[SecurityRatty] tag: blown

Improve Security with "A Layer of Hurt"

Thu, 31 Jul 2008 15:13:00 +0000

Hello, Michael here.

I got a lot of interesting comments from my TechEd 2008 presentation entitled, "How To Review Your Code And Test For Security Bugs," but the most comments and questions were reserved for fuzz testing; I was blown away by the number of people who thought fuzz testing was hard, or that you only left fuzz testing to ‘leet hackers.

During the presentation I mentioned in some depth how to perform fuzz testing, and what parts of an application should be fuzz testing targets. I also introduced an idea (that's not new) to help people who have never performed fuzz testing begin fuzz testing with very little cost and friction. The idea is to add a small layer of code to an application to automatically mutate untrusted data as it comes into an application; I called that code layer "a layer of hurt."

Before I continue, I want to point out that fuzzing is an SDL requirement, but the idea in this blog post is not an SDL requirement, it's just another way to help meet SDL fuzzing requirements.

Adding a layer of hurt, as shown in the picture below, is pretty simple as it involves adding code to an application to tweak data as it comes into an application. You can work out where to place the fuzzing code by looking at your threat models to see where data crosses trust boundaries. You could also simply grep the code looking for APIs that read data, for example:

Read from files: fread, ReadFile
Reading from sockets: recv, recvfrom
For .NET code, any stream.Read

You get the picture.

The fuzzing code should appear right after the API that reads that data.

For example, C or C++ code that reads from a UDP socket and then fuzzes the data before it's consumed by the rest of the application might look like this:

char RecvBuf[1024];
int BufLen = sizeof(RecvBuf);

int result = recvfrom(
   RecvSocket,
   RecvBuf,
   BufLen,
   0,
   (SOCKADDR *)&SenderAddr,
   &SenderAddrSize);

#ifdef _FUZZ
Fuzz(RecvBuf,&BufLen);
#endif

Or, in C#, code that reads from an untrusted file:

FileStream fileStream = new FileStream(filename, FileMode.Open, FileAccess.Read);
uint len = (uint)(fileStream.Length);
byte[] fileData = new byte[fileStream.Length];
fileStream.Read(fileData, 0, (int)len);
fileStream.Close();

#if _FUZZ_
Malform pain = new Malform();
fileData = pain.Fuzz(fileData);
#endif

In both code examples, Fuzz() mutates the incoming data. In the C++ case, the fuzzing code looks like this:

void Fuzz(_Inout_bytecap_(*pcbBuf) char *pBuf,
_Inout_ size_t *pcbBuf) {

if (!pcbBuf || !pBuf || !*pcbBuff || *pBuf) return;
if ((rand() % 100) > 5) return; // fuzz about 5% of Buffers

size_t cLoop = 1 + (rand() % 4);

for (size_t j = 0; j < cLoop; j++) {

    size_t i=0,
      iLow = rand() % *pcbBuf,
      iHigh = 1+rand() % *pcbBuf,
      iIter = 1+rand() % 8;

    if (iLow > iHigh)
      {size_t t=iHigh; iHigh=iLow; iLow=t;}

char ch=0;
switch(rand() % 9) {

      case 0 : // reset upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] &= 0x7F;
        break;

      case 1 : // set upper bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] |= 0x80;
        break;

      case 2 : // toggle all bits
        for (i=iLow; i < iHigh; i++)
          pBuf[i] ^= 0xFF;
        break;

      case 3 : // set to random chars
        for (i=iLow; i < iHigh; i++)
          pBuf[i] = (char)(rand() % 256);
        break;

      case 4 : // set NULL chars to (possibly) non-NULL
        for (i=iLow; i < iHigh; i++)
          if (!pBuf[i])
            pBuf[i] = (char)(rand() % 256);
        break;

      case 5 : // swap adjacent bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          {char t=pBuf[i]; pBuf[i] = pBuf[i+1]; pBuf[i+1]=t;}
        break;

      case 6 : // set to random chars every n-bytes
        for (i=iLow; i < __max(iHigh-1,iLow); i+= iIter)
          pBuf[i] = (char)(rand()%256);
        break;

      case 7 : // set bytes to one random char
        ch=(char)(rand() % 256);
          for (i=iLow; i < iHigh; i++)
            pBuf[i] = ch;
        break;

      default: // truncate stream
        *pcbBuf = iHigh;
        break;
     }
   }
}

The sample C# and C++ fuzzing code is available as a ZIP file at the end of this post.

