The roles of TNC and IETF
As many of you know from my posts and talks, I always distinguish between frameworks and standards. TNC is a consortium that created a framework for NAC communications and endpoint checks. Many vendors have already bought in to the TNC specifications, but there have been a few holding out; Cisco being the largest and most influential. Strangely enough, Cisco wanted to have a standard in place, versus a less formal framework. Ironic, I know. In any event, the IETF (in the form of IETF’s NEA) has been trying to fill that gap of true NAC standards. The problem has been that, although vendors said “yes” to the IETF standards, no one was contributing any new specifications for it. Here’s where TNC reenters the picture. Slowly but surely, the IETF has been adopting the TNC’s frameworks as accepted specs for the standards.

The importance of this announcement
Today’s news demonstrates one more big step in the right direction for TNC, IETF and all the vendors participating. With the acceptance of two more TNC specifications into the IETF standard, we can expect to round out the full IETF NAC Standard by the close of 2010. With a full set of standards, vendors will be able to offer scalable, evolving solutions that integrate more seamlessly with the rest of the infrastructure. Exciting, isn’t it!?

The announcement begins

Internet Engineering Task Force Publishes Network Access Control Standards Based on Trusted Computing Group Specifications

PORTLAND, MARCH 11, 2010 - Trusted Computing Group today announced that two specifications created by its Trusted Network Connect (TNC) work group have been accepted and published as specifications by the Internet Engineering Task Force (IETF). This means that developers and OEMs wanting to create network access control products now will have a single set of standards to support.
“Enterprise users are the real winners; the agreement on a single standard for network access control and endpoint assessment will provide consistency across products from leading networking vendors,” said Russ Housley, chairman of the IETF.

Noted Steve Hanna, co-chairman of the TCG TNC work group and of the IETF working group on this topic, “This industry-wide agreement on standards will increase the number of vendors and customers adopting standards-based network security. In addition, products developed for the new standards can be deployed with the many existing products using TNC specifications to protect the network and critical assets from a myriad of threats.”

The first standard (called PB-TNC by the IETF and IF-TNCCS 2.0 by the TCG) defines a standard way to perform a health check of a network “endpoint” such as a laptop computer or printer. If the endpoint is not healthy, it can be fixed or have its network access restricted. The second standard (called PA-TNC by the IETF and IF-M 1.0 by the TCG) defines a standard set of health checks that are commonly performed, such as checking anti-virus status. These newest standards are based on the TNC standards that customers have been using for years.
continued

You can read the full press release online at: http://www.trustedcomputinggroup.org/media_room/news/113

Look for more information and content soon about TCG’s TNC, IETF and NAC standards, including a video interview with TNC’s Steve Hanna.

Resources and links:

• Trusted Computing Group http://www.trustedcomputinggroup.org
• IETF http://www.ietf.org

 # # #

What is it?
Maker Faire:NC is a newfangled fair that brings together science, art, craft and engineering plus music in a fun, energized, and exciting public forum. The aim is to inspire people of all ages to roll up their sleeves and become makers. This family-friendly event showcases the amazing work of all kinds of makers–anyone who is embracing DIY and wants to share their accomplishments with an appreciative audience.

Costs and Participation
Attend: FREE
Makers: FREE
Exhibitors: $50 - $200 (100-1600 sq ft)

A note from the organizer:

Maker Faire is an annual event organized by the people who bring us MAKE Magazine.  Maker Faire:NC is a fully sanctioned event but is being planned and coordinated by Raleigh/Durham locals.  Our goal is to bring together Makers, Crafters, Inventors, Evil Geniuses, Scientists, Artists, and anyone else interested in learning from NC, SC, VA, DC, and beyond.

Just like the bigger Left-Coast version, Maker Faire:NC celebrates things people create themselves — from James Bond-worthy electronic gizmos to Martha Stewart-quality “slow made” foods and homemade clothes. Inspiration is ubiquitous at the festival and there are surprises around every corner for people of all ages.

“At the surface, Maker Faire is a fun event for people of all ages,” explained (San Mateo 2009) Event Director Sherry Huss. “But we want people to experience more than just a weekend of creative entertainment, we want them to leave feeling inspired — that they too can create things, express themselves, and engage the world around them. Our goal is to resuscitate the spirit of American creativity and innovation.”

This video from the Full Size Maker Faire held in 2009 in California will give you a little idea of what we’re all about.

Ideas for Makers who want to participate (remember, it’s FREE)!

