.

      --
      "Provided by the management for your protection."
  15. Security? by ErichTheWebGuy · · Score: 2, Interesting

    Given the recent theft of the IOS source code, I certainly hope they get their shit together first.

    --
    bash: rtfm: command not found
  16. Wow by Anonymous Coward · · Score: 0

    You're funny and informative. I wish I could be you.

  17. They have said this for awhile BUT..... by flinxmeister · · Score: 4, Insightful

    ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

    Then there are other little things, like the limited authentication options unless you spend bookoo bucks...or the very limited logging/audit functions...or the way PIX assumes all 'outgoing' connections are valid (the very concept of 'outgoing' is a SOHO concept and not an enterprise firewalling concept)...ugh...don't get me started on the pix....

    The more you look at Cisco products hands-on, it just highlights what Cisco does: Make networking products.

    Granted, they make networking products *very* well and I wouldn't hesitate to recommend them over anyone else. But myself and just about every security pro I know sees them as networking devices with security kind of bolted on...NOT security devices. It's more like some IOS networking programmers tried to figure out what security folks need instead of researching what's actually going on out there or getting some real world infosec experience.

    If they are becoming a security company, great. But they've said this for awhile now and it hasn't changed the fact that the focus is networking networking networking.

    1. Re:They have said this for awhile BUT..... by Anonymous Coward · · Score: 1, Informative

      " ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

      I can't decide what's worse, the misinformation of the post or the fact that it currently stands at +5. The IPSec capable IOS supports SSH. And for whatever uninformed shrieking idiot that wants to ask the inevitable question : "Why isn't it supported by default?" I'll give you two answers in advance : the IPSec feature set has export control concerns; and just fucking order the IPSec IOS with the router if you want SSH.

      Even if you did have to use telnet for administration, between vty access lists, snmp access lists, an AAA server, and good logging, you would have the risks pretty well mitigated.

    2. Re:They have said this for awhile BUT..... by Wiseleo · · Score: 2, Informative

      It's trivially easy to add ACLs to connections from higher security interfaces to lower security interfaces in PIX.

      That said, there is a significant amount of work left on PIX usability. It is not an easy box to configure, and given the price point of 501E and 506E boxes we've seen customers buy them without realizing what they are getting themselves into as far as configuring the box to do something as simple as what a typical Linksys firewall does out of the box.

      For example, PAT is supported, but not when configured through GUI. The PDM will scream obscenities, or make the customer do that to itself, but it won't accept perfectly valid configurations.

      My experience is with PixOS 6.3, whatever the current release is, and PDM 3.0.

      --
      Leonid S. Knyshov
      Find me on Quora :)
    3. Re:They have said this for awhile BUT..... by Anonymous Coward · · Score: 0
      ...unless you spend bookoo bucks...

      The word, by the way, is beaucoup, italicized for Frenchness.

    4. Re:They have said this for awhile BUT..... by Cramer · · Score: 1

      That's just the way security levels are handled -- it's been like that since before Cisco bought the Pix line. Descending security levels is not restricted... inside@100 can talk to anyone.

    5. Re:They have said this for awhile BUT..... by Cramer · · Score: 1

      Actually, PDM isn't that bad these days. There's still a lot of things it won't do, but those things rank above zero on the complicated scale. The 501 comes out-of-the-box in a mostly working state -- sorta like a linksys, but you'll obviously want someone with a brain to configure it for your network. And being a business class hunk of technology, it's not surprising that it takes some knowledge to set up and manage effectively. The documentation and PDM should be enough for 90% of the small businesses where the 501 is targeted. It's not supposed to be a Linksys :-)

      I learned to manage Pixen in just a few hours playing with one and reading the mountains of documents (both cisco and non-cisco.) I can make a pix roll over and play dead. Heck, I can make one roll over and be dead *grin* (and sometimes bring it back from the dead.)

    6. Re:They have said this for awhile BUT..... by BurritoWarrior · · Score: 1

      ...when you ask them why you must use plaintext telnet to maintain routers you bought as recently as a year or two ago...they mumble around and then say "have you heard of our self defending networks?"

      Um, all Cisco routers come with SSH. If you don't know how to enable it, fault lies with you, not Cisco.

    7. Re:They have said this for awhile BUT..... by Anonymous Coward · · Score: 0

      The base IOS systems don't do SSH and they should.
      Has Cisco figured out SSH protocol 2 yet?

    8. Re:They have said this for awhile BUT..... by Anonymous Coward · · Score: 0

      Coulda shoulda woulda. Base IOS doesn't do SSH, so tough shit. Deal with it.

    9. Re:They have said this for awhile BUT..... by Anonymous Coward · · Score: 0

      Put ACLs on all interfaces, problem solved.

    10. Re:They have said this for awhile BUT..... by asdfghjklqwertyuiop · · Score: 1

      I'll give you two answers in advance : the IPSec feature set has export control concerns;

      Weren't those crypto export regulations eased up years ago?

      Even if you did have to use telnet for administration, between vty access lists, snmp access lists, a AAA server, and good logging, you would have the risks pretty well mitigated.

      No... no combination of those things offers anywhere near the level of security SSH provides.
  18. MacOS vs Win ... easy by AwaxSlashdot · · Score: 1

    Because there are only 2 OSes in the article and the other one is Win.

  19. Looky here. by idono · · Score: 2, Interesting

    "The communications and computing sectors are coming together, and the key for us as a company is to leverage the expertise we have in those two sectors and develop vertical solutions." Hilarious.

    1. Re:Looky here. by drinkypoo · · Score: 1

      I would have had bingo if he had said converging instead of "coming together".

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  20. Re:The other way around : networking is the produc by Nicholas+Evans · · Score: 1

    Or security is an OS battlefield.
    You don't 'sell' OSes : OSes for OSes are useless. OSes are something you sell and they need security.

  21. Re:Heh by ScrewMaster · · Score: 1

    Still ... the presumed anonymity of posting AC kinda depends upon Slashdot's logging policies. I have no idea what those are. But I bet that if autopr0n posted any really important "insider" info here on Slashdot, Cisco's lawyers would be beating down the door to Slashdot's server room tomorrow. Companies take a dim view of leaks.

    --
    The higher the technology, the sharper that two-edged sword.
  22. Good news? by Pan+T.+Hose · · Score: 2, Interesting

    Cisco is certainly a very experienced and knowledgeable company. The question is: would I trust someone who has built the greatest machine of censorship and oppression in the history of human kind to manage my "security"? Only an idiot would! Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even a slightest possibility of profit. Cisco is happy to collaborate with oppressive regimes helping to take away the last pieces of liberty from their citizens. Only a naïve child would think that they would not help the CIA and FBI to violate your privacy. Hiring Cisco as a security company would be an utterly foolish idea.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
    1. Re:Good news? by Anonymous Coward · · Score: 2, Insightful

      Remember kids: some people may be experts in their field, but when they are so outrageously immoral you should never trust them. Never. Because one day those greedy bastards will gladly betray you as soon as they see even a slightest possibility of profit.

      Of course it would. Cisco is a corporation, not a human being. It has no soul and should not be expected to have one. A successful corporation works for shareholder profits and nothing more. If China wants a firewall, Cisco will sell one at the right price.

      Real problems occur when people naïvely trust corporations to "do no evil". Such a concept is antithetical to their nature. It's not a corporation's business to police the world, and it should never be entrusted with that obligation.

    2. Re:Good news? by SunFan · · Score: 1


      China is one of the biggest emerging markets in history. Besides, more global interdependency means a major global economic meltdown would be the prelude of another world war. At least we'll know when to start stocking up on canned goods before the shit hits the fan.

      --
      -- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
  23. a girl? by Anonymous Coward · · Score: 0

    OMGHI2U

  24. Ads by mattthateeguy · · Score: 3, Funny

    I love how the ad that popped up above this article was a Cisco ad.

    1. Re:Ads by marafa · · Score: 1

      there was a cisco ad?
      oh .. i use firefox with adblock extensions .. i dont see ads any more.
      life is now so much faster and easier

      --
      _ In Egypt Networks: Network Solutions with a Twist
  25. Cisco != Security by Anonymous Coward · · Score: 0

    Two attacks on their own network resulting in stolen PIX and IOS code. Yeah...secure...if it weren't for the OpenBSD team Cisco would still be using telnet to remote admin routers....oh wait, they still do regardless, my bad. My $50 goes to an OpenBSD CD.

  26. A 'judgemental' network? by femto · · Score: 3, Insightful
    Surely security belongs on the edges of the network, where users can make their own judgements about how much security they desire? Need high security? Do your own encryption at each end.

    There is also the issue of whether any security, except your own, can be trusted. Will Cisco guarantee the absence of backdoors or 'approved' (not by the user) surveillance?

    Then there is the issue of who makes the call on what 'security' is. There's a fair chance the average geek, sys admin, government and music trade rep will all have different ideas of what security is. Whose version gets implemented by Cisco and friends? Better that each one gets to do their own security.

    1. Re:A 'judgemental' network? by Anonymous Coward · · Score: 0

      "Surely security belongs on the edges of the network, where users can make their own judgements about how much security they desire?"

      Sweet jesus are you fucking mad? Leaving security up to individual users is a recipe for anarchy. You have just suggested the polar opposite of best standard practices for a security policy. Please leave the IT field for reasons of lack of clue.

    2. Re:A 'judgemental' network? by Anonymous Coward · · Score: 0
      'User' in this context does not mean 'the person who sits at a windows desktop' (that's a myopic view, probably taken by a sys admin).

      Rather it means 'those who use the network'. A 'user' may be a company, a sys admin, or a person sitting at a desktop. If a telco uses their own network, for the purposes of their own data, that telco is also a user.

  27. NAP is sick... by danielrm26 · · Score: 3, Insightful

    I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.

    An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.

    The trick here is that no one is in a better position to do such a thing than the company that owns most of the network infrastructure.

    Don't dismiss them as a security company; we've only seen the beginning.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:NAP is sick... by RGautier · · Score: 1

      Of course, if Neo shows up, the agent stops doing its job and concentrates all its efforts on stopping him.

    2. Re:NAP is sick... by jhealy1024 · · Score: 3, Interesting

      An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc. If it's clean, the switch or router lets them through to the main network. If not, you get VLAN'd off to a remediation network, and once you are done there you are allowed on.

      Not to sound like a sales guy, but Bradford Software has an appliance that's been doing this for over a year. It polls switches for clients, can perform port and VLAN management, and it does remediation scans. Best of all, it interoperates with most managed switching equipment from any vendor.

      Also cool is the fact that it doesn't require software on the clients (I couldn't tell from your description if NAP requires this). The appliance scans the client machines with various penetration tools and automatically sends them to a remediation VLAN. Very helpful for rogue clients on the network.

    3. Re:NAP is sick... by bushidocoder · · Score: 1
      There's a company called PatchLink that has an agent which does much the same - their product not only includes AV, firewall and patch scans, but also common misconfiguration scans. Their agent also allows a network admin to instantly deploy OS and software patches, as well as remote product installations, AND it collects a complete hardware/software inventory of every machine's system and keeps the central console informed of any updates.

      I can't say enough good things about what they can do.

    4. Re:NAP is sick... by isometrick · · Score: 2, Interesting

      Microsoft was working on something like this too, called Network Quarantine. Basically, the server would request a ticket from the machine indicating its virus definition file version, system health, etc.

      If anything was less than kosher, the same kind of thing would happen as you speak of. You'd be put on a VLAN with access limited to servers with patches and other updates.

      My problem with it was that you have to trust the client machine to report its health status correctly, while such information could be easily mangled by virii or spyware.
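The quarantine scheme described in the parent post and the trust problem raised in this reply, as an added example (not Cisco NAC/CTA or Microsoft Network Quarantine code): a policy evaluator that assigns a VLAN from an endpoint's posture report. The report format, policy thresholds, VLAN ids and the HMAC check with a shared agent key are all assumptions made for illustration.

```python
"""Toy NAC-style posture evaluator (added example, not vendor code).

An agent reports AV/firewall/patch state; compliant hosts get the production
VLAN, everything else lands on a remediation VLAN. Report format, policy,
VLAN ids and the HMAC scheme are assumptions for illustration.
"""
import hashlib
import hmac
import json
import time

PRODUCTION_VLAN = 100     # assumed VLAN ids
REMEDIATION_VLAN = 999
MAX_REPORT_AGE = 300      # seconds; older reports are treated as replayed

# Minimum acceptable posture (constructed policy, not a vendor default).
POLICY = {
    "min_patch_level": 20050301,        # date-stamped patch baseline
    "min_av_signature_version": 4400,
}

# Constructed sample data: a shared agent key and two posture reports.
AGENT_KEY = b"constructed-agent-key"
NOW = 1_110_000_000
CLEAN_REPORT = {
    "host": "ws-042", "timestamp": NOW, "av_running": True,
    "firewall_enabled": True, "patch_level": 20050301,
    "av_signature_version": 4412,
}
UNPATCHED_REPORT = dict(CLEAN_REPORT, host="ws-017", patch_level=20041115)


def canonical(report):
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(report, key):
    """HMAC-SHA256 tag the agent attaches to its posture report."""
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def verify_report(report, tag, key, now=None):
    """Accept only reports carrying a valid tag and a recent timestamp.

    Caveat, and the objection raised in the reply above: the key lives on the
    endpoint, so this proves which agent produced the report, not that the
    agent (or malware controlling it) told the truth.
    """
    if now is None:
        now = time.time()
    if not hmac.compare_digest(sign_report(report, key), tag):
        return False
    return abs(now - report.get("timestamp", 0)) <= MAX_REPORT_AGE


def posture_ok(report):
    """Evaluate the self-reported state against POLICY."""
    return (
        report.get("av_running") is True
        and report.get("firewall_enabled") is True
        and report.get("patch_level", 0) >= POLICY["min_patch_level"]
        and report.get("av_signature_version", 0) >= POLICY["min_av_signature_version"]
    )


def assign_vlan(report, tag, key, now=None):
    """Unverifiable or non-compliant hosts go to remediation; the rest to production."""
    if not verify_report(report, tag, key, now):
        return REMEDIATION_VLAN
    return PRODUCTION_VLAN if posture_ok(report) else REMEDIATION_VLAN


if __name__ == "__main__":
    for name, rep in (("clean", CLEAN_REPORT), ("unpatched", UNPATCHED_REPORT)):
        print(name, assign_vlan(rep, sign_report(rep, AGENT_KEY), AGENT_KEY, now=NOW))
    # A forged tag (wrong key) or a stale report is quarantined whatever it claims.
    print("forged", assign_vlan(CLEAN_REPORT, sign_report(CLEAN_REPORT, b"x"), AGENT_KEY, now=NOW))
    print("stale", assign_vlan(CLEAN_REPORT, sign_report(CLEAN_REPORT, AGENT_KEY), AGENT_KEY, now=NOW + 3600))
```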

    5. Re:NAP is sick... by _Sprocket_ · · Score: 1
      I hate to sound like a sales guy for the company, but they have something called NAP that's just completely sick.

      It's interesting that you note this... especially with the parent article's quote about Juniper. Juniper bought Netscreen last year. And for over a year, Netscreen has partnered with Infoexpress to support their CyberGatekeeper product - providing this kind of functionality. In fact, Cisco apparently had some interest in acquiring Netscreen but not the same dedication to the acquisition as Juniper. It would seem that they're now playing catch-up on tech they had not managed to acquire in that deal.
    6. Re:NAP is sick... by Anonymous Coward · · Score: 0

      I saw a demo from ExtremeNetworks where they did the exact same thing using their switches and McAfee. I think it was McAfee but I could be wrong. But it worked as we put a Virus infested PC on the protected vlan and their switch correctly put the PC in the dirty vlan.

    7. Re:NAP is sick... by Spezzer · · Score: 1

      "The trick here is that no one is in better position to do such a thing than the company that owns most of the network infrastructure."

      Couldn't you replace 'network infrastructure' with 'OS Market Share' and say the same thing about Microsoft?

      Isn't this what everybody complains about? If not, I'd love to hear the difference.

    8. Re:NAP is sick... by carlivar · · Score: 2, Interesting
      An agent (CSA) runs on all endpoints and checks them for AV, firewall, OS patches, etc.

      Does it support Macs, Linux, and BSD? I would be surprised if it did. Though I guess you don't need AV and such with non-Windows machines, but some sort of visibility into these systems would be nice.

      There is very little end-user software out there that makes a legitimate effort to support all platforms. Though actually, Cisco's VPN client does a pretty good job. They have Windows, Mac, and Linux versions.

      Carl

      --
      Vote Libertarian
    9. Re:NAP is sick... by Jacco+de+Leeuw · · Score: 1
      My problem with it was that you have to trust the client machine to report its health status correctly, while such information could be easily mangled by virii or spyware.

      Exactly. Sure, it works great but effectively this is security through obscurity. Currently there is little incentive to reverse engineer the NAP / Network Quarantine protocol. The zillions of unpatched Windows boxes are easier targets. But if the pay-off is there (remember the Xbox hack?) it can and will be done. If only by some CS PhD to prove his point.

      And, as someone else noted, this scheme does not work on all operating systems.

      --
      -------
      Warning: Slashdot may contain traces of nuts.
    10. Re:NAP is sick... by jsindell · · Score: 2, Informative

      Actually, NAP is the Microsoft quarantine solution. Cisco's solution is NAC.

      NAP is not a security feature, it's a client health feature.

    11. Re:NAP is sick... by Anonymous Coward · · Score: 0

      You know, I've been trying to do something like this forever with Windows DHCP Server. DHCP server recognizes client request, so run xyz.bat file which might run a Languard scan against the machine, or whatever you want, and if the results come back favorable, grant the DHCP address. Otherwise, no IP (or segregate them out). Too bad, I would imagine it's very simple to implement.

    12. Re:NAP is sick... by CAIMLAS · · Score: 1

      It'd be nice for ISPs to instigate such a thing. I imagine it's around the corner.

      on the other hand: can you imagine the draconian enforcement which would lead to roughly 20% (all Mac and Linux users) getting shut off (or forced to upgrade "business" grade service)?

      I'd be very angry.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    13. Re:NAP is sick... by akalat · · Score: 1

      Indeed, many companies are doing this same thing. It's called using 802.1x. As long as the switch architecture supports it, many vendors can function the same way. ZoneLabs Integrity does it for instance. I'm sure you'll see something like this in some MS OS down the line as well.

    14. Re:NAP is sick... by azrael · · Score: 1

      You mean NAC, network access control.

      http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm

    15. Re:NAP is sick... by azrael · · Score: 1

      (Correction from my prior post.)

      http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm
      You mean NAC, network admission control.
      The CTA, Cisco Trust Agent, is the piece that actually runs on the host, to help defend the network from the host.

      http://www.cisco.com/en/US/products/sw/secursw/ps5057/
      In contrast to CTA, CSA, Cisco Security Agent, focuses on protecting the host from the network.

      The difference is host vs. network intrusion prevention.

  28. About time too! Hardware security by CdBee · · Score: 2, Insightful

    Software firewalls and security software are inherently pervertible - some even have programmatic interfaces to open ports!

    The only good system security comes in part from sitting behind a hardware firewall router - something Cisco, with its subsidiary Linksys, is in a position to sell.

    --
    I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    1. Re:About time too! Hardware security by cpghost · · Score: 2, Insightful

      hardware firewall router

      And what do you think runs on this hardware? Right, IOS or a similar OS. Now go scan for IOS vulnerabilities and enjoy! There's no such thing as "hardware security."

      --
      cpghost at Cordula's Web.
    2. Re:About time too! Hardware security by Anonymous Coward · · Score: 0

      Shhhhh, the PHB's needs to sleeps at nites.

  29. Re:Heh by blackomegax · · Score: 1

    thats why he can do it through an anonymous proxy i dont think slashdot logs IP of ac's

  30. Pink Syntax Early Post by Anonymous Coward · · Score: 0

    The Pink Syntax is a group of would-be jazz fanatics who comment on Slashdot stories in typical 1940s jazz-cat slang and insert random notes on worshipping Charles Mingus and "Django Reinhardt Hot Grits". Unca Faubus is their leader.

  31. Hmm by mcc · · Score: 1

    Well I'd rather Cisco buy their way into the market than, say, Microsoft. Bought in or no, if Cisco wants to get somewhere meaningful, they're going to have to do it entirely based on quality products. If Symantec has to improve their own products to keep up, or Cisco's mainline products are indirectly improved in the process, well, so much the better.

  32. Private Policemen by itsthebin · · Score: 2, Funny

    Cisco in Singapore (http://www.cisco.com.sg/) is already a security company. They provide private policemen, armoured transport and have control over much of Singapore's electronic infrastructure. They do have their fingers in more than just producing routers.

    --
    ...I obey the laws of physics....
  33. Well by Anonymous Coward · · Score: 0

    Not imho. Last year, they released six new servers and five new software titles, none of them related to security. The big profits are all about routers and other hardware. Cisco owns Debliro, a security company which deals with things like virus protection, industry-strength firewalls, complete medium/large scale company security business system arrangement solutions for infrastructure management overviews. Not much R&D goes into Debliro, but it's a trademark they could use, which is widely known among large scale system administrators and the like.

  34. 4/5ths of our problems are from the inside by gelfling · · Score: 2, Insightful

    And I suspect your organization is the same. Internal networks are victims of strange political forces, ridiculous budgets and a crippling blindness that expensive boxes that protect us from the evil commie internets is all we need.

  35. It would make sense by cr0y · · Score: 1

    I personally would love to see routers that you could install 'modules' onto to control things ranging from spam, to viruses, to spy/malware. I know this can be done with custom machines with router software, however you don't get the reliability that IS cisco.

    --

    ItWasFree.com - Take the mystery
    1. Re:It would make sense by myov · · Score: 1

      Maybe I'm missing something, but what about redirecting HTTP through a filtering proxy? Something matches a signature and it's blocked.

      The trick is keeping the signatures up to date. I'm not sure I want my firewall auto updating.

      --
      I use Macs to up my productivity, so up yours Microsoft!
  36. The Year 2000 wants it's headline back. by ABeowulfCluster · · Score: 1

    This is really really old news.

    1. Re:The Year 2000 wants it's headline back. by TeknoHog · · Score: 2, Funny

      The grammar called, it want's it's apostrophe's back.

      --
      Escher was the first MC and Giger invented the HR department.
  37. How is this funny?? by Anonymous Coward · · Score: 0

    ECC is the emerging standard for public-key cryptography. Within a few years, I can see it taking significant market share from traditional RSA-based systems. The mathematics behind ECC is much more complicated, but it improves on most of RSA's weaknesses. The only major drawback that I know of is that ECC is encumbered by a variety of patents.

    1. Re:How is this funny?? by _Sprocket_ · · Score: 1

      It might have something to do with Cisco's logo.

  38. Similar, not the same though. by anti-NAT · · Score: 4, Informative

    While I'm not defending the issues listed on that page, Microsoft are directly responsible for the flaws in their software, as they wrote it, whereas the products described on the Attrition site came to Cisco via acquisition (the ONS products came from Pirelli (I think the same company that makes tires and very "interesting" calendars)), in times when security probably wasn't one of the checkpoints on the due diligence list.

    The only "true" Cisco products are routers, IOS, and more recently the IOS that is on the CRS-1. The security record for IOS has been pretty reasonable, when you consider that it has and will always be "exposed" to the Internet.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Similar, not the same though. by Anonymous Coward · · Score: 0
      The security record for IOS has been pretty reasonable

      Not really what I'd call reasonable, not "IE standard bad" but hardly good either.

    2. Re:Similar, not the same though. by Cramer · · Score: 2, Informative

      The ONS came from Cerent. And Cisco has fixed all of the bugs in the code it purchased from them. There are situations where they cannot fix the bugs that pop up -- and others where marketing tells them not to... don't fix it; make 'em buy the new stuff.

      Even Cisco's routers are not 100% Cisco engineered these days -- hardware or software. Cisco has bought their way into just about every market they touch. And that's not necessarily a bad thing.

  39. The will have to improve their products then... by Anonymous Coward · · Score: 3, Insightful

    Their PIX firewall is no competition to the other popular vendors. It lacks both the performance and features of Netscreen/Juniper and has a shoddy security record.

    Their IDS is less sensitive than Snort and its VMS manager software is slow, hideously bloated and buggy.

    For several years, Cisco have been promoting an insecure combination of IPSEC shared-secret with xauth. Despite being documented as dangerous on their own website, it was still the taught and recommended way of configuring "convenient" secure remote access VPNs. Only in the last six months have they fixed this.

    Their NAC/self-deluding-network initiative is broken as proposed. All enforcement is performed in the wrong place: routers off at the edge of the network. Right now, there is no way to deploy NAC on a switch or even an MSFC.

    Cisco need to stop their marketing droids from directing their product development and get back to competing on technology.

    1. Re:The will have to improve their products then... by dangermen · · Score: 1

      1. Their Pixes are a fixed configuration system that handles bandwidth just fine. I managed several customer networks and most of those are running 200-300 mbps per second with anywhere from 10,000 to 80000 concurrent connections. Heck FW1 can't even go above 50,000 concurrent connections.

      2. Their IDSes do lack something to be desired but they are working on it.

      3. Cisco HAS had a workaround for several years now for the IPSEC issue you reference.

      4. NAC is part of a growing roadmap. Switches are coming this May. Christ, how about you rewrite Windows in a week and make it secure. Cisco has to write and test this shit.

    2. Re:The will have to improve their products then... by Anonymous Coward · · Score: 0

      NAC Phase 2 is on the way. It's not broken, it's a phased approach, stop spreading FUD you damn troll. The IDS sensors are less sensitive?? WTH does that mean, you're obviously a die hard netscreen/juniper fan. Stick with a 2nd rate product and ridiculous firewall solution. Keep telling yourself you're safe. Cisco doesn't have to sell a security product, they sell a security solution. End to end security. What does netscreen/Juniper do ?? Exactly.. take your troll somewhere else and come back with facts when you can hang with the big boys....

    3. Re:The will have to improve their products then... by Anonymous Coward · · Score: 0

      Juniper / Netscreen aren't big boys? I think you are the troll my friend.

      Netscreen has excellent IDS and policy based firewall management. Their VPNs are rock solid and the ASIC arch of the units makes them very fast. ...and remote management can be performed via SSH :)

      How are they 2nd rate? What are they doing wrong?

    4. Re:The will have to improve their products then... by Anonymous Coward · · Score: 0

      1. 200-300 mbps isn't fast. Their so-called "fast pix" is really a Catalyst 6500 switch blade that uses switching flows rather than inspecting every packet. Also, they lack important features like transparent filtering and deep packet inspection (both Checkpoint and Netscreen do these fine BTW).

      3. "Use certificate auth" isn't much of a workaround, when the point of the system is to provide easy access. They do call it "EasyVPN", not "FrustratinglyX509ishVPN". Checkpoint has had this right for *years*. BTW If you want a laugh, try turning on SSL VPN on a 3k concentrator.

      4. That is pretty much what I said - NAC *as currently proposed* is useless. It might be good when you can do it on a switch, or at least an MSFC, but it is a waste of time now. It doesn't stop worm/virus propagation *a single bit*. Based on Cisco's inability to ship security features, I bet that NAC-on-a-switch isn't ready before 2006. So NAC could be an interesting architecture, but right now it is expensive and useless.

      It's great that Cisco is thinking about security, but they don't really have much to talk about except a bunch of 2nd rate acquisitions and incomplete technologies.

    5. Re:The will have to improve their products then... by Anonymous Coward · · Score: 0

      studied hard for the ccna did you?

  40. Where comes the Sun? by Doc+Ruby · · Score: 1

    I would have thought that Sun would have filled this vacuum a couple of years ago. With all their "network is the computer" marketing, and the huge demand for security on the networks that Sun pioneered, Sun had an even better position to fill this niche than does Cisco. But no real move by Sun on security for everyone since Java's sandbox. I think the Sun really is setting if it lets opportunities like this fall to companies like Cisco instead.

    --
    make install -not war

  41. Capitalism supporting communism by anti-NAT · · Score: 1

    I'd be pretty sure that the only reason they built the "Great Firewall of China" is because they could sell a lot of kit to do it, as well as establish a relationship and presence in China to sell a lot more kit in the future. If they didn't, probably one of their competitors would have.

    Who demands Cisco continue to be a profitable company? Who demands Cisco continue to provide ever increasing share value, on a trajectory similar to the past? Who demands that Cisco never accept letting their competitor win a deal? I'd suggest it is primarily the hard-nosed capitalists in the US, as they have the largest shareholdings in the company.

    Arguably, China is becoming more and more a Communist country in name only - it is having to adopt capitalist systems to survive on the world stage. In the short term, there will be conflicts between communist beliefs (and the government who administer them) and capitalist systems they need to survive. The controlling of the Internet via the "Great Firewall of China" is an example.

    I think China is on the "slippery slope" towards eventually becoming a Capitalist country. The Chinese government are letting companies become profit and growth/acquisition oriented, the next logical step is to let the citizens themselves adopt the same views. Isn't that what capitalism is fundamentally?

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Capitalism supporting communism by John+Pliskin · · Score: 1

      The stock holder; of which I am one of.
      Voting stock to boot; and while I see, and agree with your point; I still would rather they have built it, and left holes open.

      Capitalism kills communism; they are different ideals, of which I know you know, however the way in which it does so, is just as you said. Over time people, and countries change; but it's only in relative terms.

      $

  42. Cisco has never been exceptional at security by Anonymous Coward · · Score: 0

    The only security related product Cisco has been remotely successful with is Cisco Security Agent aka CSA aka Okena. A technology that will be obsolete with technologies being integrated into Windows.

    They have to give away their PIX firewalls to have any sort of market share at all, their network IDS is piss poor and their network IPS (present and future) falls below ISS Proventia Gseries (which puts it nearly at the bottom of the list).

    I don't care who they acquire, any security professional worth their salt knows Cisco doesn't do software well.

  43. Cisco has exploits like Microsoft. by Anonymous Coward · · Score: 3, Interesting

    Cisco has a terrible security track record, using them for security is absolutely retarded. And although its not firing, I have consistently refused to hire people who think of cisco as the default solution to network problems for the last 3 years. You can get better hardware much cheaper, and install open source OSs like linux and openbsd and get a way better solution than cisco for a fraction of the price. The only thing cisco is in competition in is switches and high end routers. And there are superior products from other vendors in both those areas.

    1. Re:Cisco has exploits like Microsoft. by Anonymous Coward · · Score: 0

      Bingo. Nice comment. Can't say too much but that about sums it up. Hence you have to hype your security products and hope to sell to managers with no clue.

  44. Re:Heh by Anonymous Coward · · Score: 0
    > i dont think slashdot logs IP of ac's

    They sure do.

  45. Hosts shouldn't trust the network; Network .. by anti-NAT · · Score: 3, Interesting

    shouldn't trust the hosts.

    In "Routing in the Internet", Christian Huitema, when describing the Internet architecture, describes why hosts shouldn't trust the network to perform reliable delivery. Hosts have more of an interest in reliable communication than the network, as ultimately they will suffer the most if the network isn't as reliable as it says it is; therefore hosts should take the primary interest in ensuring the network delivers data reliably. That leads to absolute reliability mechanisms in the network being redundant, as the hosts will implement them anyway. This is why TCP is an end-to-end protocol, why the IP header checksum only covers the IP header, and why the network layer in the Internet is only "best-effort".

    In a later chapter, regarding QoS, he makes the point that the network shouldn't trust the hosts. The network should provide generally equal service to all its "customers" - the hosts that are attached to the edge of the network. Therefore, if one host is misbehaving, the network should penalise it. That is what the default queuing algorithm (Random Early Detection) for the Internet does. Some details are in Recommendations on Queue Management and Congestion Avoidance in the Internet.

    The same model applies to security. Security should be end-to-end when the host has the most interest in the consequences of lack of security. Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).

    The network's security needs aren't quite the same as the hosts; the main thing the network has to secure is availability and the ability to continue to provide equal service to all its customers (the hosts.) Authentication in routing protocols, secure administration tools such as SNMPv3 and SSH, and traffic rate limiting mechanisms like RED are network security mechanisms that protect the network's service.

    Security problems come about when attempts are made to implement host security in the network, and network security in the hosts. For example, a firewall's purpose is really to protect the hosts. The current location for most firewalls is inside the network. Unfortunately that doesn't fully extend the host protection a firewall provides up to the host itself. With the current model, it is easy enough to "unprotect" the host by inserting a device, for example a wireless access point, between the firewall and the host. The firewall may still protect the host from Internet based attackers, however it doesn't protect the host from war drivers. Ideally, a firewall should reside on the host itself, to protect the host from attacks from all (network) directions. Interestingly, that is happening already through evolution - most host OSes are coming with firewalls out of the box. Administration of firewall security policy is a problem with this model, due to the increased number of firewalls to now administer, however, mechanisms are being developed to apply distributed security policy. Distributed Firewalls by Steven M. Bellovin describes this model further.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
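
To make the post's point concrete, here is an added example (not code from the post, nor from Bellovin's paper): a toy packet filter that is applied either at the perimeter only or at the host as well, together with a centrally signed policy that the host verifies before installing it. Addresses, hop names and the policy-signing key are constructed for the example; Bellovin's design distributes policy as KeyNote credentials over IPsec, for which a plain HMAC stands in here. The war driver's packets never cross the perimeter device, so only the host-based model stops them.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP (the protected host)
    proto: str      # "tcp" or "udp"
    dport: int
    path: tuple     # hop names the packet crosses on its way to the host


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str
    dport: Optional[int]        # None matches any destination port
    src_nets: tuple = ()        # CIDR strings; empty matches any source


def evaluate(rules, pkt):
    """First-match packet filter; no match means deny."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.src_nets and not any(ip_address(pkt.src) in ip_network(n) for n in r.src_nets):
            continue
        return r.action
    return "deny"


# Hypothetical policy-server key (constructed). An HMAC over the serialized
# policy stands in for the signed credentials Bellovin's design uses.
POLICY_KEY = b"example-policy-server-key"


def sign_policy(rules, key=POLICY_KEY):
    body = json.dumps([asdict(r) for r in rules], sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def policy_accepted(body, tag, key=POLICY_KEY):
    """Host side: only a policy whose MAC verifies may be installed."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def load_policy(body, tag, key=POLICY_KEY):
    if not policy_accepted(body, tag, key):
        raise ValueError("policy rejected: MAC does not verify")
    return tuple(Rule(**d) for d in json.loads(body))


def delivered(pkt, enforcement):
    """Filter the packet at every hop on its path that enforces a policy.

    enforcement maps hop name -> rules; hops with no entry forward everything.
    """
    for hop in pkt.path:
        rules = enforcement.get(hop)
        if rules is not None and evaluate(rules, pkt) == "deny":
            return False
    return True


HOST = "10.20.30.40"
POLICY = (
    Rule("allow", "tcp", 22, ("10.0.0.0/8",)),   # SSH only from the internal range
    Rule("allow", "tcp", 443),                    # HTTPS from anywhere
)                                                 # everything else: default deny


def scenario():
    body, tag = sign_policy(POLICY)
    rules = load_policy(body, tag)

    # Constructed traffic: an Internet attacker arriving through the perimeter,
    # a war driver on a rogue access point plugged in behind it, and an admin.
    internet_ssh = Packet("203.0.113.5", HOST, "tcp", 22, ("perimeter-fw", "host"))
    rogue_ssh = Packet("192.168.77.9", HOST, "tcp", 22, ("rogue-ap", "host"))
    admin_ssh = Packet("10.1.2.3", HOST, "tcp", 22, ("core-switch", "host"))

    perimeter_only = {"perimeter-fw": rules}
    host_based = {"perimeter-fw": rules, "host": rules}

    results = {}
    for name, model in (("perimeter_only", perimeter_only), ("host_based", host_based)):
        results[name] = {
            "internet_ssh": delivered(internet_ssh, model),
            "rogue_ssh": delivered(rogue_ssh, model),
            "admin_ssh": delivered(admin_ssh, model),
        }
    return results


if __name__ == "__main__":
    for model, outcome in scenario().items():
        print(model, outcome)
```

The perimeter-only model lets the rogue-AP packet through because no device on its path evaluates the policy; the host-based model drops it while still admitting the admin and still rejecting the Internet source. The same signed policy is installed everywhere, which is the administration point the post raises.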
  46. Re:The other way around : networking is the produc by dhakbar · · Score: 1

    Or love is a battlefield.

  47. They've tried for years.... by -audiowhore- · · Score: 1

    Ever since Cisco bought the Wheel group all those years back, they've attempted to make a real entry into the security market.

    Although they have great market share in the blue-chip corporate sector these days, two major components are still lacking from their suite of products: a decent workable management platform (anyone that has built or used VMS knows where this is coming from), and an event correlation engine (the Protego acquisition addresses this).

    Cisco has made so many acquisitions over the years, but has had little success with re-branding them and taking them to market. Check out the host based IDS as an example of this (for those who cannot be bothered, Cisco introduced an OEM'ed HIDS then dumped it very quickly after acquiring yet another vendor in the HIDS space...)

    Whilst NAC and the latest product offerings all sound great and definitely are the way of the future converged network, I'll believe it when I see it deployed in a real network - not in the lab in the Cisco building.

  48. hmm by Anonymous Coward · · Score: 0

    could cisco be evolving into a more services-oriented company because in a few years 95% of networking hardware will be a commodity item - except for the truly truly large mega-buck routers?

    I could easily see Dell or Huawei encroaching on their market very very soon. Dell is an amazing assembly plant that happens to sell computers (and tvs, laptops, pdas, soon - printers)

    Huawei has the benefit of super low cost labor to eat into any competitor's margins.

    Cisco is caught between a rock and a hard place, they do R&D in networking components, but after a certain point, everything in techland becomes a commodity or margin locked.

    Good Luck Cisco - I sense you will have to reinvent yourself like Sun, Apple, and HP - very very hard things for large companies to do.

  49. I disagree with this model. by anti-NAT · · Score: 1

    What happens if the CSA is compromised? The network shouldn't trust the host, or any software running on it, to make network protection decisions that the network will blindly follow. This model implies that Cisco believe they can write perfectly secure and perfectly trustworthy software that operates on a perfectly insecure and perfectly untrustworthy OS such as Windows. I'd doubt they actually believe that.

    I explain some more about the network security model I believe should be followed in this previous post - Hosts shouldn't trust the network; Network ...

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:I disagree with this model. by danielrm26 · · Score: 1

      > The network shouldn't trust the host, or any software running on it, to make network protection decisions that the network will blindly follow.

      The alternative today is to do no such access control from a network standpoint. Don't let perfect be the enemy of vastly improved.

      --
      dmiessler.com -- grep understanding knowledge
    2. Re:I disagree with this model. by anti-NAT · · Score: 1

      I don't disagree with your sentiment.

      First up I'll admit that I don't really know much about how the software in question works, so my opinion below is based on speculation.

      Thinking a bit more about how this model could be implemented, there are fundamentally two components :

      • the software itself
      • the protocol used by the software to communicate policy to the network devices

      Each of those two components provide an opportunity for attack.

      Firstly, as I mentioned before, the software will have bugs in it, and those bugs may be exploitable, such that the software can be used to generate alternative, malicious commands or status messages that the network will obey.

      Secondly, the protocol itself may be vulnerable to being spoofed. It may be enough for malware on the host PC to send carefully formed packets that again generate alternative, malicious commands or status messages that the network will obey.

      A lot of effort could be put into "securing" the software, making it impervious to exploits. However, I'm sure most people would agree that the only bug free program that has ever existed has been "hello world", and even that relies on external libraries that can have vulnerabilities.

      The communications protocol could be "secured" by using mechanisms such as HMACs, and public / private key authentication mechanisms. The protocol could probably be proven secure.

      Unfortunately, security is a weakest link problem, so if the software can be exploited to generate "wrong" messages via a secure protocol, security has been compromised.

      I think the broader issue is that "users" shouldn't be trusted to "administer" security policy that they would be affected by. Running security software on the desktop PC that administers the user's security policy breaks this rule. The users themselves may not do it directly, however, untrusted software they download or receive as an email payload might.

      --
      The Internet's nature is peer to peer - 20050301_cs_profs.pdf
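
An added illustration of the weakest-link argument in the reply above (not code from the post, nor from Cisco's product): a posture agent authenticates its status report with an HMAC, the network device verifies the report and rejects tampered or replayed copies, and yet a report produced by a compromised agent holding the same key is indistinguishable from an honest one. Host name, local facts, timestamps and the per-host key are constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical per-host key shared by the posture agent and the network device.
AGENT_KEY = b"hypothetical-per-host-agent-key"


def assess(facts):
    """What an honest agent reports: every local check must pass."""
    return "compliant" if all(facts.values()) else "noncompliant"


def build_report(host, status, ts, key=AGENT_KEY):
    """Agent side: serialize the posture report and authenticate it."""
    body = json.dumps({"host": host, "status": status, "ts": ts}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def network_decision(body, tag, now, key=AGENT_KEY, max_age=60):
    """Network side: check MAC and freshness, then map the status to an access decision."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "quarantine"            # tampered with or forged in transit
    msg = json.loads(body)
    if now - msg["ts"] > max_age:
        return "quarantine"            # stale, most likely replayed
    return "admit" if msg["status"] == "compliant" else "quarantine"


def scenario():
    now = 1_700_000_000               # fixed clock so the run is deterministic
    host = "pc-42"
    facts = {"av_running": True, "patched": False}    # constructed: host is not compliant

    # 1. Honest agent on a non-compliant host.
    body, tag = build_report(host, assess(facts), now)
    honest = network_decision(body, tag, now)

    # 2. Malware rewrites the report on the wire; the MAC no longer verifies.
    tampered_body = body.replace(b"noncompliant", b"compliant")
    tampered = network_decision(tampered_body, tag, now)

    # 3. Malware replays a report captured an hour ago, when the host was compliant.
    old_body, old_tag = build_report(host, "compliant", now - 3600)
    replayed = network_decision(old_body, old_tag, now)

    # 4. Malware runs inside the agent's process and uses its key. The message is
    #    authentic as far as the protocol can tell, and the network obeys it.
    body, tag = build_report(host, "compliant", now)
    compromised_agent = network_decision(body, tag, now)

    return {"honest": honest, "tampered": tampered,
            "replayed": replayed, "compromised_agent": compromised_agent}


if __name__ == "__main__":
    for case, decision in scenario().items():
        print(f"{case:18s} -> {decision}")
```

Cases 2 and 3 show the protocol doing its job; case 4 shows why that is not enough: the MAC proves the report came from something holding the agent's key, not that the agent was telling the truth.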
    3. Re:I disagree with this model. by Alsee · · Score: 1

      You missed the fact that Cisco's system runs on top of Trusted Computing. Of course that is mainly because Cisco and other companies actively BURY the fact that such projects are Trusted Computing based. They want to hide from outrage and bad press related to Trusted Computing.

      If you don't have a Trusted compliant machine then Cisco's system denies you a net connection.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    4. Re:I disagree with this model. by nzkbuk · · Score: 1

      So what happens with packets that come from outside your network ?

      a) They require Trusted computing
      b) They are assumed to have passed whatever required tests

      In short do the routers pass on (and expect) whatever certificates are exchanged.

      If it's a) what about all the old routers / networks or the vast bulk of servers on the internet that doesn't run M$ Windows

      If it's b) then security is out the window. How can you expect to be secure if you trust everyone not directly connected to your switches and so verified by your routers?

    5. Re:I disagree with this model. by Alsee · · Score: 1

      I'm not sure I completely understand your question. I'll guess a little and try to clarify some points. I think you are asking about a corporate Trusted network and ordinary untrusted routers out on the normal internet. Let's say you have a Trusted laptop and you're out of the country on a business trip. You attempt to link to the corporate network. Your computer generates Trusted packets and passes them over the open internet and across untrusted routers. Those normal internet routers pass the packets along unmodified. The corporate gateway router might then directly inspect those packets or it may even set up a connection to query your Trusted laptop. Either way the corporate gateway router can authenticate that your packets are originating on a Trusted and Compliant machine. Those packets are also encrypted en route, and likely continuously authenticated with encrypted checksums. Any untrusted router or attacker on the internet might be able to block or destroy those packets, but since they are encrypted and authenticated it is impossible for them to read or alter those packets.

      Or perhaps you were thinking of incoming webpages coming from non-Trusted webservers? That would depend upon how the Trusted router was configured. It could outright reject any packet from a non-Trusted machine, but a more likely configuration would be to allow a webpage request to go out from the Trusted network and then allow essentially anything to come in as a reply to that outgoing request. Any untrusted packet that was not a reply to a standing outgoing link would be blocked. And since any computer inside the network is Trusted compliant the Trust system can restrict what outbound requests are even possible in the first place.

      Did that answer your question?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    6. Re:I disagree with this model. by nzkbuk · · Score: 1

      It was the latter that I was asking about.

      How about the situiation of incoming connections eg mail ?

      Or perhaps a customer wanting to look at the corporate website.

    7. Re:I disagree with this model. by Alsee · · Score: 1

      > a customer wanting to look at the corporate website

      The one setting up the corporate network and website would choose whether they want to allow non-Trusted connections in. If you want everyone to see your website then just leave it wide open.

      However you are going to see an increasing number of websites that are only viewable with a Trusted Computer and using a Trusted browser. The website is then able to use the Trust system to ENFORCE that it's ads are displayed. It can prevent you from using a pop-up blocker. It can make it impossible to save a copy of images or text or media files from the site. They can prevent other websites from "leeching" and of the files. They can block anyone from "deep linking". They can track your identity. And they can enforce absolutely any sort of terms-of-service they like. There will be a million reasons webstites will choose to use the Trust system. Either you are compliant and the webpage displays, or you are non-compliant and it is impossible to view the webpage.

      It will be like trying to surf the web with javascript and cookies shut off, you'll constantly trip over websites that don't work. They'll just pop up those lovely helpful error messages explaining how to turn your cookies back on and explaining how to turn your javascript back on and explaining how to turn the Trust system back on.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  50. Slight edit. by anti-NAT · · Score: 1

    I wrote

    Hosts shouldn't trust the network to deliver data securely, as the consequences of secure delivery are most felt by the hosts (and therefore the users sitting behind them).

    which really should be

    Hosts shouldn't trust the network to deliver data securely, as the consequences of insecure delivery are most felt by the hosts (and therefore the users sitting behind them).

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  51. Yes there is by anti-NAT · · Score: 2, Funny
    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:Yes there is by Megane · · Score: 1

      I aim a little higher. Or is that lower?

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  52. Re:Heh by Anonymous Coward · · Score: 0

    Most local libraries provide public internet access. Combined with AC posting, it would be impossible to identify him. Unless, of course, his information could be tracked to him by the others that knew the same info.

  53. Mmmmmmkay..... by Anonymous Coward · · Score: 0

    If CiscoIDS is any indication of the quality of their security mindset...I wouldn't expect them to master it anytime soon.

  54. enterprise security products by Anonymous Coward · · Score: 1, Informative
    cisco's corp support for tier 1 and 2 at least, is complete shit. I once argued for 20 minutes with a 2nd tier tech who was trying to tell me that a router was giving two devices problems on the same subnet. tech: "oh, there's probably a firewall or router blocking this." me: "device A is 10.10.10.1, device B is 10.10.10.2. The subnet mask is 255.255.255.0 for both devices. Which router are they going across? It is a _flat_ network." Took me twenty minutes and eventually I just got pissed off enough to demand that they escalate the call to a tech whose vision wasn't impaired by his anus.

    Juniper's made some great strides, but as much as I like their products, what I've seen of Fortinet products is much more impressive. Having all your enterprise network and infrastructure devices in one product is reaaaaaaaaaaalllly fucking handy. No more explaining "ok, the up-link is coming from our IDS, then comes our firewall, then comes our VPN device, then comes the spam filtering boxes."

    Fortinet was founded by one of the guys who started Netscreen (which is now Juniper) and some of their ideas are really worth checking out (like re-ordering packets to search them as one complete packet -- no "deep-inspection" BS like Netscreen or TippingPoint IDS'). From what I understand from speaking to company reps, this was one of the things that made the founder go from Netscreen to creating his own company.

    Purpose-specific products (e.g. sealed boxes with ASICs that do one thing reallllly well) are the future of enterprise-level security, imo. Linux (or Solaris or what-have-you) doing firewalling or routing or anti-spam or whatever may be adequate for small offices, but is not an ideal solution for large companies (10000+ users).

    1. Re:enterprise security products by skingers6894 · · Score: 1

      In reference to the Cisco support guy and not that I imagine this is the case here but there ARE layer-2 firewalls that could block traffic between two hosts on the same IP network. Not a PIX of course, but other firewalls :-)

      On the other note the case for integrated silicon-based security solutions is very interesting. I can see your point about reducing complexity with a single box solution but I don't think the security solutions are quite "there yet" to support this.

      Firstly not all of these security mechanisms do well in silicon. For example, almost anyone can make a pretty handy silicon based ethernet switch because what it is doing is well defined and understood. Security exploits are a little more variable than switching ethernet however. Firewalls are probably the oldest security device out there and so the path to silicon has been built on experience. By comparison IDP technology is not nearly so robust or mature. This has some time to go in the development cycle before we can start relying on silicon versions.

      It is this lack of maturity in the security market that leads to the biggest problem for integrated solutions. No single vendor makes the best solution for every security mechanism. In fact some security analysts argue that no single vendor makes even a satisfactory solution for every security mechanism.

      Don't get me wrong, I like the idea. It's going to need some time though.

  55. But that's not all! by Anonymous Coward · · Score: 0
  56. That ain't no "backhoe" by anti-NAT · · Score: 1

    This is a backhoe !

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
    1. Re:That ain't no "backhoe" by Anonymous Coward · · Score: 0

      Holy shiiiit.

  57. Every company HAS to be a security company by zerofoo · · Score: 2, Informative

    Cisco has always been a security company. My favorite quote from the article:

    "Cisco isn't known as a security company,"

    Really? IOS doesn't have any security features built in? What exactly are my PIX firewalls doing for me?

    Security isn't something you can buy from a vendor and just roll out over a weekend. Security must be present at every layer of your network. Routers, firewalls, switches, servers, desktops, operating systems, applications, user accounts, and even peripherals must be scrutinized for security these days. Cisco realizes this, and is taking steps to secure "their" part - the network part.

    Now if we could just get some software guys in Redmond to check their input buffers...

    -ted

  58. Better colours by Anonymous Coward · · Score: 0
  59. They may have been being reasonable by anti-NAT · · Score: 1

    General design philosophy is that "core" anything shouldn't have ACLs, as they inhibit performance.

    ACLs on a core device are usually a sign that a non-optimal design is being used. Push the ACLs towards the edge if you can, so traffic is dropped as early as possible. It also distributes the ACL processing load across many more devices, by distributing subsets of the network ACL set to those devices, rather than concentrating the network ACL set on a more central device.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  60. Cell "doubtless Trusted Computing"? Don't think so by koko775 · · Score: 1

    "The new CELL processor is documented as having a DRM enforcement system embedded in the CPU itself. There's no details available on this "DRM enforcement system", but it is doubtless Trusted Computing."
    I guess IBM will be crippling linux rather than protecting Sony's profits on the PS3? Hmm, no. Take off your tinfoil hat and realize that anything designed to take away our freedoms is at least slightly more insidious than giving Microsoft and Apple and Sun monopolies on the OS market.

  61. Cisco Patents Fix/Patch by Anonymous Coward · · Score: 1, Informative

    > Bloaty, reactive software (Norton AV) goes down with the sinking ship (an exploding windows box).

    You don't mean the TCP Reset Vulnerability in Cisco's BGP do you? You know, the one Cisco tried to blow out of proportion by including the internet, while in reality it was their own implementation that didn't take security seriously. But that's not all, Cisco then tried to patent the fix for largely their own vulnerability.

    "Feature: Understanding TCP Reset Attacks, Part I"
    http://kerneltrap.org/node/3072?PHPSESSID=941eb76f2c0adc72440aafe3477bac43

    "You are being told "lots of people have a problem". By not separating out the various problems combined in their notice, or the impact of those problems, you are not being told the whole truth."
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108248948202715&w=2

    "cisco is affected and tries to make it look like it was a problem everybody has, which it isn't, and it looks like they managed to fool you."
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108264490523927&w=2

    Cisco applied for a patent to the TCP Reset vulnerability Fix. Patenting a freaking FIX...
    http://marc.theaimsgroup.com/?l=openbsd-misc&m=108431540506674&w=2

  62. Re:The other way around : networking is the produc by AwaxSlashdot · · Score: 1

    I do agree: security is not a final purpose. But it is needed in many products and sometimes, to be efficient, must span across many of them.
    But security is not a target, communication/work/processing is.

    --
    Sig (appended to the end of comments you post, 120 chars)
  63. Can we say "flop"? by putaro · · Score: 1

    This might be that actual strategy but I guarantee that this will flop big time.

    A) A large percentage (growing all the time) of people connect to the Internet via their own little NAT boxes. Killing everyone's NAT boxes will not fly well.

    B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.

    These kind of big bang schemes are often dreamed up by marketing types and control freaks but the reality is that they're damned hard to roll out. I doubt this will go anywhere really. Samsung just got suckered is all. If Dell said they were doing it it might be something to take seriously.

    1. Re:Can we say "flop"? by Alsee · · Score: 1

      > guarantee that this will flop big time.

      > A) A large percentage (growing all the time) of people connect to the Internet via their own little NAT boxes.


      I don't think the NAT matters. It's the data you are passing through that NAT that matters. It's the PC creating those packets that matters. Those packets are encrypted and signed. It is impossible for you or your NAT to alter the contents of those encrypted packets except to block/destroy them. The ISP would only accept an authenticated packet that originated from a Trusted Compliant machine.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    2. Re:Can we say "flop"? by Alsee · · Score: 2, Informative

      Whoops, I accidentally posted only half a post. Here's the second half:

      > B) What about all the non-Windows boxes hooked to the network? And I'm not talking about Macs, I'm talking about all the little doo-hickeys that get hooked to the net like my printer, people's TIVO's, etc.

      Well, there's no reason your OLD printer and stuff can't still work on an internal network. They just wouldn't be able to talk to the outside internet.

      As for new stuff, there's a big push to start dumping Trust chips into pretty much everything that will be networked. Your 5 year old printer and webcam won't be supported by your ISP, but your New and Improved Network Secure printer and webcam will probably work fine.

      > If Dell said they were doing it it might be something to take seriously.

      YES, I AGREE.

      Only a few Dell models are currently Trusted Compliant, but as I said, not a single PC manufacturer will be selling non-compliant systems once Longhorn rolls out. Do you seriously think Dell is going to sell computers that can't fully run the new version of Windows? Computers that can only run the new Windows in crippled mode with a downgraded graphics interface? And you KNOW Windows will occasionally pop up "error" messages complaining that it can't do X, Y and Z because your hardware is incompatible.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  64. Value for your money by Anonymous Coward · · Score: 0

    > What exactly are my PIX firewalls doing for me?

    Well, I don't know and it's difficult to say, but it certainly does something for the people who have the source. Maybe they'll take your computers and networks for a spin.

    http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=2546

  65. Re:Cell "doubtless Trusted Computing"? Don't think by Alsee · · Score: 1

    > I guess IBM will be crippling linux

    I don't think it's completed yet, but there will be a Trusted Linux available soon. It will almost definitely be available before Longhorn is out.

    Oh, and in case it wasn't clear, Trusted Computing processors will run existing Linux and all existing software just fine. However normal Linux and software will not be able to read Trusted files. Also you will increasingly run into software and servers that will refuse to talk to normal Linux or unTrusted applications. In a few years you may not be able to get an internet connection except with Longhorn or a Trusted Mac or with Trusted Linux.

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  66. ECC not patent encumbered by Paul+Crowley · · Score: 2, Informative

    Despite what Certicom would have you believe, it's perfectly possible to use ECC and point compression without trespassing their patents. There are some optimizations and nice tricks that are patented, but they are not essential.
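
Point compression as the post means it, shown as an added example that is not from the post: a point is transmitted as its x-coordinate plus one parity bit of y, and the receiver recovers y with a modular square root. The curve parameters are secp256k1 (a well-known curve chosen for the example; the post names none), whose prime is 3 mod 4 so the root is a single exponentiation. The decoder rejects malformed encodings and x-coordinates that have no point on the curve, which is the check a practitioner wants before feeding a received point into any further arithmetic.

```python
# secp256k1: y^2 = x^3 + 7 over GF(p), p = 3 (mod 4).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def on_curve(x, y):
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def compress(x, y):
    """33-byte SEC1 encoding: 0x02 if y is even, 0x03 if odd, then x big-endian."""
    if not on_curve(x, y):
        raise ValueError("point is not on the curve")
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def sqrt_mod_p(v):
    """Square root modulo p for p = 3 (mod 4); raises if v is a non-residue."""
    r = pow(v, (P + 1) // 4, P)
    if (r * r - v) % P != 0:
        raise ValueError("no square root: no point has this x-coordinate")
    return r


def decompress(data):
    """Recover (x, y) from the compressed form, rejecting malformed input and
    x-coordinates that are not on the curve."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("bad compressed point encoding")
    x = int.from_bytes(data[1:], "big")
    if x >= P:
        raise ValueError("x out of range")
    y = sqrt_mod_p((x * x * x + A * x + B) % P)
    if (y & 1) != (data[0] & 1):
        y = P - y               # the other root has the opposite parity (p is odd)
    return x, y


def double(x, y):
    """Affine point doubling; used here only to produce a second test point."""
    lam = (3 * x * x + A) * pow(2 * y, P - 2, P) % P
    x3 = (lam * lam - 2 * x) % P
    y3 = (lam * (x - x3) - y) % P
    return x3, y3


def roundtrip(x, y):
    return decompress(compress(x, y)) == (x, y)


if __name__ == "__main__":
    print(compress(GX, GY).hex())
    print(roundtrip(GX, GY), roundtrip(*double(GX, GY)))
```

The whole technique is the parity byte plus the square root; nothing beyond the curve equation is required to encode or decode a point.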

  67. Treacherous Computing doesn't stop Linux entirely by Paul+Crowley · · Score: 1

    You will still be able to run Linux on a TC platform. It's just that you'll no longer be able to fool other (local and remote) software into thinking you're running Windows.

    TC is evil, but it's more subtle than a hardware lock that prevents you from running Linux on the platform.
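
A stripped-down model of the property the post is pointing at (remote software can check what actually booted), as an added example that is not part of the original post or of any vendor's product: a measured-boot PCR chain plus a quote over it. Component names, the nonce and the key are constructed; the quote is an HMAC with a key held only by the toy TPM object, standing in for the signature a real TPM produces with its attestation key, and the event log is the list of measured components the host hands to the verifier.

```python
import hashlib
import hmac


def h(data):
    return hashlib.sha256(data).digest()


def extend(pcr, digest):
    """PCR extend: PCR <- H(PCR || digest). Order matters and nothing can be undone."""
    return h(pcr + digest)


def replay_log(event_log):
    """Verifier side: recompute the PCR that a given measurement log must produce."""
    pcr = bytes(32)
    for component in event_log:
        pcr = extend(pcr, h(component))
    return pcr


class Tpm:
    """Toy TPM: the quote key lives here and is never handed to software."""

    def __init__(self, quote_key):
        self._quote_key = quote_key
        self.pcr = bytes(32)

    def measure(self, component):
        """Called by firmware/bootloader for each component before it runs."""
        self.pcr = extend(self.pcr, h(component))

    def quote(self, nonce):
        """Attest the current PCR, bound to the verifier's nonce."""
        return hmac.new(self._quote_key, nonce + self.pcr, hashlib.sha256).digest()


def verify(quote_key, nonce, claimed_pcr, quote, event_log, known_good):
    """Remote verifier: quote authentic, log consistent with the quoted PCR,
    PCR equal to a known-good boot. Returns 'ok' or the reason for failure."""
    expected = hmac.new(quote_key, nonce + claimed_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, quote):
        return "bad-quote"
    if replay_log(event_log) != claimed_pcr:
        return "log-mismatch"
    if claimed_pcr != known_good:
        return "unknown-software"
    return "ok"


WINDOWS_BOOT = [b"firmware", b"bootmgr", b"winload", b"ntoskrnl"]   # constructed names
LINUX_BOOT = [b"firmware", b"grub", b"vmlinuz", b"initrd"]
QUOTE_KEY = b"hypothetical-attestation-key"
NONCE = b"verifier-nonce-0001"


def boot(event_log, tpm):
    for component in event_log:
        tpm.measure(component)
    return tpm


def scenario():
    known_good = replay_log(WINDOWS_BOOT)          # what the remote service expects

    win = boot(WINDOWS_BOOT, Tpm(QUOTE_KEY))
    lin = boot(LINUX_BOOT, Tpm(QUOTE_KEY))

    honest_windows = verify(QUOTE_KEY, NONCE, win.pcr, win.quote(NONCE), WINDOWS_BOOT, known_good)
    honest_linux = verify(QUOTE_KEY, NONCE, lin.pcr, lin.quote(NONCE), LINUX_BOOT, known_good)
    # The Linux box presents a copied Windows log with its own genuine quote.
    fake_log = verify(QUOTE_KEY, NONCE, lin.pcr, lin.quote(NONCE), WINDOWS_BOOT, known_good)
    # Software forges a quote over the known-good PCR without the TPM's key.
    forged = hmac.new(b"guess", NONCE + known_good, hashlib.sha256).digest()
    fake_quote = verify(QUOTE_KEY, NONCE, known_good, forged, WINDOWS_BOOT, known_good)

    return {"honest_windows": honest_windows, "honest_linux": honest_linux,
            "fake_log": fake_log, "fake_quote": fake_quote}


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:15s} -> {result}")
```

The Linux machine still boots and still gets a valid quote; what it cannot do is make that quote match the Windows measurements, because the PCR value is fixed by what was actually loaded and the quote key never leaves the TPM.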

  68. Cisco websites already updated by dago · · Score: 1

    Hum, it seems they are already publishing info ...

    For example, this Cisco Clean Access is the re-badged and cisco-integrated Perfigo CleanMachines.

    --
    #include "coucou.h"
    1. Re:Cisco websites already updated by dago · · Score: 1

      missing link : Cisco Clean Access

      --
      #include "coucou.h"
  69. Re:Heh by rylin · · Score: 1

    They most definitely do.
    Which is why I can't post as an AC from home any more. . . :P

  70. Cisco has a lot of nerve by AlphaSys · · Score: 1

    Cisco as security company? Sure, why not?

    These are the same guys who'll shout high and low that the internet could be brought down by a particular vulnerability and then refuse to supply the fix (not an IOS upgrade, mind you, just a patch) to anyone running their gear but without a current maintenance contract. Sorry, if your gear powers a sizable fraction of the internet and you have already made your money off of selling it, it is your responsibility to the community to provide patches for this kind of exploit gratis if in fact it is as dire as you say it is. Security company? Bah. Profiteer!

    --
    Can I bum a sig? I left mine at the office.
  71. "Sick?" by burndive · · Score: 1

    Am I the only one here who thinks this usage of the word "sick" is the most unoriginal, contrived linguistic device since the 1980's?

    --
    ...because "hacker" sounds way sexier than "code drone."