September 24th, 2007
Well, besides all the good news on the open supplicant front, it has been a while since I mentioned 802.1X adoption in general. We're certainly seeing more interest in wired 802.1X at my company, and it has been turning up in the news lately as well. Here are a couple of examples: first up, Intel is adding hardware 802.1X support to its latest motherboards (the implications of this for virtualized OS instances could be interesting). Second, Linksys is expanding its low-end SMB line into the security arena with support for 802.1X. This adds more evidence to my contention that the core enforcement capabilities in network infrastructure are becoming commodities. I firmly believe that the future of network security will not be about more sophisticated packet inspection or manipulation techniques but rather about the intelligent control of the methods we already have.
Technorati Tags: 802.1X, security, Supplicant
Posted in 802.1X, General Security | No Comments »
September 17th, 2007
I'm pleased to relay the news that a development version of XSupplicant (an open source 802.1X supplicant) is now available for download. The OpenSEA alliance formed a while back, and these are some of the initial results of the group (well, really of the talented developers of the Open1X project within OpenSEA). While this is most definitely a development release and should not be used in production, the developers are actively seeking feedback. So if you have the time and interest, they'd love any comments you may have.
Technorati Tags: 802.1X, Supplicant
Posted in 802.1X, Network Authentication | No Comments »
August 15th, 2007
My favorite techno-contrarian Nick Carr has a post linking to an article he just had published in Director magazine. It contains 10 common-sense approaches to reducing IT costs. Many of his points are good but in particular I want to confirm a growing trend he calls out: customers’ general distaste for significant infrastructure migrations. More and more, companies want to take advantage of what they already have. He writes:
Since then [2001] exciting new technologies have also emerged that have allowed businesses to use their existing IT equipment more effectively and avoid buying new gear. Suddenly, companies are finding they can cut their IT budgets and still have the computing capabilities they need. Smart IT management is all about getting more for less.
As I talk to customers about identity management for networks, many of them approach it assuming that a new overlay network is not an acceptable solution. They are looking for a layer of intelligence that lets them take advantage of what they already have in place, even if their LAN infrastructure is a few years old. I expect this trend to result in more challenges for the nascent inline LAN security market beyond Caymas' closure. I've been maintaining for a while that we've got most of the core packet processing capabilities that we need; now it's all about intelligent management of our existing investment.
Technorati Tags: Identity Management, security
Posted in General Security | No Comments »
August 13th, 2007
I’m sure most folks have probably seen this already–as Bruce Schneier blogged about it–but I’ll post it here just the same; it is just too darn funny: Matt Blaze has a new game.
Posted in Off Topic | No Comments »
August 3rd, 2007
John Roese, Nortel’s CTO, has a nice post on why he thinks we are almost at the point where enterprise network infrastructure can go wireless only. He’s careful not to say we’re exactly there now, but certainly sees Nortel as a leader in this space. He writes:
It is our position that, after a decade of evolution, both Wi-Fi and broadband wireless (4G) technologies are getting close enough to the expectations of the customer that we are becoming able to build the Unwired Enterprise from an access perspective.
I'm seeing this as well, though I think wired will be around for a long time to come. At Identity Engines, we have a prominent enterprise customer that finally decided to deploy wired at a new facility only because the VoIP quality wasn't yet there for wireless. Furthermore, our experience in the education market shows that wireless-only is already here in principle for many university students and staff; these university users frequently never connect to the wired network, even at their home location. The next several years will be interesting indeed; Roese thinks they might even shift the vendor landscape:
This is great for mobility and productivity from a customer view, but it is also an inflection point that can force a re-thinking of the enterprise LAN architecture. That is something that happens very rarely but, when it does, the market can be remade and the vendor landscape can be transformed.
I tend to agree, but I think it might cause more of a trend towards commodity, standards-based network infrastructure coupled closely with robust identity management for the network. Then again, I could be a bit biased in this regard…
Technorati Tags: 802.1X, wireless
Posted in 802.1X, Network Authentication | No Comments »
August 2nd, 2007
OK, last post today…I think:
Speaking of hard computing problems, according to Wired’s Danger Room blog, robots with machine guns have now been deployed in Iraq. These robots (dubbed special weapons observation remote reconnaissance direct action system [SWORDS]) have not fired yet but:
Michael Zecca, the SWORDS program manager, tells DANGER ROOM. “But that’ll be happening soon.”
Speaking as someone who's seen commercial security systems fail repeatedly during my time in the industry, I certainly hope their software is better than our software. Something tells me that there isn't a "powered by Windows Mobile" sticker anywhere on the bot. However, with commercial OSs performing more and more functions for the government, it doesn't seem completely outside the realm of possibility.
Setting aside the ethical implications of turning war into a game of networked Doom, the repercussions of a crypto or software failure in the transmissions between the controller and the bot are enormous. I wonder what they are using and what sort of testing it underwent. I wouldn't be surprised to see some security through obscurity in there somewhere. On a related note, Steven Murdoch over at Cambridge has an interesting post explaining why software problems are as big as or bigger than crypto problems in e-voting systems. The same applies here as well (note his mention of rocket launches):
Good software engineering is necessary but, in the case of voting systems, may be especially difficult to achieve. In fact, such systems have more similarities to the software behind rocket launches than more conventional business productivity software. We should thus expect the consequential high costs and, despite all this extra effort, that the occasional catastrophe will be inevitable.
Technorati Tags: biometrics, security
Posted in Crypto and VPNs, Off Topic | 1 Comment »
August 2nd, 2007
Since my last two posts have been about biometrics, how about a related one concerning crowd facial recognition? Bruce Schneier points to German test results (in German):
Two hundred frequent travellers volunteered to have their faces recorded and three different systems tried to recognize the faces in the crowds of a train station. Results (in German): 60% recognition at best, 30% on average (depending on light and other factors).
Facial recognition in a crowded public place seems like an extraordinarily hard computing problem to solve. Oditogre, an early commenter on Bruce's original post, raises an interesting question:
Google translator mangled it pretty badly, but I got the gist enough that it didn’t seem to say how many false positives there were. That would be the biggest issue, to me. If they can achieve 30% recognition rate with 0% false positive rate, that could well be a very effective system for catching fugitives, but otherwise, it’s just going to be a bad waste of money.
I personally don't see how you can have a 30% success rate with zero false positives. Network IDSs can't eliminate false positives, and they're working with binary data. Later on in the comments it appears that the false positive rate was 0.1%. While this may seem good, imagine how many folks will walk past a particular point in Times Square today, or through the Otemachi metro station in Tokyo: at 0.1%, every thousand innocent faces produces one alert, and those alerts quickly outnumber the handful of real hits.
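To put numbers on that, here is a small base-rate calculator. It is an added example, not part of the original post or the German trial's report: the 30% recall and 0.1% false-positive rate are the figures quoted above, while the passer-by count and the number of watch-listed people are assumptions made up for illustration. It also runs the calculation backwards, asking what false-positive rate a system would need for even half of its alerts to be real.

```python
"""Base-rate arithmetic for a crowd facial-recognition checkpoint.

Added example, not from the original post or from the German trial.
The 30% recall and 0.1% false-positive rate come from the post; every
passer-by count and watch-list size below is an assumed figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Checkpoint:
    passersby: int     # people scanned per day (assumed figure)
    watchlisted: int   # how many of them really are on the watch list (assumed)
    recall: float      # true-positive rate of the recognizer, e.g. 0.30
    fpr: float         # false-positive rate per innocent face, e.g. 0.001

    def expected_hits(self) -> float:
        """Watch-listed people the system flags (true positives)."""
        return self.watchlisted * self.recall

    def expected_false_alarms(self) -> float:
        """Innocent people the system flags (false positives)."""
        return (self.passersby - self.watchlisted) * self.fpr

    def precision(self) -> float:
        """P(person is on the list | system raised an alert)."""
        hits = self.expected_hits()
        alerts = hits + self.expected_false_alarms()
        return hits / alerts if alerts else 0.0

    def fpr_for_precision(self, target: float) -> float:
        """False-positive rate needed for a given share of alerts to be real.

        Rearranges  target = hits / (hits + innocents * fpr)  for fpr.
        """
        hits = self.expected_hits()
        innocents = self.passersby - self.watchlisted
        return hits * (1.0 - target) / (target * innocents)


def summarize(cp: Checkpoint) -> dict:
    """All four figures an operator would want before buying such a system."""
    return {
        "hits": cp.expected_hits(),
        "false_alarms": cp.expected_false_alarms(),
        "precision": cp.precision(),
        "fpr_for_50pct_precision": cp.fpr_for_precision(0.5),
    }


if __name__ == "__main__":
    # Assumed station: half a million passers-by a day, ten of them wanted.
    station = Checkpoint(passersby=500_000, watchlisted=10, recall=0.30, fpr=0.001)
    for name, value in summarize(station).items():
        print(f"{name:>24}: {value:,.4g}")
```

With those assumed inputs the system flags three of the ten wanted people and about five hundred innocent ones, so fewer than one alert in a hundred is real; getting to a coin-flip would require a false-positive rate on the order of one in a hundred thousand, two orders of magnitude better than the trial's figure.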
Technorati Tags: biometrics
Posted in Off Topic | No Comments »
August 2nd, 2007
Dr. Terry Boult, of the University of Colorado Vision and Security Technology Lab, responded to my last post with some excellent research that is much more current than the paper I originally mentioned. I haven’t had time to drill into all of it but the first paper from Arun Ross, Jidnya Shah, and Anil Jain entitled From Template to Image: Reconstructing Fingerprints from Minutiae Points was very interesting. Based on my cursory examination, it seems to confirm the 2003 paper’s hypothesis that reconstructing biometric data is possible for other types of biometric systems beyond those employing facial recognition:
The salient feature of this noniterative method to generate ridges is its ability to preserve the minutiae at specified locations in the reconstructed ridge map. Experiments using a commercial fingerprint matcher suggest that the reconstructed ridge structure bears close resemblance to the parent fingerprint.
He also points to some research on "cancelable biometrics," including a paper of his own (the link is dead for some reason). The IBM Exploratory Computer Vision Group has a brief description of how one system works. The full paper can be found here. In short, the system seems to distort the original biometric in a repeatable way, so that each time the biometric is presented it is only stored in its distorted form, never in its original form. If the stored form gets compromised, you can issue a new biometric "distorted" in a different way. I haven't looked through the other papers yet, but if they work similarly to the IBM proposal I have some questions.
I'm not sure exactly how this is different from the "template" of a normal biometric, except perhaps that the user could control the process. Assuming it is different, the problem I see is: how do you know whether the biometric system you are using supports this capability? Say your OS supported this function but your bank or government didn't. If you are using fingerprints for all of them, we're back to the same problem that Dr. Boult calls the "biometric dilemma." Also, doesn't the biometric scanner need to hold your original biometric data (even if only briefly) in order to distort it? If so, we're back to my "perfect system" assumption.
It still seems to me that the way to truly revoke a biometric has more to do with medicine and surgery than it does with information technology. I look forward to getting better educated on this in the future and I’m glad to see research underway.
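To make the "repeatable distortion" idea concrete, here is a toy cancelable-biometric transform. It is an added illustration, not IBM's scheme, Dr. Boult's, or any product's code, and everything in it is an assumption: the fingerprint is modelled as a set of minutiae coordinates on a 256x256 grid, the distortion is a keyed, many-to-one mapping of grid cells onto buckets, the key is a revocable token issued per relying party, and matching is a simple set overlap in the distorted domain. The synthetic finger and its noisy re-capture are constructed data.

```python
"""Toy 'cancelable biometric' transform (added example, not a real scheme).

A fingerprint is modelled as a set of minutiae (x, y) on a GRID x GRID image.
The 'distortion' is a keyed, many-to-one map from quantised grid cells onto
BUCKETS; only the resulting bucket set is stored.  Re-issuing the token changes
the map, so an old stored template can be cancelled.  All sizes are assumptions.
"""
import hashlib
import random
from typing import FrozenSet, List, Tuple

GRID = 256       # capture resolution (assumed)
CELL = 16        # quantisation cell size -> 16 x 16 = 256 cells
BUCKETS = 128    # target space of the many-to-one mapping (assumed)

Minutia = Tuple[int, int]
Template = FrozenSet[int]


def keyed_cell_map(token: bytes) -> List[int]:
    """Derive the cell -> bucket mapping from a revocable token.

    The token, not the finger, is what gets replaced on compromise: a new
    token yields an unrelated mapping and therefore an unrelated template.
    """
    seed = int.from_bytes(hashlib.sha256(b"cancelable-toy-v1|" + token).digest(), "big")
    rng = random.Random(seed)
    cells = (GRID // CELL) ** 2
    return [rng.randrange(BUCKETS) for _ in range(cells)]


def distort(minutiae: List[Minutia], token: bytes) -> Template:
    """Map raw minutiae to the distorted template that is stored.

    The raw coordinates are present in memory here, briefly, as the
    transform's input; they are never written out, only the bucket set is.
    Because several cells share a bucket, the bucket set does not identify
    which cells were hit even if the token is known.
    """
    cmap = keyed_cell_map(token)
    per_row = GRID // CELL
    return frozenset(cmap[(y // CELL) * per_row + (x // CELL)] for x, y in minutiae)


def similarity(a: Template, b: Template) -> float:
    """Jaccard overlap of two distorted templates; matching never sees raw data."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def verify(stored: Template, probe: List[Minutia], token: bytes, threshold: float = 0.5) -> bool:
    """Accept a fresh capture if its distorted form overlaps the stored one enough."""
    return similarity(stored, distort(probe, token)) >= threshold


# --- constructed sample data: a synthetic finger and a noisy re-capture of it ---
def synthetic_finger(seed: int, n: int = 40) -> List[Minutia]:
    rng = random.Random(seed)
    return [(rng.randrange(GRID), rng.randrange(GRID)) for _ in range(n)]


def recapture(minutiae: List[Minutia], seed: int) -> List[Minutia]:
    """Simulate sensor noise: each coordinate jitters by at most one pixel."""
    rng = random.Random(seed)

    def clamp(v: int) -> int:
        return max(0, min(GRID - 1, v))

    return [(clamp(x + rng.choice((-1, 0, 1))), clamp(y + rng.choice((-1, 0, 1))))
            for x, y in minutiae]


if __name__ == "__main__":
    finger = synthetic_finger(1)
    token, reissued_token = b"bank-issue-001", b"bank-issue-002"
    stored = distort(finger, token)
    print("same finger, same token, noisy capture:",
          round(similarity(stored, distort(recapture(finger, 2), token)), 3))
    print("same finger, re-issued token          :",
          round(similarity(stored, distort(finger, reissued_token)), 3))
```

Two things the toy makes visible that the prose description does not. First, revocation works only because the token is separate from the finger: if the bank and the OS both derive their mapping from the same token (or use no token at all), their stored templates are cross-matchable again. Second, `distort` has to receive the raw minutiae as input, so the scanner and the code in front of it still handle the undistorted biometric, even though nothing downstream does.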
Technorati Tags: biometrics
Posted in General Security | No Comments »
August 1st, 2007
To the surprise of–I’m hoping–fewer and fewer people, Andy Adler at the University of Ottawa has published a paper showing how the digital template of biometric data can be reformed into a close approximation of the original biometric data. The example uses facial recognition but according to the paper, “While results are demonstrated for face recognition algorithms, the conceptual framework should be applicable to any biometric algorithm.”
Kim Cameron’s blog pointed me to this, though the paper’s header seems to indicate it was published in 2003. Late last year I revisited my thinking on Biometrics here; it all still applies. Any security system will have vulnerabilities of some sort or another. One of the considerations though, is what the impact is of any single vulnerability. With biometric systems, because the same biometric data can be used in multiple places, the impact could well extend beyond the exposed system. This makes the security of your biometric data only as strong as the weakest place that stores it. When that reality is coupled with the truism that you can’t revoke your biometric data, we wind up with a real problem.
Technorati Tags: biometrics
Posted in General Security | 3 Comments »
July 9th, 2007
Part two of a two-part article titled Network Authentication, Authorization, and Accounting was just published in the Internet Protocol Journal. I wrote the article to be a survey of the entire AAA space and so it covers a lot of ground without spending too much time in one place. If you are new to AAA or are looking for a conceptual model of AAA to help others grasp its concepts, please take a look. Here’s a snippet:
Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And finally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The first part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and high-level approaches to achieving specific AAA goals. It was published in IPJ Volume 10, No. 1. This second part of the series discusses the protocols involved, specific applications of AAA, and considerations for the future of AAA.
Although AAA is often thought of as the exclusive province of the Remote Authentication Dial-In User Service (RADIUS) protocol, in reality a range of protocols is involved at various stages of the AAA conversation. This section introduces these AAA protocols, organized according to the parties involved in the communication. We divide AAA communications into the following categories: Client to Policy Enforcement Point (PEP), PEP to Policy Decision Point (PDP), Client to PDP, and PDP to Policy Information Point (PIP).
You can get the HTML or the PDF.
Technorati Tags: 802.1X, AAA, IPJ
Posted in 802.1X, Network Authentication, RADIUS | No Comments »