Thanks for correcting me. I didn't do all my fact checking so I'll take the clueless label in the chest. I do question the usefulness of using a router or layer 3 switch to do your quarantining though, because from a defense in depth point of view the devices you want to protect with NAC are the ones on the same broadcast domain.
As far as phase II being just deployed, I met with Cisco SE's about deploying NAC with layer 2 switches as the quarantine point in November 2004. I declined to test it because I'm not interested in deploying yet another agent on my network. Supposedly they're moving towards configuring options for agent-less machines, when that's an option I'll evaluate it again.
As far as my clueless comment goes, I jumped to a clueless conclusion myself and I appreciate being corrected.
The fact that Cisco has finally extended NAC support to its line of switches means that users are likely to be more interested in the technology than they were when it was only available on Cisco routers, said Joel Conover, an analyst at Current Analysis Inc. in Sterling, Va.
Eh? NAC has been available on Cisco switches for a while now. Technically it's been available since they started supported 802.1x, and switches have been compatible with the Cisco Security Agent since it was developed about a year ago. In fact, I haven't heard of routers being used in conjunction with NAC, CSA, or 802.1x. The only admissions control routers have ever done is access lists, which of course are also supported on layer 3 switches.
Mr. Conover: did you actually do any research on the technology involved or did you just read through the glossies and spew out something you remembered from the CCNA class you took 5 years ago?
The number of vulnerabilities and exploits isn't an accurate protrayal of the security of a product. What was the impact of the vulnerability, was it a buffer overflow or potential information disclosure? Any comparison that doesn't take the severity of the vulnerability into account is worthless.
Joris Evers is full of shit. He's spinning the existence of a class that teaches law enforcement agents how to do computer forensics as a story when there's really nothing there.
I've done forensic exams on machines that ran netscape and firefox and had no problem. The files and there structures are well documented. The format was a little tricky to read though... I mean, plain text is hard to interpret sometimes.
Here's an idea - maybe the people doing forensic exams should be IT professionals who learned law enforcement, not law enforcement officers who took a week-long class on using Encase.
If your organization's target audience or customer base isn't in a certain country it's perfectly reasonable. If every other IP that showed up in my firewall log trying to do nastiness didn't have a reverse dns that came up.ru or.tw then it wouldn't be an issue.
There are certain IP blocks we permit to come in reflexively, but we don't allow them to initiate contact with us. In 2 years there's been one case where it's caused a (very minor) problem.
Check out Astaro at http://www.astaro.com/. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.
It'll be interesting to see how this affects Nokia's line of FW appliances. I can't see Cisco continuing to sell a line of hardware that customers use to run their competitors' (ie Checkpoint) firewall software. Then again maybe they'd allow Pix to get ported over to the appliances? I'm not holding my breath though.
For almost 2 years now I've been running CheckPoint SecurePlatform (aka SPLAT) on HP servers for our firewalls and they've been rock solid. SPLAT is basically a customized Red Hat install that Checkpoint distributes (no, they don't charge for it) and those are the two most reliable boxes on our network. On a 5,000+ machine network, 300 of which are web servers, CPU utilization on the primary fw spiked up to 15% once on a busy day.
This has been and always will be Microsoft's downfall. They just can't resist dipping their hands in the money jar. You can't compromise your alleged integrity and at the same time expect to be a trusted purveyor of security software.
Their AV solution already ships every second Tuesday of the month. It's called the Windows Malware Remover, it runs silently when you perform a Windows Update. It's not a complete AV solution but it gets all the big worms and its updated each month.
I cringed when you said this before but I figured it wasn't worth the effort to correct you. But I hafta call bullshit this time. A worm needs minutes to completely infect an enterprise network. The MRT runs once a month, no dice. Plus, if the malware poisons the DNS cahce on the machine to the point that the MRT is unusable then it's reduced to so much vaporware. The Windows Malware Remover isn't a solution at all, complete or otherwise. It's a band aid. A band aid that's applied to a severed leg to stop the bleeding. And it's only applied once a month.
I'm sure it's just a coincidence that the Yankee Group, who are not exactly known for the impartiality, have released a report saying that 3rd party security apps (read that, AV, firewall, and spyware blockers) are insecure just as Microsoft gets ready to take their spyware software out of beta and unveil their antivirus software. Riiiight.
