Slashdot Mirror


Cisco Updates Network Security Technology

Beatles-Beatles writes to tell us that Cisco has announced an enhanced version of its Network Admission Control (NAC) technology. From the article: "Under its NAC initiative, Cisco is developing a range of tools that let companies permit, deny, quarantine or restrict admission to networks based on an end user's security status."

76 comments

  1. You are looking at Trusted Computing. by tepples · · Score: 4, Interesting

    This Cisco technology is implemented in terms of Trusted Network Connect, a specification published by the Trusted Computing Group. Alsee explains how and why major residential ISPs will eventually use it to condition customers' Internet access on acceptance of Trusted Computing measures.

    1. Re:You are looking at Trusted Computing. by Anonymous Coward · · Score: 0

      I am sure this will be a cisco only feature requiring *only* cisco products from access to distro layer. Blegh...

    2. Re:You are looking at Trusted Computing. by Anonymous Coward · · Score: 1, Interesting

      I for one welcome Cisco's attempt at overlording. It can only hasten the massive peer to peer mesh networks of the future. Who will need "The Internet" of the big boys when you can route packets anywhere in the world over commodity wifi mesh networks with a few backbone links? The Internet will route around damage, including silliness like trusted networks.

    3. Re:You are looking at Trusted Computing. by Anonymous Coward · · Score: 0

      This Cisco technology is implemented in terms of Trusted Network Connect, a specification published by the Trusted Computing Group.

      No it's not. Cisco is not a member of the TCG, and NAC is not compatible with TNC.

    4. Re:You are looking at Trusted Computing. by Glamdrlng · · Score: 1

      From what I've seen it will only require Cisco devices at the access layer. It would have been nice if they had built it similar to Checkpoint's intrusion prevention, where the client talks 802.1x with the switch and deliberately fails its dot1x authentication if the agent doesn't like something about the host's configuration.

      --

      Yes, my only tool is a hammer. And you're starting to look like a nail.
    5. Re:You are looking at Trusted Computing. by tepples · · Score: 1

      Cisco is not a member of the TCG, and NAC is not compatible with TNC.

      Details, details. The parts of NAC are said to correspond precisely to the parts of TNC.

  2. Cisco needs to update more than its tech by saskboy · · Score: 2, Interesting

    ""With this, we are selling NAC on switches, routers and on just about every product we sell," Gleichauf said, adding that Cisco now has over 60 vendors participating in the NAC initiative."

    Now if only their Contract website was as easy to manage as their Linksys routers. I try to log in to their website to check the account status, and they make me jump through hoops and look for hidden links. It makes me wonder if any web designer works for them.

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
    1. Re:Cisco needs to update more than its tech by Vombatus · · Score: 3, Funny
      I try to log in to their website to check the account status, and they make me jump through hoops and look for hidden links

      That is classic security by obscurity. If you cannot find the links, you cannot access any information.

      --
      This sig is intentionally blank
  3. You can't block the CEO by ReformedExCon · · Score: 3, Interesting

    I'm just joking, of course. CEOs are typically the most informed of all employees at any given company.

    But this is pretty cool. The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer. It isn't like infected computers are going to run around flagging routers of their infected status.

    I wonder how they will manage this type of security clearance system. If it works, this is one of those technologies that is right on time. If we can stop viruses from infecting whole networks by shutting infections out of the network, then they can't propagate very far at all.

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:You can't block the CEO by rovingeyes · · Score: 3, Funny
      "I'm just joking, of course. CEOs are typically the most informed of all employees at any given company."

      Ahem...I take it you are a CEO of a company?

    2. Re:You can't block the CEO by Anonymous Coward · · Score: 0

      No, no, he was joking, see? He wasn't actually suggesting that CEOs know anything.

    3. Re:You can't block the CEO by Anonymous Coward · · Score: 5, Informative

      I was actually at a security conference a few weeks ago and a guy from Cisco presented some of their new stuff including this. Basically your computer will have to have some kind of antivirus software on it and communicate about it to gain access to the network. Right now it's limited to about 10 vendors, and it is a closed protocol. He mentioned that eventually they would open it up and also add more vendors (missing was AVG :( ).

      If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way. Maybe only allowed to receive email, browse (maybe certain sites), etc.

      Another cool thing is that all this will sit on the front of your network and be coupled with another product. Actually it may be all one product, I can't remember for sure. But the other part is a way to simplify managing your network in the event of an outbreak of a new worm, virus, etc. The way it worked was they were partnered with an AV company (I think Trend Micro maybe) and as soon as that company finds out about a new worm, they can send out some loose information about it. Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network. This would be in roughly 15 minutes of learning of the new attack. Then within typically 90 minutes they will have out a way to digitally fingerprint this attack, and more specific rules are downloaded to the routers. Think something like the string codered sent out could be blocked.

      This would be a very fast solution to contain these things, especially when you think of large networks at say a large university or corporation with lots of routers. Way faster than what an admin could do by hand. Also it could be configured as to what ports could be blocked. Think not blocking outgoing port 80. Although I never got a clear answer about how this would work in the 15 minute part of initially just blocking a port since some worms do propagate on these commonly used ports. I'm sure they'll work all this out :)

      Let's just hope they stick to opening up the protocols in this trusted networking approach so that more vendors can get involved. If so, I don't think we have to fear trusted computing as this is an example of how it could be a _good_ thing.

    4. Re:You can't block the CEO by Anonymous Coward · · Score: 0

      It isn't like infected computers are going to run around flagging routers of their infected status.

      Clearly you have never dated. Every woman I have ever met has clearly indicated their herpes/AIDS/syphilis/etc. status. That is why I am the healthy individual that I am today.

    5. Re:You can't block the CEO by timmarhy · · Score: 1

      CEOs are typically the densest people in the company; their days comprise meeting other dense CEOs and thinking up clever schemes like trusted computing, which help boost their self-denial about the world at large.

      --
      If you mod me down, I will become more powerful than you can imagine....
    6. Re:You can't block the CEO by Anonymous Coward · · Score: 0

      How the fuck is this a good thing? If the free anti-virus vendors (whose products only exist for one badly designed platform) are not members, the Open Source community at large is really screwed; we can't attest that we are running approved software so we get quarantined? Sounds *great*. The alternative is that we have to run an "approved" version of Linux from IBM or RedHat (bittersweet since people really concerned about security wouldn't choose anything those two companies had touched)? Or use horrible buggy binary blobs like the stupid drivers from Adaptec or nVidia? I am glad that it was a company such as Cisco that introduced this; they are getting eaten alive everywhere but the very high end by companies in Asia because their stuff is A) expensive and B) sucks.

    7. Re:You can't block the CEO by muzzmac · · Score: 1

      He's not but I'm the CEO of your company.

      Now get back to work.

    8. Re:You can't block the CEO by qwertphobia · · Score: 1

      The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.

      Just run a scan on them. Either a) they're your (IT's) computers, or (b) they signed an acceptable use policy, which says you might scan for vulnerabilities.

      --
      Never ask for directions from a two-headed tourist! -Big Bird
    9. Re:You can't block the CEO by quibbs0 · · Score: 1
      LOL!!! Sorry I was just reading a good article about the sociopathic bosses. Always love those. Turns out they ARE the most informed. Ok just kidding.

    10. Re:You can't block the CEO by 99BottlesOfBeerInMyF · · Score: 1

      If you don't have proof that you ran those tools, you may not have to worry about being completely shut out of the network. You may just be admitted onto the network in a restricted way.

      What garbage. First, there are already products that run scans on an entire network and base access upon those results. They work well and do not require a client-side component. Second, if Cisco requires third parties to register/license with them it will eventually become a tax on connecting to the network, paid to Cisco, and most open source will be shut out since they can't pay. Third, if Cisco provides their own tools they will suck just as badly as all the other flaky client-side programs they have provided. Finally, anyone care to comment if Cisco is eating their own dogfood here, or do they still rely upon the better solutions provided by their competitors to police their own network?

      Cisco is a company that provides half-assed solutions, based upon companies they buy cheaply just as they are on the brink of being bankrupted by better, competing solutions. They rely upon their huge market share in routing and name recognition to sell these half-assed products to admins who don't know any better. The sad thing is there are about three companies who provide this sort of service, but do it right and have solutions that actually work properly, but most IT people don't take the time to properly evaluate the offerings, they just add another item to their quarterly order to Cisco and assume it will work.

    11. Re:You can't block the CEO by Pii · · Score: 2, Informative
      So many salient points to choose from... Where to start...

      It's a good thing because:

      • It can rapidly harden an enterprise to a specific attack vector, preventing countless hours of isolating infected systems, and cleaning them individually.
      • Non-conforming systems can be granted access to the network in any manner that you choose: Non-conforming Windows systems can be put in a "dirty" or "quarantine" VLAN, with access just to the Internet, or to Virus Signature update servers. Other systems (Unix/Linux/etc.) can have a completely different policy, including full access.
      • You don't have to use it, but it's out there, and there's a lot of clueless organizations in the world that will benefit from it, and if they deploy it, that helps you too.

      I wasn't aware that Cisco was getting eaten alive by anyone. Yes, they are more expensive than most of their competition, but if you've ever dealt with the TAC (Cisco's Technical Assistance Center), it's a premium you don't mind paying.

      As for them sucking, to each his own. I'll take Cisco over you any time.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
    12. Re:You can't block the CEO by Quince+alPillan · · Score: 1
      Maybe that it tries to propagate on outgoing port 666, and your router would download this information and block port 666. It would also be able to update all the routers in your network.

      Wee! Now we can shut down the internet with a well placed virus. If you can talk with your router, certainly I can as well. All I need to do is pretend I'm the authoritative router (DNS poisoning maybe?) or hack the authoritative router and suddenly I get control of your entire network next time your routers update with my virus infected definition file. Let's just block everything except for port 666 so my virus can still propagate and redirect all port 80 traffic to goatse shall we?

      If so, I don't think we have to fear trusted computing as this is an example of how it could be a _good_ thing.

      Actually, this is the perfect example of how it can be a bad thing. Admittedly, the likelihood of this happening is probably rare, but I'll bet there are people out there who will try.

      <sarcasm>Besides, commercial vendors always have our best interest at heart, even when it conflicts with their bottom dollar.</sarcasm>

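A defender's view of the outbreak-bulletin flow described in the Score 5 comment above (a broad port block first, more specific fingerprint rules later) and of the poisoned-definition concern raised in the comment just above, as an added Python example that is neither Cisco's protocol nor anything the posters wrote: the router verifies every bulletin before applying it, refuses replays and stale bulletins, lets a fingerprint bulletin retire the blanket block it supersedes, and keeps ports the admin marked as never-block (port 80, as the thread suggests) open even when a bulletin asks to close them. The bulletin format, the filter notation and the shared-key HMAC (standing in for a real signature from the vendor) are all assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


# Local policy the admin sets before any bulletin is trusted (constructed values).
@dataclass
class RouterPolicy:
    never_block: set = field(default_factory=lambda: {80, 443, 53})  # keep web/DNS open
    max_age_seconds: int = 3600                   # ignore bulletins older than an hour
    seen_ids: set = field(default_factory=set)    # replay protection
    active: dict = field(default_factory=dict)    # bulletin id -> filter lines in force


def canonical(bulletin: dict) -> bytes:
    """Stable byte form so vendor and router sign/verify exactly the same bytes."""
    return json.dumps(bulletin, sort_keys=True, separators=(",", ":")).encode()


def sign_bulletin(bulletin: dict, key: bytes) -> str:
    """Vendor side. A shared-key HMAC stands in for the asymmetric signature a real
    distribution channel would use (assumption for this example)."""
    return hmac.new(key, canonical(bulletin), hashlib.sha256).hexdigest()


def rule_to_filter(rule: dict) -> str:
    """Render one bulletin rule in a constructed filter notation (not IOS syntax)."""
    base = f"deny {rule['proto']} any any eq {rule['port']}"
    if rule["kind"] == "port":
        return base
    if rule["kind"] == "fingerprint":
        return f"{base} payload-contains {rule['pattern']!r}"
    raise ValueError(f"unknown rule kind {rule['kind']!r}")


def apply_bulletin(bulletin: dict, signature: str, key: bytes,
                   policy: RouterPolicy, now: int) -> tuple[list, list]:
    """Router side. Verify first, then install only what local policy permits.
    Returns (filters_installed, reasons_rejected)."""
    expected = sign_bulletin(bulletin, key)
    if not hmac.compare_digest(expected, signature):
        return [], ["signature mismatch: bulletin discarded"]
    if bulletin["issued"] > now or now - bulletin["issued"] > policy.max_age_seconds:
        return [], ["bulletin timestamp outside acceptance window"]
    if bulletin["id"] in policy.seen_ids:
        return [], ["bulletin already applied (replay)"]
    policy.seen_ids.add(bulletin["id"])

    # A fingerprint bulletin replaces the broad port block that preceded it.
    superseded = bulletin.get("supersedes")
    if superseded in policy.active:
        del policy.active[superseded]

    installed, rejected = [], []
    for rule in bulletin["rules"]:
        # Blanket blocks of admin-protected ports are refused; a payload fingerprint
        # on the same port is still allowed because it is far narrower.
        if rule["kind"] == "port" and rule["port"] in policy.never_block:
            rejected.append(f"refusing blanket block of port {rule['port']} (never_block)")
            continue
        try:
            installed.append(rule_to_filter(rule))
        except ValueError as err:
            rejected.append(str(err))
    policy.active[bulletin["id"]] = installed
    return installed, rejected


def active_filters(policy: RouterPolicy) -> list:
    """Everything currently in force across all applied bulletins."""
    return [line for lines in policy.active.values() for line in lines]


if __name__ == "__main__":
    key = b"constructed-shared-key"            # assumption: provisioned out of band
    policy = RouterPolicy()
    first = {"id": "OB-0001", "issued": 1000, "supersedes": None,
             "rules": [{"kind": "port", "proto": "tcp", "port": 666},
                       {"kind": "port", "proto": "tcp", "port": 80}]}
    print(apply_bulletin(first, sign_bulletin(first, key), key, policy, 1500))
    later = {"id": "OB-0002", "issued": 5000, "supersedes": "OB-0001",
             "rules": [{"kind": "fingerprint", "proto": "tcp", "port": 666,
                        "pattern": "CONSTRUCTED-PATTERN"}]}
    print(apply_bulletin(later, sign_bulletin(later, key), key, policy, 5100))
    print(active_filters(policy))
```
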
    13. Re:You can't block the CEO by Anonymous Coward · · Score: 0

      Damn straight about Cisco merely buying up half-assed solutions and shoving them down corporations' throats. We got fucked by Cisco into buying a piece of shit called the CS-MARS. It's a product they got when they purchased Protego Networks, and now they foist it off onto other companies.

      Just to give you an idea of this thing, it's a server running off-the-shelf hardware (SuperMicro MB, WD hard drives, etc), with a bunch of Expect scripts using a combination of XML files and Oracle as the database, tied together with JBoss. All sitting on top of Redhat 7.2. Seven dot two, for fuck's sake. Ancient versions of everything of course, Oracle was configured by a fucking 2 year old, the security on the thing is a joke, and they charge 200k for it.

      And it doesn't even work properly unless that device has full read/write SNMP access to every single device on your network, in addition to receiving Netflow from every single switch, and it needs the admin passwords to every Windows device.

      All in all, a piece of shit, but they are trying to pass it off as the best thing since sliced bread. We purchased one, because the manager in charge of evaluating the product gets kickbacks from Cisco, so although the entire technical staff that evaluated it recommended in the strongest terms possible that it was the wrong product, we gave them a check for a few hundred thousand (got to include support of course), and then the manager was able to finish paying off his boat. Fuckers.

      Cisco is like Microsoft, but sneakier and stupider.

  4. patches smaches by scenestar · · Score: 1, Offtopic

    they've lost a lot of my respect after they confiscated those books and ripped out "certain" pages.

    --
    perpetually dwelling in the -1 pits
    1. Re:patches smaches by KillShill · · Score: 1

      which books be those?

      arr matey.

      --
      Science : Proprietary , Knowledge : Open Source
    2. Re:patches smaches by Anonymous Coward · · Score: 0

      I'm going to make a guess that the gp is referring to the Blackhat incident, where all of the Cisco related stuff got yanked from the presentation booklet they gave to everybody.

  5. How to "trust" the computer by tepples · · Score: 3, Informative

    The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer.

    Easy. Just make the computer run a scan on itself (using an approved dialer program) and then prove, using Trusted Computing techniques, that it ran the scan that it says it ran. These PDFs explain the process.

  6. Cisco moving up to the application layer by mparaz · · Score: 2, Informative

    It looks like Cisco branded products are moving up the application layer to enterprise products. Perhaps plain IP is now a commodity - they have retained the Linksys brand and not folded the products into "Cisco."

    The PCs mentioned in the article could be clients for their application oriented networking and message queueing architecture and product line.

    1. Re:Cisco moving up to the application layer by ldspartan · · Score: 1

      Two different markets. Linksys targets the home and the SOHO market. Cisco targets... everything else... The name of the game is avoiding brand dilution.

      Statement of bias: I'm an employee of Cisco. Not anywhere near Layers 2 or 3, but an employee nonetheless.

      --
      lds

  7. Clueless Analyst Syndrome by Glamdrlng · · Score: 3, Informative

    The fact that Cisco has finally extended NAC support to its line of switches means that users are likely to be more interested in the technology than they were when it was only available on Cisco routers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.

    Eh? NAC has been available on Cisco switches for a while now. Technically it's been available since they started supporting 802.1x, and switches have been compatible with the Cisco Security Agent since it was developed about a year ago. In fact, I haven't heard of routers being used in conjunction with NAC, CSA, or 802.1x. The only admissions control routers have ever done is access lists, which of course are also supported on layer 3 switches.

    Mr. Conover: did you actually do any research on the technology involved or did you just read through the glossies and spew out something you remembered from the CCNA class you took 5 years ago?
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
    1. Re:Clueless Analyst Syndrome by sportal · · Score: 4, Informative

      Reply to clueless slashdotter:

      NAC Phase 1 was deployed using EAPoUDP (EAP over UDP). It used routers to quarantine devices. It is a layer 3 solution. Other devices could still infect layer 2 connected devices.

      NAC Phase 2 (just announced) is deployed using EAPo802.1x (EAP over 802.1x). It uses switches to quarantine devices. It is a layer 2 solution. Thus an infected device cannot infect other layer 2 devices.

      http://www.acuitive.com/musings/hmv7-12.htm

      http://newsroom.cisco.com/dlls/2005/prod_101805.html

    2. Re:Clueless Analyst Syndrome by Anonymous Coward · · Score: 0

      Switches have nothing to do with CSA other than pass its traffic; it's a HIPS solution for desktops/servers. You're probably thinking of CTA, which is the Cisco Trust Agent. Also switches have not had NAC support; you're wrong and need to research!

    3. Re:Clueless Analyst Syndrome by Glamdrlng · · Score: 1

      Thanks for correcting me. I didn't do all my fact checking so I'll take the clueless label in the chest. I do question the usefulness of using a router or layer 3 switch to do your quarantining though, because from a defense in depth point of view the devices you want to protect with NAC are the ones on the same broadcast domain. As far as phase II being just deployed, I met with Cisco SE's about deploying NAC with layer 2 switches as the quarantine point in November 2004. I declined to test it because I'm not interested in deploying yet another agent on my network. Supposedly they're moving towards configuring options for agent-less machines, when that's an option I'll evaluate it again. As far as my clueless comment goes, I jumped to a clueless conclusion myself and I appreciate being corrected.

      --

      Yes, my only tool is a hammer. And you're starting to look like a nail.
    4. Re:Clueless Analyst Syndrome by Glamdrlng · · Score: 1

      Then I guess the Cisco SE's I met with last year were bullshitting me. Thanks AC.

      --

      Yes, my only tool is a hammer. And you're starting to look like a nail.
    5. Re:Clueless Analyst Syndrome by tlon · · Score: 1

      Actually, I did do my research. And you're not completely off about your Cisco SE asking you to test NAC with L2 switches back in 2004 -- This phase of NAC has been in "testing" for some time, and was originally promised by Cisco several months sooner - not that you should ever trust the promises of a vendor. It doesn't surprise me that SEs were out talking to you about it a year ago - Cisco made its roadmap very public when it first announced the NAC program. I'm disappointed that you fired a shot across my bow without checking your own facts first. Not all analysts are paper thin - I did my time building, evaluating, testing, benchmarking, and troubleshooting networks in the public and private sectors, and spent many a late night ferreting out bugs and sloppy implementations from vendors. And now I spend my time trying to help vendors and end users sort out the real juice from the Kool-Aid. Joel "Clueless Analyst, must be too much time trolling /." Conover

    6. Re:Clueless Analyst Syndrome by Skovoroda · · Score: 1

      With a view to the fact that 802.1x has been broken (http://blogs.technet.com/steriley/archive/2005/08/11/409021.aspx) and requires a cryptography layer to prevent rogue hosts from connecting to the network, I'd consider NAC breakable for now.

    7. Re:Clueless Analyst Syndrome by Glamdrlng · · Score: 1

      I already put my foot in my mouth responding to a previous comment but I'll gladly do so again. Mmm, yummy. Could use a little ketchup though.

      I was in a pissy mood but I had no right to fire a shot in your direction because of it. If I had mod points and could mod my own post down I'd gladly do so. Please accept my humblest apologies sir.

      On a related note, I'm instituting a self-enforced ban on posting in tech forums right after getting out of a change control meeting.

      --

      Yes, my only tool is a hammer. And you're starting to look like a nail.
  8. Great but what about IPv6? by lappy512 · · Score: 0, Offtopic

    Slashdot had an earlier post about Cisco not supporting IPv6, what about that?

    1. Re:Great but what about IPv6? by Anonymous Coward · · Score: 0

      You must have read that incorrectly. Cisco has been supporting IPv6 for some time now.

  9. OpenBSD by Anonymous Coward · · Score: 0

    Didn't OpenBSD do something like this?

  10. For the Internetworking Challenged by Quirk · · Score: 4, Informative
    If, like me, internetworking isn't in your bailiwick, there are a couple of resources I've found handy.

    Cisco's Internetworking Technology Handbook is a bit dated but a great base resource downloadable in pdf.

    Pair the above with IBM's TCP/IP Tutorial and Technical Overview, and round things off by downloading Babel: A Glossary of Computer Oriented Abbreviations and Acronyms, since you'll be in acronym hell.

    Probably few /.ers need the above but they've given me a good overview and reference.

    For What it's Worth :)

    --
    "Academicians are more likely to share each other's toothbrush than each other's nomenclature."
    Cohen
  11. My university already uses it by Anonymous Coward · · Score: 0

    They use CISCO's Clean Access Agent for all students connecting from the dorms. It lets them dictate certain settings before students are able to log on to the network. Like having an anti-virus package running and up to date, having a firewall running and up to date, and having automatic update turned on in Windows XP.

  12. be wary by Anonymous Coward · · Score: 2, Interesting

    Be wary of anything that will lock you into other proprietary hardware. Cisco is running scared right now with Juniper and others right on their tail, so some of this is likely to further cement Cisco into client networks.

    1. Re:be wary by Anonymous Coward · · Score: 0

      Other folks often appear to be "on your tail" when you are a leader. Too bad Juniper doesn't have that problem!

  13. This will work great.... by Pozican · · Score: 1

    Yup, this will work awesome! Until virus creators / spyware creators / worms / trojans (blah blah) read this on slashdot, and reverse engineer it until they figure out how to distribute their viruses without being caught by the router... I'm sure it's not far off, mainly since cisco is so large, so everyone will be implementing this soon

    1. Re:This will work great.... by Gandul · · Score: 1

      Or at least until they figure out a way to use the Cisco Trust Agent to distribute the virus/worm/trojan or any other kind of malicious code.

    2. Re:This will work great.... by Evil+W1zard · · Score: 1

      Cisco devices lend towards reboot when attacked with a buffer overflow so why not create a Slammer like worm with a quick infection vector and then at X time infected PCs send out a reboot sequence across the WAN, which in theory would cause Cisco devices to go into a reboot. If enough devices rebooted at the same time how badly would that affect the Internet? Not sure if this is plausible but if Cisco devices are vulnerable to traffic passing through them in this manner it would seem like an attack like that would work?

      --
      News Reporters Make Tasty Polar Bear Treats!
  14. If the FCC has anything to do with it by tepples · · Score: 3, Interesting

    The Internet will route around damage, including silliness like trusted networks.

    But can a wireless mesh route around legislators and regulators who ban the transmission of electromagnetic waves for unauthorized wireless meshes? And can it choose a within-50-percent-of-optimal route that minimizes speed-of-light latency and processing latency? And can it route across large bodies of water?

    1. Re:If the FCC has anything to do with it by buysse · · Score: 1

      In that case, the "damage" the Internet will route around is the United States. Simple.

      --
      -30-
  15. Pity most OSs authenticate to hosts, not switches by Nailer · · Score: 1

    This isn't a complaint about NAC, I actually like the idea.

    But I bet the way it integrates with the OS is a bit of a kludge (I haven't played with it, just guessing). Most network OSs have methods to integrate with host based auth systems - kerberos, LDAP or some such. Adding a secondary auth to the switch (which from what I hear of these technologies, they do) seems a bit hacky.

    It'd be great if the switch only let the client send auth packets to the kerberos / LDAP server, only enabling them to do anything else once the auth server has approved their login. Maybe a kerberised router that's actually a host that clients need a service ticket to route to anything else, and the KDC automatically sends a service ticket along with the Ticket Granting Ticket.

    Just an idea. Would love to talk to somebody that's played with this stuff and get your ideas.

  16. Compatibility? by fmwap · · Score: 3, Informative

    I wonder how this will work for non-Windows machines trying to gain access?

    Somebody mentioned the Cisco Clean Access Agent in a previous post, googling around a bit shows that only Windows is supported for the AV/Patch scan, and this is easily bypassed by changing the User-Agent on the HTTP login page. Details here

    Cisco's canned response is to use Nessus to determine the real OS, or write your own plugin. Although windows boxen are probably the most common, and the biggest threat, non-Windows products need some sort of working by-pass that doesn't involve simply spoofing the UA.

    1. Re:Compatibility? by dago · · Score: 1

      If you actually read the docs, you'll see that CSA runs on Solaris and Linux as well, and the TrustAgent used for NAC is now available for Linux as well. Only redhat is officially supported, but I guess it should be possible to adapt it. I guess Mac OS X will come next.

      --
      #include "coucou.h"
  17. NAC sucks by Anonymous Coward · · Score: 5, Interesting

    We've tried to deploy NAC locally. It's hell to configure the "CTA" (i.e. magic software that runs only on Windows). It's hell to configure the switches (docs? Like they help...) It's hell to configure Cisco ACS (does Cisco even *use* that PoS?)

    NAC is great in theory, but it's Windows-only, it requires extra software on Windows boxes, it requires all of your switches to be NAC aware, and it requires a NAC aware authenticator.

    Can you say "not going to happen"?

    If someone else comes out with something similar that can be used in the real world, like 802.1x supplicants with a bit more smarts, it will be deployed so fast that Cisco's NAC will be a sad memory.

    NAC: Good in theory. Cisco "gets" routers. They don't "get" network administration.

    1. Re:NAC sucks by Ph33r+th3+g(O)at · · Score: 1

      And I assume Cisco wants some $ per seat, as well--that may be the biggest barrier of all in most places against this next step (client attestation) towards a locked-down Trusted Computing environment.

      --
      I too have felt the cold finger of injustice.
    2. Re:NAC sucks by Anonymous Coward · · Score: 1, Informative

      We're deploying NAC for Solaris, Linux, and OS X clients as well as Windows. Hosts which don't pass muster (can be defined by patch levels, a port scan, etc) can be placed on a fallback VLAN which of course you can apply whatever ACLs or security measures you like.

    3. Re:NAC sucks by Anonymous Coward · · Score: 1, Insightful

      Imagine the fun when NAC flips out and decides to stop talking to the ACS servers. Everyone on a network is suddenly running in virus-mitigation mode (no network access in our configuration). The fix: reboot the router.

      Cisco hasn't made a good product since the Cisco 2500 router running IOS 11.

      I like to remind my PHB when he says "Nobody ever got fired for buying Cisco" that people have gotten fired for wasting money on lousy hardware with 20% failure rates and software that requires more reboots than a Windows 98 box.

      Come on E-rate reform! Audit the fuck out of school so we can finally get rid of this Cisco bullshit!

  18. Initials? by Anonymous Coward · · Score: 0

    Cisco Updates Network Technology Security.

  19. Re:Pity most OSs authenticate to hosts, not switch by Anonymous Coward · · Score: 0

    Check out the RADIUS protocol. That does exactly that. RFC 1865, I think.

  20. Yay! by sl4shd0rk · · Score: 1

    end user authentication with a side-order of bloat - supersized with a vendor lockin feature. I wonder how well non-cisco devices will work with the new NAC overlords?

    --
    Join the Slashcott! Feb 10 thru Feb 17!
  21. Why is this here? by ninja_assault_kitten · · Score: 2, Interesting

    This is nothing more than an advertisement.

  22. Cisco is a late player... by qwertphobia · · Score: 1

    Cisco is a late player to this game, and they're still catching up. They bought a company to bring this technology into the Cisco brand, and they're still working on "cisco-izing" the product.

    Last time I checked this only works with Cisco hardware in the wiring closets.

    Other than that, does it yet come close to the capabilities of Bradford's Campus Manager? Any college trying to lock down their resnet probably used Campus Manager.

    --
    Never ask for directions from a two-headed tourist! -Big Bird
  23. Yes, you can. by Halo- · · Score: 1
    Note: I work for a company which develops software for this solution, but I do not speak for them in any official way. I'm also not going to plug my product by name, because that's not the point of this article. There aren't that many people doing this kind of work, and if you're really interested, you'll find us easily enough.

    But this is pretty cool. The problem, of course, is how to decide whether someone is "secure" or not without running a scan on that computer. It isn't like infected computers are going to run around flagging routers of their infected status.

    One of the principal components of the NAC architecture is something called the Cisco Trust Agent. The CTA is an authenticator framework which allows for multiple third-party vendor plugins. There are existing extensions for several major anti-virus technologies, and also much broader solutions. Basically, when you first show up on the network at a hardware level, the NAC-enabled device (router, switch, etc...) sends a challenge. The CTA then responds with information about the machine generated by CTA itself and any installed plugins. (This can also include authentication, which makes things that much more secure.) The response is relayed to a Cisco Access Control Server (ACS), which then makes a decision about the state (posture) of the machine and pushes down an appropriate set of access controls.

    What's even cooler is that products like the one I work on are capable of "closing the loop" and fixing violations. If your virus definitions are out of date, we can kick off a scan. If you're missing a Windows hotfix, we can install it. If your password length is too short, we can fix that too. All this is done by associating workflows with existing (and proven) configuration and provisioning management solutions.
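    The challenge / response / decision / remediation flow described in the comment above, as an added example that is not part of the original post and is not Cisco's protocol or code: a plain-Python simulation of the three parties (enforcement point, host agent, policy server). The posture attributes, the policy thresholds, the ACL strings, the remediation host 10.1.1.50 and the HMAC-over-nonce binding are all assumptions chosen for illustration; the real product carries posture over its own transport and attribute set.

```python
import hashlib
import hmac
import json
import os
from dataclasses import asdict, dataclass
from datetime import date

# Policy thresholds and ACL strings are assumptions for this example,
# not Cisco ACS defaults; the remediation host 10.1.1.50 is invented.
POLICY = {"min_patch_level": 3, "max_defs_age_days": 7, "min_password_length": 8}
ACLS = {
    "healthy": ["permit ip any any"],
    "quarantine": ["permit tcp any host 10.1.1.50 eq 443", "deny ip any any"],
    "unknown": ["deny ip any any"],
}


@dataclass
class Posture:
    """What the host agent reports (constructed attribute set)."""
    patch_level: int
    av_running: bool
    av_defs_date: str        # ISO date of the last definition update
    password_min_length: int


def enforcement_challenge() -> bytes:
    """Enforcement point (switch/router) issues a fresh 16-byte nonce."""
    return os.urandom(16)


def agent_response(posture: Posture, nonce: bytes, agent_key: bytes) -> dict:
    """Agent serialises its posture and binds it to the nonce with an HMAC."""
    body = json.dumps(asdict(posture), sort_keys=True).encode()
    mac = hmac.new(agent_key, nonce + body, hashlib.sha256).hexdigest()
    return {"posture": body, "mac": mac}


def policy_decision(response: dict, nonce: bytes, agent_key: bytes, today: str):
    """Policy server verifies the response, then returns (token, violations, acl)."""
    expected = hmac.new(agent_key, nonce + response["posture"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["mac"]):
        # Forged, or replayed under a different challenge: treat as unknown.
        return "unknown", ["bad_mac"], ACLS["unknown"]
    p = Posture(**json.loads(response["posture"]))
    defs_age = (date.fromisoformat(today) - date.fromisoformat(p.av_defs_date)).days
    violations = []
    if p.patch_level < POLICY["min_patch_level"]:
        violations.append("patch_level")
    if not p.av_running:
        violations.append("av_not_running")
    if defs_age > POLICY["max_defs_age_days"]:
        violations.append("av_defs_stale")
    if p.password_min_length < POLICY["min_password_length"]:
        violations.append("password_policy")
    token = "healthy" if not violations else "quarantine"
    return token, violations, ACLS[token]


def remediate(posture: Posture, violations: list, today: str) -> Posture:
    """Simulated 'close the loop' workflow: fix each violation the server reported."""
    p = Posture(**asdict(posture))
    if "patch_level" in violations:
        p.patch_level = POLICY["min_patch_level"]       # install the missing hotfixes
    if "av_not_running" in violations:
        p.av_running = True                              # start the AV service
    if "av_defs_stale" in violations:
        p.av_defs_date = today                           # pull fresh definitions
    if "password_policy" in violations:
        p.password_min_length = POLICY["min_password_length"]
    return p


def run_session(posture: Posture, agent_key: bytes, today: str):
    """Challenge -> response -> decision; on quarantine, remediate and re-assess."""
    nonce = enforcement_challenge()
    token, violations, acl = policy_decision(agent_response(posture, nonce, agent_key), nonce, agent_key, today)
    rounds = [(token, violations)]
    if token == "quarantine":
        posture = remediate(posture, violations, today)
        nonce = enforcement_challenge()                  # fresh challenge for the re-check
        token, violations, acl = policy_decision(agent_response(posture, nonce, agent_key), nonce, agent_key, today)
        rounds.append((token, violations))
    return token, acl, rounds


if __name__ == "__main__":
    key = b"constructed-agent-key"
    stale = Posture(patch_level=1, av_running=True, av_defs_date="2006-01-20", password_min_length=6)
    print(run_session(stale, key, "2006-02-08"))
```

    The re-check after remediation uses a new nonce, so a response captured from one assessment cannot be presented as a healthy answer to a later challenge; without that binding a quarantined host could simply replay an old "healthy" report.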

  24. Been there, done that! by Anonymous Coward · · Score: 0

    Citrix currently provides this ability with even more granular options with its end-point analysis scans available with their access gateway's advanced access controls.

    Normally you wouldn't think of Citrix to provide this type of networking functionality but with their new gateway appliances they provide a very nice solution.

  25. Re:Pity most OSs authenticate to hosts, not switch by Sulihin · · Score: 1
    EAP, used in 802.1X, is pretty much exactly what you're talking about:
    " [EAP is] an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this." --- RFC 3748, page 3
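    To make the RFC 3748 quote concrete, an added example that is not from the original post and is not Cisco's or any real supplicant's code: a small Python encoder/parser for the EAP packet header (Code, Identifier, Length, Type) carried inside an IEEE 802.1X EAPOL frame, with the authenticator side discarding any Response whose Identifier does not match its outstanding Request, which is the duplicate-elimination mechanism the quote refers to. The Authenticator class, the supplicant helper and the identity string are constructed for illustration.

```python
import struct

# EAP codes and the one method type used here (RFC 3748 section 4).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# EAPOL header (IEEE 802.1X): version, packet type, body length.
EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET = 1, 0


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    """Encode an EAP packet; only Request/Response carry a Type octet."""
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if eap_type is None:
            raise ValueError("Request/Response need a Type")
        body = bytes([eap_type]) + data
    else:
        body = b""                       # Success/Failure have no Type or data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(buf: bytes) -> dict:
    """Decode an EAP packet, validating Length against the buffer."""
    if len(buf) < 4:
        raise ValueError("short EAP header")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("bad EAP Length")
    pkt = buf[:length]                   # octets beyond Length are padding; ignore them
    eap_type = data = None
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without Type")
        eap_type, data = pkt[4], pkt[5:]
    elif code not in (EAP_SUCCESS, EAP_FAILURE):
        raise ValueError("unknown EAP Code %d" % code)
    return {"code": code, "id": identifier, "type": eap_type, "data": data}


def build_eapol(eap_packet: bytes) -> bytes:
    """Wrap an EAP packet in an EAPOL EAP-Packet frame (no IP involved)."""
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_EAP_PACKET, len(eap_packet)) + eap_packet


def parse_eapol(frame: bytes) -> bytes:
    """Return the EAP body of an EAPOL EAP-Packet frame."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    _version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_TYPE_EAP_PACKET or 4 + blen > len(frame):
        raise ValueError("not a well-formed EAPOL EAP-Packet")
    return frame[4:4 + blen]


class Authenticator:
    """Switch-side state: one outstanding Request Identifier at a time."""

    def __init__(self):
        self.next_id = 0
        self.outstanding = None
        self.identities = []

    def send_identity_request(self) -> bytes:
        self.outstanding = self.next_id
        self.next_id = (self.next_id + 1) % 256
        return build_eapol(build_eap(EAP_REQUEST, self.outstanding, EAP_TYPE_IDENTITY))

    def receive(self, frame: bytes) -> str:
        eap = parse_eap(parse_eapol(frame))
        # A Response whose Identifier does not match the outstanding Request is a
        # duplicate or stale reply and is silently discarded (RFC 3748 section 4.1).
        if eap["code"] != EAP_RESPONSE or eap["id"] != self.outstanding:
            return "discard"
        self.outstanding = None
        if eap["type"] == EAP_TYPE_IDENTITY:
            self.identities.append(eap["data"].decode())
        return "accept"


def supplicant_reply(frame: bytes, identity: str) -> bytes:
    """Host side: answer an Identity Request with the matching Identifier."""
    eap = parse_eap(parse_eapol(frame))
    if eap["code"] != EAP_REQUEST or eap["type"] != EAP_TYPE_IDENTITY:
        raise ValueError("expected an Identity Request")
    return build_eapol(build_eap(EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, identity.encode()))
```

    Retransmission on the authenticator side would reuse the same Identifier, so a supplicant that answered the original and the retransmission produces two Responses with the same Identifier; the second is the duplicate the code above drops.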
  26. Wow! That's great! by Anonymous Coward · · Score: 0

    It's also totally Windows specific. You must run yet another frigging Windows only background process on your system to make sure that your AV program is running and up-to-date. You must run Windows XP or greater so that Microsoft Group Policies can enforce patch levels and system policy settings.

    That's dandy, really! And it's very very helpful to the already overworked Windows admins that run only Windows XP or greater and Cisco only networks. But, what about the Mac OS X users that can't run the Cisco agent and don't have Microsoft Group Policies? What about the Linux users? If I recall, companies like Novell were making major efforts to push Linux into server rooms and desktops everywhere. Not to mention the countless "hardware" devices that run BSD for an OS/firmware. Will we have to eliminate all of these devices from the networks or will we have to make exception rules that defeat the security measures? Or will we have policies that are assigned to these devices based on MAC address? I know everybody loves MAC filtering and it's SO effective.

  27. I've seen the presentation too. by skids · · Score: 1

    And frankly, I was more appalled than impressed. Way to cobble up the "mission critical" network system in a byzantine system involving PCs, centralized servers, and other cruft. An order of magnitude more of a hackjob than server-mode VLAN configuration. Bloatware for networks.

    If they want to enhance security, they should be paring down their codebase for simplicity's sake and extensively testing it under hostile and high-stress traffic loads. Which I can say quite unequivocally, they don't do much. It took them years to even acknowledge that the fact you could crash a routing protocol by drowning out its signalling was just plain wrongheaded, and even now protecting the signalling as paramount has not been successfully drummed into developers' heads in all areas of the codebase.

  28. Cisco Updates Network Security Technology by Kylere · · Score: 2, Funny

    Cisco Updates Network Security Technology is one word swap from being a great acronym.

  29. Was At the Live Launch in New York Yesterday by *+*+Beatles-Beatles · · Score: 1

    Came from the New York City launch (4 hour seminar), a pre-filtered event for established security pros. It got very good feedback from this learned bunch. Trend Micro is also one of their partners for this package. It seems very promising and effective.

    --
    http://george-harrison.info/
    1. Re:Was At the Live Launch in New York Yesterday by Slashcrap · · Score: 1

      On a completely off-topic note, can I just mention that your website is one of the worst things I've ever seen on the Internet?

      Most websites require the use of garish colours and Flash to achieve the level of horror that you have managed with just black and white.

      I would prefer to spend a week looking at Goatse than experience that again.

    2. Re:Was At the Live Launch in New York Yesterday by Anonymous Coward · · Score: 0

      Yeah, that website is a great lesson in how not to do anything. Repulsive, just like the format of their submissions.

  30. Harmonization is a virus. by tepples · · Score: 1

    In that case, the "damage" the Internet will route around is the United States. Simple.

    Does "harmonization" of other countries' corporate-welfare laws with those of the United States, such as parts of the Australian "free" trade agreement, count as another form of damage? Once the harmonization virus hits the entire developed world, then where should I move?

    1. Re:Harmonization is a virus. by buysse · · Score: 1

      I guess we're all going back to the BBS... Dammit.

      --
      -30-