• Green Tech and Clean Tech
• Robotics
• Music Performance and Participation
• 3D Printers and CNC Mill
• Textile Arts and Crafts
• Home Energy Monitoring
• Rockets and RC Toys
• Radios, Vintage Computers and Game Systems
• Electronics
• Electric vehicles
• Biology/Biotech and Chemistry Projects
• Food and Beverage Makers
• Kites
• Shelter (Tents, Domes, etc.)
• Unusual Tools, Machines, or Techniques
• How to Fix Things or Take them Apart (Vacuums, Clocks, Washing Machines, etc.)

Links and Resources

• Maker Faire NC Site: http://makerfairenc.com/
• Maker Faire NC on Twitter: @makerfaireNC

# # #

Universal NAC Feature Model document: 
A guide to model and compare NAC solutions

Author: Jennifer Jabbusch
White paper, feature and mechanical evaluation and comparison of Network Access Control technologies
24 pages, PDF format
2010-03-03 RSA Edition, first release
Copyright Carolina Advanced Digital, Inc., see contact page to request republishing rights

Document Summary

All NAC products are not created equal and there is not a one-NAC-fits-all solution. The Universal NAC Feature Model was developed for internal use at Carolina Advanced Digital and is invaluable in informing and guiding discussions with clients evaluating NAC solutions. Initially intended for private use, the value to the larger industry has led to the development of this material in guidebook form.

One of the leading challenges in discussing NAC is the terminology. Instead of referring to vendor terms or the random acronyms and naming convention used in the NAC frameworks, this guides uses plain English to describe the four feature components of network access control systems and the specific mechanics used to implement the technologies.

This Universal NAC Feature Model is a guide for organizations to model network access control (NAC) features from a variety of products and vendors. It aids in the comparison and analysis of available features and provides a common language to identify and describe required methods and execution of technology. This allows for useful comparisons across vendors who offer the same features, but with drastically different methods.

This document breaks down all the components and mechanics employed by various vendors, explains each piece in detail, and provides commentary on factors to consider while investigating NAC products. The tables and explanations in this guide can be used to map key concepts to their vendor- specific counterparts and map a desired feature to the mechanics that support it.

To all readers, I hope you enjoy the information in this guide and find the layout and explanations useful. As far as I know this is the first document of its kind, outlining the full depth and breadth of NAC features, functions and mechanics from all vendors, in a single guide. I expect it to serve as a foundation for discussions in the industry and in dialogue between consumers and vendors.

This document provides:
- A uniform terminology and descriptions of features and technical mechanics to compare all NAC products currently available.
- A hierarchical view of NAC features and mechanics in a simple one-page table.
- An explanation of the technical mechanics of NAC and commentary on considerations as you investigate NAC solutions.
- A foundation that will grow and be updated as technologies and products change in the market.

Related documents: Catching the Unicorn: a technical exploration of why NAC is failing

# # #

Were you in the session? Before I launch into my opinions, I’m most interested in hearing from anyone that was in the Peer 2 Peer. As the facilitator, I get a different kind of value from these peer sessions. The real question is: did you? Feel free to post comments (anonymous is fine) or email me directly using the contact form.

First, NAC is not dead. Wednesday’s full room was proof of that; I think we had only a couple of seats open of the 25 maximum available. I will share with you that these P2P attendees were a little disappointed that the industry events were not giving NAC the attention they did just a couple of years ago. Everyone understands why, but their comments resonated with me. They feel abandoned by the vendors and the industry; left to fend for themselves and work out the many major kinks of a security technology that’s not as ready for prime time as we’d hoped. We lamented over the decrease in industry’s willingness to help us in our efforts and the obvious lack of NAC sessions on the schedules of major conferences, such as RSA and the upcoming INTEROP.

Second, people do want NAC. The interest seems to be completely in line with my personal observations that port security and authentication are still highest on the list of requested features, with a strong desire for endpoint integrity sliding in as a solid second or third. These are the features being touted by the primary remaining vendors in the NAC and endpoint security space and there IS a demand for them.

Third, the consumers are happy to compromise. Instead of selecting from a menu of over-zealous vendors pitching their fix-all solutions, the consumers want more reasonable expectations, more manageable deployments and a sustainable maintenance plan - and they don’t mind giving up a few features to reach those goals. The stories I heard were ones of heartache, headache and hopelessness, riveted with frustrations, mostly stemming from the use of the wrong technology in the wrong environment. Although there were vendor-specific tribulations mentioned by the group, I steered clear of that part of the discussion, realizing that the failure wasn’t in the product as much as it was in the processes created by poorly made technical decisions. Unfortunately, these people are at the mercy of the vendor to help them with the process and many times the vendor’s sales force (and even at times, the engineering team) doesn’t understand enough about the environment and their own product to make recommendations for a successful rollout.

As promised, I did distribute the Universal NAC Feature Model document to the group (well, until I ran out of printed copies). I’ll make that document available here as well this weekend. Now available.

