Trusted Computing Group, Convergence and IF-MAP: Part II

End users could choose best-of-breed products, pay less for them and operate under better security policies if systems generating data about physical and logical security actions could easily publish and/or receive that data using a standard protocol instead of custom programming or middleware solutions.

That's one of the assertions discussed in the second part of Security Squared's conversation with three member companies of the Trusted Computing Group, which have been demonstrating a standards-based physical-access-to-network-access data-sharing solution. The demo features Hirsch Electronics' Velocity security management software sharing information with a Juniper Networks network access control appliance via a Metadata Access Point (MAP) server from Infoblox, a network services platform vendor.
 
The TCG created the IF-MAP protocol, which its members say could enable data to move easily among physical and logical systems--provided the systems support the protocol. The implications of a standards-based communication solution were discussed by Bob Beliles, vice president, enterprise business development, Hirsch Electronics; Stuart Bailey, chief technology officer, Infoblox, and chairman of the IF-MAP subgroup of the Trusted Computing Group; Rick Kagan, vice president of marketing, Infoblox; Steve Hanna, distinguished engineer, Juniper Networks and co-chair, Trusted Network Connect Work Group, Trusted Computing Group; Moinul Kahn, product line manager for Juniper's Unified Access Control (UAC) product line; and Jay Kelley, product marketing manager, UAC, Juniper.

What follows is a transcript of the second half of our conversation, edited for clarity and length.
Part One contains an overview of the IF-MAP protocol capabilities.
*****

Sharon J. Watson, Security Squared: Bob, what you demonstrated at ASIS, the Infoblox MAP server, the Juniper NAC appliance and Hirsch Velocity, can someone buy that as a package? If someone is interested in that, how do they go about getting it?

Bob Beliles, Hirsch: We're still putting all of the pieces together.  Today what would happen is that you would need to have the capability in the Hirsch Velocity software that would communicate with the IF-MAP server. We're making that available.  Likewise a customer would need to go to Juniper separately, say I would like to buy the Unified Access Control server and Moinul would have to help out there with a special code to support that.  If you wanted to use the MAP server capability, different vendors have it, Juniper has a version of it and Infoblox does too. So you could go there.
 

In terms of offering a bundled solution with all three vendors' products in one part number, we haven't gone that far down that path, but we do see opportunities in doing some joint marketing, maybe some joint sales work, and maybe at some point in the future there might be a bundle or something, but at this point we aren't making that claim or saying that's going to happen. We do recognize customers would be getting parts from two or three different vendors. Any other comments there from Juniper or Infoblox?

Stuart Bailey, Infoblox: I'm chairman of the MAP subgroup of TCG, so with that hat on, I'd like to make this comment: One of the value propositions of IF-MAP for the end user is that, much like the way TCP/IP allows end users to take best-of-breed products from all areas, IF-MAP as a standard allows the same thing for this metadata integration--which, as alluded to earlier, can be done today when companies partner together and say they're going to exchange data over their proprietary APIs.
 
But what happens then is a kind of implicit decision tree for end users. They pick one company for a particular function, and that company may only have partnered with a handful of other companies, and that may not be for competitive reasons but often for cost control. It costs money to support partnerships with other companies if they're proprietary. Whereas if there's a standard exchange mechanism like IF-MAP, a customer has so many more choices, and it's cheaper for the vendor. Those are the two kinds of benefits that seem to drive successful standards in the market. We see both of those properties emerging with IF-MAP. So as Bob mentioned, we don't need to worry so much about how these things are bundled together from an end-user perspective today.

SJW: There are a lot of situations where a company, through acquisition or because it hasn't had particularly strict internal controls, winds up with more than one physical access control system. Its network elements may be pretty standard, but the systems at the doors of its different facilities are very different. In a situation like that, if someone was running an IF-MAP server and it was connected to network access control and an identity management database, would there be any sort of workaround if the physical access control systems are not tied into identity management, or only some of them are? Could IF-MAP help with a situation like that?

Bob Beliles, Hirsch: From a physical access control perspective, to the degree you are able to communicate using the IF-MAP protocol, which again is an open standard that anyone can adopt, you would certainly have some of the capabilities to do some of these things. Now it's up to each vendor to figure out, do they just want to publish information and that is as far as it goes, or do they want to be a subscriber and recipient of information.
 
We've talked a lot about physical event information triggering a network response. It is entirely possible to take a network event, or frankly even an event from a system tied into the network, like a SCADA system, and then, if the vendor in the physical access control world uses IF-MAP and says "I'm not just going to publish events but I'm going to subscribe to them," you can start taking these network or other system events and have a physical access control system response, or even a physical facility response, for that matter. That's the beauty of this being an open standard.

In terms of tying multiple disparate physical access control systems together, you raise a good point: if multiple vendors used IF-MAP, you could start to bridge some of those disparate situations and have multiple vendors' systems all working together, using IF-MAP as a common protocol to communicate with one another.

SJW: But that's a decision each vendor would have to make and they would have to incorporate IF-MAP into what they're offering or somehow link to [the MAP server].

Steve Hanna, Juniper: We're really spending a lot of time and effort with our customers, talking to vendors, encouraging them to implement IF-MAP. The Trusted Computing Group is talking to vendors about the benefits they get in terms of reduced development costs, reduced implementation costs from doing a one-time implementation of IF-MAP instead of having to integrate manually with all of the different customers they might have to work with and integrate separately with them.
 
What I've seen over the years is that it takes a little while for a standard to catch on but as it catches on, there's an exponential growth curve as its adoption proceeds, and we're seeing that with IF-MAP as well.  It's been out there 18 months now, and it seems the number of vendors to implement it doubles every year.

SJW: Is IF-MAP the basic differentiator between the [identity aware security] solution Juniper is offering and what Alcatel Lucent and Cisco and perhaps 3Com are offering, particularly Alcatel Lucent, when they talk about identity aware network devices/switches? 

Steve Hanna, Juniper: Yes, definitely.  Everybody has identity-aware networking gear, everybody has identity-aware switches. That's built into the basic standards for switching these days--802.1X provides you with that capability, it's an IEEE standard. So where we are able to go beyond that is to integrate with Juniper gear--not just our switches but all of our gear--and to do so based on open standards instead of having just the very basic functionality required by the IEEE standards.

We are able to integrate in our security equipment and even our partners' security equipment and even potentially our competitors' security equipment. So if you look at a customer who has switching gear from multiple vendors in place already, that can all work with the Juniper Unified Access Control box. We can work with those switches from other vendors and then we can connect them into the IF-MAP interface because we support that.

If you look at what other vendors are supporting, generally they are just tying together their own equipment. We are able to tie together multiple vendors' equipment. By virtue of doing so, we are able to provide more functionality to the customer because we are able to partner with a Hirsch Electronics or a Lumeta or other companies that provide capabilities that go way beyond what Juniper alone can provide.

That openness has real concrete benefits to our customers because it opens their world and their set of options even with the equipment they already have in place.

Jay Kelley, Juniper: To add to what Steve said, the customer can leverage what they have today with Juniper UAC. They can leverage their heterogeneous network today without having to rip and replace or make massive changes. We work with what's there. Based on standards--802.1X, IPsec--we work with all those standards. TNC [Trusted Network Connect] is one of our foundations. What we have is the ability to work across a diverse network environment and apply identity- and role-based access control, role-based policies, and disseminate those policies across an enterprise network. It even works with SSL VPN for remote access as well. That's one of the core differences between UAC and a lot of the other access control solutions on the market.

Moinul Kahn, Juniper: Sharon, if you look at the NAC solutions, network admission control, the way I see it is like a Swiss Army knife. Most of the switching vendors, what they focus on in terms of NAC is the endpoint posture assessment. All the endpoints that are getting connected to your network have to be somewhat healthy. I'd say that's what most of the switching vendors focus on. Our biggest differentiator is the role-based, identity-based access control. As far as the authentication and authorization and endpoint assessment, that's pretty much table stakes--that's been out there for at least seven years.
 
What we try to do is leverage other Juniper security technology and provide a very strong ecosystem as far as identity-based and role-based access control is concerned. As an example, our UAC can work with our firewall products, it can also work with our IDP products and that pretty much does application level access control. In other words, you can specify a set of users within your corporate LAN environment and say 'this set of users is allowed to use Facebook and this set is not allowed to use Facebook.' So really looking at the role of that user in the network, you can provision their accesses based on applications, where they are located, etc.

That is one of the biggest differentiators. Now with IF-MAP, we are taking this role-based access control to the next level, next-generation UAC, if you will. We have already integrated IF-MAP protocols into our two product lines, the SSL VPN product line has IF-MAP, the UAC line has IF-MAP. That enables us to bring remote users and corporate LAN users together, so with the new client we are launching very soon, Junos Pulse, we will be able to seamlessly migrate user sessions from a remote location to a corporate LAN location. So IF-MAP is now enabling us to take our NAC solution to the next level.

Bob Beliles, Hirsch: Having had a past life in this world and also just making sure from a physical access control perspective that readers appreciate and understand: There's an awful lot of work on the network and IT side relative to identity management systems and technology... When you go into an HP or Juniper, understand in many cases they are specifically talking identity that only pertains to the network.

SJW: The logical identity.

Bob Beliles, Hirsch: Right, the logical identity.  Even as we came out and introduced the [PAC-MAP server-NAC] demo to the world at Interop this past spring, we had many attendees to the show who were truly excited about it. They may have heard or been involved in discussions about tying physical access identity information in with the network, and maybe to some people that's just the common credential.  What we're doing is not just one credential, it can actually be two different credentials between the network and the physical access side. But there is this communication path that really links them together that in itself is not as common as you might think if you were just reading headlines.

Most of these other vendors, I think, do not have that linkage. If they do, it would be fair to say it's been done as a one-off proprietary solution to just one other vendor's system, as opposed to being an open standard. We certainly believe that, working with Infoblox and Juniper and being part of the Trusted Computing Group, what we are delivering is one of the industry's first open-standards-based implementations.

But there are a lot of different uses of the word 'identity' and 'identity management' by access control and smart card companies relative to the IT community, so be a little careful in understanding there are gradations. You can't make the assumption the network access control guys are using the same language as physical access control.

SJW: How interested are IT people in bringing the physical identity to the logical identity, in having that extra piece of data that enhances all of the logical device security? Are you finding that people want this or is this a solution looking for a home?

Bob Beliles, Hirsch: Mind you, the first couple of events we were involved in were IT oriented events. So the IT managers quickly got the concept, understood the power of the concept, and several of them said 'Yes, we would definitely like to go there.' Others are saying 'we know we would like to go there but we're not there yet.' As we chat with the IT people of Hirsch customers, they are starting to say 'that's great.'  Also, there was a multivendor physical security seminar that one of my peers was involved with [recently]. He reported there were three or four company representatives, they were probably physical security folks, and they jumped up and were very excited by the technology and were aggressively looking to do more with it, so there's some real opportunity out there.

SJW: Rick, Steve, Moinul, what are you seeing in terms of customer interest in having that physical security information?

Steve Hanna, Juniper: In government circles, that's very much something of interest. They need to be very concerned with physical locations, as the Secret Service recently discovered.

Moinul Kahn, Juniper:  I won't be able to share names but over the last several months, quite a few large enterprise customers, large corporations that are some of our biggest UAC customers, [have shown] a lot of interest in this IF-MAP integration with third party vendors. They were asking what you actually asked, when are we going to the GTM strategy, will there be an SKU, a consolidated thing available. These are the companies with large engineering organizations. Typically they have a certain number of engineers allowed to go to certain labs, because all of these projects are stealth projects. Even within the same engineering team, two engineers are allowed to look at a particular project versus those two are not allowed to look at it. So that's one of our biggest UAC implementations, and this customer is showing a lot of interest.

I have seen personally a lot of customer inquiries for our Lumeta integration: the Lumeta box can detect data leakage and publish that event information to the MAP server, and UAC can subscribe to that and provision user access. So we've seen a lot of interest from the customer side over the last several months.

Stuart Bailey, Infoblox: As the CTO of Infoblox, it's my job to bring in a lot of the bleeding edge or mind-blowing demonstrations of technology.  In general, our IT people are often very blasé about what is on the horizon.  Physical and logical network security integration is one of the very few demos and concepts where our internal IT organization kind of tasks me and says 'We want to know more about this, we want to see it running.'
 
Bob Beliles, Hirsch: It's a great technology. We're very excited about it.  A lot of people have talked about it but now we're seeing the fruition of what convergence really can be to the physical security world and it goes well beyond just saying, 'I'm going to connect everything to an IP network.'
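The publish-and-subscribe pattern the speakers keep returning to (a PACS that only publishes door events, a leak sensor that publishes an event against an address, a NAC appliance that subscribes and provisions access from whatever it finds) is easier to see in code. What follows is an added example written for this page, not code from Hirsch, Infoblox, Juniper or the TCG. Real IF-MAP is a SOAP/XML protocol over TLS with publish, search and subscribe/poll operations on a graph of identifiers, links and metadata; this in-memory Python model keeps only that shape. The identifier types, the metadata names ("physical-access", "authenticated-as", "data-leakage"), the role names and the user, site and address values are all constructed for illustration and appear nowhere in the interview.

```python
from types import SimpleNamespace
from typing import Dict, FrozenSet, List, Tuple

# IF-MAP identifiers are typed names: ("identity", "alice"), ("ip-address", "10.0.0.5"), ...
Identifier = Tuple[str, str]
Key = FrozenSet[Identifier]   # metadata hangs on one identifier or on the link between two

def link(a: Identifier, b: Identifier) -> Key:
    return frozenset([a, b])

class MapServer:
    """In-memory stand-in for a MAP server: a metadata graph plus subscriptions (toy model)."""

    def __init__(self) -> None:
        self.graph: Dict[Key, List[dict]] = {}
        self.subscriptions: List[SimpleNamespace] = []

    def publish_update(self, key: Key, metadata: dict) -> None:
        self.graph.setdefault(key, []).append(metadata)
        self._deliver()

    def publish_delete(self, key: Key, md_type: str) -> None:
        self.graph[key] = [m for m in self.graph.get(key, []) if m["type"] != md_type]
        self._deliver()

    def search(self, root: Identifier, max_depth: int = 1) -> List[dict]:
        """Metadata on every identifier and link within max_depth hops of root."""
        result, seen_ids, seen_keys, frontier = [], {root}, set(), [root]
        for depth in range(max_depth + 1):
            next_frontier = []
            for node in frontier:
                for key, items in self.graph.items():
                    if node not in key or key in seen_keys:
                        continue
                    seen_keys.add(key)
                    if len(key) == 1:                    # metadata on the identifier itself
                        result.extend({**m, "on": node} for m in items)
                    elif depth < max_depth:              # metadata on a link; walk across it
                        (other,) = key - {node}
                        result.extend({**m, "on": (node, other)} for m in items)
                        if other not in seen_ids:
                            seen_ids.add(other)
                            next_frontier.append(other)
            frontier = next_frontier
        return result

    def subscribe(self, root: Identifier, max_depth: int, callback) -> None:
        # 'last' is the result delivered most recently, so an unchanged poll stays silent
        self.subscriptions.append(SimpleNamespace(root=root, max_depth=max_depth, callback=callback, last=None))
        self._deliver()

    def _deliver(self) -> None:
        # Like an IF-MAP poll: a subscriber hears only when the graph it watches has changed.
        for sub in self.subscriptions:
            current = self.search(sub.root, sub.max_depth)
            if current != sub.last:
                sub.last = current
                sub.callback(current)

# Publisher-only clients: a PACS that just reports door events, and a leak sensor that flags an address.
def pacs_badge_in(server: MapServer, user: str, site: str) -> None:
    server.publish_update(link(("identity", user), ("location", site)),
                          {"type": "physical-access", "state": "inside"})

def pacs_badge_out(server: MapServer, user: str, site: str) -> None:
    server.publish_delete(link(("identity", user), ("location", site)), "physical-access")

def sensor_report_leak(server: MapServer, ip: str) -> None:
    server.publish_update(frozenset([("ip-address", ip)]), {"type": "event", "name": "data-leakage"})

class NetworkAccessControl:
    """Publishes who authenticated from where, subscribes to that user's neighbourhood, derives a role."""

    def __init__(self, server: MapServer, user: str, ip: str) -> None:
        server.publish_update(link(("ip-address", ip), ("identity", user)), {"type": "authenticated-as"})
        server.subscribe(("identity", user), 1, self.on_change)   # initial delivery sets self.role

    def on_change(self, result: List[dict]) -> None:
        inside = any(m["type"] == "physical-access" and m["state"] == "inside" for m in result)
        leaking = any(m["type"] == "event" and m["name"] == "data-leakage" for m in result)
        if leaking:
            self.role = "quarantine"      # a network-side event drives the access decision
        elif inside:
            self.role = "employee-lan"    # badged into the building: full on-site role
        else:
            self.role = "remote-only"     # authenticated, but no physical presence recorded

def run_convergence_demo() -> List[str]:
    """Constructed scenario (one user, one site, one endpoint): the NAC role after each event."""
    server = MapServer()
    nac = NetworkAccessControl(server, user="alice", ip="10.0.0.5")
    roles = [nac.role]
    for fn, *args in [(pacs_badge_in, "alice", "HQ"), (pacs_badge_out, "alice", "HQ"),
                      (sensor_report_leak, "10.0.0.5")]:
        fn(server, *args)
        roles.append(nac.role)
    return roles

if __name__ == "__main__":
    print(run_convergence_demo())   # ['remote-only', 'employee-lan', 'remote-only', 'quarantine']
```

Two things worth noticing. The NAC never talks to the PACS or the sensor: the three share only the MAP server and a metadata vocabulary, which is the vendor-independence point Bailey and Hanna make. And the explicit delete in pacs_badge_out matters: a subscriber derives state from what is currently in the graph, so a publisher that only ever adds metadata leaves its subscribers acting on stale facts, such as a user who badged out hours ago still holding an on-site role.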
# # #