Archive for August, 2007

Speculation: iPhone SIM-Free? Not in this lifetime

Monday, August 27th, 2007

Why wouldn’t Apple sell an iPhone SIM-free? Many people around the world would not wait a second before placing an order to get the iPhone. But according to the rumors that I have read lately, part of Apple’s agreement with the telecom companies (i.e. Orange France, O2 England, and Vodafone in Germany) is to receive 10% of the revenue from those who would buy an iPhone. So for Apple, the revenue potential comes not only from the expensive hardware (I paid, I know) but also from its usage.

If you think about this, it is a brilliant move. So why allow a SIM-free iPhone, where Apple cannot collect? This is why, in my opinion, there would not be a SIM-free iPhone, and this is also the reason why Apple is chasing those who claim they have unlocked the iPhone.

Financial institutions and NAC

Monday, August 13th, 2007

As someone who has worked for and consulted to a few large financial institutions, I was surprised to learn that many people do not know what challenges NAC solutions face at financial institutions.

Financial institutions are notorious for the strict rules they impose on changes to their infrastructure (external and internal). Usually, when a change is needed, a series of signatures is required to authorize the change, which can only be performed in a designated window of time (usually once a week on Sunday). If the change cannot be performed, or causes another problem, a rollback is performed, and the change is pushed back to the next week (if at all).

During some periods of the year a change freeze is in effect. No changes to the infrastructure are allowed. This is usually done between November and January, which represents the high season for shopping, etc.

So what are the barriers for NAC vendors? Just think about NAC solutions that use the Quarantine VLAN method to isolate devices, dynamically assigning VLAN IDs to switch ports, etc. As one can understand, that is a definite no-no in a controlled environment.

In fact, any read-write access to the infrastructure switches that a solution requires would not be allowed.

Another interesting effect concerns software-based agents, which most financial institutions would not be that happy to install (alongside a long list of other client-based software that they may already have on the desktop).

Testing NAC Solutions

Thursday, August 9th, 2007

Recently we read about some NAC product comparisons performed by various magazines. The one thing that I find the most interesting is the test criteria and parameters that are used to perform the comparisons and tests.

For example, one magazine just checked that NAC solutions can perform user authentication against Microsoft Active Directory and RADIUS servers, and that they are able to provide host-based checks and remediation.

What was the testing environment? One new Cisco switch capable of doing 802.1x, two defined VLANs, about five managed Windows XP SP2 machines, and a patch management server.

What is wrong with this picture? Well, first of all, this cannot mimic a true network setup. And in a true network setup there are a lot of parameters you must include in the equation when you roll out a NAC solution. The second issue I find is even more problematic. The parameters that were used to test the NAC solution are simply, in my mind, the wrong parameters to check for.

I have written about this in the past, when I discussed parameters to add to a NAC RFI/RFP. Where is the check for proper element detection? Where are the questions regarding how Quarantine is being done? Or how enforcement is performed? Three simple questions that open a Pandora's box.

If I were you, I would do my homework and verify that any NAC comparison test I read about was done in an appropriate manner, and that the parameters and tests it went through make sense for NAC…