Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular Gaylord National hotel.  The hotel is only 2 months old or so, but it is supposedly the largest on the East coast and really first rate.  Also, the Gartner folks put on a first rate show, though it is on the pricey side for everyone from exhibitors to attendees. Vendors who really want to have a big presence are in for big bucks reaching a relatively small number of customers.  It was good to run into a number of StillSecure customers here at the show.  Even though we did not exhibit our presence was felt in several of the tracks discussing security solution areas that we offer products in.

While at the show I had a chance to catch up with several other security vendors.  One fellow I spoke to was Phil Neray of Guardium.  Guardium is best known for providing database security to many of the largest financial institutions and other large companies.  They recently announced a major new release of their flagship product with something they call "S-GATE". I won't bore you with all of the details but the gist of it is that for the first time database security can move from passively reporting or alerting of data access violations to actively blocking such violations. 

For me the active versus passive mode of security is one that transcends different layers of security.  Whether we are talking about IDS passive response versus IPS active response, vulnerability scanning passively assessing and reporting to NAC testing and blocking access, to now database access, ultimately security follows a similar route. First comes the ability to actually detect.  Often times the ability to detect is a major step up from what was available before.  The next evolutionary phase is to be able to prevent or block the dangerous or malicious event from taking place.

This active blocking mode though is often not as readily accepted at first by the market.  Everyone is always afraid of blocking the wrong user, the wrong email message or other request.  I think it is part of human nature that we inherently distrust our technology to block, always thinking it will block legitimate traffic.  This has been true in every security technology I have seen.  Eventually active response does win out, but it takes time and there are always doubters.  It will be interesting if what Guardium has done here is viewed with the same suspicions at first and than catches on or not.  We will have to watch.

Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular Gaylord National hotel.  The hotel is only 2 months old or so, but it is supposedly the largest on the East coast and really first rate.  Also, the Gartner folks put on a first rate show, though it is on the pricey side for everyone from exhibitors to attendees. Vendors who really want to have a big presence are in for big bucks reaching a relatively small number of customers.  It was good to run into a number of StillSecure customers here at the show.  Even though we did not exhibit our presence was felt in several of the tracks discussing security solution areas that we offer products in.

While at the show I had a chance to catch up with several other security vendors.  One fellow I spoke to was Phil Neray of Guardium.  Guardium is best known for providing database security to many of the largest financial institutions and other large companies.  They recently announced a major new release of their flagship product with something they call "S-GATE". I won't bore you with all of the details but the gist of it is that for the first time database security can move from passively reporting or alerting of data access violations to actively blocking such violations. 

For me the active versus passive mode of security is one that transcends different layers of security.  Whether we are talking about IDS passive response versus IPS active response, vulnerability scanning passively assessing and reporting to NAC testing and blocking access, to now database access, ultimately security follows a similar route. First comes the ability to actually detect.  Often times the ability to detect is a major step up from what was available before.  The next evolutionary phase is to be able to prevent or block the dangerous or malicious event from taking place.

This active blocking mode though is often not as readily accepted at first by the market.  Everyone is always afraid of blocking the wrong user, the wrong email message or other request.  I think it is part of human nature that we inherently distrust our technology to block, always thinking it will block legitimate traffic.  This has been true in every security technology I have seen.  Eventually active response does win out, but it takes time and there are always doubters.  It will be interesting if what Guardium has done here is viewed with the same suspicions at first and than catches on or not.  We will have to watch.

With Junipers long awaited release of their EX switch line, many have said that there is just nothing distinguishing about the line up.  Just speeds and feeds.  Others are saying that the real secret sauce is the JUNOS.  That very well may be.  However, Tim Greene in this article says that Junipers built in NAC may be Junipers not-so-secret weapon. He quotes two analysts, Phil Hochmuth of Yankee Group and Rob Whiteley of Forrest-er.  The article rightfully points out that Junipers competition in the switch market is Cisco and HP ProCurve. 

It then goes on from there to talk about Junipers new ability to perform access control at layer 4 with identity based access control with ACLs in addition to VLANs. You can perform QoS as part of a users access rights and they can mirror traffic and send it to a Juniper IDP for post-admission NAC. Juniper wants to evolve NetScreen Security Manager into a central policy-control platform.  This is all great stuff, however it ain't new.  My research shows that HP ProCurve (the 2nd leading switch vendor) actually does much if not all of this right now. Using the ProCurve IDM (identity driven management) application which is now bundled on ProCurve's NAC appliance  with their NAC application, they can do this already. They can do the QoS thing as well as sending the traffic to several IPS brands.  In fact a close reading of what ProCurve's security capabilities show that there is little if anything ground breaking in what Juniper is advocating and what these analysts seem to be eating up.

Yes, Junipers entry I think does spell C-O-M-P-E-T-I-T-I-O-N for the likes of Nevis and ConSentry (sorry Dan and Dom), but that is not what Juniper is in this game for.  They have to keep their eye on the prize. And the prize is taking market share from Cisco and HP ProCurve.  If this is all they got, I am going to have to agree with those folks who are asking Juniper "where's the beef?"

