Archive for March, 2008

IPv6 And Security Architecture Changes

Monday, March 31st, 2008

I received a reader email asking if IPv6 is going to change the existing approach to security. He writes:

Do you believe that the transition to IPv6 will change the existing security architectures? I have heard from other professional architects that there will be a transition from perimeter security to host-based security.

While the paper Darrin Miller and I wrote is the best place for a complete answer to that question, I can provide a quick summary and some clarification. Here’s the section on maintaining host and application security from the bottom of page 23:

Although timely patching and host lockdown are critical elements in IPv4, they are even more critical during the early stages of IPv6 because many host protections (firewalls, IDSs, and so on) do not yet broadly support IPv6. Additionally, it is highly likely (though testing is necessary; refer to Appendix A) that the initial introduction of IPv6 into networks will result in some hosts not being properly secured. It is necessary to focus on maintaining host security to ensure that hosts that are compromised will not become stepping stones to compromise other end hosts.

There’s also some information in my book on IPv6. It starts on page 668, which is available on books.google.com.

I actually think the move toward identity-based controls (whether IPv6 or IPv4) will have more of an impact on security architecture than the transition to IPv6 will. The network will remain important as a security control, as will the endpoint, but the shift will be towards more dynamic authorizations based on the identity of the individual. IPv6 leads to subtle changes in the security architecture, and I agree that endpoint controls will increase in importance; I don’t think that network controls will go away, though. Security has always been about defense-in-depth, and relying only on the host for security puts all your security eggs in one basket.
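The failure mode the paper excerpt describes, a host whose IPv4 side is locked down while its IPv6 side is silently wide open because the host firewall was never configured for IPv6, is easy to check for on a dual-stack Linux host. The script below is an added example, not code from the post or from the paper; it assumes the output formats of `ss -H -lntu`, `iptables -S` and `ip6tables -S`, and the three sample inputs are constructed, not captured from a real system. It reports every port that is listening on IPv6 and reachable through the IPv6 INPUT chain but that the IPv4 INPUT chain would have blocked, which is exactly the inconsistency a hardening review during an IPv6 rollout should look for.

```python
import re

# Constructed sample input (not real host output): `ss -H -lntu` style listeners.
SS_SAMPLE = """\
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 [::]:22       [::]:*
tcp   LISTEN 0 80  0.0.0.0:3306  0.0.0.0:*
tcp   LISTEN 0 80  [::]:3306     [::]:*
udp   UNCONN 0 0   [::]:161      [::]:*
"""

# Constructed `iptables -S` output: default-deny IPv4 INPUT, only SSH allowed.
IPTABLES_V4_SAMPLE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed `ip6tables -S` output: the IPv6 side was never configured.
IP6TABLES_SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

RULE_RE = re.compile(r"-A INPUT\b.*?-p (\w+)\b.*?--dport (\d+)\b.*?-j (\w+)")
POLICY_RE = re.compile(r"-P INPUT (\w+)")


def parse_listeners(ss_text):
    """Return a set of (proto, family, port) from ss-style listener lines."""
    listeners = set()
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # header line or a non-numeric port
        family = "v6" if host.startswith("[") else "v4"
        listeners.add((proto, family, int(port)))
    return listeners


def parse_input_chain(rules_text):
    """Return (default policy, {(proto, port): target}) for the INPUT chain.

    Only simple per-port rules are understood; interface or state matches
    without a --dport are ignored, which is fine for this audit."""
    policy = None
    rules = {}
    for line in rules_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rules[(m.group(1), int(m.group(2)))] = m.group(3)
    return policy, rules


def reachable(proto, port, policy, rules):
    """True if the INPUT chain lets this proto/port through (rule or default policy)."""
    return rules.get((proto, port), policy) == "ACCEPT"


def find_ipv6_gaps(ss_text, v4_rules_text, v6_rules_text):
    """List (proto, port) pairs listening on IPv6 and reachable through the IPv6
    firewall, but which the IPv4 firewall would have blocked."""
    listeners = parse_listeners(ss_text)
    v4_policy, v4_rules = parse_input_chain(v4_rules_text)
    v6_policy, v6_rules = parse_input_chain(v6_rules_text)
    gaps = []
    for proto, family, port in sorted(listeners):
        if family != "v6":
            continue
        if reachable(proto, port, v6_policy, v6_rules) and not reachable(
            proto, port, v4_policy, v4_rules
        ):
            gaps.append((proto, port))
    return gaps


if __name__ == "__main__":
    for proto, port in find_ipv6_gaps(SS_SAMPLE, IPTABLES_V4_SAMPLE, IP6TABLES_SAMPLE):
        print(f"{proto}/{port}: filtered on IPv4 but open on IPv6")
```

On the constructed sample, SSH is consistent across both stacks, while the database port and the SNMP listener are blocked by the IPv4 default-deny policy yet fully reachable over IPv6 because the ip6tables INPUT policy is still ACCEPT. On a real host you would feed the script the live command output; hosts using nftables would need a different rule parser, but the comparison logic is the same.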

Network World 802.1X Tests

Tuesday, March 25th, 2008

Continuing the 802.1X conversation, Network World recently put out test results for 10G access switches and included a whole section on 802.1X functionality. The article does a pretty good job running through many common 802.1X scenarios and highlights the breadth of functionality most modern switches have. While I’m not sure 10G to the desktop is necessary for all but the most demanding environments, most of the 802.1X functionality described here is available on much lower speed (and more affordable) switches from the same manufacturers. Wired 802.1X has seen quite a surge of interest of late as this article corroborates.

Information Week on 802.1X

Monday, March 24th, 2008

With convenient timing, Mike Fratto at Information Week has a short blurb on 802.1X validating some of my previous post. He cites some of the early challenges in 802.1X and sees “broader adoption” coming. It is nice to see the mainstream press starting to talk about default VLAN, guest portals, and some of the other 802.1X elements discussed here for some time now.

Lockdown Ceases Operations

Monday, March 24th, 2008

As frequent readers of this blog will no doubt expect, I was completely unsurprised by the shutdown of Lockdown Networks last week. Following the fire-sale of Caymas Systems and the announced restructuring of Vernier Networks as Autonomic Networks, it is natural that more NAC vendors would fall. Coincidentally, I was on the phone with a customer looking to swap out their Lockdown products for something more robust just before I heard the news.

For some analysis, take a look at the blog posts from Jon Oltsik and Eric Ogren, two former colleagues in the analyst community. The two take very different views, with Jon pointing to Lockdown’s retooling of their product as a reason for their failure (but maintaining that the NAC market is healthy), while Eric blames the NAC market in general and the difficulty of competing with Cisco and Microsoft.

I think Jon has things more on the money. The classic device-centric NAC market is crowded and with so many players it is awfully hard to reinvent yourself and still stay competitive. Part of me is surprised it has taken so long for another vendor to fail. After all, Cisco announced its intent to purchase Perfigo back in October of 2004. Perfigo’s product became Cisco Clean Access (the giant of the fledgling device NAC market). Lockdown’s technology seems almost identical to Perfigo’s but the market has moved on since then.

When I talk to customers I continue to hear the same themes as I did back in 2005 when I joined Identity Engines:

  • Organizations want to use the network enforcement gear they already have
  • No one wants to deploy a new inline device in their existing network (support and cost issues are cited)
  • User identity is far more important than device health because it allows for far more fine-grained access decisions
  • Guests and contractors are the area of greatest security concern
  • Proprietary clients are a no-no

802.1X is the natural antidote to these desires, and now that the deployments are getting larger and the technical objections are being removed through better solutions, I think we’ll be hearing a lot more about 802.1X this year. In fact, tying back to the Lockdown news, you can see evidence of this in the market as a whole. Lockdown’s non-Cisco competitors are now talking a lot more about 802.1X and trying to bolt more of this type of functionality onto their existing non-802.1X offerings. For a sense of this trend, look at the acquisitions in this space since Perfigo. We have Juniper acquiring Funk Software in November of 2005 and Cisco acquiring Meetinghouse Data Communications in July of 2006. The main technology asset of both companies was, you guessed it, 802.1X capabilities.

802.1X Coming to iPhone

Friday, March 14th, 2008

As part of their leap into the enterprise market, Apple is adding 802.1X support to the iPhone with their 2.0 firmware update in June. While I expected this to happen eventually, it is interesting that Apple found the feature noteworthy enough to mention among their top enterprise feature requests along with push email and push calendars. If you want proof, check out this video and watch Phil Schiller, the SVP of WW Product Marketing at Apple, discuss 802.1X at around the 5:30 mark of the video. This is during a press briefing announcing the SDK and the 2.0 feature-set. I’ve always thought 802.1X would be an essential part of networking going forward, but to have it discussed as a key enterprise feature for the iPhone is great validation of the 802.1X market as a whole. Apple’s website calls 802.1X “the standard for Wi-Fi network protection.” Soon enough it will be the standard for wired network protection as well.

802.1X and OpenSEA in March issue of IEEE Computer Magazine

Friday, March 14th, 2008

In the March issue of IEEE’s Computer magazine, there is a four-page story on 802.1X adoption. Entitled “Will IEEE 802.1X Finally Take Off in 2008,” the article is written by Neal Leavitt and quotes me and fellow OpenSEA board member Matthew Gast several times. I can’t find a free copy online so here’s a link to the abstract (with an option to buy the article). Hopefully there will be a free version online somewhere soon.

802.1X Deployment at UT Austin

Friday, March 14th, 2008

William Green at UT Austin gave a great talk at Educause about their experiences with the 802.1X rollout in their wireless network. If you have been watching 802.1X from the sidelines and are interested in a real-world deployment, it is worth a look.