With the confinement of a short 50-minute, session, we certainly couldn’t solve the evils of the NAC world, but it got everyone talking and it got me thinking - again. We can do this. We just need to make it affordable, efficacious and reasonable to integrate. It is possible, and the session reinforced my support for the groups working to create frameworks and standards that will help these consumers of the technology (and all others) find the right product for them and integrate it in a much less painful way.

# # #

• SEM-004 TCG Workshop: Industry’s First International Security Playground!
  Monday, March 1st 11:00AM – 3:00PM
  With: TCG’s Trusted Network Connect members
  Juniper Networks
  Wave Systems
  Infoblox
  Lumeta
  Hirsch Electronics
  .
• SPO2-106: Protection vs. Access: Solving The Security Dilemma for Businesses
  Tuesday, March 2nd 1:00 PM
  With: Greg Jensen, Microsoft Corporation
  .
• END-107: Lessons Learned: Enterprise X.509 Certificate Management at Boeing
  Tuesday, March 2nd 2:30 PM
  With: Greg Blana, The Boeing Company
  .
• NMS-107:   Secure Virtual Networking: An Oxymoron?
  Tuesday, March 2nd 2:30 PM
  With: Paul Congdon, CTO and HP Fellow, HP ProCurve
  .
• SPO2-203: Network Access Technology in Progress- How to Manage Your IT Infrastructure
  Wednesday, March 3rd 10:40 AM
  With: Bruno Quint, CORISECIO GmbH
  Rainer Enders, NCP engineering GmbH
  René Poot, NCP engineering GmbH
  Joerg Hirschmann, NCP engineering GmbH
  .
• P2P-204B:  Endpoint Security and Network Access Control in the Real World
  Wednesday, March 3rd 1:00 PM
  With: Jennifer Jabbusch, CAD, Inc.
  .
• END-302: The Changing Face of Endpoint Security
  Thursday, March 4th 9:10 AM
  With: Mischel Kwon, RSA/EMC
  Richard Marshall, DHS
  Phillip Loranger, U.S. Department of Education
  Dickie George, NSA
  Richard Hale, DISA
  .
• NMS-303: NAC Best Practices Panel
  Thursday, March 4th 10:40 AM
  With: Lawrence Orans, Gartner, Inc.
  Russell Rice, Cisco Systems, Inc.
  Khaja Ahmed, Microsoft Corporation
  David Vargas, Cadence Design Systems
  Daniel Conroy, Bank of New York Mellon

Also look for these NAC and Endpoint Security vendors in the expo area:

• Avenda Systems - Booth 558
• Black Box - Booth 850
• Cisco Systems, Inc. - Booth 831
• ForeScout Technologies, Inc. - Booth 739
• InfoExpress, Inc. - Booth 751
• Juniper at TCG’s TNC Playground
• Microsoft Corporation - Booth 1517
• NCP engineering GmbH - Booth 1541
• StillSecure Software - Booth 2228

# # #

If you’re at the P2P session, you’ll receive your very own copy. It can be used as a reference during discussions, but we won’t be specifically addressing the document during the session. It’s something for you to take home and enjoy. ;) If you’re not at the P2P session, you’ll see the contents at a later time here or through one of our media partners.

Universal NAC Feature Model overview:

This Universal NAC Feature Model is a guide with which an organization can model network access control (NAC) features from a variety of solutions and vendors. It provides a single platform for comparison and analysis of the features provided as well as a means to identify and describe the methods and execution of technology to offer those features. Many vendors offer the same features, but with drastically different methods. This guide serves as a single ubiquitous model with common verbiage to describe NAC offerings. 

RSA Peer 2 Peer session details:

Session Title:  Endpoint Security and Network Access Control in the Real World
Session Code:  P2P-204B
Scheduled Date/Time:  Wednesday, March 3 1:00 PM
Session Abstract:  While current solutions have proven difficult to implement in the real world, the need for access control and network security continues to grow. Join this Peer2Peer session for a lively discussion of real world case studies, an exploration of technical roadblocks and a dive into vendor-specific solutions. Participants will be given a copy of the host’s proprietary Universal NAC Evaluation Framework document to reference and evaluate various technologies and solutions at a technical level.
Facilitator:  Jennifer Jabbusch CISO, Network Security Specialist, CAD, Inc.

Key pages from the Universal NAC Feature Model

# # #

Meet Lab Barbie. Lab Barbie comes in a variety of styles. This photo is of SRX Barbie, beautifully clad in a pink taffeta gown and lovingly enjoying her new Juniper devices. Doesn’t she look smashing!