This code is an example of dumb-fuzzing, which is fuzzing with little or no regard for the data structure being manipulated. If you've never performed any kind of fuzz testing in the past, then you will probably find bugs with this simple fuzzing technique. Once you have weeded out the low-hanging bugs, you may need to turn your attention to smarter fuzzers. For example, in theory, this code would find few if any bugs in a PNG parser, because PNG files have a built in check-sum, so if you fuzz a PNG file, you'd have to recalculate the checksum to get decent code coverage.

When I showed this code during my presentation, I urged people to add it to their applications today if they currently don't do fuzz testing, and simply run their applications through their normal testing processes. Within three days of my presentation I received emails from people saying they had found bugs. I have no doubt others did too.

One of the comments I made during the session was,"If you can't spend the time on great fuzzing, fuzz anyway" and adding a "layer of hurt" is a reasonable start.

Please feel free to sound off if you have ideas to help improve the code and let us know what you think, either through email or comments to this post.

Keeping corporate secrets - the data centric security approach

Mon, 28 Jul 2008 16:13:00 +0000

Just read the eWeek summary for the new book Blown to Bits... (btw, what's up with tag lines and subheadings in books - these seem to be filling up the font page!). The authors discuss the right mix of people, process and security technology that organizations can use to prevent such breaches...

Interestingly enough, the trends they talk about are very data-centric - "Secure the message as well as the medium" and "Address data at rest, in flight and in use"...

In particular I like this paragraph...

"Even with SSL (Secure Sockets Layer) and VPN, strong passwords, fire walls and a flood of security patches, the medium (the network and the attached servers) should be considered inherently insecure. The greatest security comes from protecting the data itself. Even a gargantuan data breach will be of no real consequence if the data is undecipherable."

Could not have said it better - and I could not agree more...

Gonzo: Two Thumbs In and Up

Thu, 17 Jul 2008 06:10:12 +0000

Just saw the Hunter S. Thompson movie - Gonzo, and if you are a fan you should to. Lots of good stuff in there, the film links various part of his life and career, and gives a pretty unvarnished view of the high highs and the low lows. Weaves in writing, politics, and fame seamlessly. I have never really had as much fun as early on in my career in the early-mid 90s I was a web programmer in Aspen, hacking CGI/PERL. Among the most fun things was building and running HST's site. My boss, Ed, was his neighbor. Ed was also seriously allergic to bees. One day he was alone in his house and got stung. He was dying. Luckily Hunter was due over to his house to watch a basketball game, walked in and called 911. My boss woke up in the ambulance with Hunter pounding on him chest and screaming at him. Ed said - "Waking up to that face screaming at me, I didn't know if I was alive or dead." Seeing the movie it was also great to see a lot of the Woody Creek folks again like George Stranahan, who lovingly said about Hunter - "my friend and neighbor who never paid his rent, broke up my marriage and taught my children to smoke dope. " Of course, there was no way he could match his early productivity and this is true of almost all artists. Most of the last two decades were wasted from a writing standpoint. However his piece written on 9/11 is as good as its gets:

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now -- with somebody -- and we will stay At War with that mysterious Enemy for the rest of our lives.

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive "figurehead" -- or even dead, for all we know -- but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.

Nothing -- even George Bush's $350 billion "Star Wars" missile defense system -- could have prevented Tuesday's attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.

This is going to be a very expensive war, and Victory is not guaranteed -- for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won't hold up their hands and confess, he and the Generals will ferret them out by force.

Good luck. He is in for a profoundly difficult job -- armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

One unintended lesson I take away from Hunter's life is how important patience is. Obama is a politician and may yet disappoint us all, but I gotta believe Hunter would be seriously impressed. If he had waited another couple of years, he may have seen a lot of the stuff he fought for in 1968 and 72 come to fruition. Sometimes you are just 36-40 years ahead of your time and you have to be ok with that and figure out how to deal if possible. (Note - it sure sometimes feels this way in software security). Speaking of security:

Security

by Hunter S. Thompson (1955).

Security ... what does this word mean in relation to life as we know it today? For the most part, it means safety and freedom from worry. It is said to be the end that all men strive for; but is security a utopian goal or is it another word for rut?

