
Got the NAC


August 2008

August 26, 2008

Knock Knock

What's there?

We recently commissioned a survey of IT staff on network security concerns generally and NAC adoption plans specifically.  What we found, interestingly enough, was that 86% of the respondents had controlling network access as a priority, but 45% of them were not sure what was connecting to their networks at any given time.  I feel a bit like a political spin machine on this, since the basic visibility components of NAC implementation have often been a topic for me, but it seems to just keep coming up in its own right.  802.1x can help authenticate the endpoints in your network (and that seems to be on people's list, at least according to Gartner), and may help judge the posture of devices as we move forward.  However, failing back to MAC based authentication for MAC addresses you know little to nothing about seems too circular to be useful.  Any meaningful policy springs from at least basic knowledge of what you have connecting today.

I think this is a particular challenge for NAC vendors, since (a) it's basic blocking-and-tackling of NAC implementation so it needs to work; and (b) it's not really a huge business bang for your NAC buck.  However, there has to be opportunity here as well, since it appears none of the current tools in the IT toolbox is stepping up to do a satisfactory job at this.

You can read the full study here.

August 13, 2008

Another Patent Born

Actually, birthing.  We've received a notice of allowance from the USPTO for our patent application around address resolution based restriction of devices post-admission to the network.  Ironically or no, this was pretty much the first patent the company filed; yet it remains extremely relevant.  I've written recently on the importance of post-admission controls, as well as the reasons and (some of the) methods of our ARP based approach to quarantine.  Our initial patent protects ARP based quarantine for the purposes of enforcing authentication of devices onto the network.  Once issued, this one will protect ARP based quarantine of devices as a result of threat detection at any time during the device's network lifecycle.

We're excited about this.  Two down, 8 more to go.

August 12, 2008

SCADA and NAC

I thought I would take somewhat of a break from beating the standards and post-admission drums, and share some thoughts on how companies might bring embedded OS devices (generically) and SCADA devices (specifically) under a NAC umbrella.  The move away from serial communications and towards Ethernet and TCP/IP is not a new phenomenon for SCADA devices, nor are the security vulnerabilities and concerns that come as part of the move.

In May of this year, the GAO conducted an audit on the Tennessee Valley Authority, with less than stellar results.  The North American Electric Reliability Council now has a set of ratified "Critical Infrastructure Protection" (CIP) standards designed to address these and other concerns.  The CIP standards line up roughly as one would expect:  identify critical assets, segment and protect them, control physical access, patch machines, manage security events, etc.

NAC should be able to help with at least some of those.  Given the specialized function of these devices, though, as well as the specialized nature of their OS, care must be taken.  To wit:

First Do No Harm

What's generally true about network security engineering is doubly true here.  Any "security" apparatus that causes lights to go out, or a cooling plant to shut down, is quite obviously bad.  In essence, this is a two-fold model change for NAC.  First, it is a view that is geared more towards protecting the critical devices, as opposed to protecting the environment from them.  Second (and somewhat related), access to the network is presumed as a normal case and restricted only in an extraordinary case.

Passive Device Fingerprinting

Some identification mechanism is necessary to fingerprint these devices and classify them correctly (see below).  Given specialized OS platforms, though, performing that fingerprint via agent software seems unworkable.

On-Segment Protection

The segment containing these devices must be protected from all threats, foreign and domestic:  malware-infected hosts, mal-intentioned users, misinformed users, unauthorized hosts, etc.  Of course, this includes ongoing protection of the segment, not just protection at the point of device entry.

MAC-Based Authentication for 802.1x

At some point, organizations likely want to meld this under an overarching 802.1x umbrella.  Given the likely lack of 802.1x supplicants for these devices, MAC based authentication is required.  This is also where the fingerprinting piece comes in to plug the holes inherent in MAC based network admittance.

Generically, of course, this governance problem is applicable to any number of other devices (medical, HVAC, badge readers, etc.) that now have Ethernet connections and IP addresses.  The set of Critical Infrastructure Protection standards for the utility industry just provides an additional driver for the IT and Security teams in that industry to do something (or a set of somethings).  It is both a challenge and an opportunity for NAC vendors to find a way to help, but help in a way that takes into account the specialized nature of these devices.
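As an added example that is not code from this blog or the vendor it describes, the following Python sketch ties the pieces above together: a device is admitted by MAC address, a passive fingerprint (a constructed OUI lookup plus the ports and peers it is actually observed talking to) is compared against the class it was admitted as, and the default decision stays at "allow", with quarantine reserved for strong evidence, in keeping with the "first do no harm" rule. Every OUI assignment, device profile, port list and flow record is constructed for illustration; the names `DeviceProfile`, `Observation`, `evaluate` and `run_policy` are this example's own.

```python
# Added illustration, not code from the blog or the vendor it describes.
# Assumes a NAC policy that admits a device by MAC address, then compares
# passively observed traffic against the device class it was admitted as.
# Every OUI, profile and flow record below is constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed OUI table (first three octets -> vendor label); a real
# deployment would consult the IEEE registry.
OUI_VENDORS: Dict[str, str] = {
    "00:1a:2b": "plc-vendor-a",
    "00:1c:3d": "plc-vendor-b",
    "00:50:56": "workstation-vendor-x",
}

@dataclass(frozen=True)
class DeviceProfile:
    """What a device class is expected to look like on the wire."""
    vendors: FrozenSet[str]        # OUI vendor labels seen for this class
    allowed_ports: FrozenSet[int]  # service ports the class normally uses
    max_peers: int                 # distinct peers it normally talks to

PROFILES: Dict[str, DeviceProfile] = {
    "scada_plc": DeviceProfile(
        vendors=frozenset({"plc-vendor-a", "plc-vendor-b"}),
        allowed_ports=frozenset({502, 20000}),  # Modbus/TCP, DNP3
        max_peers=4,
    ),
}

@dataclass
class Observation:
    """Passively gathered facts about one MAC address."""
    mac: str
    ports_seen: Set[int] = field(default_factory=set)
    peers_seen: Set[str] = field(default_factory=set)

def oui_vendor(mac: str) -> Optional[str]:
    """Map a MAC to its constructed vendor label, or None if unknown."""
    return OUI_VENDORS.get(mac.lower()[:8])

def evaluate(obs: Observation, admitted_as: str) -> Tuple[str, List[str]]:
    """Return ('allow' | 'review' | 'quarantine', reasons).

    Access is presumed: 'allow' unless behaviour contradicts the admitted
    class. Soft anomalies go to 'review'; 'quarantine' needs both an OUI
    mismatch and off-profile traffic, so one odd flow never isolates a PLC.
    """
    profile = PROFILES[admitted_as]
    reasons: List[str] = []
    vendor = oui_vendor(obs.mac)
    vendor_ok = vendor in profile.vendors
    if not vendor_ok:
        reasons.append(f"oui mismatch: {vendor or 'unknown'}")
    off_profile = obs.ports_seen - profile.allowed_ports
    if off_profile:
        reasons.append(f"off-profile ports: {sorted(off_profile)}")
    if len(obs.peers_seen) > profile.max_peers:
        reasons.append(f"peer count {len(obs.peers_seen)} > {profile.max_peers}")
    if not reasons:
        return "allow", reasons
    if not vendor_ok and off_profile:
        return "quarantine", reasons
    return "review", reasons

# Constructed flow summaries: "<src_mac> <dst_ip> <dst_port>", as a SPAN
# port or flow exporter on the SCADA segment might report them.
SAMPLE_FLOWS = """\
00:1a:2b:00:00:01 10.0.5.10 502
00:1a:2b:00:00:01 10.0.5.11 502
00:1a:2b:00:00:02 10.0.5.10 20000
00:1a:2b:00:00:02 10.0.5.99 443
00:50:56:aa:bb:cc 10.0.5.10 502
00:50:56:aa:bb:cc 203.0.113.7 443
00:50:56:aa:bb:cc 203.0.113.8 22
"""

def observations_from_flows(text: str) -> Dict[str, Observation]:
    """Aggregate flow lines into per-MAC observations."""
    obs: Dict[str, Observation] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, dst_ip, port = line.split()
        o = obs.setdefault(mac, Observation(mac=mac))
        o.ports_seen.add(int(port))
        o.peers_seen.add(dst_ip)
    return obs

def run_policy(text: str, admitted_as: str = "scada_plc") -> Dict[str, str]:
    """Apply the profile check to every MAC seen in the flow text."""
    return {mac: evaluate(o, admitted_as)[0]
            for mac, o in observations_from_flows(text).items()}

if __name__ == "__main__":
    for mac, o in observations_from_flows(SAMPLE_FLOWS).items():
        print(mac, *evaluate(o, "scada_plc"))
```

On the constructed flows, the first controller only speaks Modbus to two peers and is allowed; the second controller is a known PLC vendor but is seen on port 443, so it is flagged for review rather than cut off; the third address carries a non-PLC OUI and talks SSH and HTTPS to outside hosts, which is the combination that earns quarantine. The thresholds and the two-factor quarantine rule are policy choices a site would tune, not a standard.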

August 06, 2008

Malware Survey

Blackhat's underway, and while Kaminsky's DNS vulnerability continues to garner the lion's share of attention, there are other interesting malware-related developments that I thought would be worth surveying here.  This is not an exhaustive list, of course.  Just ones that caught my eye for one reason or another.

For all the Facebook/MySpace lovers out there, blackhat researchers are due to demonstrate a file that the web server treats as a GIF, but the endpoint processes as a JAR archive.  Kaspersky has also identified a worm that is spreading through MySpace and Facebook.

Storm continues to chug along and find ways to add people to its botnet.  The latest attempt is via an "FBI vs Facebook" spam.  Given Storm's history of looking to capitalize on events around the world, I'd look for more as the Summer Olympics gear up.

In a development that surprises none of us, but is a bummer for all of us, Information Week has an article on a recent Websense survey finding that 75% of sites serving malicious code are legitimate sites that have been compromised.  According to the article, this is a 50% jump over the previous 6 months.

Finally, Twitter has apparently reached a level where it is now also worthy for use as an attack vector, prompting users to download malware disguised as an updated codec for Adobe Flash player.

What does any of this have to do with NAC?  It highlights two points that I've drummed on before:  (1) the critical importance of a post-admission security and detection strategy, and (2) the importance of isolation and cleanup of infected hosts.