"There is no research guideline. There is no validated protocol for this. There's not even a clear set of indications for when this is to be used except when people are agitated. By saying that it's done by the emergency medical personnel, they basically are trying to have it both ways. That is, they’re trying to use a medical protocol that is not validated, not for a police function, arrest and detention," Miles said. "The decision to administer Versed is based purely on a paramedic decision, not a police decision," Slovis said. It's up to the officer to call an ambulance and determine if a person is in a condition called excited delirium. "I don't know if I would use the word diagnosing, but they are assessing the situation and saying, 'This person is not acting rationally. This is something I've been trained to recognize, this seems like excited delirium.' I don't view delirium in the field as a police function. It is a medical emergency. We're giving the drug Versed that's routinely used in thousands of health care settings across the country in the field by trained paramedics. I view what we're doing as the best possible medical practice to a medical emergency," Slovis said.

While NAC tools are often advertised as plug-and-play, GuideWorks found that the NAC setup required a high level of networking expertise. Fortunately, the Inglewood site had plenty of technical expertise because that’s where many of the company’s developers are stationed. In addition, GuideWorks put one of its front-desk employees in charge of setting up new accounts. But because her technical background was limited, the company had to walk her through a learning curve.

Now the company is planning to deploy the system at its Radnor office, which will be a bit more challenging since there’s less technical expertise there, and that office gets a greater number of visitors. So GuideWorks has been on the search for employees to support the NAC system there. The company expects to have NAC up and running there by the end of the summer.

So 2 years after trial they are rolled out in one office and have to hire employees to support the NAC system at the next office. This was a problem with many of the failed NAC companies over the last few years and I think the problem with this Tipping Point solution. Just providing guest access should not be that hard! Yes the StillSecure Safe Access solution would have been much easier and faster to implement, but to be fair, any of the leading NAC solutions would have been up and running easier as well.

While this article was supposed to serve as reference and case study for the Tipping Point NAC solution, it is far from inspiring. If I were a customer looking into NAC, I don't think this would make run out and look at the Tipping Point solution. Moral of the story is, just because you made a good IPS doesn't mean you have a very good NAC product. When it comes to something like NAC, quality counts and buying a 2nd tier solution can cost you in time to implementation and total cost of ownership.

Primarily because Brooks asked, but also because there are a whole lot of days where I face the “Magic Bunny” problem.

Simply put, in any complex system - say, an application stack which has a backend database, some application servers, some presentation servers and the connecting security stuff and network stuff - there are a number of Subject Matter Experts who need to be at the table when troubleshooting. The issue is that as far as each is concerned, the other areas of expertise are the domain of Magic Bunnies. The Application folks don’t really grok the network glue stuff and so they talk about how one machine “can’t see” the other. The database guys don’t grok the need for a firewall between them and the world because it makes things difficult to administer and there is where you’ll find more Magic Bunnies.

Too often when I get called in on a troubleshooting swat team, it’s because as the security dude, I’m always more aware of the entire picture (grok the whole) than the SMEs and I can walk them through the problem from foundational Layer 0 stuff (is the data centre still there?) through to the Layer 9 stuff (is there a god who cares?) And damn if every time I sit in on one of these sessions, we don’t discover that there isn’t a nice overlap between areas of expertise and there’s a huge number of Magic Bunnies infesting our applications.

Do you have Magic Bunnies?

Is there a spray or ointment?

Chat amongst yourselves.

Or the bunny gets it.

Tags: magic bunnies, security skills, troubleshooting

Nextel had splintered holdings in the 800 MHz band that were difficult to administer, and caused verifiable interference with (and vice versa) splintered public safety spectrum in that band. Sprint agreed to pay the estimated multi-billion-dollar cost of getting new equipment to public safety agencies in exchange for a hunk of spectrum that they wouldn't have to buy at auction from the FCC. The cost for a whole set of swaps, migrations, and givebacks was $4.8b, but there was technically no limit on how much Sprint would have to pay for public safety migration--as much as it cost is the true limit.

Last August, the Wall Street Journal did a lengthy update of the 2005 deal, explaining that the effort was vastly behind schedule, and was vastly underbudgeted, too. One county in Pennsylvania estimated that its costs could run $18.5m to $150m, with the low number far above Sprint's own estimates.

It would be seemingly unfair to allow Sprint's delays in moving fire, police, and first responders off the band to also delay Sprint's requirement in vacating the band. We'll see how the FCC chooses to respond. It could cost Sprint billions and further accelerate the loss of Nextel customers, because Sprint would lose a number of active iDEN sites.

They have no one to blame but themselves. Sprint's management has blundered through this merger for years. They kept separate Kansas and Virginia headquarters, failed to produce high-quality dual-network devices, gave few incentives for Nextel customers to move to Sprint's dominant CDMA network, bled employees, and botched this migration.

