December 2009 Archives

Making certain the log-in data coming from a particular PC, laptop or mobile device is actually being entered by the specific human it's assigned to seems like a security no-brainer. Yet as Security Squared has detailed, accomplishing that task is not easy today for most enterprises. Despite its difficulty, the need for physical-logical identity management is growing exponentially with the increasing use of mobile computing and the explosion of cloud computing.

Network infrastructure vendors, including Alcatel-Lucent, Cisco Systems, 3Com (being acquired by HP) and Juniper Networks, now talk about identity-aware network gear, though mainly in terms of linking logical identity management to network access control. That's why we were intrigued to see a solution linking physical access to network access demonstrated at ASIS in September 2009. The demo featured Hirsch Electronics' Velocity security management software sharing information with a Juniper Networks network access control appliance via a Metadata Access Protocol (MAP) server from Infoblox, a network services platform vendor.

All three companies are members of the Trusted Computing Group (TCG), a not-for-profit organization creating standards for interoperability in several core computing and networking areas. Other members include Microsoft, IBM, HP, Gemalto and HID Global. The TCG created the IF-MAP protocol that enables Hirsch software to make physical security data available to a Juniper network access control point, and vice versa.

So as part of our research into what today's network access control capabilities offer for physical-logical identity management, Security Squared's Sharon J. Watson spoke earlier this month with representatives from Hirsch, Infoblox, Juniper and the Trusted Computing Group to better understand the IF-MAP protocol and what it might mean for converged security solutions.

The participants included Bob Beliles, vice president, enterprise business development, Hirsch Electronics; Stuart Bailey, chief technology officer, Infoblox, and chairman of the IF-MAP subgroup with the Trusted Computing Group; Rick Kagan, vice president of marketing, Infoblox; Steve Hanna, distinguished engineer, Juniper Networks and Co-Chair, Trusted Network Connect Work Group, Trusted Computing Group; Moinul Kahn, product line manager for Juniper's Unified Access Control (UAC) product line; Jay Kelley, product marketing manager, UAC, for Juniper.

What follows is a transcript of our conversation, edited for clarity and length. In Part 1, we discuss the IF-MAP protocol basics as well as its potential enterprise security applicability.

Sharon J. Watson, Security Squared: One of the things that intrigued me a lot is the PAC-NAC solution as presented in a white paper Bob [Beliles] wrote, which is a combination of Hirsch's Velocity, the Juniper NAC [network access control] equipment and then this metadata [server] from Infoblox, which uses the IF-MAP standard protocol. Can we talk a little bit about that box and what it accomplishes? It seems very important to being able to link the information coming in from a Hirsch PAC device and the NAC element.

Rick Kagan, Infoblox: I can try that one. It is actually a MAP server. MAP is metadata access point. It's not a policy decision point, it's a database. The way we like to think about it is it's almost like Facebook for things on an IP network. It's a way for different devices to publish information about what's going on about themselves or other devices on the network. Just like you can get a Google alert when something changes out in the world and you get an automatic alert telling you that it happened, various systems can subscribe to the MAP database and look for changes in things of interest.
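To make the publish/subscribe role Kagan describes concrete, here is an added illustration (not code from Hirsch, Infoblox, Juniper or the TCG, and not the IF-MAP wire protocol): a toy in-memory MAP store in which a physical access system publishes badge-in metadata about an identity, a NAC subscriber is notified of the change and bases its access decision on it, and the NAC in turn publishes the IP address it sees back for the physical system. The identifier and metadata names, and the sample IP address, are constructed for the example.

```python
from collections import defaultdict


class MapServer:
    """Toy metadata store with change notification (a simplified model of the
    MAP server role, not the real IF-MAP protocol). Identifiers map to named
    metadata values; every subscriber watching an identifier is queued a
    notification when any publisher changes it."""

    def __init__(self):
        self.metadata = defaultdict(dict)      # identifier -> {name: value}
        self.subscriptions = defaultdict(set)  # identifier -> {subscriber}
        self.pending = defaultdict(list)       # subscriber -> [(identifier, name, value)]

    def subscribe(self, subscriber, identifier):
        self.subscriptions[identifier].add(subscriber)

    def publish(self, publisher, identifier, name, value):
        self.metadata[identifier][name] = value
        for sub in self.subscriptions[identifier]:
            if sub != publisher:  # a publisher need not hear about its own update
                self.pending[sub].append((identifier, name, value))

    def poll(self, subscriber):
        """Return and clear the notifications queued for a subscriber."""
        changes, self.pending[subscriber] = self.pending[subscriber], []
        return changes

    def search(self, identifier):
        return dict(self.metadata[identifier])


def nac_decision(server, identity):
    """NAC-side policy: full network access only for an identity that the
    physical access system has reported as inside the building."""
    presence = server.search(identity).get("physical-presence")
    return "allow" if presence == "in-building" else "quarantine"


def demo():
    server = MapServer()
    server.subscribe("nac", "identity:alice")   # NAC watches alice's metadata
    server.subscribe("pacs", "identity:alice")  # physical system wants NAC data too
    before = nac_decision(server, "identity:alice")  # no badge-in yet
    server.publish("pacs", "identity:alice", "physical-presence", "in-building")
    nac_events = server.poll("nac")                  # NAC learns of the badge-in
    after = nac_decision(server, "identity:alice")
    server.publish("nac", "identity:alice", "ip-address", "10.0.0.23")  # constructed
    pacs_events = server.poll("pacs")                # PACS learns alice's IP
    return before, nac_events, after, pacs_events


if __name__ == "__main__":
    print(demo())
```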
