Sean Convery

Zeus Kerravala at Yankee has a nice column at Network World on the opportunity around network, identity, and policy integration. He writes:

Ultimately, getting policy to reside in a central location is the key. Rather than many disparate systems with policy information, enterprises need to have a single policy store, intimately tied to the identity store, where the network infrastructure can apply and enforce policy on all traffic. Having policy management in the core-with control at the edge-is the only scalable model for pulling together network, identity, and policy.

It is great to see more folks in the industry coalescing around this idea. The only thing I might take issue with is his goal of a single policy store. While that might be the best-case design ideal, I think the real world will require a much more collaborative approach. This is part of the reason my company writes all its policies using XACML. We’re expecting the need to share policy over time.

Technorati Tags: identity, policy, security

Continuing the 802.1X conversation, Network World recently put out test results for 10G access switches and included a whole section on 802.1X functionality. The article does a pretty good job running through many common 802.1X scenarios and highlights the breadth of functionality most modern switches have. While I’m not sure 10G to the desktop is necessary for all but the most demanding environments, most of the 802.1X functionality described here is available on much lower speed (and more affordable) switches from the same manufacturers. Wired 802.1X has seen quite a surge of interest of late as this article corroborates.

Technorati Tags: 802.1X

With convenient timing, Mike Fratto at Information Week has a short blurb on 802.1X validating some of my previous post. He cites some of the early challenges in 802.1X and sees “broader adoption” coming. It is nice to see the mainstream press starting to talk about default VLAN, guest portals, and some of the other 802.1X elements discussed here for some time now.

Technorati Tags: 802.1X

As frequent readers of this blog will no doubt expect, I was completely unsurprised by the shutdown of Lockdown Networks last week. Following the fire-sale of Caymas Systems and the announced restructuring of Vernier Networks as Autonomic Networks, it is natural that more NAC vendors would fall. Coincidentally, I was on the phone with a customer looking to swap out their Lockdown products for something more robust just before I heard the news.

For some analysis, take a look at the blog posts from Jon Oltsik and Eric Ogren, two former-colleagues of one another in the analyst community. The two take very different views with Jon pointing to Lockdown’s retooling of their product as a reason for their failure (but maintaining that the NAC market is healthy) while Eric blames the NAC market in general and the difficulty competing with Cisco and Microsoft.

I think Jon has things more on the money. The classic device-centric NAC market is crowded and with so many players it is awfully hard to reinvent yourself and still stay competitive. Part of me is surprised it has taken so long for another vendor to fail. After all, Cisco announced its intent to purchase Perfigo back in October of 2004. Perfigo’s product became Cisco Clean Access (the giant of the fledgling device NAC market). Lockdown’s technology seems almost identical to Perfigo’s but the market has moved on since then.

When I talk to customers I continue to hear the same themes as I did back in 2005 when I joined Identity Engines:

• Organizations want to use the network enforcement gear they already have
• No one wants to deploy a new inline device in their existing network (support and cost issues are cited)
• User identity is far more important than device health because it allows for far more fine-grained access decisions
• Guests and contractors is the area of greatest security concern
• Proprietary clients are a no-no

802.1X is the natural antidote to these desires and now that the deployments are getting larger and the technical objections are being removed through better solutions, I think we’ll be hearing a lot more about 802.1X this year. In fact, tying back to the Lockdown news you can see evidence of this in the market as a whole. Lockdown’s non-Cisco competitors are now talking a lot more about 802.1X and trying to bolt-on more of this type of functionality into their existing non-802.1X offerings. For a sense of this trend, look at the acquisitions in this space since Perfigo. We have Juniper acquiring Funk Software in November of 2005 and Cisco acquiring Meetinghouse Data Communications in July of 2006. The main technology asset of both companies was, you guessed it, 802.1X capabilities.

Technorati Tags: 802.1X, NAC, security

As part of their leap into the enterprise market, Apple is adding 802.1X support to the iPhone with their 2.0 firmware update in June. While I expected this to happen eventually, it is interesting that Apple found the feature noteworthy enough to mention in their top enterprise feature requests along with push email and push calendars. If you want proof check out this video and watch Phil Schiller, the SVP of WW Product Marketing at Apple discuss 802.1X at around the 5:30 mark of the video. This is during a press briefing announcing the SDK and the 2.0 feature-set. I’ve always thought 802.1X would be an essential part of networking going forward but to have it discussed as a key enterprise feature for the iPhone is great validation of the 802.1X market as a whole. Apple’s website calls 802.1X “the standard for Wi-Fi network protection.” Soon enough it will be the standard for wired network protection as well.

Technorati Tags: 802.1X, iPhone

In the March issue of IEEE’s Computer magazine, there is a four-page story on 802.1X adoption. Entitled “Will IEEE 802.1X Finally Take Off in 2008,” the article is written by Neal Leavitt and quotes me and fellow OpenSEA board member Matthew Gast several times. I can’t find a free copy online so here’s a link to the abstract (with an option to buy the article). Hopefully there will be a free version online somewhere soon.

Technorati Tags: 802.1X, OpenSEA

William Green at UT Austin gave a great talk at Educause about their experiences with 802.1X rollout in their wireless network. If you have been watching 802.1X from the sidelines are are interested in a real-world deployment it is worth a look.

