December 7th, 2007
If you had asked me two years ago if my company’s products would be broadly deployed by large universities, hospitals, and government I would have said yes. As expected, these types of customers have deployed our products and are starting to get quite sophisticated in their use of authenticated networks. However, if you had suggested that community colleges would find our offering compelling I might have thought you a bit crazy. Much to my surprise, though, community colleges are deploying Identity Engines’ products (and authenticated networks in general) regularly.
If you think about it for just a moment, it makes perfect sense. Community colleges have among the highest user turnover rates of any type of organization; thousands of users are often coming and going each semester. The faculty at these colleges is often a mix of full-time staff and part-time instructors with day jobs in the marketplace. Additionally, most community colleges have multiple campuses throughout a geographic area and need to coordinate access policies among them. Guest access is another key requirement as community colleges engage with the residents of their host city in a significant way.
Kevin Jones of Metropolitan Community College (MCC) and I recently gave a talk at the League of Innovations CIT 2007 conference. This is a conference focused on community colleges and their unique IT needs. We discussed MCC’s deployment of authenticated networks and delivered the presentation to a standing-room-only crowd. So much for conventional wisdom…
November 21st, 2007
I generally don’t blog about the various webinars that I do for my company but this last one was very interesting. I moderated a panel discussion on 802.1X with Pat Cronin, Steve Pettit, and Fred Collett. Pat is a VP at Bridgewater State College, Steve is the president of Great Bay Software, and Fred is a senior consultant at CBE Technologies. All of these guys have extensive experience in 802.1X deployments and Pat even walks through the details of his own rollout. Also of note is the massive interest we saw in the subject matter; over 500 people registered for the webinar. I really think we’re starting to see 802.1X get legs for more than just wireless. So all in all a useful way to spend an hour if you are considering 802.1X or role-based access control. You can view the archive here. Just as fair warning, registration is required and I would expect someone from Identity Engines’ sales organization to contact you afterwards. Happy Thanksgiving everyone!
October 23rd, 2007
I recently had a short piece published in the Fall issue of the ACUTA Journal. It doesn’t look like they make the journal available to non-members but I got permission to share just the portion that I wrote. It is a high-level summary of role-based access control (RBAC) and how it relates to some of the emerging regulatory requirements for higher-education networks. Here’s the opening paragraph:
As recently as 10 years ago, we had it easy: Users stayed put at desktop machines, IP addresses never changed, and IT wasn’t on any lawmaker’s agenda. Solutions focused on the threats of the time, which, compared with today, weren’t many. But now technologies and threats are changing so fast that it’s hard to keep up. We can no longer count on a fixed IP address or even on a single device for a given user. We all want network access from the increasingly large pool of devices and access methods, and this has dramatically complicated the security task.
October 23rd, 2007
Things have been busy over at the OpenSEA Alliance and its Open1X project. Today we announced a call for participation to the community around the latest release of Xsupplicant. Due to the multitude of desktop software permutations and the resulting hardware interactions, Xsupplicant needs more testing than your average piece of software. The alliance and its members can only take this so far; we need your help! Whether it is just downloading the client and giving it a try on a test machine or getting more involved in identifying and closing out bugs, head on over to the Open1X project’s website and pitch in!
September 24th, 2007
Well, besides all the good news on the open supplicant front, it has been a while since I mentioned 802.1X adoption in general. We’re certainly seeing more interest in wired 802.1X at my company but it is showing up often in the news these days as well. Here are a couple of examples: first up is Intel adding hardware 802.1X support to its latest motherboards (the implications of this on virtualized OS instances could be interesting). And second, Linksys is expanding its low-end SMB line into the security arena with support for 802.1X. This adds more evidence to my contention that the core enforcement capabilities in network infrastructure are becoming commodities. I firmly believe that the future of network security will not be about more sophisticated packet inspection or manipulation techniques but rather the intelligent control of the methods we already have.
September 17th, 2007
I’m pleased to relay the news that a development version of XSupplicant (an open source 802.1X supplicant) is now available for download. The OpenSEA alliance formed a while back and these are some of the initial results of the group (well, really the talented developers of the Open1X project within OpenSEA). While this is most definitely a development release and should not be used in production, the developers are actively seeking feedback. So if you have the time and interest, they’d love any comments you may have.