Now Sprint did have the problem of needing to help move incumbents in the 1.9 GHz spectrum it received and the 800 MHz spectrum it was giving up. The articles on this court decision don't note whether Sprint's 1.9 GHz network is free and clear, nor whether Sprint had been working for the last three years to get its Nextel users to get dual-band handsets that would work with the new frequency.

With the WiMax plan also on the table, Sprint was basically committed to building or rebuilding and supporting four network architectures: CDMA (for 2G), EVDO (for 3G), WiMax (for 4G), and iDEN (for 2G).

Sprint is in the position where it may variously be sold (to Deutsche Telekom to merge with its T-Mobile USA division, which would add both GSM and UMTS/HSPA to the mix!), sell off its Nextel division (to a public safety venture headed by Cyren Call), and/or spin off its WiMax division or form a broad venture with Clearwire to build and market it.

Montego Networks Prediction:

Virtual Environments will be more secure than their physical counter parts by 2010.

Neil McDonald of Gartner reported in 2007 that throughout 2009, 60% of virtual environment deployments would be less secure than their physical counter parts.

Although I tend to believe Neil’s prediction I’m a bit optimistic about the markets awareness of the security concerns within virtualized environments and feel companies will start to address those concerns by 2009. I also believe that by the end of 2009 the majority of companies virtualizing will have built virtualized environments that are more secure than their physical counter parts.

Now, you may be thinking I’m either crazy or that I’m just one of these guys that just states the opposite of what someone else says!

Well, not at all. I’ve been studying the virtual security market for some time now and after talking with many companies that are deploying virtualization I’m starting to get the sense that people get it (security). It’s pretty evident that when people are made aware of what seems to be the obvious (security), that something clicks and they get it right away. In fact, many times the light bulbs start turning on and people start thinking about more creative ways to secure severs by taking advantage of virtualization which enables them to do things they’ve never been able to do before. 

So, although I agree that there has been this issue of security being once again forgotten and that 60% of virtual environments will be less secure up until 2009, I’m not so sure I’m going to underestimate the market and think that this pattern will continue much longer after that.

Take a look at the following graphic and it depicts the various layers in a network. History has proven itself time and time again that a new network layer is built first and security always comes along afterwards.

Well, one of the challenges we’ve seen with these physical networks is that it’s pretty costly, time consuming and a burden to purchase, install and administer security. Then once it’s in place and being run, you have to fork lift upgrade certain parts of your security infrastructure due to bandwidth demands and changes in application security concerns.

What virtualization brings to the table is not only cost savings for server consolidation, power consumption and datacenter space but the ability to do all of those things for parts of your security infrastructure as well.

Imagine instead of having to deploy engineers to install 20 firewalls across your datacenter, you could sit from a single workstation with a couple of guys and install 20 firewalls in hours vs. days. The reason this is possible is because now firewalls have just went virtual! You can roll them out as software images or virtual appliances without leaving the comfort of your cubical. 

Imagine being able to “virtual-lift upgrade” vs. “fork-lift upgrade” a new firewall, UTM appliance, IPS or whatever by simply powering off a Firewall Virtual Machine and powering on a new one.  Imagine being able to improve your performance by taking advantage of the multi-core processing and blade server computing trends vs. waiting for the next super fast security ASIC chip.

In the past it’s been difficult to get security as close as possible to the servers and desktops without having to deploy host based solutions. The reason for this is because we have been constrained by the physical limitations of our hardware purchases from the likes of Cisco, Extreme and Foundry. Then for vendors that have thought about putting security in a switch there has always been the price per port debate. Also, many don't want to take the risk and replace Cisco for a new startup building a new switch (ie. Force 10's Switch + IPS product).  Typically switching ports are cheap and security is more expensive and when trying to combine the two, you end up with a switch that costs a lot of money. So imagine having a 200+ port switch with a Firewall built in for $300 bucks. How could this be so? Because its virtual, and because its 100% software.

Did he just elude to a firewall for every port?  Does each Server or Desktop have firewalling between every other Server & Desktop on the same switch?  Absolutely! all because of virtualization!

Software makes it easier to bring the price per port down. When things are in software you can deploy multiple copies of them to scale your network capacity without breaking the bank. Virtualization also allows you to do things like “Freeze” and “Thaw” servers and desktops automatically when vulnerability is detected. If a denial of service is occurring against a Virtual Server you can always VMotion that server to a network with more capacity without an administrator having to lift a finger. Imagine an attack happening on a machine and instead of it being quarantined it makes a snapshot image of the infected machine and freezes it in its current bad state so you can go back and analyze how someone broke in. As you can see, there are lots of new capabilities brought to the security round table.

Virtualization will make security solutions even more powerful and increase the adoption rate of security in general due to the massive cost savings that can be appreciated through virtualization. For these reasons I see the market quickly leveraging virtualization to make Virtual Environments more Secure than their counter parts. Virtualization will enable the innovations in security that has been since UTM and Reputation based Anti-Spam.

VMWare, Virtual Iron, Citrix and others, thanks from the security industry for the innovation!

John Peterson, Montego Networks, Co-Founder & CTO