
Tops in innovation

Feb 23, 2004
Hacking | Messaging Apps | Open Source

Selected by five of our columnists, these products step beyond the norm with interesting solutions for today’s enterprise network problems.

Swinging into wireless with ease

Trapeze Networks’ Trapeze Mobility System

Ready or not, wireless LANs are popping up in corporations. IT brings some in through the front door, while users tiptoe others in through the back door. Either way, WLANs pose unique management challenges.

Coverage, integration with wired networks, security and detection of rogue access points require thoughtful management. Fortunately, companies such as Airespace, Aruba Wireless Networks, Bandspeed, Bluesocket, ReefEdge, Trapeze and Vernier Networks stepped out in 2003 with enterprise-grade WLANs. Of these, Trapeze stands out for its comprehensive offering.

Trapeze Mobility System does for WLANs what structured wiring systems do for wired LANs. Thus, Trapeze calls its solution “structured air.” But that’s only part of the story: Trapeze takes wire, glass and wireless media and creates a network with integrated mobility.

Trapeze Mobility System is for companies that see mobility as an essential component of their network strategy. To reap the full benefits, the corporation must standardize on Trapeze’s access points. Although Trapeze offers a starter kit, the payoff is greatest for customers with diverse applications, a large number of mobile users or both.

The system consists of four major elements: RingMaster, Mobility System Software, Mobility Exchange and Mobility Points. The RingMaster tool suite is for planning, configuring and optimizing the WLAN. The process begins by importing AutoCAD (or other) floor plans. A software wizard calculates the number and locations of Trapeze Mobility Points (access points) and Mobility Exchanges (switches) to be installed. Once these are in place, RingMaster uploads their configurations and verifies coverage. RingMaster continues to gather statistics, detect rogue access points and plan changes from that day forward.

Mobility Exchanges support what Trapeze calls “identity-based networking.” Instead of linking users to physical ports for authentication, security and management, Trapeze focuses on user identities and transfers user attributes from one Mobility Exchange to another as the user roams the network. With other systems, users must re-log on as they roam; with Trapeze, users log on once. The Mobility Exchanges also offload many RADIUS/AAA server tasks for maximum responsiveness and scalability.

Mobility Points avoid the extremes of “thin” and “fat” access points to optimize security and guarantee availability at lower total cost of ownership. For example, they feature redundant data and power-over-Ethernet ports. Thus, each Mobility Point can be associated with two Mobility Exchanges. While other systems require 100% access point redundancy to guarantee availability, Trapeze can accomplish the same with just 25% access point redundancy.

Trapeze Mobility System has a nice security feature too. It continuously monitors the airwaves, alerting IT when it detects rogue access points.

One drawback is that the Trapeze Mobility System forces replacement of pre-existing access points. Still, for companies with big mobility plans, that’s a small price to pay for a qualitatively more secure, scalable and manageable system. Pricing for the system averages about $250 per user, assuming between 10 and 15 users per access point, with 450 to 6,000 users total. This price does not include user adapter cards.

Brodsky also likes Orthogon Systems’ OS-Gemini product for non-line-of-sight wireless applications.

Brodsky is president of Datacomm Research in Chesterfield, Mo. Reach him at


A one-two punch for securing e-mail and instant messages

Sigaba’s Secure Email 4.0/Secure Instant Messaging 1.2

Picking a single product to represent an entire year is always a challenge. Of course the solution should have great technology and features. But I look for more. Specifically, it must illustrate a trend – better still, multiple trends – that will be significant this year. It has to fill a clearly defined market gap. And it should garner rave reviews from IT executives.

My pick for this year is Sigaba’s Secure Email 4.0/Secure Instant Messaging 1.2, introduced last October. This product combination provides privacy, auditing and management for electronic communications, including e-mail and instant messaging, and it addresses three key trends for 2004.

First is the focus on security. IT executives increasingly need to secure, track and manage all forms of communication. Thanks to legislation such as the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley and Sarbanes-Oxley, the penalties for data tampering (or working unknowingly with tampered data) now include jail time for senior executives. Compliance with this legislation is critical – and will continue to be for years to come.

Second is the emergence of IM in the enterprise. In a recent Nemertes Research benchmark, 90% of IT executives reported using IM at work. Increasingly, IM is an IT-supported initiative: 37% of IT executives say their companies are using enterprise-class IM, while another 43% say they will be doing so within the next six to 24 months.

Last comes the growing requirement for encryption key management that can be controlled and audited centrally but administered in a distributed fashion. This is particularly necessary when a group at headquarters is responsible for guaranteeing the accuracy of data exchanged among far-flung sites. As the chief security officer of a major global manufacturing firm tells me, an effective messaging encryption tool has been his Holy Grail for the past three years. His major challenge is being able to manage keys at a regional level without the knowledge of the local general managers (which might be necessary, for example, if one of those individuals is suspected of unethical behavior).

Fortunately for him, the Sigaba platform handles authentication, authorization, distribution of encryption keys, and signing and non-repudiation of messages. And, it lets security managers maintain a detailed trail of user actions for auditing purposes.

Users are equipped with a variety of clients: an IM desktop, IM for browsers and e-mail plug-ins that provide a “Send securely” option to 20 of the top e-mail packages. These clients integrate into a range of servers, including a presence server, an IM server and the e-mail gateway server. Features such as virus scanning, content filtering and policy management functions run on these servers. Most importantly, IT executives can manage the software locally and globally, as needed.

Users who have rolled out the Sigaba software love it (in fact, I first learned about this product from an IT executive). An entry-level system starts at about $25,000 and runs on AIX, Solaris, Linux, and Windows servers.

Johnson is president and chief research officer at Nemertes Research. She can be reached at


Adding a jolt to PKI-based messaging

Voltage Security’s Voltage Security Platform (Voltage SecurePolicy Suite, Voltage SecureMail and Voltage SecureFile)

Secure messaging still hasn’t broken into the enterprise mainstream, in spite of considerable vendor innovation over the past several years. Among deployed secure-messaging systems, public-key-infrastructure-based solutions predominate.

However, PKI-based secure-messaging products are still too complex to set up and administer within and among diverse organizations. Automatic and transparent handling of key issuance, management and retrieval, on demand, would help considerably. Identity-based encryption (IBE), implemented in Voltage Security’s Voltage Security Platform product family, is a breakthrough PKI approach that does this.

The fundamental innovation behind Voltage’s IBE is that a message sender doesn’t need to know whether an intended recipient has a public-key certificate. Users needn’t ever obtain an X.509 certificate to participate in IBE-based secure communications. Instead, people can use any arbitrary character string – such as their e-mail address – as their public key. Consequently, public-key issuance becomes an implicit, latent and automatic component of e-mail account setup. Any recipient can simply assume a public key based on identity information retrieved from existing directories.

Under this IBE-based architecture, companies don’t need infrastructure components such as certificate authorities and repositories. The sender simply addresses and sends the secure message to recipients as he normally would, using the recipient’s e-mail address. The sender’s e-mail client uses the recipient’s e-mail address as the public key when encrypting or signing messages bound for the recipient. The Voltage server-side infrastructure – the SecurePolicy Suite or hosted SecurePolicy Service – takes care of binding IBE-based public keys to freshly minted, short-lived private keys, and distributing private keys to recipients, on demand.

To read secure e-mail, the receiver requests a private key from the sender’s SecurePolicy Suite (or the hosted Voltage SecurePolicy Service). The server-side infrastructure provisions plug-in software – Voltage SecureMail – to recipient desktops, and authenticates senders and recipients against existing directories.
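The column describes the IBE key flow (address string as public key, key server minting private keys on demand) without spelling out the mathematics. As an added illustration that is not part of the original article, here is the construction the flow corresponds to, the Boneh-Franklin scheme in its basic form; the article does not name the scheme, and the symbols, the sample address and the notation are mine rather than Voltage’s.

```latex
\textbf{Setup (key server, once):} choose groups $G_1, G_2$ of prime order $q$ with a bilinear map
$e : G_1 \times G_1 \to G_2$, a generator $P \in G_1$, and hash functions
$H_1 : \{0,1\}^* \to G_1^*$, $H_2 : G_2 \to \{0,1\}^n$.
Pick a master secret $s \in \mathbb{Z}_q^*$ and publish $P_{pub} = sP$.

\textbf{Public key of a recipient} is computed by anyone from the address string alone:
$$Q_{ID} = H_1(\text{``alice@example.com''})$$

\textbf{Extract (key server, on demand, after authenticating the recipient against the directory):}
$$d_{ID} = s \cdot Q_{ID}$$

\textbf{Encrypt (sender, needing only $P_{pub}$ and the address):} pick random $r \in \mathbb{Z}_q^*$ and send
$$C = (U, V) = \bigl(rP,\; M \oplus H_2\!\left(e(Q_{ID}, P_{pub})^r\right)\bigr)$$

\textbf{Decrypt (recipient holding $d_{ID}$):}
$$M = V \oplus H_2\!\left(e(d_{ID}, U)\right)$$

\textbf{Correctness} follows from bilinearity of $e$:
$$e(d_{ID}, U) = e(sQ_{ID}, rP) = e(Q_{ID}, P)^{sr} = e(Q_{ID}, sP)^{r} = e(Q_{ID}, P_{pub})^{r}$$
```

Two points a practitioner should take from the derivation. First, the master secret $s$ lets the key server compute $d_{ID}$ for any identity, so the server is the single root of trust and its authentication step is where the whole scheme’s security concentrates; that is the same fact that makes server-side revocation possible. Second, the “short-lived private keys” the column mentions are obtained by folding a validity period into the identity string (for example hashing ``alice@example.com || 2004-03`` rather than the bare address), so a key expires simply because the string it was derived from stops being used. The form shown is the chosen-plaintext-secure BasicIdent variant; a deployed system would use the Fujisaki-Okamoto-hardened FullIdent variant, which adds an integrity check but leaves the key flow above unchanged.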

Voltage’s IBE approach simplifies key management. Other secure-messaging vendors surely will take note and attempt their own IBE-based solutions (an approach that has been around since the 1980s, but Voltage introduced the first commercial version last July).

However, Voltage doesn’t appreciably simplify the configuration of secure-messaging environments. Users must have Voltage client software integrated with leading e-mail clients, including Microsoft Outlook. And it doesn’t provide qualitatively superior secure-messaging features. Many of Voltage’s other secure-messaging features – including short-lived private keys, server-side key revocation, and ad hoc enrollment and provisioning – can be found elsewhere.

Voltage SecurePolicy Suite costs $50,000 per server; SecureMail, $50 per user; and SecureFile, $20 per user. Clients are available in packages ranging from 1,000 to 100,000 users, and in corporate volume discounts. The company also provides subscription pricing as an alternative.

Kobielus is a senior analyst in Alexandria, Va., with Burton Group. He can be reached at


Time travel for DSU/CSUs

Visual Networks’ Visual UpTime Select

Short of modems, thinking of a less-innovative product than a DSU/CSU is tough. The sole innovation for the DSU/CSU market over the past 10 to 15 years has been to make these devices the independent reference point and measurement tool for troubleshooting and service-level agreement verification. So coming out with a “category breaker” in this space takes true innovation – even if that comes in the form of taking an old idea and adding new features.

This is exactly what market leader Visual has done with Visual UpTime Select. Not content to sit back and continue with a business-as-usual model, Visual raises the ante with this product by creating a pay-as-you-go model for advanced DSU/CSU functions.

The market for enhanced DSU/CSU products has always presented a dilemma for users. On the one hand, you can pay an increased price for the unit and have excellent network management capabilities. Or you can take your chances with a generic, run-of-the-mill unit and probably squeak by for less money. And while I’ve always advocated the former path, in these cash-strapped times many firms have chosen the latter route.

Now you can have your cake and eat it too. You can get enhanced functions by buying the base DSU unit and the software licenses, or you can buy the software licenses at a later date (from mid-2004). Using special code, you would be able to unlock the enhanced functions when you need them on a site-by-site basis. A basic T-1 unit costs $1,200, with the additional software functions ranging in price from $650 to $1,700 per site.

Let’s suppose you’re experiencing a problem in Albuquerque, N.M., for the first time in several years. With UpTime Select, you will have the option of purchasing a license to unlock the advanced capabilities only in Albuquerque to solve the problem at hand.

But, in the tradition of the famous Ginsu knife commercials, “But wait! There’s more!” Two additional factors make the Visual UpTime Select product even more interesting.

The first of these is the ability to do time travel. Let’s say the problem in Albuquerque started on a Tuesday, but it didn’t rise to the top of the trouble-ticket stack until Thursday. Even though you previously hadn’t purchased the historical-analysis capabilities, UpTime Select has been tracking the problem all along. When you activate the software on Thursday, the stats from Tuesday are available to you.

The second of the two cool factors that make this a category breaker is that these functions might even be included as a part of your router software. For years, users have been forced to decide between the economy of using an integral DSU/CSU or the added capabilities of an external enhanced DSU/CSU. This year, the full UpTime Select capabilities are expected to be included with Cisco’s integral DSU/CSUs, although the availability of the full suite will lag a bit behind the stand-alone units. Consequently, you’ll have the option of on-demand pay-as-you-go management without an upfront commitment – even when using an integrated DSU/CSU in your router.

In fairness, the development has a downside. Historically, the DSU/CSU has provided a clear demarcation point between the service provider and user networks. Even with services such as AT&T’s Frame Plus frame relay service that includes an enhanced DSU/CSU, the router is off-limits to the service provider. However, with highly manageable DSU/CSU capabilities built into the router itself, this demarcation point is becoming significantly less distinct. In fact, the demarcation point becomes a software function within the router.

I’m betting you’ll be willing to live with this. The potential is too great to ignore.

Taylor is president of Distributed Network Associates in Greensboro, N.C., and publisher of He can be reached at


Luring hackers with an open source honeypot

Open source community’s Honeyd

I think lying to criminals is a good thing. They do it to us!

And I don’t hate hackers; they do more good than harm for the state of security. But I have no use for criminal hackers, identity thieves or other miscreants who disguise their hostile activities as “hacking for mankind.” That’s pure BS. So let’s lie every chance we get to protect our networks.

My choice for product of the year is an open source honeypot called Honeyd, maintained by Niels Provos, a Ph.D. candidate and experimental computer scientist at the Center for Information Technology Integration of the University of Michigan.

I became acquainted with the idea of deception and lying to one’s ‘Net enemies in 1996, from Fred Cohen and his Deception Tool Kit. The object was simple: Tell the intruders one thing (not the truth), and fool them into believing they are getting through your defenses. In reality, you put them into a secure “trap” where their activities are harmless, you can capture all of their activities (for research of course!) or feed them erroneous information.

In 1999, I wrote about deception and honeypots from military and network defense standpoints in my book Time Based Security. Just consider how much deception we used in World War II and throughout the Cold War. Part and parcel of the espionage job was to suck in your enemy and get him to believe your lies to put him off path. Good stuff in the real world now being applied to the world of network security. Still, no such real products could be called highly effective security tools.

It wasn’t until I met the incredible and energetic Lance Spitzner, co-founder of the Honeynet Project, that I realized a small industry had been born that was based on these principles. Spitzner and I became close friends after I heard him speak in Dublin, Ireland, with eloquent passion about techniques in which I strongly believed.

Version 0.2 of Honeyd, a small daemon that creates virtual hosts on a network, appeared about a year and a half ago. A 1.0 version, under development by Provos and the open source community, is on the horizon.

With Honeyd, you can configure hosts to run arbitrary services and adapt their personalities so they appear to be running certain operating systems. Honeyd, which can claim up to 65,536 IP addresses, is used primarily for threat detection and assessment. By using various configuration tools, Honeyd deters adversaries by hiding real systems in the middle of virtual systems.
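To make the “arbitrary services” and “personalities” concrete, here is a constructed Honeyd configuration file written for this page; it is not from the article or the Honeyd project. The addresses are private RFC 1918 examples, the script paths are assumed, and the personality strings must match entries in the nmap fingerprint file Honeyd is pointed at, so treat them as placeholders to be checked against your copy.

```text
# Constructed example honeyd.conf (not from the article or the Honeyd project).
# Two templates: a decoy Windows file server and a decoy Linux web host.

create winbox
set winbox personality "Microsoft Windows NT 4.0 SP3"   # must match an nmap fingerprint name
set winbox default tcp action reset                     # unlisted ports answer RST, like a real host
set winbox default udp action reset
set winbox uptime 1296000                               # 15 days, so TCP timestamps look plausible
add winbox tcp port 139 open
add winbox tcp port 445 open
add winbox tcp port 80 "sh scripts/iis.sh $ipsrc $sport $ipdst $dport"   # emulated service script (assumed path)

create linuxbox
set linuxbox personality "Linux 2.4.7 (X86)"
set linuxbox default tcp action reset
set linuxbox default udp action block                   # silently drop, as a firewalled host would
add linuxbox tcp port 22 open
add linuxbox tcp port 80 "sh scripts/web.sh"
add linuxbox udp port 53 "sh scripts/dns.sh"

# Claim unused addresses in the subnet; real hosts live among them.
bind 192.168.10.201 winbox
bind 192.168.10.202 linuxbox
bind 192.168.10.203 linuxbox
```

Two things matter for the detection use the column describes. Traffic for the bound addresses has to reach the Honeyd host, which is why the project historically shipped a companion arpd to answer ARP for the decoy range; without that step the decoys are unreachable and log nothing. And because no legitimate client has any reason to talk to these addresses, every connection Honeyd records is by definition suspicious, which is what makes its log a low-noise alarm compared with an IDS watching production hosts.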

Since this field is so new and the developments coming so fast, I felt more comfortable picking a free honeypot rather than commercial software. Also, Spitzner considers Honeyd the most powerful honeypot.

That said, a couple of commercial products to watch are KeyFocus’ KFSensor, a low-interaction honeypot that monitors an extensive amount of ports and services; Symantec’s Decoy Server, a high-interaction honeypot used not only to detect or deceive bad guys, but also to gain additional information about them; and NetBait’s managed service honeypot.

If you want to follow or participate in the growth of this area, I suggest you hang around

Schwartau is the president of Interpact and the author of many books on security. He can be reached at