Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion- I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

• The endpoint security. StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog  posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have).

• User management. Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or priviliges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.

• Switch security. The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.

• Zero-day protection. It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches gives customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)

• Full integration. Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…

# # #

After my “used car salesman of NAC” series I was going to give Ray and the gang a break.  But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada.  The basis for this claim was that “SC Magazine awarded ForeScout’s CounterACT a four-out-of-five star rating, lauding the product’s ability to “function like a firewall, an IPS and a NAC device all rolled into one”.  They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support.  In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation.  How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly.  I have already asked for a clarification and will let you know what I find out.  But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products.  But I guess that is why they did not have a quote or a link to the actual review.  The review starts out with this memorable quote, “The ForeScout CounterACT was the device which took the most time to install and configure.”  Later on the reviewers had this to say, “The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.”  Now does that sound like a review to be touting?  Only those master car salesman would seek to put out a press release trumpeting the results of this review.  They are counting by wrapping enough other quotes (and frankly who knows about those) around it, no one will bother to dig into the facts here. Hey, thats what you guys pay me for, telling it like it is!

After my ???used car salesman of NAC??? series I was going to give Ray and the gang a break.  But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada.  The basis for this claim was that ???SC Magazine awarded ForeScout???s CounterACT a four-out-of-five star rating, lauding the product???s ability to ???function like a firewall, an IPS and a NAC device all rolled into one???.  They wrapped some customer quote (that had nothing to do with the SC magazine story) and voila!, can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support.  In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation.  How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly.  I have already asked for a clarification and will let you know what I find out.  But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the best buy and editors choice were two different products.  But I guess that is why they did not have a quote or a link to the actual review.  The review starts out with this memorable quote, ???The ForeScout CounterACT was the device which took the most time to install and configure.???  Later on the reviewers had this to say, ???The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.???  Now does that sound like a review to be touting?  Only those master car salesman would seek to put out a press release trumpeting the results of this review.  They are counting by wrapping enough other quotes (and frankly who knows about those) around it, no one will bother to dig into the facts here. Hey, thats what you guys pay me for, telling it like it is!

With the release of Firefox 3.0 there has been a bit of controversy over how it handles self-signed certificates.  It seems that Firefox makes it difficult to use self-signed certificates and some people are complaining about it.  Here at StillSecure we use self-signed certs in our products and we had to change how we do things to make it work.  However, there are than people like Lauren Weinstein who says that this is a step backward for Firefox because it makes it harder to send encrypted traffic. While I understand that it does make it harder, I think Lauren misses the forest for the trees here.  The whole point of certificates are to prove identity. In fact they are called identity certificates. 

The underlying reason for certificates is to ensure that the identity of the person or entity sending it is in fact genuine. It enables the the encryption function.  In Weinstein's rant, somehow he has this bass akwards. Identity is secondary to encryption.  He says, "Firefox is now putting so much emphasis on identity confirmation".  For good reason I say!  If we allow the whole idea of identity certs to be subverted for ease of encryption we are opening ourselves up to a whole range of bad things like phishing attacks, man in the middle, etc..

I say in our fervor to encrypt everything, lets not forget the importance of trust of identity that certificates enable.  Without that the whole system crumbles.  Now that being said, I agree that Firefox's GUI around handling these certificates could be better. It appears to be confusing to say the least.  But again we can fix that without sacrificing the validity of certificates.

I should mention that I ran some of my ideas on this issue by Joel Snyder and StillSecure's own Andrew Grealy. 

With the release of Firefox 3.0 there has been a bit of controversy over how it handles self-signed certificates.  It seems that Firefox makes it difficult to use self-signed certificates and some people are complaining about it.  Here at StillSecure we use self-signed certs in our products and we had to change how we do things to make it work.  However, there are than people like Lauren Weinstein who says that this is a step backward for Firefox because it makes it harder to send encrypted traffic. While I understand that it does make it harder, I think Lauren misses the forest for the trees here.  The whole point of certificates are to prove identity. In fact they are called identity certificates. 

The underlying reason for certificates is to ensure that the identity of the person or entity sending it is in fact genuine. It enables the the encryption function.  In Weinstein's rant, somehow he has this bass akwards. Identity is secondary to encryption.  He says, "Firefox is now putting so much emphasis on identity confirmation".  For good reason I say!  If we allow the whole idea of identity certs to be subverted for ease of encryption we are opening ourselves up to a whole range of bad things like phishing attacks, man in the middle, etc..

I say in our fervor to encrypt everything, lets not forget the importance of trust of identity that certificates enable.  Without that the whole system crumbles.  Now that being said, I agree that Firefox's GUI around handling these certificates could be better. It appears to be confusing to say the least.  But again we can fix that without sacrificing the validity of certificates.

I should mention that I ran some of my ideas on this issue by Joel Snyder and StillSecure's own Andrew Grealy. 

Server Core is a “minimal install” option of Windows Server that excludes much of the GUI and many applications – such as Internet Explorer and Windows Media Player – that would be present in a default installation.

In this very short report (download the full report), I perform a brief analysis how much smaller the software footprint is for Windows Server 2008 Server Core and examine a theoretical Server Core version of Windows Server 2003 over the past two years to gauge how much Server Core might convey in terms of reducing security updates.

As shown in the chart, looking at the Windows Server Security Bulletins over the past two years, 40% of them would not have applied to a theoretical Server Core build. The results of the analysis are encouraging in terms of security progress.  Check back in a few weeks and I'll publish my 90 day vulnerability study for Windows Server and we'll look at how this potential is being fulfilled...