After my “used car salesman of NAC” series I was going to give Ray and the gang a break.  But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada.  The basis for this claim was that “SC Magazine awarded ForeScout’s CounterACT a four-out-of-five star rating, lauding the product’s ability to “function like a firewall, an IPS and a NAC device all rolled into one”.  They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support.  In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation.  How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly.  I have already asked for a clarification and will let you know what I find out.  But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products.  But I guess that is why they did not have a quote or a link to the actual review.  The review starts out with this memorable quote, “The ForeScout CounterACT was the device which took the most time to install and configure.”  Later on the reviewers had this to say, “The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.”  Now does that sound like a review to be touting?  Only those master car salesman would seek to put out a press release trumpeting the results of this review.  They are counting by wrapping enough other quotes (and frankly who knows about those) around it, no one will bother to dig into the facts here. Hey, thats what you guys pay me for, telling it like it is!

After my ???used car salesman of NAC??? series I was going to give Ray and the gang a break.  But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada.  The basis for this claim was that ???SC Magazine awarded ForeScout???s CounterACT a four-out-of-five star rating, lauding the product???s ability to ???function like a firewall, an IPS and a NAC device all rolled into one???.  They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support.  In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation.  How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly.  I have already asked for a clarification and will let you know what I find out.  But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products.  But I guess that is why they did not have a quote or a link to the actual review.  The review starts out with this memorable quote, ???The ForeScout CounterACT was the device which took the most time to install and configure.???  Later on the reviewers had this to say, ???The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.???  Now does that sound like a review to be touting?  Only those master car salesman would seek to put out a press release trumpeting the results of this review.  They are counting by wrapping enough other quotes (and frankly who knows about those) around it, no one will bother to dig into the facts here. Hey, thats what you guys pay me for, telling it like it is!

First it was Bradford Networks announcing they had raised another 8 million dollars in venture funding to help them break out beyond the edu market. Now comes word that Forescout has raised a like amount  amount of additional capital. This was based upon a 80% growth rate for Forescout.  This is well below the numbers I have seen Ray, Ken and Gordon throw about in interviews and at presentations.   I guess you can spin all you want about how many customers you have or have won, but when it comes to raising cash, you can't play as fast and loose as you do in your marketing.

Also this is a series E round for Forescout and brings their total raise to 44 million dollars.  That makes for a tough number to make work.  They need to roll some hard ways to make that bet pay off.  I was led to understand they just raised 6 million last September.  That makes 14 million in a little under a year.  Can you spell big B-U-R-N. 

The thing about both of these raises is that in the present market, just like the gas you put in your own tank, the gas these NAC vendors are putting in their tank is I am sure quite expensive!

First it was Bradford Networks announcing they had raised another 8 million dollars in venture funding to help them break out beyond the edu market. Now comes word that Forescout has raised a like amount  amount of additional capital. This was based upon a 80% growth rate for Forescout.  This is well below the numbers I have seen Ray, Ken and Gordon throw about in interviews and at presentations.   I guess you can spin all you want about how many customers you have or have won, but when it comes to raising cash, you can't play as fast and loose as you do in your marketing.

Also this is a series E round for Forescout and brings their total raise to 44 million dollars.  That makes for a tough number to make work.  They need to roll some hard ways to make that bet pay off.  I was led to understand they just raised 6 million last September.  That makes 14 million in a little under a year.  Can you spell big B-U-R-N. 

The thing about both of these raises is that in the present market, just like the gas you put in your own tank, the gas these NAC vendors are putting in their tank is I am sure quite expensive!

Few occupations have such a low reputation as used car salespeople.  Well OK maybe lawyers ;-).  For the most part though used car sales people are not really as bad as they are made out to be or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large - lemon laws, consumer protection rules and truth in advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation.  Who doesn't hear or read an ad today for cars without the "fine print" being mentioned.