Let us visualize the secure man; and by this term, I mean a man who has settled for financial and personal security for his goal in life. In general, he is a man who has pushed ambition and initiative aside and settled down, so to speak, in a boring, but safe and comfortable rut for the rest of his life. His future is but an extension of his present, and he accepts it as such with a complacent shrug of his shoulders. His ideas and ideals are those of society in general and he is accepted as a respectable, but average and prosaic man. But is he a man? has he any self-respect or pride in himself? How could he, when he has risked nothing and gained nothing? What does he think when he sees his youthful dreams of adventure, accomplishment, travel and romance buried under the cloak of conformity? How does he feel when he realizes that he has barely tasted the meal of life; when he sees the prison he has made for himself in pursuit of the almighty dollar? If he thinks this is all well and good, fine, but think of the tragedy of a man who has sacrificed his freedom on the altar of security, and wishes he could turn back the hands of time. A man is to be pitied who lacked the courage to accept the challenge of freedom and depart from the cushion of security and see life as it is instead of living it second-hand. Life has by-passed this man and he has watched from a secure place, afraid to seek anything better What has he done except to sit and wait for the tomorrow which never comes?

Turn back the pages of history and see the men who have shaped the destiny of the world. Security was never theirs, but they lived rather than existed. Where would the world be if all men had sought security and not taken risks or gambled with their lives on the chance that, if they won, life would be different and richer? It is from the bystanders (who are in the vast majority) that we receive the propaganda that life is not worth living, that life is drudgery, that the ambitions of youth must he laid aside for a life which is but a painful wait for death. These are the ones who squeeze what excitement they can from life out of the imaginations and experiences of others through books and movies. These are the insignificant and forgotten men who preach conformity because it is all they know. These are the men who dream at night of what could have been, but who wake at dawn to take their places at the now-familiar rut and to merely exist through another day. For them, the romance of life is long dead and they are forced to go through the years on a treadmill, cursing their existence, yet afraid to die because of the unknown which faces them after death. They lacked the only true courage: the kind which enables men to face the unknown regardless of the consequences.

As an afterthought, it seems hardly proper to write of life without once mentioning happiness; so we shall let the reader answer this question for himself: who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed?

A ship is safest at port, but thats not why we build ships.

I took the plunge for an iPhone 3G

Sun, 13 Jul 2008 16:56:13 +0000

When the original iPhone came out I thought it was pretty cool, but at the end of the day it did not do for me what my Windows Mobile Smartphone did. Namely gave me 3G access speed and Exchange integration. Those two things alone were enough to keep me a Windows smarthphone user.

As I wrote earlier July 4th my phone got wet in my backpack and though I have blown dried it often since than, it has just never come back. I can make a call now and than and use, but you never know when it is going to whig out and I have to reboot (actually it was like that before it got wet, but it is much worse now). So having had this phone over a year, it really was time for a new phone.

I was not totally sold on the iPhone and it was not my only choice. I wanted no part of the lines and crowds, so I waited until Saturday to go to the ATT store and see what my options were. Frankly, I didn't have many options. The upgrade for my current phone is the HTC Tilt. Nice phone and I would consider it, but not at the $450 dollars that they wanted to charge me. After that, there was the Blackjack, not interesting. A few others and than Blackberries. I need the Exchange integration. So when it came down to it, you could not beat the $199 price for the iPhone. The 2 year contract didn't scare me, as I am at ATT wireless user for about 10 years already. The only bad part is that they did not have any in stock and I had to order mine. It should come within 5 to 7 days, but all set up for me to just plug in to iTunes and away I go!

So a few more days of this water logged brick and than on to joining the "mod squad".

A bloggers network to be proud of

Sat, 05 Jul 2008 07:54:00 +0000

I started blogging about 2 and half-years ago because I felt like it would be fun to add my two cents to the public debate. When Brad Feld introduced me to the Feedburner guys I was given an insiders view into the quickly developing blogging world. When Feedburner started networks, I thought it would be interesting to start a network of all the security blogs that I was reading. I also inherently knew in my gut that eventually there would be some common good that would benefit all of the members of the network by aggregating our content and buying power for ads. I also believed and still do believe that there are other ways that a network such as the Security Bloggers Network can be a force for good.

However, reading the SBN feed tonight I was just blown away! From being on the road, I had not read the SBN feed in my Newsgator reader for almost 2 days. I had over 160 articles cued up in the feed. Forget for a moment that the Security Bloggers Network now has over 160 blogs and a combined feedburner subscriber base of almost 67,000 readers! The content is king. Going through the articles I could not believe the total coverage, the ongoing commentary and give and take, but most of all it was the quality. There are so many great members of the network who are just so damn smart and are writing about such important stuff.

