[SecurityRatty] tag: advertisement

802.1X-REV: Ya' Heard it Here First!

Fri, 09 May 2008 10:59:51 +0000

Well, you’re not necessarily hearing it hear first, but it’s likely… unless you read IEEEdocs religiously (as I do) or read Paul Congdon’s standards updates at the ProCurve Networking site.

If you have no clue what 802.1X is, read my recent technology primer first. If you’re already familiar with 1X, you’ve probably heard about some of the 802.1X additions- the 802.1AE (MACSec) and possibly 802.1af (the key agreement for MACSec)… but that’s just the tip of the iceberg, and what’s hiding underneath will knock your socks off!

We’re currently at the 802.1X-2004 edition, with the group working on the REV and hoping for an early-2009 release. When IEEE makes additions (such as AE and af) they’re just afterthoughts and changes tacked on to the end of the standard. But when they do a revision , as they are now, they’re opening up the whole can of worms and all parts of the standard are opened for evaluation and modification. Yee-haw!

So, what’s in this new revision and what can we expect from 802.1X-REV? That’s what I wanted to know, and I’m sure you’re curious too. I was lucky enough to catch a quick call with Paul Condon earlier this week and get some of the inside scoop. Paul is ProCurve Networking’s CTO, but more importantly for our purposes today, he’s the Vice -Chair of the IEEE 802.1 working group and is intimately involved in 1X and a variety of other networking, security and authentication standards.

1) Encryption & Key Exchange : The first goal in updating 802.1X was to add security with encryption, specifically on switch-to-switch links. Of course, with encryption comes the need for fast, secure key exchange, so we ended up with 802.1AE and 802.1af as answers to the first set of goals. The encryption will require hardware refreshes, and vendors are already gearing up for that. The benefits of encryption are pretty obvious, so I won’t bore you with that. There are some fun little gems hidden in the AE/af set though. Even without using the encryption piece, we’ll be able to use the key exchange as a means of quickly (in ~4-5 packets) authenticating (or re-authenticating) switches to one another after a reboot. It will be a critical piece for maintaining availability and integrity in the network. And w e can do this piece without a hardware upgrade, which is pretty nifty.

2) Same-Port Multiuser Support: Here’s where the 1X-REV sauce starts tasting really good. The new revision is leveraging some of its security updates to support multi-user modes on a single port. And no, not by using multi-tagged VLANs, this is way cooler than that. In theory, multiple PCs, phones or other connected devices can connect through a single port, which would essentially be running multiple instances of 802.1X, letting each communicate securely. It’ll be similar in practice to how wireless APs segregate and encrypt traffic between the AP and the endpoint. I’m sure at first we’ll see software-based endpoint encryption support and of course, move towards hardware encryption and see NICs with the capability baked in. That’s still down the road, but the road is getting shorter.

3) Network Advertisement/Selection : Now the 1X-REV sauce is the best you’ve ever had- you’re gonna want to put this stuff on everything ! :) The 3rd goal of the revision is to add support for network advertisements on the wired side- which would be a similar experience to selecting the wireless SSID from a list of ones available on your laptop. But, it’s happening on your wired switch. Wild, right? They’re going to leverage the EAPOL types here to communicate from client to network. Imagine the possibilities…

All these new functions and features give 802.1X numerous new use cases. I think you’ll see parts of these technologies leveraged in various parts of critical networks everywhere. Sponsor ballots come at the end of the year, and they’re hoping to see something solid and released in early 2009.

You can see why I’m excited. The 802.1X-REV may be the evil stepchild for a while, but it’s coming. When it does, it’s going to rock our little network worlds and flip our thinking about wired security and network segregation upside down.

Of course, you’ll be seeing more on this from me, so hang in there!

# # #

Cisco security exec has big plans for Ironport technology

Mon, 21 Apr 2008 20:00:00 +0000

Cisco is looking to aggressively incorporate its reputation and monitoring gear into security gear, all under the direction the former CEO of Ironport, the company Cisco bought for its reputation technology.

Key Elements to an Effective Business Continuity Plan	Advertisement
Learn to develop a plan that clarifies what is critical and sets specific recovery requirements.

China faced with growing botnet problem

Mon, 21 Apr 2008 20:00:00 +0000

China faces a growing threat from botnets, networks of computers infected with software that allows them to be controlled remotely for denial-of-service attacks and to send spam, according to a report issued by China's National Computer Network Emergency Response Technical Team (CNCERT).

Key Elements to an Effective Business Continuity Plan	Advertisement
Learn to develop a plan that clarifies what is critical and sets specific recovery requirements.

Interop Las Vegas 2008 planning guide

Sun, 20 Apr 2008 20:00:00 +0000

Download your FREE BUSINESS IP TELEPHONY EBOOK!	Advertisement
Get your free 96 Page IP Telephony eBook! 11 Chapters on DEPLOYMENT, COST SAVINGS, SECURITY & more.

Wi-Fi users to be monitored in Russia

Thu, 17 Apr 2008 20:00:00 +0000

Business travellers to Russia might want to keep their laptops and iPhones well-concealed - not from muggers,necessarily, but from the country's recently formed regulatory super-agency, Rossvyazokhrankultura (short for the Russian Mass Media, Communications and Cultural Protection Service).

Web Penetration & App Testing	Advertisement
Web Penetration Security Services. 300+ Clients. Free, Quick Quotes!

CEO subpoena scam fires up anew

Wed, 16 Apr 2008 20:00:00 +0000

After tricking several thousand executives into downloading malicious software earlier this week, online scammers started up their subpoena phishing scam again Wednesday, but on a much smaller scale.

Get a FREE MICROSOFT DYNAMICS ERP/CRM RESOURCE DVD	Advertisement
See how ERP and CRM solutions from Microsoft Dynamics work BETTER with your everyday software.

MySpace hack reveals profile visitors

Wed, 16 Apr 2008 20:00:00 +0000

A security problem with MySpace has the potential to botch up law-enforcement efforts to track bad actors on the social-networking site.

Enterprise IP Goes Mobile	Advertisement
To maximize full productivity, companies must integrate their mobile applications with the IP network.

Privacy advocates: Consumer education isn't enough

Wed, 16 Apr 2008 20:00:00 +0000

The efforts of e-commerce sites and online advertisers to educate U.S. consumers about privacy and targeted advertising aren't enough because many consumers won't take the time to understand the issues, privacy advocates said Thursday.

Web Penetration & App Testing	Advertisement
Web Penetration Security Services. 300+ Clients. Free, Quick Quotes!

Kingston shows super secure USB stick

Tue, 15 Apr 2008 20:00:00 +0000

The evolution of USB sticks from detested security hazard to data respectability has continued with the announcement of a new product certified to stringent U.S. government levels of security.

Experience The Benefits Of Intel® vPro™ Technology	Advertisement
Get Built-In Security And Remote Management Capabilities. Meet Critical Business Challenges.

Google Apps hit by session-stealing attack

Tue, 15 Apr 2008 20:00:00 +0000

A security researcher has uncovered a serious flaw in Google Spreadsheets, which could give an attacker access to all of a user's Google services.

Enterprise IP Goes Mobile	Advertisement
To maximize full productivity, companies must integrate their mobile applications with the IP network.