They disabled search prefixes / quick searches. In firefox, you can put prefixes in your bookmarks so typing "g monkeys" will do a google search for monkeys, or typing "sd m$" will do a search on slashdot for the string "m$" and make their poor indexing server do a shit-ton of work. Netscape 8 has those disabled, and anything typed into the URL bar is treated as a search on Netscape.com. I reported this as a bug when it was in Beta and they never did anything with it. I rely on search prefixes way too much to give them up, so I'm sticking with Firefox.
I can't say I have any sympathy for the company that imprisoned a programmer because he broke their encryption so the visually impaired could read their file format. Companies like Adobe are part of the reason the DMCA exists. It's nice to see them bleeding on their double-edged sword every now and again.
I know this is slashdot and filtering is evil etc. But filtering software a la websense or surfcontrol marginally protects web surfers from spyware and malicious web code, and it also stops http worms from spreading. It doesn't sound like that's the goal here, but some level of filtering on public internet connections is not necessarily a bad thing.
It boils down to a risk analysis and a cost benefits analysis. Since you're looking at the situation in terms of dollars, ie how expensive it would be to patch the holes reported by the auditor, you'll need to do a quantitative risk analysis. For each of the items you were dinged on you'll need to come up with a risk analysis. Or you could get your auditors to do one, but they're not exactly impartial. Once you come up with an estimate of what it costs a year to have that vulnerability unchecked, then you can do your cost benefits analysis. That's where you get to show that spending 100k on disabling ICMP timestamp requests on your workstations is a waste of money.
It's not a total solution, but GFI Network Security Scanner (used to be LANGuard) can scan for unauthorized USB devices and fire off an alert if it detect one on a scan. Demo available at http://www.gfi.com/lannetscan/.
Deny them the rights necessary to install hardware on their workstations. If not for all employees, for the employees that have access to sensitive information.
Every time someone does one of these studies they start from the same flawed logic. They calculate exposure time as "time from vulnerability disclosure to patch availability". In Microsoft's world, a vulnerability doesn't exist until they've disclosed it. And guess what? They don't disclose it until there's a patch available. They're also quick to brand any researchers who post vulnerabilities before they get patches as irresponsible.
So it's a self-fulfilling prophecy: Microsoft products will always have lower exposure time for vulnerabilities because most Linux distro maintainers practice full disclosure.
It's Shut the Fuck Up. Not "STFU", not "be quiet please", not "your silence at this time is very important". If I want to talk about zombieboxen that have been infected with virii I'm going to do so regardless of some AC's objections.
Slashdot Mirror
Thanks for correcting me. I didn't do all my fact checking so I'll take the clueless label in the chest. I do question the usefulness of using a router or layer 3 switch to do your quarantining though, because from a defense in depth point of view the devices you want to protect with NAC are the ones on the same broadcast domain. As far as phase II being just deployed, I met with Cisco SE's about deploying NAC with layer 2 switches as the quarantine point in November 2004. I declined to test it because I'm not interested in deploying yet another agent on my network. Supposedly they're moving towards configuring options for agent-less machines, when that's an option I'll evaluate it again. As far as my clueless comment goes, I jumped to a clueless conclusion myself and I appreciate being corrected.
Eh? NAC has been available on Cisco switches for a while now. Technically it's been available since they started supported 802.1x, and switches have been compatible with the Cisco Security Agent since it was developed about a year ago. In fact, I haven't heard of routers being used in conjunction with NAC, CSA, or 802.1x. The only admissions control routers have ever done is access lists, which of course are also supported on layer 3 switches.
Mr. Conover: did you actually do any research on the technology involved or did you just read through the glossies and spew out something you remembered from the CCNA class you took 5 years ago?
Crest Electronics fails self-administered IQ test.
The number of vulnerabilities and exploits isn't an accurate protrayal of the security of a product. What was the impact of the vulnerability, was it a buffer overflow or potential information disclosure? Any comparison that doesn't take the severity of the vulnerability into account is worthless.
Joris Evers is full of shit. He's spinning the existence of a class that teaches law enforcement agents how to do computer forensics as a story when there's really nothing there. I've done forensic exams on machines that ran netscape and firefox and had no problem. The files and there structures are well documented. The format was a little tricky to read though... I mean, plain text is hard to interpret sometimes. Here's an idea - maybe the people doing forensic exams should be IT professionals who learned law enforcement, not law enforcement officers who took a week-long class on using Encase.