I am humbled and incredibly proud of the what the Security Bloggers Network has become. If you are interested in security, whether it be the technical aspects of security, the business of security or the security industry, you cannot afford to miss this SBN feed.

We are kicking around a lot of new activities and ways to publicize the member blogs of the network over the coming months. Stay tuned for details, but in the meantime keep reading, you won't be sorry!

A bloggers network to be proud of

Sat, 05 Jul 2008 06:54:00 +0000

CheckPoint's SIEM software offers some good data viewing tools, but lacks other essential elements

Sun, 29 Jun 2008 20:00:00 +0000

CheckPoint's Eventia is delivered similar to many of its other products as either a full-blown hardware appliance or as a "software appliance", which is essentially a CD set that installs a fresh Linux-based operating system (as modified by CheckPoint, of course) and the Eventia application on a range of Intel-based systems.

The Inevitable iPhone 3G Post

Wed, 11 Jun 2008 08:37:46 +0000

Yes, I touched an iPhone 3G: At Apple's big developer event kickoff on Monday, Steve Jobs introduced the iPhone 3G. Later that day, in a briefing, I was able to handle and use the phone briefly. It's lovely. But its inclusion of 3G service coupled with Wi-Fi, as well as a real GPS chip coupled with assistive cell-tower triangulation and Wi-Fi network location approximation means that you have a device that might fairly replace a computer for many purposes. I've had an iPhone with 2G (EDGE) service since its release, and I recently took a two-day trip with my older son leaving my computer behind. (I was able to use a relative's machine, but only did so to be able to type email more efficiently.) If Apple would simply allow the use of the Bluetooth HID profile (human interface devices) for keyboard and mouse support, a compact foldable keyboard would be the only accessory I would need.

Note that the iPhone 2G and 3G aren't more powerful than other, similar devices. Symbian platform devices from Nokia and others are in notably short supply in the US, but come in great quantities and varieties elsewhere, and have some pretty impressive computational power; Nokia owns nearly 50 percent of the worldwide smartphone market. Likewise, you can run desktop-to-mobile programs under Windows Mobile that let you have real computer applications repackaged for better use in the smaller form.

But that's not what the iPhone is about. It's a non-compromise device, even when a little compromise might help. The lack of a touch-typist keyboard hinders data entry, but it doesn't restrict any other purpose of the device. The inclusion of those keyboards is a huge compromise for all its competitors, even though it allows those competitors to act more like little computers.

And that's where it's odd for me. The iPhone is much more like a full-blown computer than any smartphone I've used. It might be the superior browser, and the fact that a single company and design vision has ensured the maximum CPU is available for each current task, and that the interface and actions are nearly always consistent across every piece of software. Contrast that with many smartphones that don't just have ugly interfaces, crippled Web browsers, and varying input methods, but also require you to learn a different approach to using nearly every different piece of software on the phone.

Apple isn't about to kill its competitors, but they are providing an odd amount of support for killing a laptop.

On a slightly tangential front, Apple CEO Steve Jobs claim that their phone's 3G speed was nearly that of Wi-Fi requires some explanation. Jobs needed a footnote: "compared to typical Wi-Fi hotspots that have about 1.5 Mbps of downstream backhaul." The iPhone is clearly processor limited for how fast it can render Web pages and handle network processing. If you stick an iPhone on a 10 Mbps-backed network via Wi-Fi, the browsing experience isn't very different than on a 1.5 Mbps-backed Wi-Fi hotspot, in my experience with the current phone.

So clearly, there's more optimization to be done and more hardware upgrades to come in order to have a mobile device that can live up to whatever network it generally works on. For the iPhone 3G, Wi-Fi is an alternative, but it's clearly not intended as a superior alternative.

Two HSBC breaches with similar circumstances

Mon, 02 Jun 2008 05:40:52 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
HSBC Branch at Bayview & Major Mackenzie (CA)
HSBC Branch in UK (Cheshire)

Victims:
Customers

Number Affected:
Unknown, "hundreds of bank customers" in Canada

Types of Data:
"personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK

Breach Description:
Two breaches were reported in the past week affecting HSBC customers in Canada and the UK. In Canada, "A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road." In the UK "papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street."

