Few occupations have such a low reputation as used car salespeople.  Well OK maybe lawyers ;-).  For the most part though used car sales people are not really as bad as they are made out to be or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large - lemon laws, consumer protection rules and truth in advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation.  Who doesn't hear or read an ad today for cars without the "fine print" being mentioned.

In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB).  Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in.  The same way the used car salesmen of the world have been rehabilitated, lets do the same with NAC marketing! 

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors.  The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center.  It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer.  The press release has quotes from the CIO of LVHHC.  The second press release and case study is from NAC vendor X .  It also claims that LVHHC uses this companies product product for NAC throughout the entire organization.  They also have a quote from someone at the organization (OK, not the CIO, but someone).  Who to believe?  Does LVHHC have two NAC solutions?  I doubt it.  What to do? 

Well we can look at a little history.  For instance which of these two NAC companies claimed they did not use Nessus in their NAC product and than it turned out they did.  What company took the infamous TCP reset and tried to peddle it as a "virtual firewall".  Of course there was the time they took out Google ad words on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So lets give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little to quick to pull the trigger here.  Lets give them a chance to go back and check with their sources and see if they have the facts the straight.  If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, lets give them a chance to retract or correct the press release and case study.  At that the BNBB would close this file without any prejudice.  Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this?  Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness.  Lets give them a month. 

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com

Few occupations have such a low reputation as used car salespeople.  Well OK maybe lawyers ;-).  For the most part though used car sales people are not really as bad as they are made out to be or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large - lemon laws, consumer protection rules and truth in advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation.  Who doesn't hear or read an ad today for cars without the "fine print" being mentioned.

In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB).  Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in.  The same way the used car salesmen of the world have been rehabilitated, lets do the same with NAC marketing! 

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors.  The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center.  It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer.  The press release has quotes from the CIO of LVHHC.  The second press release and case study is from NAC vendor X .  It also claims that LVHHC uses this companies product product for NAC throughout the entire organization.  They also have a quote from someone at the organization (OK, not the CIO, but someone).  Who to believe?  Does LVHHC have two NAC solutions?  I doubt it.  What to do? 

Well we can look at a little history.  For instance which of these two NAC companies claimed they did not use Nessus in their NAC product and than it turned out they did.  What company took the infamous TCP reset and tried to peddle it as a "virtual firewall".  Of course there was the time they took out Google ad words on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So lets give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little to quick to pull the trigger here.  Lets give them a chance to go back and check with their sources and see if they have the facts the straight.  If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, lets give them a chance to retract or correct the press release and case study.  At that the BNBB would close this file without any prejudice.  Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this?  Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness.  Lets give them a month. 

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com

About Milton Security Group LLC

Success in the 21st century is defined by your agility in a changing time. This includes adapting to the needs of your employees, contractors, outsource providers on the workforce side and the changing landscape of how to provide the right access to each one of these groups. Your current infrastructure may be limited in its ability to change as well. Real time auditing and control is required in this age, The Age of Compliance(T).

Milton Security Group LLC is a security company with a consulting practice. The Principals and Staff at Milton Security are dedicated individuals with many years of experience with diverse organizations from small businesses to government agencies. Combined with this and our unique range of experience and knowledge, Milton Security serves only one purpose, helping our customer's succeed.

OK, not really too much there. They are a security company with a consulting practice. I did a little more digging. They have two job openings posted, one for a Sr Systems Engineer for the current and next generation of MSG NAC products. I guess this is the guy who will continue on the development of the Vernier line.

But you guys don't pay me what you do to stop there do you? I did some more digging. Seems that Milton Security is the brainchild of its founder and CEO, James McMurray. I did some more digging and it seems James is the former head of the SE group at Vernier, what a surprise! Looks like he was able to get them to let him take over the IP and run with it. I bet he and his friends paid little if anything for this.

People lets get real here. I applaud James for biting this off and wish he and his band of merry men the best of luck. But is this fair to the people who spent all that money on the Vernier boxes. At best Milton will be pressed to keep up with the snort and nessus signatures the Vernier boxes use. I guess being this small, without VC money behind them, they might be just better off using the Tenable and Sourcefire signatures and hope that those guys figure they are too small to sue.

If you are a Vernier customer you have to be checking your underwear. I mean do you want Milton-Bradley supporting your NAC system? This isn't board games we are talking about here. There are too many replacement and trade up offers from StillSecure and other NAC vendors for you to want to be a guinea pig in yet another experiment from the folks at Vernier. How many times do you have to get burned before you learn? You deserve better!

hackme1.irongeek.com
hackme2.irongeek.com
dosme1.irongeek.com

    Try out Nmap, Nessus, Metasploit and other tools on these boxes. Please let me know your findings. Thanks to my hosting provider Dreamhost. If you want to know more about Dreamhost check out my review (and coupon codes), they have been pretty good to me.

]]> Mon, 31 Mar 2008 21:00:00 +0000 irongeek wargame servers computer security skills provider dreamhost coupon codes dreamhost check host names review metasploit Irongeek's Infosec Wargame Servers http://securityratty.com/article/c960dc03b52138212a94130ce5290bca http://securityratty.com/article/c960dc03b52138212a94130ce5290bca

First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market.  Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.  But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.  This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.

This is when I first met Rob Gilde.  Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.  In short time it became apparent  to me that Lockdown was looking to move out of the VM business.  Rob realized that just scanning and reporting was not going to make it.  He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.  My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.  That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later. 

