Archive for the ‘Security’ Category

Information Security – The Second Lebanon War vs. The Gaza Operation

January 8, 2009

During August 2006 Israel mounted an operation against Hezbollah in Lebanon, which in Israel is referred to as the Second Lebanon War. During that time the Israeli Defense Forces (IDF) allowed a freedom of information that had not been permitted before. Reporters stood at the border between Israel and Lebanon reporting on every army movement they observed. The various Israeli news channels showed, in detail, each advance the army had made. Every incident was reported in near real-time, including casualties and the names of the units that were hit. Missile hits on Israeli civilian targets were reported as well, and in some cases those reports allowed Hezbollah to correct their fire. The Internet forums were buzzing with information and rumors.

The army had learned its lesson.

During the current Gaza operation the Israeli army went from one extreme to the other. The entire area in which the army assembled its forces before the attack was closed to civilians and to the media. Soldiers had to hand over their mobile phones before going into battle. The media is completely shut out of the battlefield, as reporters are not allowed in. The Internet forums are monitored, and military censorship is tight.

With regard to the safety of the soldiers there is no doubt that this is the right course of action. For civilians (and for the media) it has created a situation in which not a lot is known, and bits and pieces are uncovered as the battle goes on.


The UK Home Office Adopts a Hack Free Policy for the Police

January 5, 2009

The UK Sunday Times Online reports that “The Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.” It seems the Home Office adopted this policy after an EU council of ministers in Brussels approved it for use across the EU. This allows police ‘remote searching’ of computers…

In my opinion the issue here is that warrants are not needed for this activity. This removes the balance the justice system has (through the courts which grant those warrants) over the police and leaves room for misuse.

No complete and accurate inventory? == No Security

December 15, 2008

IT networks are commonly referred to as a modern jungle by their own IT managers. The traditional inventory and asset management tools an organization may use simply cannot cope with the complexity and the dynamic nature of IT networks. At best they provide information about 50%-60% of the organization's devices. In most organizations one may plug in a device without the knowledge of IT, receive an IP address and interact with the rest of the network.

The worst part is the effect on the security of the IT networks. If one is unaware of a certain device, one is also unable to defend it, or to defend against it. The security products we buy, and let's assume they are all best of breed, are deployed only against known devices and entities.

This creates a dangerous situation in which we secure only what we know about. A large number of devices, the additional 20%-50% the organization is unaware of, jeopardizes the stability, the availability and the integrity of the IT networks and the data they carry.

In order to truly secure our IT networks we must have complete and accurate knowledge of the inventory of devices attached to our networks: an inventory that reflects a true picture of the currently connected devices and that is used as the basis for any security operation.
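The gap the post describes can be measured rather than guessed at. The script below is an added example, not code from the original post: it reconciles a CMDB-style inventory (keyed by MAC address) against what a router actually sees in its neighbour table, and reports devices on the wire that no record covers, plus records that nothing on the wire matches. The inventory and the `ip neigh` output are constructed samples, and the MAC normalisation is there because the same NIC shows up in three different notations across tools.

```python
"""Reconcile a CMDB-style asset inventory against the devices actually seen
on the wire. Added example; the inventory and the `ip neigh` output below are
constructed samples, not data from the original post."""
from __future__ import annotations

import re

# Constructed inventory extract keyed by MAC address (any common notation).
INVENTORY = {
    "00:50:56:aa:bb:01": {"host": "fs01", "owner": "infra"},
    "00-1C-C4-D1-00-10": {"host": "ws-0042", "owner": "desktop"},
    "001c.c4d1.0011": {"host": "ws-0043", "owner": "desktop"},  # retired box, record never removed
}

# Constructed `ip neigh` output as collected from the router facing VLAN 10.
# The FAILED entry has no link-layer address and must be ignored.
IP_NEIGH_SAMPLE = """\
192.168.10.5 dev vlan10 lladdr 00:50:56:AA:BB:01 REACHABLE
192.168.10.42 dev vlan10 lladdr 00:1c:c4:d1:00:10 STALE
192.168.10.77 dev vlan10 lladdr 3c:2e:ff:12:34:56 REACHABLE
192.168.10.99 dev vlan10  FAILED
"""

_NON_HEX = re.compile(r"[^0-9a-f]")
_NEIGH_ROW = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>\S+) (?P<state>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Canonicalise ':' / '-' / Cisco '.' notations to lower-case colon form so
    that the same NIC is never counted twice under two spellings."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ip_neigh(text: str) -> dict[str, str]:
    """Return {mac: ip} for neighbour entries that resolved to a hardware
    address; FAILED/INCOMPLETE rows carry no lladdr and are skipped."""
    observed: dict[str, str] = {}
    for line in text.splitlines():
        m = _NEIGH_ROW.match(line.strip())
        if m:
            observed[normalize_mac(m["mac"])] = m["ip"]
    return observed


def reconcile(inventory: dict, observed: dict[str, str]) -> dict:
    """Split what is on the wire into known and unknown devices, and list
    inventory records that were not seen (candidates for a stale CMDB)."""
    known_macs = {normalize_mac(mac): rec for mac, rec in inventory.items()}
    unknown = {mac: ip for mac, ip in observed.items() if mac not in known_macs}
    known = {mac: ip for mac, ip in observed.items() if mac in known_macs}
    unseen = sorted(set(known_macs) - set(observed))
    return {"unknown": unknown, "known": known, "unseen": unseen}


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_ip_neigh(IP_NEIGH_SAMPLE))
    for mac, ip in result["unknown"].items():
        print(f"UNKNOWN  {mac} at {ip}: no record, so no policy covers it")
    for mac in result["unseen"]:
        print(f"UNSEEN   {mac}: in inventory but not on the wire")
```

Run against real data the "unknown" list is the population the post is talking about: every entry there is a device that receives an address and talks to the network while no security product has been told it exists. The "unseen" list is the other half of the accuracy problem, records the tools still believe in for hardware that is gone.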

Apple and Security: When will this bubble blow up?

December 6, 2008

Apple seems to think that security through obscurity is the right way to handle security on its products. The latest example is the KB article on its support site related to anti-virus, a KB article posted last year that the media only discovered now.

So, what is wrong with saying you may need an anti-virus for your operating system?

Does Apple think that malware and other security hazards will never hit Mac OS X? This is a very bad assumption. As the popularity of Apple-based products rises, so does the number of people with direct access to them and an interest in them.

What would the future look like? Well, not as it is with Windows, but in my opinion it would certainly drive sleep away from Apple users as well. Treating security as just another thing that needs to be taken care of could cost Apple dearly, especially if it hurts those who use its products because of their simplicity.

Security Magazines: Reality vs. Fiction

July 5, 2008

Over the weekend I read several articles of interest to me from a number of security magazines and online publications.

What I found is that most of the reporters who wrote these articles simply do not have the experience to know when they are being fed FUD.
There is a big difference between how a technology looks on paper and how it behaves in a real-world deployment in the field. Some technologies that look great simply cannot scale, or do not work as expected, in the real world.

The problem is the experience of the reporter who writes about the technology. The experience is not always there (there are exceptions, of course) and therefore the FUD is spread.

Virtualization: The Enemy of Most NAC Solutions

March 18, 2008

Tim Green is at it again, targeting NAC and virtualization. I believe that he could have written about some more issues with NAC and virtualization that most NAC vendors suffer from.

Specifically, what happens when you have a virtualized environment on a server that hosts multiple guest operating systems?

What is wrong with this scenario? Take those NAC vendors that use the underlying switch infrastructure to place an element into a quarantine VLAN until its posture is validated. A quarantine VLAN is a per-port, per-device ‘technology’, which means it cannot be used with virtualization, since it re-assigns the switch port's VLAN ID to that of the quarantine VLAN. By doing this, all the (virtual) elements that use that switch port for their connectivity will also be assigned to that VLAN, meaning no communication for any of them.
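The collateral damage is visible in the switch's own forwarding table before any quarantine is attempted: a port that has learned several MAC addresses is a port where moving the VLAN cannot isolate one device. The script below is an added example, not code from the original post or from any NAC vendor. It parses a constructed sample in the layout of a Cisco IOS `show mac address-table` listing, flags ports shared by more than one MAC (hypervisor uplinks, but also unmanaged switches and phones with a PC behind them), and simulates what a port-based quarantine of one guest would take down with it.

```python
"""Find switch ports on which per-port VLAN quarantine cannot isolate a single
device. Added example; the MAC table below is a constructed sample in the
layout of Cisco IOS `show mac address-table`, not data from the original post."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample. Gi1/0/1 is the uplink of a hypervisor host: three guest
# MACs share that one physical port. Gi1/0/2 and Gi1/0/3 are ordinary desktops.
MAC_TABLE_SAMPLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.56aa.0001    DYNAMIC     Gi1/0/1
  10    0050.56aa.0002    DYNAMIC     Gi1/0/1
  10    0050.56aa.0003    DYNAMIC     Gi1/0/1
  10    001c.c4d1.0010    DYNAMIC     Gi1/0/2
  10    001c.c4d1.0011    DYNAMIC     Gi1/0/3
  10    0000.0c07.ac0a    STATIC      CPU
Total Mac Addresses for this criterion: 6
"""

_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text: str) -> dict[str, set[str]]:
    """Return {port: {mac, ...}} for dynamically learned entries. STATIC/CPU
    rows belong to the switch itself and are not endpoints to quarantine."""
    ports: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m["type"].upper() != "DYNAMIC":
            continue
        ports[m["port"]].add(m["mac"].lower())
    return dict(ports)


def shared_ports(ports: dict[str, set[str]]) -> dict[str, set[str]]:
    """Ports behind which more than one MAC lives. On any of these, changing
    the port's VLAN affects every device, not just the one being quarantined."""
    return {port: macs for port, macs in ports.items() if len(macs) > 1}


def quarantine_impact(ports: dict[str, set[str]], target_mac: str) -> set[str]:
    """Simulate a port-based quarantine of target_mac: the whole port moves to
    the quarantine VLAN, so every other MAC learned on it loses connectivity.
    Returns the collateral set; empty means the quarantine is clean."""
    target_mac = target_mac.lower()
    for macs in ports.values():
        if target_mac in macs:
            return macs - {target_mac}
    raise KeyError(f"{target_mac} is not learned on any port")


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE_SAMPLE)
    for port, macs in shared_ports(table).items():
        print(f"{port}: {len(macs)} MACs share this port; port-based quarantine is unsafe")
    hit = quarantine_impact(table, "0050.56aa.0002")
    print(f"quarantining 0050.56aa.0002 also cuts off: {sorted(hit)}")
```

The same check applies to the posture-validation path: if an agentless NAC decides one guest on Gi1/0/1 is out of compliance, the only per-port remedy it has is to drop the other two guests as well, which is exactly the outcome the vendor's datasheet does not mention.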

Others may claim that the internal communication between the hosts is the problem. I disagree. I think that if the virtualization server's administrator installs another guest machine she is not doing so to break into the organization. It may be an unauthorized install, but not one with malicious intent. The guest machine must be denied network access so that communication with other systems on the network is not possible (until the guest machine is authorized and/or its posture is validated).

This brings me back to the point that NAC solutions must first take care of rogue devices and network access (S-E-C-U-R-I-T-Y) and only then of compliance.

NAC Agents – Not The Solution To Look For

March 18, 2008

I have been saying this for some time now: a NAC solution that relies on agents is a solution that is bound to fail in deployment. The problem is more pronounced in large-scale deployments.

I can count several reasons: the problem of identifying all the elements the agent needs to be installed on (organizations do not know what they have on the network as it is… and most of the NAC vendors do not know that either…), the NAC agent being one among many other agents that may already be installed on the element, the performance impact the agent may cause, the management overhead, and the fact that the agent itself is a target for a security breach.

It seems I am not alone in arguing against the NAC agent approach. Tim Green of Network World published in his newsletter an article about issues with NAC agents.

NAC deployment must be complete

February 17, 2008

NAC must scale. The deployment must include all sites, not just a certain portion of the environment. If it depends on an appliance and/or on the switching fabric, it is bound to fail (in time-to-value, effort and money).

Any NAC deployment must cover the entire environment, so that other avenues of accessing the network are not left open.

One good example is guest access. Enforcing guest access only at specific locations, such as meeting rooms, would fail as soon as a guest connects at one of the unprotected locations.

Financial institutions and NAC

August 13, 2007

As one who has worked for and consulted to a few large financial institutions, I was surprised to learn that many people do not know what challenges NAC solutions face at financial institutions.

Financial institutions are notorious for the strict rules they impose on changes to their infrastructure (external and internal). Usually, when a change is needed, a series of signatures is required to authorize the change, which can only be performed in a designated window of time (usually once a week, on Sunday). If the change cannot be performed, or causes another problem, a roll-back is performed and the change is pushed back to the next week (if at all).

During some periods of the year a change freeze is in effect and no changes to the infrastructure are allowed. This is usually between November and January, which is the high season for shopping, etc.

So what are the barriers for NAC vendors? Just think about NAC solutions that use the quarantine VLAN method to isolate devices, dynamically assigning VLAN IDs to switch ports, etc. As one can understand, a definite no-no in a controlled environment.

Actually, any read-write access to the infrastructure switches, which such solutions require, would not be allowed.

Another interesting effect concerns software-based agents, which most financial institutions would not be happy to install (alongside the long list of other client-based software they may already have on the desktop).

Testing NAC Solutions

August 9, 2007

Recently we read about some NAC product comparisons performed by various magazines. The one thing I find most interesting is the test criteria and the parameters used to perform the comparisons and tests.

For example, one magazine just checked that the NAC solutions could perform user authentication against Microsoft Active Directory and RADIUS servers, and that they could provide host-based checks and remediation.

What was the testing environment? One new Cisco switch capable of 802.1X, two VLANs, about five managed Windows XP SP2 machines and a patch management server.

What is wrong with this picture? First of all, this cannot mimic a true network setup, and in a true network setup there are a lot of parameters you must include in the equation when you roll out a NAC solution. The second issue I find is even more problematic: the parameters used to test the NAC solutions are simply, in my mind, the wrong parameters to check for.

I have written about this in the past when I discussed parameters to add to a NAC RFI/RFP. Where is the check for proper element detection? Where are the questions about how quarantine is done? Or how enforcement is performed? Three simple questions that open a Pandora's box.

If I were you, I would do my homework and verify that any comparative NAC test I read about was done in an appropriate manner, and that the parameters and tests it went through make sense for NAC…