August 15th, 2007
My favorite techno-contrarian Nick Carr has a post linking to an article he just had published in Director magazine. It contains 10 common-sense approaches to reducing IT costs. Many of his points are good but in particular I want to confirm a growing trend he calls out: customers’ general distaste for significant infrastructure migrations. More and more, companies want to take advantage of what they already have. He writes:
Since then [2001] exciting new technologies have also emerged that have allowed businesses to use their existing IT equipment more effectively and avoid buying new gear. Suddenly, companies are finding they can cut their IT budgets and still have the computing capabilities they need. Smart IT management is all about getting more for less.
As I talk to customers about identity management for networks, many of them approach it assuming that a new overlay network is not an acceptable solution. They are looking for a layer of intelligence to let them take advantage of what they already have in place, even if their LAN infrastructure is a few years old. I expect this trend to result in more challenges for the nascent inline LAN security market beyond Caymas’ closure. I’ve been maintaining for a while that we’ve got most of the core packet processing capabilities that we need; now it’s all about intelligent management of our existing investment.
August 13th, 2007
I’m sure most folks have probably seen this already–as Bruce Schneier blogged about it–but I’ll post it here just the same; it is just too darn funny: Matt Blaze has a new game.
August 3rd, 2007
John Roese, Nortel’s CTO, has a nice post on why he thinks we are almost at the point where enterprise network infrastructure can go wireless only. He’s careful not to say we’re exactly there now, but certainly sees Nortel as a leader in this space. He writes:
It is our position that, after a decade of evolution, both Wi-Fi and broadband wireless (4G) technologies are getting close enough to the expectations of the customer that we are becoming able to build the Unwired Enterprise from an access perspective.
I’m seeing this as well, though I think wired will be around for a long time to come. At Identity Engines, we have a prominent enterprise customer that finally decided to deploy wired at a new facility only because the VoIP quality wasn’t yet there for wireless. Furthermore, our experience in the education market shows that wireless only is already here in principle for many university students and staff; these university users frequently never connect to the wired network, even in their home location. The next several years will be interesting indeed; Roese thinks they might even shift the vendor landscape:
This is great for mobility and productivity from a customer view, but it is also an inflection point that can force a re-thinking of the enterprise LAN architecture. That is something that happens very rarely but, when it does, the market can be remade and the vendor landscape can be transformed.
I tend to agree but I think it might cause more of a trend towards commodity, standards-based, network infrastructure coupled closely with robust identity management for the network. Then again, I could be a bit biased in this regard…
August 2nd, 2007
OK, last post today…I think:
Speaking of hard computing problems, according to Wired’s Danger Room blog, robots with machine guns have now been deployed in Iraq. These robots (dubbed special weapons observation remote reconnaissance direct action system [SWORDS]) have not fired yet but:
Michael Zecca, the SWORDS program manager, tells DANGER ROOM. “But that’ll be happening soon.”
Speaking as someone who’s seen commercial security systems fail repeatedly during my time in the industry, I certainly hope their software is better than our software. Something tells me that there isn’t a “powered by Windows Mobile” sticker anywhere on the bot. However, with commercial OSs performing more and more functions for the government, it doesn’t seem completely outside the realm of possibility.
Setting aside the ethical implications of turning war into a game of network Doom, the repercussions of a crypto or software failure in the transmissions from the controller to the bot are enormous. I wonder what they are using and what sort of testing they underwent. I wouldn’t be surprised to see some security through obscurity in there somewhere. On a related note, Steven Murdoch over at Cambridge has an interesting post explaining why software problems are as big or bigger than crypto problems in e-voting systems. The same applies here as well (note his mention of rocket launches):
Good software engineering is necessary but, in the case of voting systems, may be especially difficult to achieve. In fact, such systems have more similarities to the software behind rocket launches than more conventional business productivity software. We should thus expect the consequential high costs and, despite all this extra effort, that the occasional catastrophe will be inevitable.