Browse >
Home / Archive: May 2008
etwork Access Control (NAC) promises to allow only authorized and compliant devices to access and operate on a network. If implemented properly, NAC can improve the security profile of a network and lower the overall security risks faced by an enterprise.
The various approaches to NAC have created a significant and even highly contested debate across the IT security industry. The benefits of NAC are clear, although have yet to be realized on a widespread basis.
Many NAC offerings today are still expensive propositions that require network re-architecture and are based on a comxplex set of bypassable technologies. At the same time, many vendors failed to deliver on their claims by offering NAC solutions that do not offer full network coverage and leave an enterprise exposed to security vulnerabilities.
Any agent-based NAC solution requires a network discovery project prior to deployment to obtain the inventory of all the devices attached to the network. However, the standard discovery process is lengthy, requires significant manual input and cannot identify all devices, especially those that are firewalled or unmanaged. Likewise, appliance-based NAC solutions are not practical from a budgetary or deployment perspective in large, geographical distributed IT environments.
The result is a confused and increasingly skeptical marketplace.
Despite this, NAC is achievable. You can implement complete and real-time NAC with your existing network setup. Your NAC deployment can be accomplished within your budgetary and implementation expectations. You can ensure that all the devices connected to your network are and remain authorized and compliant throughout their lifecycle on your network.
Visibility – The Starting Point for NAC Deployments
Visibility and real-time device detection are the first building blocks of the NAC process and, if achieved, remove significant attack vectors and enable NAC coverage to be applied to the entire network infrastructure. If a NAC solution cannot identify all devices connecting to the network in real-time, IT managers will likely find that their network access controls will only cover known devices and will regularly miss unmanaged and rouge devices, which are the source of most security vulnerabilities.
Audit and Compliance – Understanding the Network before Activating NAC
Device profiling provides contextual information about each device on the network, including its user information, function and running software and hardware. Based on this vast audit information, an IT manager can determine the devices that are authorized to access the network according to the organization’s policy regarding device and software configuration. In parallel, this audit information can enable an IT manager to identify non-compliant, unmanaged and rogue devices that should not be operating on the network even before activating the NAC processes.
NAC – Ensuring Full Network Coverage
A NAC solution must operate in real-time. Every device must be detected and included in the NAC process as it is being attached to the network. Without real-time detection, a device and/or its user is given a window of opportunity to maliciously act the network.
The quarantine mechanism used should not depend on the underlying IT infrastructure in any capacity. Internal political issues among the different departments in a large enterprise will prevent a NAC solution that relies on the IT infrastructure from scaling across the entire network. In addition, any configuration changes to the network of a bank or financial services company will never be authorized in the first place.
The user experience for managed and compliant devices should be as transparent as possible. A user of managed and compliant devices should pass through the NAC process without even knowing that the device was assessed by the NAC solution.
A NAC solution must scale across the entire IT infrastructure. The deployment must include all sites and not just a certain portion of the network. A NAC solution that is dependent on an appliance and/or the switching fabric is not a practical option in segmented networks. In addition, allowing guest users access only is the equivalent of putting your head in the sand. Any user can just connect a device to an uncovered network segment and gain access to any network resource.
Final Thoughts
NAC should be treated as a security methodology. Any worthwhile NAC solution must first allow provide intimate knowledge the network by profiling all devices connected to the network and identifying the non-compliant, rogue and unmanaged devices, even before the NAC processes are activated. This enables an IT manager to assess the impact of turning on the NAC solution. Finally, a NAC solution must be highly scalable with a relatively easy deployment across the entire IT infrastructure in order to deliver a fast time-to-value at a reasonable cost. Opinion piece submitted by Ofir Arkin, CTO, Insightix
I got a real kick out of a tech article about the new House of Hackers social network site. The site says it is supposed to help security researchers get together and help each other collaborate, and behave ethically in the process. That would generally be a good thing. However if they want to establish and maintain credibility as a go to site for quality security research, they really need to up their standards a bit. Frankly from my look around, the notable posts seemed to be primarily wannabes as opposed to a real place to go to to find quality researchers.
Before I go on, I will state that a critical aspect of finding someone you should hire for research is that you are putting an awful lot of faith in their technical ability to find vulnerabilities otherwise missed by teams of skilled developers. I will also note that the really elite hackers/security researchers already have well established networks. It is true that some people might be really talented and need a place to rise to the top.
I spent awhile going through site posts, and it was much more of a social network than a place to find quality researchers. For example, there were many posts telling females how hot they were. One person claimed he wanted to start a company doing security research and randomly invited people to join. One person accepted, but said they had no programming experience. They were promptly offered a position doing social engineering. Yeah, I want to hire that company for critical work.
Ira Winkler
People stealing their neighbours’ wireless Internet (what is known as “leeching”) could now face the threat of a criminal record in the UK following an apparent crackdown by police. It may seem a trivial offence, but it could still be seen as hacking, a Wi-Fi thief hijacks someone else’s connection by means of using poorly secured networks. And merely stealing some Internet could also lead to more serious crimes such as identity theft and cyberfraud.
