The Sys-Security Group » Security

Archive for the 'Security' Category

Testing NAC Solutions

Thursday, August 9th, 2007

Recently I read about some NAC product comparisons performed by various magazines. What I find most interesting is the test criteria and the parameters used to perform the comparisons and tests.

For example, one magazine checked only that the NAC solutions could authenticate users against Microsoft Active Directory and RADIUS servers, and that they could provide host-based checks and remediation.

What was the testing environment? One new Cisco switch capable of 802.1X, two VLANs, about five managed Windows XP SP2 machines and a patch management server.

What is wrong with this picture? First of all, this setup cannot mimic a real network, and in a real network there are many parameters you must include in the equation when you deploy a NAC solution. The second issue is, to my mind, even more problematic: the parameters used to test the NAC solutions are simply the wrong parameters to check for.

I have written about this in the past when I discussed parameters to add to a NAC RFI/RFP. Where is the check for proper element detection (whether the solution actually sees every host on the network)? Where are the questions about how quarantine is done, or how enforcement is performed? Three simple questions that open a Pandora's box.

If I were you, I would do my homework and verify that any comparative NAC test I read about was done in an appropriate manner, and that the parameters and tests it used make sense for NAC…

Apple is now facing the real world of security with the iPhone and Safari for Windows

Friday, July 27th, 2007

The iPhone is an excellent example of how marketing hype and a cool product can turn into a security nightmare. As a product gets more visibility and its number of users rises, the chances of a security issue being found in it are higher. This holds true not only for the iPhone but also for other products (Oracle DB and David Litchfield, for example) and technologies (VoIP).

It is not as if Apple was not warned, when it shipped the beta versions of Safari for Windows, that the product was less than satisfying with regard to its security. It did not take long for people to post security issues they had found. But the warning was not enough to change things at Apple.

You would expect a company of that size to act. But this is no different from any major security issue they have had with Mac OS X, which always takes them some time to fix.

The iPhone is extremely popular and it is doubtful that the security issues found in Safari on the iPhone will drive people away from it. But a bad feeling is creeping in. For Apple to resolve this, all it needs is a software update with the fix, and not to wait too long.

What would it take now to find an issue with Mail.app? And how would that affect Apple's Mac OS X (i.e. the "no viruses, no Trojans" advertising)? Just curious.

Welcome to the real world.

About My Upcoming Defcon 15 Presentation - kNAC!

Wednesday, July 18th, 2007

I will be speaking at Defcon 15 about NAC vulnerabilities and bypass issues.

The talk has a considerable amount of new vulnerability information, which I have collected over the past year and kept quiet about. So stay tuned for some interesting new stuff.

Don’t be a stranger and come say hello.

Eight Vulnerabilities You May Have Missed

Wednesday, July 18th, 2007

Dark Reading has published an interesting article about the "most dangerous and least-discussed" IT security vulnerabilities they have seen in recent weeks. The list includes NAC vulnerabilities, PHP issues, rogue anti-spyware and other interesting issues.

You can read the article here.

All-in-one Vs. best of breed

Friday, June 15th, 2007

Very early in my professional career I learned the rule and the importance of best of breed. The rule is simple: if one vendor is better than the others, technology-wise, for a particular product, you go with the best-of-breed solution (there are other parameters to the equation, like price, deployment, etc.).

This rule combines nicely with another: the defense-in-depth rule, which mandates the use of multiple solutions from multiple vendors for the same problem. The point is to prevent a situation in which a flaw or a technological limitation in one solution leaves the organization undefended against a certain attack.

For example, the use of firewalls from multiple vendors, or the use of different A/V products on the gateway, on the mail server and on the desktop.

Today, the best-of-breed approach is sometimes overshadowed by the all-in-one approach. Putting everything, or a lot of things, inside a single box looks like an advantage to many. Firewalls with embedded IPS, A/V and anti-spam are a good example. Can all of those features be considered best of breed?

In most cases they are not.

For the majority of vendors, the protection level these all-in-one products provide is no more than average. For many, a false sense of security is what wins the battle here.