Technorati Tags: 802.1X

I just saw this story from iPhone Matters listing a petition with over a thousand names looking for 802.1X support in the iPhone. Somewhat comically, the article refers to 802.1X as 802.11X, 802.1, and 802.1x. Though I’m sure Apple will get it right, I don’t care what they call it, so long as they add it. The iPhone WiFi capability has been far less useful than I was expecting; I generally only use it at home. The time the iPhone takes to check for available networks and let you choose is often longer than the time EDGE would take to complete your request. Also, the Google WiFi network in Mountain View periodically asks for re-authentication via an HTTP captive portal but the iPhone can’t tell when this is requested without me opening Safari. Consider the following scenario:

1. I am presented with “GoogleWiFi” as an available SSID and select it.
2. I now have to open Safari and enter my Google ID and password before I get a connection.
3. From this point on, my iPhone will remember that I use GoogleWiFi but it won’t track when my password is requested.
4. So if I’m walking downtown and decide to check my email I’ll never know that Google wants my ID again without always loading Safari first. Want to check weather? Same problem. Essentially, the whims of Google prompting me for my password determine when my phone’s data connection works. If I’m sitting at a stoplight and want to check traffic on Google maps, that is a horrible time to be asked to enter an eight digit user ID and a 13-digit password (what can I say, I’m a security guy).
5. Also, the iPhone makes no attempts to determine the signal strength before joining one of your “preferred” networks. So if you happen to get a whiff of GoogleWiFi while at that stoplight and then drive away while your request is being processed, you may wind up in network limbo for far longer than it would take for EDGE to do the job.

As a result, I turned off the “Ask to Join Networks” feature since it mostly wastes my time. Apple needs to do a couple things to really improve the iPhone WiFi capability:

1. Add 802.1X Support (Google has an 802.1X option that would largely address my inconsistent authentication concerns). This would also make office connectivity much easier.
2. Add a selection when joining a WiFi network to “Join once, then forget.” If you join a pay-to-play open wireless network, you don’t want to rejoin this every time as you won’t have connectivity the next time without reentering your credit card info. This makes the Tmobile Starbucks iTunes connectivity almost more nuisance than novelty. If you connect to Tmobile for free to use the iTunes WiFi store, the rest of your data services stop working until you disconnect from that WiFi network, or pay them some money.
3. Be able to set a minimum signal strength prior to joining any previously known wireless network.
4. Instead of showing which wireless networks are locked in the “ask to join” screen, instead show which allow network connectivity (i.e. giving out DHCP addresses and not asking for HTTP authentication). I realize this is probably unsolvable as the battery life involved in joining and probing all those wireless networks is probably far too high. Additionally, probing networks is probably a bit unsportsmanlike. I suppose you could implement an “active scan” option on the “ask to join” screen and have a confirmation before you allow it to happen. This would address the battery issue and also perhaps keep Apple out of any direct culpability.

Until then, I’ll deal with EDGE. I actually have been pleasantly surprised by EDGE’s performance. After turning off “ask to join” on WiFi, the phone can get right to making the request, speeding things up considerably.

Technorati Tags: 802.1X, Supplicant, wireless

If you would have asked me two years ago if my company’s products would be broadly deployed by large universities, hospitals, and government I would have said yes. As expected, these types of customers have deployed our products and are starting to get quite sophisticated in their use of authenticated networks. However, if you would have suggested that community colleges would have found our offering compelling I might have though you a bit crazy. However, much to my surprise, community colleges are deploying Identity Engines’ products (and authenticated networks in general) regularly.

If you think about it for just a moment, it makes perfect sense. Community colleges have among the highest user turnover rates of any type of organization; thousands of users are often coming and going each semester. The faculty at these colleges is often a mix of full-time staff and part-time instructors with day jobs in the marketplace. Additionally, most community colleges have multiple campuses through a geographic area and need to coordinate access policies among them. Guest access is another key requirement as community colleges engage with the residents of their host city in a significant way.

Kevin Jones of Metropolitan Community College (MCC) and I recently gave a talk at the League of Innovations CIT 2007 conference. This is a conference focused on community colleges and their unique IT needs. We discussed MCC’s deployment of authenticated networks and delivered the presentation to a standing-room only crowd. So much for convention wisdom…

I generally don’t blog about the various webinars that I do for my company but this last one was very interesting. I moderated a panel discussion on 802.1X with Pat Cronin, Steve Pettit, and Fred Collett. Pat is a VP at Bridgewater State College, Steve is the president of Great Bay Software, and Fred is a senior consultant at CBE Technologies. All of these guys have extensive experience in 802.1X deployments and Pat even walks through the details of his own rollout. Also of note is the massive interest we saw in the subject matter; over 500 people registered for the webinar. I really think we’re starting to see 802.1X get legs for more than just wireless. So all in all a useful way to spend an hour if you are considering 802.1X or role-based access control. You can view the archive here. Just as fair warning, registration is required and I would expect someone from Identity Engines’ sales organization to contact you afterwards. Happy Thanksgiving everyone!

Technorati Tags: 802.1X, Supplicant