In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB).  Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in.  The same way the used car salesmen of the world have been rehabilitated, lets do the same with NAC marketing! 

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors.  The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center.  It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer.  The press release has quotes from the CIO of LVHHC.  The second press release and case study is from NAC vendor X .  It also claims that LVHHC uses this companies product product for NAC throughout the entire organization.  They also have a quote from someone at the organization (OK, not the CIO, but someone).  Who to believe?  Does LVHHC have two NAC solutions?  I doubt it.  What to do? 

Well we can look at a little history.  For instance which of these two NAC companies claimed they did not use Nessus in their NAC product and than it turned out they did.  What company took the infamous TCP reset and tried to peddle it as a "virtual firewall".  Of course there was the time they took out Google ad words on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So lets give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little to quick to pull the trigger here.  Lets give them a chance to go back and check with their sources and see if they have the facts the straight.  If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, lets give them a chance to retract or correct the press release and case study.  At that the BNBB would close this file without any prejudice.  Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this?  Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness.  Lets give them a month. 

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com

Few occupations have such a low reputation as used car salespeople.  Well OK maybe lawyers ;-).  For the most part though used car sales people are not really as bad as they are made out to be or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large - lemon laws, consumer protection rules and truth in advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation.  Who doesn't hear or read an ad today for cars without the "fine print" being mentioned.

In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB).  Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in.  The same way the used car salesmen of the world have been rehabilitated, lets do the same with NAC marketing! 

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors.  The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center.  It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer.  The press release has quotes from the CIO of LVHHC.  The second press release and case study is from NAC vendor X .  It also claims that LVHHC uses this companies product product for NAC throughout the entire organization.  They also have a quote from someone at the organization (OK, not the CIO, but someone).  Who to believe?  Does LVHHC have two NAC solutions?  I doubt it.  What to do? 

Well we can look at a little history.  For instance which of these two NAC companies claimed they did not use Nessus in their NAC product and than it turned out they did.  What company took the infamous TCP reset and tried to peddle it as a "virtual firewall".  Of course there was the time they took out Google ad words on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So lets give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little to quick to pull the trigger here.  Lets give them a chance to go back and check with their sources and see if they have the facts the straight.  If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, lets give them a chance to retract or correct the press release and case study.  At that the BNBB would close this file without any prejudice.  Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this?  Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness.  Lets give them a month. 

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com

Synopsis:Blue Box #68: Top 14 VoIP Vulnerabilities, Asterisk security, VoIP hacker, IMS, P2P, Skype, industry moves, VoIP security news, listener comments and more...

Welcome to Blue Box: The VoIP Security Podcast #68, a 46-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 


• 01:03 - Programming notes:
  
  • New comment line – 206-350-7280
  
  
  • Slight web site changes
  
  
  • Books from Peter Thermos and Ari Takanen – anniversary show promotion
  
  
• 03:27 - NetworkWorld: Top 14 VoIP Vulnerabilities – and also this comment in reply


• 07:08 - blog.spywareguide.com: Bubbles… for Kids! (spyware that propagates via Skype IM)


• 09:25 - Voice of VoIPSA: What would your security roadmap for Asterisk be? and 3Com to sell/support Asterisk


• 18:11 - Voice of VOIPSA: VoIP Hacker Goes to Jail pointing to Information Week interview with Robert Moore which is similar to the Telecom Junkies interview I did earlier with Robert Moore.


• 19:14 - Converge!Digest: Defending the IMS Core (sponsored by Sonus)


• 20:56 - Processor: Getting Tough with P2P= which relates to Dan’s recent issues with using Skype at a hotel


• 26:36 - PC World: Attack of the Killer Bots


• 28:57 - News Releases
  • Sipera Secures $10 Million to Further Advance VoIP/UC Security=
  
  
  • Bandwidth.com Bands with Acme Packet (finally, security for SIP trunking!)
  
