2007 Conjecture Conclusion

January 16th, 2008

My 2007 predictions are, of course, now open to criticism. I figure I’ll call myself on some things preemptively and then folks can give me some feedback via comments.

  1. “NAC as a term will grow out of favor…” As I said last year, some of these are tough to measure but I think at least a B on this one is appropriate. NAC as a term is growing out of favor and/or morphing in meaning. The definition has shifted away from pure endpoint security controls and more towards identity. So even when the NAC term is used, it means something more today than a year ago. As another data-point, take Cisco’s marketing introduction of TrustSec for example. In their white paper describing the proposed solution the word “posture” appears four times, the word “identity” appears 12 times, and the acronym “NAC?” Zero.
  2. “One of today’s NAC vendors will go under…” This one is clearly an A, Caymas shut its doors in the first half of last year.
  3. “One of today’s NAC vendors will get acquired by a larger firm…” AV vendor Sophos picked up NAC vendor Endforce in January so this is another clear-cut A grade. I expect more consolidation in 2008.
  4. “An open-source 802.1X supplicant will emerge as a viable alternative to commercial and OS-native supplicants…” OpenSEA was announced, has garnered wide industry support, and is set to find its way into multiple commercial offerings (see my previous posts on this topic). My company was a founding member and we’ve seen lots of participation in the group. JANET(UK) is in the midst of testing the client and has a user-base of 18 million. Though the supplicant is not yet GA, I expect that soon. Given all this an A might be appropriate but I think given where customers are with their production Xsupplicant deployments a B is a safer assessment. As an aside, momentum for Xsupplicant going into 2008 is huge.
  5. “Wired 802.1X turns the corner from rare occurrence to early-adopter chic…” I don’t have any objective data to draw from yet but I think this is happening now. At my company we’re seeing much more interest in wired 802.1X; with wired you now authenticate everywhere and so role-based access control (RBAC) is completely viable. That said, I expected more production deployments by now so a B seems fair.

OpenSEA Adds HP and Aruba, Ships 2.0.0

December 18th, 2007

OpenSEA just announced that HP and Aruba have joined the Alliance. HP even indicated that it might bundle the supplicant in their PCs. There’s some fairly thoughtful analysis by Ric Turner at Computer Business Review here. All in all this bodes well for the Alliance and 802.1X in general. I look forward to having more members to announce in 2008!

In related news, the Open1X project just shipped 2.0.0 of the supplicant. It is now in feature freeze mode meaning the only new development to this branch will be bug fixes.

Network Authentication and Community Colleges

December 7th, 2007

If you had asked me two years ago if my company’s products would be broadly deployed by large universities, hospitals, and government I would have said yes. As expected, these types of customers have deployed our products and are starting to get quite sophisticated in their use of authenticated networks. However, if you had suggested that community colleges would find our offering compelling I might have thought you a bit crazy. However, much to my surprise, community colleges are deploying Identity Engines’ products (and authenticated networks in general) regularly.

If you think about it for just a moment, it makes perfect sense. Community colleges have among the highest user turnover rates of any type of organization; thousands of users are often coming and going each semester. The faculty at these colleges is often a mix of full-time staff and part-time instructors with day jobs in the marketplace. Additionally, most community colleges have multiple campuses through a geographic area and need to coordinate access policies among them. Guest access is another key requirement as community colleges engage with the residents of their host city in a significant way.

Kevin Jones of Metropolitan Community College (MCC) and I recently gave a talk at the League of Innovations CIT 2007 conference. This is a conference focused on community colleges and their unique IT needs. We discussed MCC’s deployment of authenticated networks and delivered the presentation to a standing-room-only crowd. So much for conventional wisdom…

An 802.1X Roundtable

November 21st, 2007

I generally don’t blog about the various webinars that I do for my company but this last one was very interesting. I moderated a panel discussion on 802.1X with Pat Cronin, Steve Pettit, and Fred Collett. Pat is a VP at Bridgewater State College, Steve is the president of Great Bay Software, and Fred is a senior consultant at CBE Technologies. All of these guys have extensive experience in 802.1X deployments and Pat even walks through the details of his own rollout. Also of note is the massive interest we saw in the subject matter; over 500 people registered for the webinar. I really think we’re starting to see 802.1X get legs for more than just wireless. So all in all a useful way to spend an hour if you are considering 802.1X or role-based access control. You can view the archive here. Just as fair warning, registration is required and I would expect someone from Identity Engines’ sales organization to contact you afterwards. Happy Thanksgiving everyone!