Reference URL:
CTV News Toronto
Wigan Observer

Report Credit:
CTV News Toronto and Richard Bean at the Wigan Observer

Response:
From the online sources cited above:

In Canada:
A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.

He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.
[Evan] Information security aims to reduce the risk of unauthorized disclosure, modification, and destruction of confidential information to an "acceptable level" no matter what form the confidential information takes. Unauthorized disclosure of confidential information on paper is just as damaging as unauthorized disclosure of confidential information on a backup tape, CD, laptop, etc.

he was in the Bayview Avenue and Major Mackenzie Drive area when he spotted the redbag at the side of the road with the HSBC bank logo emblazoned at the front.
[Evan] I presume that this bag was lost in shipment. Was the information in the bag or the bag itself inventoried? Do you suppose the bank would have ever noticed that the bag was missing?

the bag belonged to the HSBC branch at Bayview and Major Mackenzie

"There were about 300 of them," he told CTV Toronto Saturday night. "There were more documents in there destroyed by the rain."

he tried to contact the bank but didn't have much luck

York Regional Police are speaking with bank officials as they investigate how the sensitive information ended up on the side of a road.

In the UK:
An investigation is under way after bank details of Wigan customers were found dumped in Cheshire.
[Evan] Does "dumped" mean thrown away, like in a dumpster?

The confidential 60-page sheaf of A4 documents, featured lists of customers of high street bank HSBC.

Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.
[Evan] Sheesh. A bad guy (or gal) could do a helluva lot of damage with this information.

The papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street.

Lynne Stewart, 47, whose children found the documents, has informed the police and is waiting for them to collect them

She said: "I would be extremely worried and angry if I was a customer of theirs because this is just the type of stuff that criminal gangs would love to get their hands on." She has now filled a bag with as many of the computer print-offs she could find, although fears that many more have blown away on the windiest day of the year.

The papers were initially found by her nine-year-old daughter Xxxxxx who then alerted her brother Xxxxxx, 12.
[Evan] My comment here is not related to the breach itself, but I feel a little uncomfortable using children's names publicly.

Neither understood the significance of the papers – although Mrs Stewart immediately did.

She said: "Reece had been to get his ball back after it had bounced into a sub-station and says he saw a pile on top of the transformer and they were whistling around in the gale.

"But it was Jessica who grabbed one as it blew past her in the street and showed it to me.

"I have counted at least 15 pages of lists of names and account details before you even start to talk about letters applying for credit cards and photo copies of personal documents which people have sent to the bank when they have made these applications.
"I find it very alarming that this kind of information is just blowing about in the street.
[Evan] No doubt!

"Surely in this day and age when ID fraud is all over the news the bank should be more careful about this information being printed out on paper."

A spokesman for HSBC, which has branches in Mesnes Road and Wallgate, said: "HSBC is investigating the find of documents found in Greater Manchester over the weekend.

"The security of our customers' personal information is of paramount importance and we have stringent procedures in place to guard against their loss.
[Evan] Is everyone aware of and following the "stringent procedures"?

"Without speculating on how this occurred, something has clearly gone wrong, and we are extremely disappointed to hear of these particular circumstances.

"When the cause of the incident has been determined, we will be reviewing our processes to ensure this does not happen again."
[Evan] In my opinion, promises that are made but cannot be fulfilled lead to a loss of confidence.

A UK Victim's Reaction:
"I can't believe it. The first I knew was when I was contacted by the person who found them. It is unforgivable that the bank would firstly lose such confidential details and then fail to tell its clients what had happened."

"I have been with this bank since I was a young lad and it is very disappointing indeed."

Commentary:
Let's take this from both sides for a second. Poor information security practice led to these two breaches. Real lives are affected when these things happen and HSBC should be more careful in the way they protect confidential personal information. I count five publicly reported breaches from HSBC in the past six months including the two in this post. There are likely more that weren't reported publicly as well.

Now the other side, for arguments sake. HSBC is a huge company with ~10,000 offices in 83 countries and territories around the world. I presume that they also have hundreds of thousands of customers (maybe millions). Information security breaches in companies this large and diverse are bound to happen. It isn't possible to eliminate them, so the best you can hope to do is reduce risk to a level that is "acceptable" to management and shareholders. Information security personnel are not in the risk elimination business, we are in the risk reduction business. This is reality.