In fact, recent research conducted by price comparison website Moneysupermarket.com indicates that lax wireless protection puts up to a quarter of the UK’s population at “serious risk” of identity theft and cyberfraud. People increasingly have Wi-Fi in their homes, but many do not enable basic security features, leaving their network vulnerable to even an unsophisticated attack. “It is bad enough if your neighbour can use your Internet connection for free, but this becomes far more sinister if someone uses your wireless connection for criminal activity,” commented Jason Lloyd, who heads the broadband department at Moneysupermarket.
All this has lead to more attention from the police, who seem to be taking the problem increasingly seriously. As reported in The Guardian, two people have already been detained in the past month in Worcestershire in two unrelated incidents. Both subsequently received a caution “for dishonestly obtaining electronic communication services with intent to avoid payment.” Police Constable Tony Humphreys from West Mercia police warned users: “Wireless networks don’t stop at the walls of your home - without the necessary protection, neighbours or people in the road may be able to connect to your network. This might slow down your service, or more importantly, your connection could be used for unlawful purposes.”
Konstantin Kornakov
A “serious security flaw” in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.
INSERT, the Information Security Research Team, has created a proof of concept that exploits the “trust hierarchy” that exists between mail service providers. By exploiting a flaw in the way Google forwards messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.
The report notes that with the rising volume of spam, e-mail providers have turned to whitelists and blacklists to help root out IP addresses of known spammers. Because Gmail falls into the trusted-whitelist category, messages are allowed “carte blanche” to bypass spam filtering.
INSERT’s report notes that no extraordinary Internet expertise is necessary to exploit the flaw:
In this regard, this document presents a vulnerability report and a proof-of-concept attack that demonstrate how anyone with no special Internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail account in order to be granted nearly unrestricted access to Google’s massive whitelisted SMTP relay infrastructure.
Google has offered no official comment on the report.
Michael Goodwin
Written by admin · Filed Under Archive
The National Institute of Standards and Technology is seeking comments on draft recommendations for derivation of additional keying material from a secret key using pseudorandom functions.
A secret symmetric encryption key shared by multiple parties can be used to generate additional keys that can be used for other purposes, such as message authentication codes. Or a trusted party can create separate keys for other parties from a single master key. An improperly defined key derivation method can crate keys that are vulnerable to attacks. SP 800-108 specifies several families of key derivation functions that use pseudorandom functions.
A pseudorandom function is the basic building block in constructing a key derivation function in this recommendation. The publication contains a formal description of pseudorandom functions, which produce a variable computationally indistinguishable from a genuine random function defined on the same domain.
Comments on Draft Special Publication 800-108, “Recommendation for Key Derivation Using Pseudorandom Functions,” should be e-mailed to draft-SP800-108-comment@nist.gov, with “Comments on SP800-108″ in the subject line. Comments are due by June 28.
IPAA security guidance for comments
NIST also has released a draft revision of Special Publication 800-66, “An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act Security Rule.” This publication is intended to improve understanding of security terms used in the HIPAA Security Rule and of the security standards set out in the rule. It also directs readers to information in other NIST publications on topics addressed by the rule. The publication does not replace the HIPAA Security Rule.
Comments on the draft of SP 800-66 Revision 1 can be made through June 13 to 800-66comments@nist.gov or forwarded to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-66 Rev. 1, NIST, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930.
More news on related topics: IT Security, IT Management
By William Jackson
Written by admin · Filed Under Archive
It appears that CNN has been and will be the target of choice for Chinese hackers to show their displeasure with Western media coverage over “pro-independence protests in Tibet.” It would seem that some people in China have been offended by this coverage and are calling form attacks according to the website The Dark Visitor. They have provided details on several Chinese websites calling for attacks on www.cnn.com starting at 8:00 PM Beijing Time (8:00 AM EDT or 12:00 PM GMT) today April 19, 2008. However, according to another update on The Dark Visitor’s website, these attacks have seen been called off and are to be rescheduled.
According to a recent update on the CNN website, they have already observed several attacks that occurred this past Thursday. They took action to limit access to the site from certain regions and users in Asia may have experienced minor disruptions. These attacks appear to be either coincidental or preemptive in nature as they came two days earlier than called for. Arbor Networks is also monitoring this situation and has reported they have observed at least 36 different attacks thus far.
While the attacks have been “called off” for now, it will be interesting to see if they continue regardless — as scheduled or at a later date. It appears that attacks are expected and are being planned for. We can hope that they are unsuccessful regardless of the level of participation. We will update more if we learn anything new.
Written by admin · Filed Under Archive
Welcome to my site. Where am I ? Why are you here ? What’s going on there ? People always ask these questions to the mirrors. The interesting thing is to behave out of a human inside the mirror you see yourself.
What an incredible world we breath..