  
  • Radware Unveils Industry First Behavioral Server Protections as Part of its Full Spectrum Protection Technology
  
  
  • Alcatel-Lucent Bolsters its Security Solutions in Worldwide Reseller Agreement with CloudShield Technologies
  
  
  • Clavister Announces New Version of its IP-Based Security Operating System (see also press release )
  
  
  • ForeScout Continues Innovation Leadership with Latest Network Access Control Offering=
  
  
  
  
• 32:24 - 3Com bought by Bain Capital, Huawei


• 34:58 - Skype CEO out, eBay takes $1.4 million charge


• 37:08 - Nokia to buy Navteq


• 38:26 - Vonage loses patent trial
  


• 39:29 - Upcoming shows:
  
  
  
  • Oct 24-25, New York, USA, Interop
    
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON


• 39:58 - Comment (email) from Peter Thermos


• 42:15 - Comment (email) from Frank Leonhardt about Skype malware


• 42:24 - Comments (blog) about video edition #1


• 42:51 - Brief commentary from Dan about using TalkPlus to call a SIP URI from a cell phone


• 45:39 - Review of the last week's traffic on the VOIPSEC public mailing list 


• 46:00 - Wrap-up of the show
  


• 46:51 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:Blue Box #68: Top 14 VoIP Vulnerabilities, Asterisk security, VoIP hacker, IMS, P2P, Skype, industry moves, VoIP security news, listener comments and more...

Welcome to Blue Box: The VoIP Security Podcast #68, a 46-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 


• 01:03 - Programming notes:
  
  • New comment line – 206-350-7280
  
  
  • Slight web site changes
  
  
  • Books from Peter Thermos and Ari Takanen – anniversary show promotion
  
  
• 03:27 - NetworkWorld: Top 14 VoIP Vulnerabilities – and also this comment in reply


• 07:08 - blog.spywareguide.com: Bubbles… for Kids! (spyware that propagates via Skype IM)


• 09:25 - Voice of VoIPSA: What would your security roadmap for Asterisk be? and 3Com to sell/support Asterisk


• 18:11 - Voice of VOIPSA: VoIP Hacker Goes to Jail pointing to Information Week interview with Robert Moore which is similar to the Telecom Junkies interview I did earlier with Robert Moore.


• 19:14 - Converge!Digest: Defending the IMS Core (sponsored by Sonus)


• 20:56 - Processor: Getting Tough with P2P= which relates to Dan’s recent issues with using Skype at a hotel


• 26:36 - PC World: Attack of the Killer Bots


• 28:57 - News Releases
  • Sipera Secures $10 Million to Further Advance VoIP/UC Security=
  
  
  • Bandwidth.com Bands with Acme Packet (finally, security for SIP trunking!)
  
  
  • Radware Unveils Industry First Behavioral Server Protections as Part of its Full Spectrum Protection Technology
  
  
  • Alcatel-Lucent Bolsters its Security Solutions in Worldwide Reseller Agreement with CloudShield Technologies
  
  
  • Clavister Announces New Version of its IP-Based Security Operating System (see also press release )
  
  
  • ForeScout Continues Innovation Leadership with Latest Network Access Control Offering=
  
  
  
  
• 32:24 - 3Com bought by Bain Capital, Huawei


• 34:58 - Skype CEO out, eBay takes $1.4 million charge


• 37:08 - Nokia to buy Navteq


• 38:26 - Vonage loses patent trial
  


• 39:29 - Upcoming shows:
  
  
  
  • Oct 24-25, New York, USA, Interop
    
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON


• 39:58 - Comment (email) from Peter Thermos


• 42:15 - Comment (email) from Frank Leonhardt about Skype malware


• 42:24 - Comments (blog) about video edition #1


• 42:51 - Brief commentary from Dan about using TalkPlus to call a SIP URI from a cell phone


• 45:39 - Review of the last week's traffic on the VOIPSEC public mailing list 


• 46:00 - Wrap-up of the show
  


• 46:51 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.