I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.  We ran into them on deals from time to time, especially in many of our major partner/OEM deals.  The good news for us, is that just about all of the time, our product was picked over theirs.

Soon rumors were everywhere that Lockdown was on the block.  Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.  Than we began hearing that they were looking for less and less money.  Also, their PR began becoming more and more desperate.  That is when I began calling them on it in my blogging.  Evidently that got their attention.  A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.  I apologized and said hey I call them as I see them.  At RSA or another show after that Brett walked right by me and tried his best to diss me.  People from NY don't get dissed that easy though.  I just laughed it off, but it was the last time I spoke to anyone at Lockdown. 

Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.  I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.  In many ways a company shutting down is a death of a thousand dreams.  The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VC's thinking this could be the big hit.  Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.  Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.  They as much as anyone lost that bet. 

As they do on Ebay, here is a second chance for Lockdown customers.  We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.  Lockdown's misfortune does not have to be yours.  We are here to help and are here to stay.  So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.

To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.  You all made a great effort and you made us try harder which resulted in our product being developed faster than it would have otherwise.  For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:

First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market.  Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.  But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.  This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.

This is when I first met Rob Gilde.  Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.  In short time it became apparent  to me that Lockdown was looking to move out of the VM business.  Rob realized that just scanning and reporting was not going to make it.  He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.  My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.  That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later. 

I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.  We ran into them on deals from time to time, especially in many of our major partner/OEM deals.  The good news for us, is that just about all of the time, our product was picked over theirs.

Soon rumors were everywhere that Lockdown was on the block.  Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.  Than we began hearing that they were looking for less and less money.  Also, their PR began becoming more and more desperate.  That is when I began calling them on it in my blogging.  Evidently that got their attention.  A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.  I apologized and said hey I call them as I see them.  At RSA or another show after that Brett walked right by me and tried his best to diss me.  People from NY don't get dissed that easy though.  I just laughed it off, but it was the last time I spoke to anyone at Lockdown. 

Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.  I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.  In many ways a company shutting down is a death of a thousand dreams.  The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VC's thinking this could be the big hit.  Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.  Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.  They as much as anyone lost that bet. 

As they do on Ebay, here is a second chance for Lockdown customers.  We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.  Lockdown's misfortune does not have to be yours.  We are here to help and are here to stay.  So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.

To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.  You all made a great effort and you made us try harder which resulted in our product being developing faster than it would have otherwise.  For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:

I guess maybe if you sell to the .edu crowd a lot, after a while you start thinking that all of your users are juvenile.  As a result you start thinking in terms of your product protecting against adolescents who are not smart, mature or capable enough of taking care of themselves.  You start thinking of yourself and the people who use your product as the grown ups, here to be the custodians of these addled brained users of the network. Or so it seems reading Gord Boyce's advertorial in Enterprise Networks and Servers titled "Are your users smarter than a 5th grader". 

You know what I mean by advertorial right? A piece in a magazine or e-zine that comes across looking like a real piece of journalism and is really a thinly veiled advertisement for your company's products.  Some people say my blog could be put in the same boat. If that is how you feel, so be it, I am not going to waste time arguing about it with you.

Gord's gist seems to be that users need parenting and that security and network administrators can administer the proper discipline or love in one of two personas.  You can be the Beaver's mom, Mrs. Cleaver or you can be Nurse Diesel (from High Anxiety for those too young to remember).  Frankly I find this view of network users arrogant and condescending.  For most enterprises their users are not some ill behaved child exhibiting bad manners.  They are legitimate users who have to access the network in order to get their work done.  And here is a lesson for all of you who subscribe to the "parenting approach" to network security, if those same users we are trying to discipline or raise into responsible adults don't get on the network and do their work, you may not have a paycheck!  So spare us the analogies to children accessing the network unless you are selling to schools.  Its time we treat our network users and legitimate guests as the adults they are. Adults who we are counting on to do their work and make our companies profitable and put food on our tables.

This same "teach the kids to mind their manners" approach to NAC is what has caused too many to think of NAC as being all about the quarantine.  It is not and should not be.  Quarantine should be something you do as a last resort. If someone has a legitimate right to be on the network, it should be the job of the NAC product to make sure they are on securely, in compliance and safely.  If they are deficient in some configuration lets get it fixed.  They should be allowed to go where they are allowed to go, not more or not less.  But I think we can spare the user the finger wagging and lectures. 

Unlike Gord, I actually think that time can be better spent in social engineering of NAC. Educating your network users is key.  The more time you spend making them understand why rules are in place and what they can do to help and make everyone more successful, the better off you are going to be.  I think the technology of NAC is only one piece of entire solution.  Security awareness and education are also key.  Also, unlike Gord I don't think that agentless NAC is the only way to test devices.  Especially if like Gord's product, all you are using to do so is nMap and an old version of Nessus (btw, Gord do you include the source code with your use of those open source products?). I think to truly test the full spectrum of devices accessing the network you need a combination of agentless, agent and web delivered testing options. You need a purpose built NAC testing engine.  If you want to provide continuous monitoring, you need to do more than recycling your failed IDS technology.

Here is the bottom line for me. If you think the people accessing your network are like the Beaver and Wally, Gord's product may be just what you are looking for. If you have adults trying to do business and make you and your company succeed perhaps another NAC solution might be best for you.