To the surprise of no one who read the comments to my earlier post, it is now official that Nortel was the purchaser of Identity Engines’ IP assets. They updated the IDE homepage with a short message and contact info for more information. Given that they are inviting IDE customers to contact Nortel’s account teams, I’m hopeful that they’ll be providing some ongoing support options to existing IDE customers. Have any IDE customers contacted Nortel yet? What was the result?
Archive for the ‘802.1X’ Category
Just a quick 802.1X update that some folks may have missed. There is a new IOS release for the 6500: 12.2.33 SXI (gotta love our naming scheme). It provides some very nice improvements for wired 802.1X rollouts. Network World wrote up the basics and even provides some config examples; take a look. When this hits the other Cisco switch platforms I’ll be sure to provide another update.
Having a Google news alert on “802.1X” sometimes gives you some amusing stories. It seems the Turkish Ministry of Education is rolling out a new secure LAN using 802.1X and VLANs. The article goes on to say, “This deployment is considered to be one of the largest 802.1x application deployments in the Turkish market.” I found this interesting because 802.1X was such a focus of what they discussed. Like I’m seeing in North America, the government demands for secure audit and segmentation appear to be consistent in at least this portion of Southeastern Europe. Based on the discussions I’ve already had in Asia and the UK, 802.1X may be serving a global need.
Technorati Tags: 802.1X
A new research brief from Lawrence Orans and John Pescatore at Gartner claims 802.1X adoption is increasing:
A recent Gartner survey indicates that 50% of enterprises plan to implement 802.1X in their wired networks by 2011. Gartner believes that momentum will increase strongly, and that actual enterprise adoption will reach 70% by 2011.
I don’t have permission to share the document but if you are a Gartner client, be sure to check it out. My company is seeing a similar rise in interest as regular readers of this blog already know. The ANA framework represents a good starting point for organizations trying to plan a deployment.
I’m thrilled to announce that my company just launched the Authenticated Network Architecture (ANA). ANA is a vendor-neutral framework that leverages industry standards for the design of an identity-centric security system. ANA was conceived as the next logical step from my earlier work with the Cisco SAFE Blueprint and builds on my textbook “Network Security Architectures”. The ANA white paper goes into significant detail and breaks out deployment in five phases, each of which is incrementally beneficial and none of which requires a forklift upgrade (or any particular network vendor’s gear). I recommend you check out the overview first but feel free to download the complete white paper.
As anyone who’s familiar with my approach to white papers will know, the document does not pitch my company’s products at all, in fact they are not even mentioned. Also, one of the nice things about working at a small company is I can revise the document and publish an update fairly easily. I’d love feedback from the community on information you’d like to see added, any errors you found, or just general comments. Here’s the executive summary:
Network security has been evolving since its inception, sometimes slowly, sometimes in larger increments. As technology has shifted, best practices have slowly matured. What was a good idea two years ago is still likely a good idea today, with minor variations based on the evolving threats and business requirements. However, we are currently at an inflection point in the use of network-based security controls. Whereas previous designs focused almost exclusively on static policies, filter rules, and enforcement controls, a newer approach has emerged that promises much more dynamic options to address the increased mobility and diversity of today’s network users.
This approach, called the Authenticated Network Architecture (ANA), is based on the notion of authentication of all users on a network and the association of each user with a particular set of network entitlements. For example, guests are granted access only to the Internet, contractors only to discrete network resources, employees only to the broader network as a whole, and privileged employees only to isolated enclaves of highly secured resources. Most of the capabilities described in the architecture have been available in shipping network infrastructure for many years. However, while the architecture itself does not mandate much in the way of equipment migration, it does require organizations to think differently with regard to their overall security framework. The cooperation of security and network architects with their more operationally inclined counterparts in IT is critical to ensure that the designs contained in this document evolve with the growing capabilities of your infrastructure.
This document outlines the ANA approach as a whole and describes how to migrate existing enterprise security designs to this more dynamic approach. In particular, it discusses the best practices that are emerging in ANA as well as the specific business requirements that influence deployment decisions.
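To make the entitlement tiers in that summary concrete, here is an added example (not code from the ANA white paper, from the original post, or from any switch or RADIUS vendor) of the two halves an 802.1X deployment needs from the policy side: a policy decision that maps an authenticated user's roles to one of the four tiers (guest, contractor, employee, privileged), and the encoding of that decision as the RFC 2868 tunnel attributes that RFC 3580 uses for dynamic VLAN assignment, which is how existing 802.1X-capable switches enforce an identity-based decision without any new inline gear. The role names, VLAN numbers, precedence order and the idea of returning a bare attribute blob rather than a full RADIUS packet are all assumptions made for this illustration.

```python
import struct
from typing import List, Optional, Set, Tuple

# Assumed mapping from directory role to network entitlement: (VLAN ID, label).
ENTITLEMENTS = {
    "guest":      (900, "internet-only"),
    "contractor": (300, "project-resources"),
    "employee":   (100, "corporate"),
    "privileged": (10,  "secure-enclave"),
}
# Most privileged first; a user holding several roles gets the broadest entitlement.
PRECEDENCE = ["privileged", "employee", "contractor", "guest"]

# RADIUS attribute types from RFC 2868 and the values RFC 3580 assigns for VLANs.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


def decide(roles: Set[str]) -> Tuple[str, Optional[int]]:
    """Policy decision point: ("accept", vlan_id) or ("reject", None) for unknown users."""
    for role in PRECEDENCE:
        if role in roles:
            return "accept", ENTITLEMENTS[role][0]
    return "reject", None


def _avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 24-bit big-endian value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes that move an 802.1X port into vlan_id on Access-Accept."""
    return (
        _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
        + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_IEEE802))
        + _avp(TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan_id).encode("ascii"))
    )


def authorize(roles: Set[str]) -> Tuple[str, bytes]:
    """Reply code plus the attribute bytes to carry in the RADIUS reply to the switch."""
    decision, vlan_id = decide(roles)
    if decision == "reject" or vlan_id is None:
        return "Access-Reject", b""
    return "Access-Accept", vlan_attributes(vlan_id)


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Decode a run of RADIUS AVPs, refusing the malformed lengths a switch would drop."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def vlan_from_attributes(blob: bytes) -> Optional[int]:
    """What the switch would apply: the VLAN only if all three attributes agree."""
    attrs = dict(parse_attributes(blob))
    if attrs.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big"):
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"):
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not group or len(group) < 2:
        return None
    return int(group[1:].decode("ascii"))


if __name__ == "__main__":
    # Constructed sample users; in a real deployment the roles come from the directory.
    for who, roles in [("alice", {"employee"}), ("bob", {"contractor", "guest"}),
                       ("visitor", {"guest"}), ("unknown", set())]:
        code, attrs = authorize(roles)
        print(who, code, "VLAN", vlan_from_attributes(attrs) if attrs else "-")
```

The parse-back step is the check worth keeping: if the policy engine emits Tunnel-Private-Group-ID without matching Tunnel-Type and Tunnel-Medium-Type, most switches silently ignore the VLAN and leave the port in its default, which is exactly the kind of failure a rollout should catch before it reaches production ports.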
So I managed to resist the urge to buy the 3G iPhone but I was happy to try out the new 2.0 firmware, primarily for the Exchange support and of course, 802.1X. I was curious to see how many options the UI would expose to the user to configure supplicant settings. What EAP types would be supported? Would it care about inner and outer tunnel identity? The answer on the options front, in typical Apple style, is zero. That’s it. No options at all. It just works. Now how it works and how efficiently it operates is an open question. I haven’t managed to break out a sniffer yet to see what it tries to do. I just tried a simple test, connecting to my 802.1X network at the office. We use PEAP/MSCHAPv2 against our Ignition Server going to an AD back-end. Previously I had to connect my iPhone to the guest network and use MAC authentication bypass to get basic Internet connectivity; not particularly secure or easy to use. I had to fire up the browser each time to get the session with the captive portal which wasn’t hard but was an extra step I’d rather avoid. Here’s what I did today:
1. Went into settings, WiFi, and chose the SSID of our WPA2 Enterprise deployment
2. I hunted around for options related to 802.1X and found none. Instead, all I was asked for was a username and a password.
3. I entered that information and clicked join and waited.
4. I waited
5. I waited some more…
6. Eventually I hit cancel, not sure what had happened
7. I then connected again, reentered my password, and was immediately taken to a certificate screen. It presented me with our server-side certificate, let me examine it if I wanted to, and then prompted me to accept it.
8. I clicked accept and then was on the network.
I’m eager to see what sort of experiences others are having with the 2.0 firmware and 802.1X. On the one hand, I’m incredibly excited that (glitch in the middle aside) I got on without needing to know anything about the nuances of 802.1X supplicant configuration. On the other hand I wonder if the lack of options will render certain types of 802.1X deployments non-functional.
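For comparison, here is the same kind of network (WPA2 Enterprise, PEAP with MSCHAPv2 inner authentication against an AD-backed RADIUS server) written out as a wpa_supplicant network block, so you can see every decision the phone's zero-option UI is making on the user's behalf. This is an added example, not Apple's configuration and not anything from the original post; the SSID, identities, password, CA file path and server name are placeholders. The two settings to look at are ca_cert and domain_suffix_match: they are what the "accept this certificate?" prompt in step 7 stands in for, and without server validation a rogue access point can present any certificate, terminate the PEAP tunnel, and collect the MSCHAPv2 challenge/response.

```ini
# Added example: wpa_supplicant.conf network block for PEAP/MSCHAPv2.
# All names, paths and secrets below are placeholders.
network={
    ssid="corp-wpa2"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP

    # EAP method and inner (phase 2) method: the choice the phone made silently.
    eap=PEAP
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"

    # The outer identity travels in the clear in EAP-Response/Identity; the
    # inner identity is only sent inside the TLS tunnel. Splitting them keeps
    # the real username off the air.
    anonymous_identity="anonymous@example.com"
    identity="jdoe@example.com"
    password="placeholder"

    # Server authentication: trust only our CA, and only a certificate whose
    # subject name is under the RADIUS server's domain. Leaving these out is
    # the equivalent of tapping "accept" on whatever certificate shows up.
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

On a supplicant that does expose these knobs, the thing to verify after a rollout is that the CA and server-name constraints are actually set, because the connection works just as well without them; the difference only shows up when someone else's access point answers the probe.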
Update: 7/11/08 – 8:38 PM
Wi-Fi Networking News has a post about Apple’s Enterprise phone management application that builds 802.1X packages for iPhone. It looks like Apple stuck all the options there for corporate IT managers looking to have tighter control over the 802.1X configs. From the post:
The utility serves two purposes: creating configuration profiles, including for multiple Wi-Fi networks and VPN connections; and allowing iPhones in an enterprise to run internally developed iPhone software. The Wi-Fi profiles allow you to create WEP or WPA/WPA2 802.1X configurations, and include support for choosing allowed EAP messaging types, configuring authentication elements associated with a given EAP type, and adding server certificates and names for better authentication control.
Once created, these profiles can be distributed throughout a company via email or as a direct download to the iPhone via an intranet Web server. Apple chose not to encrypt them, which means that certain information that’s not secured—such as the shared secret for certain VPN connections—could be disclosed to someone who had access to the profile or could download it off the local network.
Zeus Kerravala at Yankee has a nice column at Network World on the opportunity around network, identity, and policy integration. He writes:
Ultimately, getting policy to reside in a central location is the key. Rather than many disparate systems with policy information, enterprises need to have a single policy store, intimately tied to the identity store, where the network infrastructure can apply and enforce policy on all traffic. Having policy management in the core, with control at the edge, is the only scalable model for pulling together network, identity, and policy.
It is great to see more folks in the industry coalescing around this idea. The only thing I might take issue with is his goal of a single policy store. While that might be the best-case design ideal, I think the real world will require a much more collaborative approach. This is part of the reason my company writes all its policies using XACML. We’re expecting the need to share policy over time.
Continuing the 802.1X conversation, Network World recently put out test results for 10G access switches and included a whole section on 802.1X functionality. The article does a pretty good job running through many common 802.1X scenarios and highlights the breadth of functionality most modern switches have. While I’m not sure 10G to the desktop is necessary for all but the most demanding environments, most of the 802.1X functionality described here is available on much lower speed (and more affordable) switches from the same manufacturers. Wired 802.1X has seen quite a surge of interest of late as this article corroborates.
With convenient timing, Mike Fratto at Information Week has a short blurb on 802.1X validating some of my previous post. He cites some of the early challenges in 802.1X and sees “broader adoption” coming. It is nice to see the mainstream press starting to talk about default VLAN, guest portals, and some of the other 802.1X elements discussed here for some time now.
As frequent readers of this blog will no doubt expect, I was completely unsurprised by the shutdown of Lockdown Networks last week. Following the fire-sale of Caymas Systems and the announced restructuring of Vernier Networks as Autonomic Networks, it is natural that more NAC vendors would fall. Coincidentally, I was on the phone with a customer looking to swap out their Lockdown products for something more robust just before I heard the news.
For some analysis, take a look at the blog posts from Jon Oltsik and Eric Ogren, two former colleagues in the analyst community. The two take very different views, with Jon pointing to Lockdown’s retooling of their product as a reason for their failure (but maintaining that the NAC market is healthy) while Eric blames the NAC market in general and the difficulty competing with Cisco and Microsoft.
I think Jon has things more on the money. The classic device-centric NAC market is crowded and with so many players it is awfully hard to reinvent yourself and still stay competitive. Part of me is surprised it has taken so long for another vendor to fail. After all, Cisco announced its intent to purchase Perfigo back in October of 2004. Perfigo’s product became Cisco Clean Access (the giant of the fledgling device NAC market). Lockdown’s technology seems almost identical to Perfigo’s but the market has moved on since then.
When I talk to customers I continue to hear the same themes as I did back in 2005 when I joined Identity Engines:
- Organizations want to use the network enforcement gear they already have
- No one wants to deploy a new inline device in their existing network (support and cost issues are cited)
- User identity is far more important than device health because it allows for far more fine-grained access decisions
- Guests and contractors are the area of greatest security concern
- Proprietary clients are a no-no
802.1X is the natural antidote to these desires and now that the deployments are getting larger and the technical objections are being removed through better solutions, I think we’ll be hearing a lot more about 802.1X this year. In fact, tying back to the Lockdown news, you can see evidence of this in the market as a whole. Lockdown’s non-Cisco competitors are now talking a lot more about 802.1X and trying to bolt on more of this type of functionality to their existing non-802.1X offerings. For a sense of this trend, look at the acquisitions in this space since Perfigo. We have Juniper acquiring Funk Software in November of 2005 and Cisco acquiring Meetinghouse Data Communications in July of 2006. The main technology asset of both companies was, you guessed it, 802.1X capabilities.