… LINX, the London Internet Exchange, doesn’t work that way, so I’d no previous inkling when they recently gave me their 2007 award for a “conspicuous contribution”.

This award was first given in 2006 to Nigel Titley, who was a LINX council member from its 1994 formation through to 2006, and his contribution is crystal clear to all. My own was perhaps a little less obvious. I have regularly attended LINX general meetings from 1998 onwards — even after I became an academic, because attending LINX meetings is one of the ways that I continue to consult for THUS plc (aka Demon Internet), my previous employer. I’ve often given talks at meetings, or just asked awkward questions of the LINX board from the floor.

But I suspect that the main reason that I got the award is because of my contribution to many of LINX’s Best Current Practice (BCP) documents, on everything from traceability to spam. These documents are hugely influential. They show the industry the best ways to do things — spreading knowledge to all of the companies, not keeping it within the largest and most competent. They show Government and the regulators that the industry is responsible and can explain why it works the way it does. They educate end-users to the best way of doing things and — when there’s a dispute with an abuse@ team — that other ISPs will take the same dim view of their spamming as their current provider (which reduces churn and helps everyone to work things out sensibly).

Of course I haven’t worked on these documents in isolation — the whole point is that they’re a distillation of Best Practice from across the whole industry, and so there’s been dozens of people from dozens of companies attending meetings, contributing text, reading drafts, and then eventually voting for their adoption at formal LINX meetings.

When you step back and think about it, it’s quite remarkable that so many companies from within a fiercely competitive industry are prepared, like THUS, to put their resources into co-operation in this way. I think it’s partly far-sightedness (a belief that self-regulation is much to be preferred to the imposition of standards from outside), and partly the inherent culture of the Internet, where you cannot stand alone but have to co-operate with other companies so that your customers can interwork.

Anyway, when I was given the award, I should have pulled out a neat little speech along the above lines, and said thank you to the whole industry, and thank you to THUS, and thank you to colleagues and particularly thank you to Phil Male who had faith that my consultancy would be of ongoing value… but it was all a surprise and I stammered out something far less eloquent. I’m really pleased to try and fix that now.

Synopsis:Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on October 25, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• Programming notes:
• Dan???s new employment with Voxeo
• Dan at VON next week ??? Dean Elwood is doing a VoIPUser dinner ??? perhaps a Blue Box dinner as well?
• We hope you enjoyed Blue Box SE 21 with Phil Zimmermann ??? many thanks to Martyn Davies for helping with that.
• Reporters for some of the spring shows?  (we can probably get you press credentials??? if you are there)
• XSS attack and SQL injection via SIP against Asterisk
• The XSS attack against Linksys SPA-941 we discussed last week was picked up by Secure Computing which resulted in this SearchSecurity.com article: New Attack Methods Target Web 2.0, VoIP (last link sent to us by Rhodri Davies)
• Sipera released a range of vulnerabilities related to Vonage, Grandstream and more ??? note that the Vonage thread has been picked up by ZDNet???s Russell Shaw
• Wired: Phones Aren???t Safe Either, Hackers Say ??? also discussed in Network World and Russell Shaw We???ve toasted so many of these (VoIP) networks??? and Dustin Trammell???s blog (in the list of sessions he attended)
• SANS: Vishing, Skype, and VoIP-Based Fraud (sent in by Craig Bowser)
• CXO Today: The Phishing Epidemic
• PCWorld.CA: The eight most dangerous consumer technologies (Skype and consumer VoIP are #6 on page 2 )
• TMC Net: VoIP Peering in Search of a Viable Interconnect Business Model (note the comments about security toward the bottom)
• Cisco TechWise podcasts Session Initiation Protocol and Security (it???s on the page??? came out 10/18/07 )
• TechRepublic: Sanity check: Will Microsoft be your next phone company? (nice roundup of the MS announcements??? some of the comments are also interesting)
• Comcast
• AP: Comcast blocks some Internet traffic
• Ed Brill notes the impact on Notes/Domino traffic
• cnet post
• TorrentFreak: Comcast Throttles BitTorrent Traffic, Seeding Impossible
• P2PNet: Comcast impedes hi-speed file sharing
• Carnegie Mellon???s CyLab and Nortel Combine Efforts to Research Leading Security Technologies
• SearchVoIP.au: Avaya white paper: VoIP Security for Dummies
• - Upcoming shows:
  
  
  
  • Oct 24-25, New York, USA, Interop
    
  • Oct 29-Nov 1, Boston, USA, Fall 2007 VON
• Comment (email) from Dan Wing about episode 69 and the potential DDoS attack
• Comment (email) from Raul Siles about episode 66
• Comment (email) from Raul Siles about SANS VoIP Security course
• Two-year-anniversary:
  • Comment (audio) from Martyn Davies
  • Comment (audio) from Dean Elwood
  • Comment (audio) from Mike Wallace
  • Comment (audio) from Raul Siles (with Matrix inclusion)
  • Comment (audio) from Carsten Helmuth (cut off)
  • Comment (email) from Scott Tanner
  • Comment (email) from Shlomo Dubrowin
• - Drawing for the book
• - Review of the last week's traffic on the VOIPSEC public mailing list 


• - Wrap-up of the show


• 51:14 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.