Universities, RBAC, and Regulations

October 23rd, 2007

I recently had a short piece published in the Fall issue of the ACUTA Journal. It doesn’t look like they make the journal available to non-members but I got permission to share just the portion that I wrote. It is a high-level summary of role-based access control (RBAC) and how it relates to some of the emerging regulatory requirements for higher-education networks. Here’s the opening paragraph:

As recently as 10 years ago, we had it easy: Users stayed put at desktop machines, IP addresses never changed, and IT wasn’t on any lawmaker’s agenda. Solutions focused on the threats of the time, which, compared with today, weren’t many. But now technologies and threats are changing so fast that it’s hard to keep up. We can no longer count on a fixed IP address or even on a single device for a given user. We all want network access from the increasingly large pool of devices and access methods, and this has dramatically complicated the security task.

OpenSEA Calls for Participation in Testing 802.1X Client

October 23rd, 2007

Things have been busy over at the OpenSEA Alliance and its Open1X project. Today we announced a call for participation to the community around the latest release of Xsupplicant. Due to the multitude of desktop software permutations and the resulting hardware interactions, Xsupplicant needs more testing than your average piece of software. The alliance and its members can only take this so far; we need your help! Whether it is just downloading the client and giving it a try on a test machine or getting more involved in the identifying and closing out of bugs, head on over to the Open1X project’s website and pitch in!

Market Acceptance of Wired 802.1X Improving

September 24th, 2007

Well besides all the good news on the open supplicant front, it has been a while since I mentioned 802.1X adoption in general. We’re certainly seeing more interest in wired 802.1X at my company but it is seen often in the news these days as well. Here are a couple examples: first up is Intel adding hardware 802.1X support to its latest motherboards (the implications of this on virtualized OS instances could be interesting). And second, Linksys is expanding its low-end SMB line into the security arena with support for 802.1X. This adds more evidence to my contention that the core enforcement capabilities in network infrastructure are becoming commodities. I firmly believe that the future of network security will not be about more sophisticated packet inspection or manipulation techniques but rather the intelligent control of the methods we already have.

XSupplicant Open Source 802.1X Client (Development Release)

September 17th, 2007

I’m pleased to relay the news that a development version of XSupplicant (an open source 802.1X supplicant) is now available for download. The OpenSEA alliance formed a while back and these are some of the initial results of the group (well really the talented developers of the Open1X project within OpenSEA). While this is most definitely a development release and should not be used in production, the developers are actively seeking feedback. So if you have the time and interest, they’d love any comments you may have.

Functionality Forgoing Forklifts

August 15th, 2007

My favorite techno-contrarian Nick Carr has a post linking to an article he just had published in Director magazine. It contains 10 common-sense approaches to reducing IT costs. Many of his points are good but in particular I want to confirm a growing trend he calls out: customers’ general distaste for significant infrastructure migrations. More and more, companies want to take advantage of what they already have. He writes:

Since then [2001] exciting new technologies have also emerged that have allowed businesses to use their existing IT equipment more effectively and avoid buying new gear. Suddenly, companies are finding they can cut their IT budgets and still have the computing capabilities they need. Smart IT management is all about getting more for less.

As I talk to customers about identity management for networks, many of them approach it assuming that a new overlay network is not an acceptable solution. They are looking for a layer of intelligence to let them take advantage of what they already have in place, even if their LAN infrastructure is a few years old. I expect this trend to result in more challenges for the nascent inline LAN security market beyond Caymas’ closure. I’ve been maintaining for a while that we’ve got most of the core packet processing capabilities that we need; now it’s all about intelligent management of our existing investment.

Security Excuse Bingo

August 13th, 2007

I’m sure most folks have probably seen this already–as Bruce Schneier blogged about it–but I’ll post it here just the same; it is just too darn funny: Matt Blaze has a new game.