My friend Shelby sums it up best:

Lab Barbie: PRICELESS
Cost of extremely pink Barbie - $5
Cost of work time placing Barbie in just the right position - $20
Keeping boys out of your highly efficient space - PRICELESS

SRX Barbie: Firewall princess

Look for more Lab Barbie shots as they take their places to defend my development and testing areas.

Please do not confuse Lab Barbie with Security Barbie. They’re different people.

# # #

If you’re looking for more security-related articles and how-tos, be sure to visit the Tech Target Search Midmarket Security site, as well as the Search Financial Security site, for more content authored by me.

Recent content you’ll find there

• Configuring a Windows network infrastructure: Wired, wireless security NEW
• Five NAC-like endpoint settings enforced with group policy
• Five considerations for choosing NAC (financial orgs)
• Handling the politics of network access control
• Five network security issues to avoid
• Other stuff I’ve written there >>

# # #

Although I cannot possibly expect to win against this line-up, the nomination has prompted me to refocus on my own blog and writing in hopes that I can deliver content that’s as useful to readers as my favorite sites are to me! And yes, I’m voting for my own blog (if I can) so I have at least one notch on my scorecard. ;)

Instead of repeating the details of it all, I’m including information from Alan’s original post announcing the winners/nominees.

After a bit of a *ahem* learning process last year, they’ve changed the voting and nomination process. I think ballots went out to all SBN network members today and winners (as last year) will be announced at the RSA Official Security Bloggers Meetup.

OK for the first time in public, here are the finalists for the 2010 Social Security Blogger Awards! The finalists were chosen by our blue ribbon panel of judges (Mike Fratto, Bill Brenner, Kelly Jackson-Higgins and Larry Walsh). The members of the Security Bloggers Network will be receiving ballots shortly with the names of the finalists and they will cast the deciding votes for who this years lucky winners are. So without further delay, the finalists are:

Best Technical Security Blog
SANS Internet Storm Center
Evil Bytes by John Sawyer
Praetorian Prefect
Darknet.org
Frequency X ISS blog

Best Non-Technical Security Blog
Security Uncorked
Schneier on Security
Krebs on Security
ThreatPost
TaoSecurity

Best Security Podcast
PaulDotCom
SANS ISC Stormcast
An Information Security Place
CSO Security Insights
Security Catalyst

Best Corporate Security Blog
Jeremiah Grossman (White Hat Security)
Sophos Graham Cluley Blog
Microsoft Security Response Center
Fortiguard Blog
Cisco Security Blog

Most Entertaining Security Blog
Rational Survivability by Chris Hoff
Security Incite by Mike Rothman
Uncommon Sense Security by Jack Daniel
SecBarbie by Erin Jacobs
Emergent Chaos by Adam Shostack and ensemble

What an all star list of finalists. Each and every blog and podcast on this list are deserving of winning. It is a testament to the quality and quantity of blogs that the security industry has spawned. Congratulations to each and every one of them. May the best blogs win!

As Alan did, I too want to point out a few blogs and podcasts that did not make the finalists because they were not eligible, though they were nominated. These are (in my opinion) some of the best content in the network, but are ineligible due to their participation in the nomination process.

• Securosis Blog
• Network Security Blog and Podcast
• Ashimmy, after all these years

# # #

Tuesday, February 16th 2010, 6:00pm
OWASP NC Monthly Meeting
CFCU Offices, Raleigh, NC
Event page OWASP Meetup Page

Meeting details from the OWASP Meetup Page

Aside from picking up where we should have left off last time with some Capture the Flag exercises, Jim Tiller, Vice President of Security North American for BT Global Services will be presenting on the Cloud Security Alliance. This will be a great opportunity for everyone to learn what the CSA is all about, and hopefully discuss some challenges that Cloud Computing brings to Web Application Security and what is being done.

We look forward to everyone making it out, and please invite your friends and colleagues.

As always, there will be beer!

About the Cloud Security Alliance

The Cloud Security Alliance is a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

The Cloud Security Alliance is comprised of many subject matter experts from a wide variety disciplines, united in our objectives:

• Promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.
• Promote independent research into best practices for cloud computing security.
• Launch awareness campaigns and educational programs on the appropriate uses of cloud computing and cloud security solutions.
• Create consensus lists of issues and guidance for cloud security assurance.

About OWASP

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

You’ll find everything about OWASP here on our wiki and current information on our OWASP Blog. Please feel free to make changes and improve our site. There are hundreds of people around the globe who review the changes to the site to help ensure quality. If you’re new, you may want to check out our getting started page. Questions or comments should be sent to one of our many mailing lists. If you like what you see here and want to support our efforts, please consider becoming a member.

Links and resources

• OWASP: Find OWASP NC information on the OWASP wiki
• OWASP: North Carolina Feb 16th OWASP Meetup Page
• CSA: Cloud Security Alliance site

# # #