March 18th, 2008
Tim Green is at it again, targeting NAC and virtualization. I believe that he could have written about some more issues with NAC and virtualization that most NAC vendors are suffering from.
Specifically, what happens when you have a virtualized environment on a server that might host multiple guest operating systems?
What is wrong with this scenario? Let’s take those NAC vendors that use the underlying switch infrastructure to place an element into a quarantine VLAN until its posture is validated. Quarantine VLAN is a per-port, per-device ‘technology’, meaning that it cannot be used for virtualization, since it re-assigns the switch port’s VLAN ID to that of the quarantine VLAN. By doing this, all the elements (virtual elements) using that switch port for their connectivity will also be assigned to that VLAN (meaning no communications for all).
Others may claim that the internal communications between the hosts are the problem. I disagree. I think that if the virtualization server’s administrator is installing another guest machine, she is not doing that to break into the organization. It may be an unauthorized install, but not one with malicious intent. The guest machine must be disallowed network access so that communication with other systems on the network is not possible (until either the guest machine is authorized and/or its posture is validated).
This brings me back to mentioning that NAC solutions must first take care of rogue devices and network access (S-E-C-U-R-I-T-Y) and only then deal with compliance.
March 18th, 2008
I have been speaking about this for some time now: a NAC solution that relies on agents is a solution that would be bound to fail in deployment. The problem is more pronounced in large-scale deployments.
I can count several reasons: the problem of identifying all the elements that the agent needs to be installed on (organizations do not know what they have on the network as is… and most of the NAC vendors do not know that either); the NAC agent being one among many other agents that may already be installed on the element; the performance impact that may result from the agent; management overhead; and the fact that the agent is a target for a security breach.
It seems I am not alone in speaking against the NAC agent approach. Tim Green of Network World published an article in his newsletter about issues with NAC agents.
February 17th, 2008
NAC must scale. The deployment must include all sites, and not just a certain portion of the environment. If dependent on an appliance and/or on the switching fabric, it is bound to fail (time-to-value, effort and money).
Any NAC deployment must cover the entire environment, so that other avenues for accessing the network are not possible.
One good example is guest access. Enforcing guest access only at specific locations, such as meeting rooms, would fail once the guest connects at one of the unprotected locations.
December 4th, 2007
So it seems Apple will be releasing a new version of its iPhone, now with 3G capability, sometime next year.
The information was confirmed (leaked?) by none other than AT&T’s CEO, Randall Stephenson.
One of the interesting things to watch will be the battery lifetime once the iPhone has 3G capabilities.
From my own experience I can tell that when you use WiFi the battery drains fast (OK, not as fast as when playing video).
October 1st, 2007
Apple has released firmware version 1.1.1 for the iPhone. If you have a software-hacked iPhone that allows you to insert any SIM card and use any GSM-based network, your phone will be bricked, i.e. you will not be able to use it.
The question being asked is: why is Apple trying to anger its customers? I have already written in the past about the new Apple cash cow, which is the percentage it takes from the net profit on the iPhone customers of the carriers that have exclusive deals with Apple.
Apple is actually doing more than this. If you show up in an Apple store with a bricked iPhone, the chances are that your iPhone will not be replaced and that your warranty is voided.
In my opinion Apple has gone too far with this. Instead of being happy that the iPhone is a big success and is selling in big numbers, Apple is fighting its own users. According to various sources, Apple has already sold more than 1 million iPhone units. So even if 5% of them are hacked and can use any SIM, why does Apple bother so much about this?
One aspect would be to show the carriers it is doing something. The other is to maintain the exclusivity.
This also ties in with another mistake (in my opinion) Apple made by lowering the price of the iPhone by $200 two months after it had been introduced.
Sure, if you are a gadget guy you need to pay more. But on the other hand, you do not expect that only 2 months will pass before the price is cut by 33%.