Past Breaches:
May, 2008 - HSBC loses a server in branch renovation
April, 2008 - HSBC loses disc with 370,000 customer details
February, 2008 - Five-year-old wanders into bank branch after-hours

Top 5: Why Customers Consider NAC

Sat, 31 May 2008 18:10:33 +0000

On a daily (and nightly) basis I have the wonderful experience of talking to, chatting about, presenting on or asking questions of customers about NAC.

At each of these opportunities, I like to ask ‘Why are you considering NAC?”

Here’s my Top 5 of Why Customers Consider NAC (or think they want NAC). This is not based on any other organization’s research or polls, nor is it based on analyst analysis. It’s not based on forethought or musings of an ‘expert’. It’s just my personal experience from my daily interactions.

#1: Endpoint Compliance
I put this one first, because I think it’s the most-hyped and possibly least significant. I know, that’s harsh, especially when endpoint compliance seems to be the big bat NAC carries around. Truth be told, it’s more of an ‘icing on the cake’ for the people I talk to. Until the auto-remediation features are a little more mature, the idea of checking for much beyond presence of anti-virus and possibly patches is unattractive. Frankly, endpoint compliance for LAN-based devices can be a Charlie Foxtrot except under the most ideal circumstances. There are many large organizations and DoD groups that need endpoint compliance, and that’s a primary driver for them. For the rest, one of the other reasons below is a primary compelling feature and endpoint checking is just another knob they can play with.

The lack of fervent interest in endpoint checking is why I had to disagree so strongly with Stiennon’s when he advises in his NWW article “Don’t even bother investing in NAC”. The entire premise of his issues with NAC center around various endpoing checking. (You can check out Shimel’s response too Stiennon’s blog here.)

#2: Guest Access
Believe it or not, the most frequent response I get for “why are you considering NAC” is “guest access”. Guest access seems to be a thorn in every organization’s side. It’s a simple problem with impossibly complex solutions… or so they think. For years, we’ve been provisioning safe and secure guest access for customers with the use of clean and simple protocol-less VLANs and so, I know that about 82% of the time, there are much simpler ways to offer guest access than by rolling out a full NAC implementation. If guest access is your primary and only goal with a NAC solution, there’s probably a better, faster and less expensive solution. If money and time are no object, then NAC can be a good way to get from point A to B and give you a few fun technical trinkets to play with.

#3: Edge Port Security
After guest access, the next thing I hear most is interest in adding edge port security with a 802.1X NAC solution. (We call this Layer 2 NAC.) I tend to think for the time being, this is NAC’s sweet spot. Note I said ‘for the time being’, I think this may change in the next 18-24 months. But for now, the ability to lock down edge ports and secure switch-to-switch links is an extremely attractive feature. Outside of the 802.1X protocol, there aren’t really any other ways to skin this cat. I know what you’re thinking… you don’t have to do NAC to use 802.1X… and that’s certainly true, but for a network of any size, NAC makes an 802.1X implementation easier to manage and monitor centrally and gives you more of that NAC icing we all love.

When the 802.1X-REV comes out (probably early 2009) I think you’ll see organizations that have previously blown off 1X seriously considering it for all the added security and multi-user support it will bring to the table.

#4: User & Resource Accounting
Unless you have a 3rd party solution or want to dig through mounds of RADIUS syslogs, you probably don’t have a good way to account for user authentication and accountability of resource access throughout the network. Most vendors’ NAC solutions already have pretty good logging and reporting features built in today. Depending on the solution and integration of other devices, you may even get detailed accounts of which user viewed exactly what, when and from where. This is a great selling point to organizations that are trying to follow strict regulations for accountability of financial or extremely sensitive resources. The standards bodies (IEEE, TNC framework and IETF) are coming out with more and more ways to leverage 3rd party security devices within NAC. The IF-MAP is a great example and we’ll be seeing more I’m sure.

#5: Dynamic VLAN Assignment
Lastly, but not least, I hear a lot of customers that are looking for a good way to dynamically provision attributes, such as VLAN assignment and QoS to users or devices. It makes switch configuration and management much simpler, and eliminates the need to assign port-based VLANs. The ability to leverage your existing user directory and define both broad and very granular attributes is certainly a draw, and NAC is a great way to offer that.

That wraps up my Top 5. Of course, there are plenty more drivers, both business-based or technology-based, but these are the 5 I hear most.

# # #