802.1X-REV: Ya' Heard it Here First!
Well, you’re not necessarily hearing it here first, but it’s likely… unless you read IEEE docs religiously (as I do) or read Paul Congdon’s standards updates at the ProCurve Networking site.
If you have no clue what 802.1X is, read my recent technology primer first. If you’re already familiar with 1X, you’ve probably heard about some of the 802.1X additions: 802.1AE (MACsec) and possibly 802.1af (the key agreement for MACsec)… but that’s just the tip of the iceberg, and what’s hiding underneath will knock your socks off!
We’re currently at the 802.1X-2004 edition, with the group working on the REV and hoping for an early-2009 release. When IEEE makes additions (amendments such as AE and af), they’re just changes tacked on to the end of the standard. But when they do a revision, as they are now, they’re opening up the whole can of worms, and all parts of the standard are opened for evaluation and modification. Yee-haw!
So, what’s in this new revision and what can we expect from 802.1X-REV? That’s what I wanted to know, and I’m sure you’re curious too. I was lucky enough to catch a quick call with Paul Congdon earlier this week and get some of the inside scoop. Paul is ProCurve Networking’s CTO, but more importantly for our purposes today, he’s the Vice-Chair of the IEEE 802.1 working group and is intimately involved in 1X and a variety of other networking, security and authentication standards.
1) Encryption & Key Exchange: The first goal in updating 802.1X was to add security with encryption, specifically on switch-to-switch links. Of course, with encryption comes the need for fast, secure key exchange, so we ended up with 802.1AE and 802.1af as answers to the first set of goals. The encryption will require hardware refreshes, and vendors are already gearing up for that. The benefits of encryption are pretty obvious, so I won’t bore you with that. There are some fun little gems hidden in the AE/af set though. Even without using the encryption piece, we’ll be able to use the key exchange as a means of quickly (in ~4-5 packets) authenticating (or re-authenticating) switches to one another after a reboot. It will be a critical piece for maintaining availability and integrity in the network. And we can do this piece without a hardware upgrade, which is pretty nifty.
2) Same-Port Multiuser Support: Here’s where the 1X-REV sauce starts tasting really good. The new revision is leveraging some of its security updates to support multi-user modes on a single port. And no, not by using multi-tagged VLANs, this is way cooler than that. In theory, multiple PCs, phones or other connected devices can connect through a single port, which would essentially be running multiple instances of 802.1X, letting each communicate securely. It’ll be similar in practice to how wireless APs segregate and encrypt traffic between the AP and the endpoint. I’m sure at first we’ll see software-based endpoint encryption support and of course, move towards hardware encryption and see NICs with the capability baked in. That’s still down the road, but the road is getting shorter.
3) Network Advertisement/Selection: Now the 1X-REV sauce is the best you’ve ever had- you’re gonna want to put this stuff on everything! :) The 3rd goal of the revision is to add support for network advertisements on the wired side- which would be a similar experience to selecting the wireless SSID from a list of ones available on your laptop. But, it’s happening on your wired switch. Wild, right? They’re going to leverage the EAPOL types here to communicate from client to network. Imagine the possibilities…
All these new functions and features give 802.1X numerous new use cases. I think you’ll see parts of these technologies leveraged in various parts of critical networks everywhere. Sponsor ballots come at the end of the year, and they’re hoping to see something solid and released in early 2009.
You can see why I’m excited. The 802.1X-REV may be the evil stepchild for a while, but it’s coming. When it does, it’s going to rock our little network worlds and flip our thinking about wired security and network segregation upside down.
Of course, you’ll be seeing more on this from me, so hang in there!
# # #
Grasping Security thru Visualization
Visualization is not a new concept to me- I’ve been turning data into various types of trends, charts, graphs, maps and 3D images for years. But, the concept of viewing and interpreting security and network data through visualization is relatively new- and I think you’re going to be seeing a lot more of this in the coming months and years.
One of the things I have the… pleasure… of doing is consulting with various manufacturers to see how they can make their products and interfaces more usable. Specifically, I try to help them understand what to add or change in order to allow customers to interpret and use the data that’s being delivered to them. How can they take all this stuff, make sense of it, and correlate it to events on the network?
A lot of times that means finding ways to map data sources to known devices on the network, and parsing out what’s expected vs unexpected, or anomalous. We do this for WAN and LAN-based data, and for sources within the network, the DMZ and externally. It’s a lot of work and still not as wizard-like as we might hope.
But, I think I’ve just found my new favourite toy- and it came via Splunk. When I saw it, I just had to have it. :)
I didn’t get far with the Splunk demo at RSA, but totally made up for it at Interop, by way of an extremely knowledgeable woman - Christina Noren, the VP of Product Management there at Splunk. Talk about someone who knows her stuff. I was really amazed with what this little log search engine can do. And, add to that the overview of visualization I got from Raffy Marty, Chief Security Strategist, and I was totally blown away. With Splunk, you can quickly gain insight into the events happening on your network, and the visualization tools give you a unique and easy-to-interpret representation of the data.
The two together build a foundation for some great security tools, and ways to visualize data and trends for everything from PCI compliance to Change Management to Phishing attacks… and more.
Why is this important? I’m always looking for new ways to present data to customers. We can throw all the gadgets we want to on the network, but ultimately someone (not someTHING) needs to know what’s going on- especially in a world now where people are being held personally responsible for security- or lack thereof. There’s a lot of data and events, and we need a way to turn that information into something useable.
Go forth and play… You can download Splunk (yes, for free) at Splunk.com. Check out the blogs and SplunkBase to get more cool tools and plug-ins. In a couple of months, Raffy’s new book Applied Security Visualization will be released and includes more in-depth information on using visualization in your environment. I strongly suggest you read it. Need more reasons to check it out? They have the BEST t-shirts ever…
Expect to see more from me on this topic, and some tips and tricks for Splunk…
# # #
Layered Security: Solving the Cube
We always talk about ‘layered security’ and ‘defense in depth’ as strategies for securing the network. And, usually, we’re talking about these as good strategies. However, with more and more security ‘stuff’ on the market, the layered security solutions are starting to lose some of their value.
Why? Well, the problem with layered security is that we tend to assume if Layer X isn’t providing a particular protection, Layer Y must be… and we all know what assuming does.
In the good ol’ days, we relied on firewalls- perhaps nested firewalls, or ones positioned strategically on the LAN as well as the WAN. Because of our network architecture at the time, that was the primary (and probably only required) protection. After years of de-perimeterization and the increase of threats from both remote-access and insiders, we have a much different landscape.
The addition of resources and availability in the network has led to the addition of vulnerabilities and threats.
Now… our schools need to protect children from material online. Now… we need to stop Trojans from sneaking in with VoIP apps. We need to access our corporate network securely from Starbucks. Our corporations need to protect their network from users accessing or publishing illegal content on the Internet. We need to protect our email, make sure it’s virus-free and not allowing employees to send sensitive information to the outside world.
All these increased risks and threats lend to the need for more protection in the environment. There’s just no single silver bullet or cure-all for the problems we’re facing.
What does this mean? It means we’re adding security products to the network to address these issues. We need content filtering. We need layer-7 visibility on the WAN for inbound/outbound application control. We need data leakage prevention. We need email security. We need SSL VPNs for secure remote access… the list goes on.
So, what’s the problem? We’re living in a world of security buzzwords and ‘hot topic’ solutions. But the problem is 2-fold.
Problem 1- We forget to KISS IT. In the frenzy to understand and implement these hot new products, we’re losing sight of some basic security functions and overlooking some really important security fundamentals. Remember to KISS IT and keep your basic security solutions simple- then layer on top of that. Your hot new NAC or DLP solution won’t seem so impressive if your basic firewall rules haven’t been properly configured.
Problem 2- We forget thy layers. After you KISS IT, you need to start layering responsibly. That means having a CLEAR understanding of what each solution does- or does not- do. You wouldn’t believe how many customers call and want to hear about Widget A for a certain solution that Widget A is not designed to fix. I deal with it daily and I blame (for the most part) vendors for mis-advertising their product as a fix-all. Whether it’s hardware or software- know what each piece of your security solution is designed to do, what it’s actually doing, and keep that information documented. Documented- I’m going to say it again. Your firewall/UTM may offer content filtering and gateway AV, but are you using it? Are you using a WAN optimization product to stop prohibited applications, or is your web filter doing that? Do you even know?
Solving the Cube. Layered security is like solving a Rubik’s Cube. You may think you’re on the right track after you get one side solved… but the other 5 are just a huge mess. There are patterns and algorithms you must follow to solve all sides together. Your layered security solution is no different. Understand what each piece is doing, how it fits in, and when to twist one layer here to implement a solution as part of a different layer over there.
# # #
802.1X Terminology- Port 'Closed'
Recently, I’ve been asked to explain my choice of terminology when describing 802.1X during various talks and presentations. One piece of verbiage I tend to use is that an 802.1X-enabled port is ‘shut off’ or ‘closed’ prior to endpoint authentication.
My choice of words seems to raise a few eyebrows with my audience. You, like several others, may ask- “That seems like an ‘untechnical’ term, shouldn’t you say it ‘disables’ the port?”
Well, no, we shouldn’t say that. When we talk about ‘enable’ and ‘disable’ for ports, that’s actually a port property designation within the switch. When we disable a port in the switch, we’re turning it off and preventing it from passing any traffic.
When we have an 802.1X-enabled port that’s unauthenticated, it still has to pass SOME traffic types, namely EAPOL (EAP over LAN, EtherType 0x888E) and possibly discovery protocols, such as Cisco’s CDP or LLDP. The standard’s own model makes the distinction explicit: each physical port has an ‘uncontrolled’ port that always passes EAPOL and a ‘controlled’ port that stays blocked until the supplicant is authorized. Otherwise, we’d never be able to authenticate, right?
So, I, like many others in the NAC world, usually refer to an unauthenticated 1X port as being ‘shut off’ or ‘closed’ just as a means to distinguish it from ‘disabled’ which does have its own meaning.
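To make the ‘disabled’ vs. ‘closed’ distinction concrete, here is an added example (my own illustration, not code from any switch vendor): a small Python model of a port that is administratively disabled, a port that is 802.1X-enabled but unauthorized, and a port that has been authorized. The EtherType and LLC/SNAP constants for EAPOL, LLDP and CDP, and the 802.1X-2004 EAPOL packet-type names, are the real on-the-wire values; the Dot1xPort class, its allow_discovery knob and the sample frames are constructed for illustration.

```python
"""
Added example, not code from the original post: a small model of what an
802.1X port does with incoming frames while it is 'closed' (unauthorized),
compared with a port that has been administratively disabled.

Real on-the-wire constants: EtherType 0x888E is EAPOL (802.1X), 0x88CC is
LLDP, and Cisco CDP rides in an 802.3 LLC/SNAP frame with OUI 00:00:0C and
protocol ID 0x2000. The EAPOL packet-type names are those of 802.1X-2004.
The Dot1xPort class, its allow_discovery knob and the sample frames are
constructed for illustration; they are not any vendor's implementation.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
ETHERTYPE_LLDP = 0x88CC
CDP_SNAP_OUI = b"\x00\x00\x0c"
CDP_SNAP_PID = 0x2000
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address

# 802.1X-2004 EAPOL packet types (second byte of the EAPOL header)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}


def classify_frame(frame: bytes) -> str:
    """Return 'eapol', 'lldp', 'cdp' or 'data' for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:              # Ethernet II: the field is an EtherType
        if type_or_len == ETHERTYPE_EAPOL:
            return "eapol"
        if type_or_len == ETHERTYPE_LLDP:
            return "lldp"
        return "data"
    # 802.3 length field: look for an LLC/SNAP header (DSAP/SSAP 0xAA, control 0x03)
    if len(frame) >= 22 and frame[14:17] == b"\xaa\xaa\x03":
        oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
        if oui == CDP_SNAP_OUI and pid == CDP_SNAP_PID:
            return "cdp"
    return "data"


def eapol_type(frame: bytes) -> str:
    """Name the EAPOL packet type; the EAPOL header directly follows the EtherType."""
    if classify_frame(frame) != "eapol" or len(frame) < 18:
        raise ValueError("not an EAPOL frame")
    _version, ptype, _body_len = struct.unpack("!BBH", frame[14:18])
    return EAPOL_TYPES.get(ptype, f"unknown({ptype})")


class Dot1xPort:
    """One switch port: the admin enable/disable property plus the 802.1X authorization state."""

    def __init__(self, admin_enabled: bool = True, allow_discovery: bool = True):
        self.admin_enabled = admin_enabled      # the switch's own 'enable/disable' property
        self.authorized = False                 # 802.1X controlled-port state
        self.allow_discovery = allow_discovery  # pass CDP/LLDP while unauthorized (assumed knob)

    def state(self) -> str:
        if not self.admin_enabled:
            return "disabled"
        return "authorized" if self.authorized else "unauthorized"

    def accepts(self, frame: bytes) -> bool:
        """True if the port would pass this ingress frame in its current state."""
        if not self.admin_enabled:
            return False                        # disabled: nothing passes, not even EAPOL
        if self.authorized:
            return True                         # controlled port open: everything passes
        kind = classify_frame(frame)
        if kind == "eapol":
            return True                         # uncontrolled port: EAPOL always passes
        return self.allow_discovery and kind in ("lldp", "cdp")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frames
SUPPLICANT = bytes.fromhex("001122334455")
# EAPOL-Start: version 1, type 1, body length 0
EAPOL_START = build_frame(PAE_GROUP_ADDR, SUPPLICANT, ETHERTYPE_EAPOL, b"\x01\x01\x00\x00")
# An IPv4 broadcast frame with a stub payload
IPV4_FRAME = build_frame(b"\xff" * 6, SUPPLICANT, 0x0800, b"\x45" + b"\x00" * 19)
# CDP: 802.3 length field, LLC/SNAP with the Cisco OUI and PID 0x2000, then a stub body
_cdp_body = b"\xaa\xaa\x03" + CDP_SNAP_OUI + struct.pack("!H", CDP_SNAP_PID) + b"\x02\xb4\x00\x00"
CDP_FRAME = bytes.fromhex("01000ccccccc") + SUPPLICANT + struct.pack("!H", len(_cdp_body)) + _cdp_body


def walk_through() -> dict:
    """The same three frames against a disabled, a closed and an authorized port."""
    results = {}
    for name, port in (("disabled", Dot1xPort(admin_enabled=False)),
                       ("unauthorized", Dot1xPort()),
                       ("authorized", Dot1xPort())):
        if name == "authorized":
            port.authorized = True
        results[name] = {"eapol": port.accepts(EAPOL_START),
                         "cdp": port.accepts(CDP_FRAME),
                         "ipv4": port.accepts(IPV4_FRAME)}
    return results


if __name__ == "__main__":
    print(eapol_type(EAPOL_START))
    for state, verdicts in walk_through().items():
        print(f"{state:>12}: {verdicts}")
```

Running it shows the point of the terminology: the disabled port drops everything, including the supplicant’s EAPOL-Start, so nothing could ever authenticate on it; the ‘closed’ port drops the IPv4 frame but still passes EAPOL (and, if the switch allows it, CDP), which is exactly what lets authentication happen.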
# # #
Our 6th Annual IT Hot Topics Conference!
I said I’ve been a bad blogger for the past couple of weeks, and I promised to tell you why. It’s really a combination of projects and a culmination of various responsibilities, but one that has taken a lot of my time recently has been the planning of our IT Hot Topics Conference & Golf Tourney.
I’m sooooo excited about this year’s event. This is the 6th year our company, Carolina Advanced Digital, has hosted the event, along with our partners. What started as a small customer appreciation event has morphed into a full-fledged conference.
Last year we moved the event from a small local country club to the Grandover Resort & Conference Center in Greensboro, NC. My bosses (aka parents) were a bit skeptical at first, but the event turned out great, with over 80 attendees from NC and surrounding states. This year, we’re making another leap of faith by extending the event to 2 full days (yikes!).
At our Hot Topics Conference, we identify what we and our customers think are the current ‘hot” IT and security topics and we plan the event and presentations around that. This year, we have an amazing line up, including technical breakout sessions, a special keynote, directors reception, industry expert panels, half-day technical workshops and (of course) the Golf Tourney.
I’m especially excited about our panels- we have a NAC Industry Panel with Mauricio Sanchez (ProCurve), Lisa Lorenzin (Juniper), Patrick Wheeler (Symantec), moderated by fellow security blogger buddy Alan Shimel of StillSecure. Our other panel is participating in the Hot Topics Roundtable discussion, led by John McCumber with a panel comprised of industry experts, technical gurus and even legal expertise to weigh in on Web 2.0 issues. It’s going to be awesome!
Here’s an overview of our 2008 IT Hot Topics Conference:
Event Dates & Location
IT Hot Topics Conference 2008
Grandover Resort & Conference Center
Greensboro, NC
May 15th & 16th, 2008
Thursday 9:30am - 5:00pm*
Friday 8:30am - 4:00pm
Register Online: http://www.HotTopicsConference.com
What topics are on tap for 2008?
2008 Features
• 12 Breakout Sessions
• Half-day Technical Workshops
• Special CISSP Prep Sessions
• Directors Reception Thursday Night*
• Special Keynote
• NAC Industry Experts Panel
• Hot Topics Roundtable
• Earn CPE Credits at Hot Topics
• Hot Topics Golf Tourney (optional)
• Win a Nintendo Wii Gaming System!
2008 Topics
• Security Visualization
• Web 2.0 in Enterprise
• Application Acceleration
• Network Management & Logging
• Data Leakage Prevention & Encryption
• NAC (Network Access Control)
• Wireless Trends & 802.11n
• Email Security for 2008
• Virtualization
Our 2008 partners include: ProCurve Networking, Juniper, Symantec, Winmagic, Packeteer, SonicWALL, StillSecure, splunk>, NetApp, Littler and ISSA.
You can check out the event website at www.HotTopicsConference.com. Aside from the Golf Tourney, the event is FREE for qualified attendees.
# # #