Slashdot Mirror


User: netnull

netnull's activity in the archive.

Stories: 0
Comments: 4

Comments · 4

  1. Re:It's about integrating security into design! on End-to-End Network Security · · Score: 1

    What I mean by "productivity does not require security" is that most organizations are guilty of deploying networking technologies without consideration of the security risks involved. Anyone can set up a productive Apache server, but properly locking it down, setting permissions and associated firewall and routing policies, etc., is something that should be considered, but is often devolved down to a set of so-called best practices, if followed at all. You can stand up a wireless AP, but setting one up securely is something beyond most people (I can walk around my neighborhood and remain connected with the number of open APs available). When you look at convergence technologies, such as VoIP, everyone sees the benefits, but no one factors the risk-mitigating costs, such as ensuring that your routed infrastructure's reliability matches that expected of your phone system.

    We are so often blinded by the fact that something works, that we fail to examine if it is secure until it is too late.

  2. It's about integrating security into design! on End-to-End Network Security · · Score: 1

    I'm constantly befuddled about the time and energy wasted on the concept of end-to-end security. The plain basic truth is this: Productivity does not require security! What this means is we end up in a cycle of building networks and applications without considering the potential risks and security requirements. Security, whether it's a firewall to an end-to-end implementation with so-called defense in depth, is a bolt-on patch to something that could have been designed securely to begin with. There's never enough time and money to do something right, but tons of it to do it over. Start with zero, and define your applications, from routing protocols all the way up to e-mail and databases, and put security controls in place relative to those applications. If you support mobile hosts, figure out how they can be securely mobile, or treat them as external hosts at all times. Once you design security into your processes and hosts, deny the rest of the traffic. It just seems that users think they have some God-given right to do as they choose on the Net as they do at home. This is just not the case.

  3. Can't get partners, so go open source on Cisco to Open Source CTA · · Score: 1

    What a scam! Cisco has a NAC partnership program that allows partners to either incorporate CTA technology into their client software, or allow them to build third-party security servers that operate behind their CiscoSecure ACS product. But you are not allowed to build a NAD (network access device, i.e. a switch or AP that interrogates CTA) or a replacement for ACS as the authentication server.

    So now that Cisco has failed to get the community to play in their proprietary communications sandbox (remember these are the guys who bring us EIGRP and Skinny), they are hoping the open source community will come to their rescue as leverage in the forming IETF standards.

    Want open source NAC? ... look at PacketFence (www.packetfence.org)

  4. Re:REALLY, REALLY important /sarcasm on Startup Prepares Cracker Attack Emulator · · Score: 1

    I've seen the technology and it's impressive. It's intended for vendors to detect break points in their products. The fuzzing and mutation engine can really be relentless. The reporting is nice, particularly if you tie the console of the ToE into the mu box so that you can see any error messages side by side with their cause. Those vendors serious about securing their products should give this a look. You allude to the fact that experts do this type of testing, but once user-friendly automated tools come onto the market we will see both an improvement in security, as well as a rise in attacks. Another difference is that this technology breaks boxes without finesse. Finding exploitable logic errors without trashing the box will still be in the realm of experts.