If your organization's target audience or customer base isn't in a certain country it's perfectly reasonable. If every other IP that showed up in my firewall log trying to do nastiness didn't have a reverse dns that came up .ru or .tw then it wouldn't be an issue.
There are certain IP blocks we permit to come in reflexively, but we don't allow them to initiate contact with us. In 2 years there's been one case where it's caused a (very minor) problem.
Check out Astaro at http://www.astaro.com/. Full featured firewall, competitive with Checkpoint, but not 100% free as in beer. Price is certainly reasonable though, plus it's incredibly easy to install and manage.
It'll be interesting to see how this affects Nokia's line of FW appliances. I can't see Cisco continuing to sell a line of hardware that customers use to run their competitors' (ie Checkpoint) firewall software. Then again maybe they'd allow Pix to get ported over to the appliances? I'm not holding my breath though.
For almost 2 years now I've been running CheckPoint SecurePlatform (aka SPLAT) on HP servers for our firewalls and they've been rock solid. SPLAT is basically a customized Red Hat install that Checkpoint distributes (no, they don't charge for it) and those are the two most reliable boxes on our network. On a 5,000+ machine network, 300 of which are web servers, CPU utilization on the primary fw spiked up to 15% once on a busy day.
This has been and always will be Microsoft's downfall. They just can't resist dipping their hands in the money jar. You can't compromise your alleged integrity and at the same time expect to be a trusted purveyor of security software.
I'm sure it's just a coincidence that the Yankee Group, who are not exactly known for the impartiality, have released a report saying that 3rd party security apps (read that, AV, firewall, and spyware blockers) are insecure just as Microsoft gets ready to take their spyware software out of beta and unveil their antivirus software. Riiiight.
I'm expecting this to be exploited by a Blaster/Sasser type worm. Time to go on Terry Tate mode looking for users with laptops...
They disabled search prefixes / quick searches. In firefox, you can put prefixes in your bookmarks so typing "g monkeys" will do a google search for monkeys, or typing "sd m$" will do a search on slashdot for the string "m$" and make their poor indexing server do a shit-ton of work. Netscape 8 has those disabled, and anything typed into the URL bar is treated as a search on Netscape.com. I reported this as a bug when it was in Beta and they never did anything with it. I rely on search prefixes way too much to give them up, so I'm sticking with Firefox.
I can't say I have any sympathy for the company that imprisoned a programmer because he broke their encryption so the visually impaired could read their file format. Companies like Adobe are part of the reason the DMCA exists. It's nice to see them bleeding on their double-edged sword every now and again.
I know this is slashdot and filtering is evil etc. But filtering software a la websense or surfcontrol marginally protects web surfers from spyware and malicious web code, and it also stops http worms from spreading. It doesn't sound like that's the goal here, but some level of filtering on public internet connections is not necessarily a bad thing.
It boils down to a risk analysis and a cost benefits analysis. Since you're looking at the situation in terms of dollars, ie how expensive it would be to patch the holes reported by the auditor, you'll need to do a quantitative risk analysis. For each of the items you were dinged on you'll need to come up with a risk analysis. Or you could get your auditors to do one, but they're not exactly impartial. Once you come up with an estimate of what it costs a year to have that vulnerability unchecked, then you can do your cost benefits analysis. That's where you get to show that spending 100k on disabling ICMP timestamp requests on your workstations is a waste of money.
It's not a total solution, but GFI Network Security Scanner (used to be LANGuard) can scan for unauthorized USB devices and fire off an alert if it detect one on a scan. Demo available at http://www.gfi.com/lannetscan/.
Deny them the rights necessary to install hardware on their workstations. If not for all employees, for the employees that have access to sensitive information.
And pray tell AC, what's your idea of strong firewall protection?
Every time someone does one of these studies they start from the same flawed logic. They calculate exposure time as "time from vulnerability disclosure to patch availability". In Microsoft's world, a vulnerability doesn't exist until they've disclosed it. And guess what? They don't disclose it until there's a patch available. They're also quick to brand any researchers who post vulnerabilities before they get patches as irresponsible.
So it's a self-fulfilling prophecy: Microsoft products will always have lower exposure time for vulnerabilities because most Linux distro maintainers practice full disclosure.
Oh, and while I'm at it:
It's Shut the Fuck Up. Not "STFU", not "be quiet please", not "your silence at this time is very important". If I want to talk about zombieboxen that have been infected with virii I'm going to do so regardless of some AC's objections.