Thursday, September 28, 2006

My New Toy - A Black Dog

http://www.projectblackdog.com/index.html

This has absolutely nothing to do with Identity Management, but the coolness factor is so freakin cool I had to post about it. I also put my money where my mouth is and bought one so I will have something new to enjoy enduring two days of company meetings...

What it is...

BlackDog is a fully self-contained computer with a built-in biometric reader and a host of other powerful features. Unlike any other computing device, BlackDog is completely powered off of the USB port of your host computer – no external power adapter required!

To access and use your BlackDog, you merely plug it in to your host computer’s USB port and BlackDog takes over! Your host machine’s monitor, keyboard, mouse, and Internet connection are taken over by BlackDog for the duration of your session. When you are done, you simply remove BlackDog and everything on the host is returned to its original state.

Wednesday, September 27, 2006

My ISSA Journal Article - IdM for the Security Professional

You can grab a copy here until October 4th.

Tuesday, September 12, 2006

PCI Specification, Requirement 1

This is a point by point explanation of where TNT's solution satisfies all requirement number 1 specifications. The fact that TNT's solution deploys in hours and can begin enforcement very quickly lets companies move quickly to satisfy the requirements.

The one thing missing from the spec that I feel is VERY important is a baseline audit of the environment you will be working to protect. Without it, you will set yourself up to constantly be trying to change a tire on a moving car and fixing what is wrong with more wrong things, possibly making the environment more open and less restrictive.


1.1 Establish firewall configuration standards that include the following:

1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration
TNT does this in real time

1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks
TNT auto discovers users, machines, networks, servers, applications (port)

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
TNT will segment and enforce your policies by user, device, group, application, server, or network

1.1.4 Description of groups, roles, and responsibilities for logical management of network components
TNT proactively manages this in real time

1.1.5 Documented list of services and ports necessary for business
TNT will auto discover ALL ports (even rogue) and allow you to report them and restrict them in real time

1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN)
TNT logs all connection data between users and ports

1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented)
TNT will manage access by user and/or machine to all known ports on a server (65,000)

1.1.8 Quarterly review of firewall and router rule sets
TNT will enable you to establish and audit policy in real time, before enforcement is enabled, so you get to see what will happen before you shut off access

1.1.9 Configuration standards for routers.

1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment.
This is what TNT’s solution does

1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:

1.3.1 Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters)
TNT denies all connections that are not from a specific user, machine, IP address, etc., providing unparalleled control

1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ
TNT will allow you to restrict access by known/trusted user and known/trusted device to any network segment

1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only “established” connections are allowed into the network)
This is TNT’s core functionality – TNT controls access based on what is in the SYN header of every packet on the network

1.3.4 Placing the database in an internal network zone, segregated from the DMZ
TNT establishes a virtual physical zone so that only one user from one machine has access to a single application, even if there are other applications on the server

1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment
TNT will do this by user and machine, restricting access to only a few users from a few specific machines

1.3.6 Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration

1.3.7 Denying all other inbound and outbound traffic not specifically allowed
TNT was built to do this, by embedding identity information in packets and allowing/denying access by the information in the packets

1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)
Installing TNT’s solution behind an AP allows you to track and control every connection through it

1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
TNT’s solution builds a unique and unalterable identity of each machine in the environment and combines this with authenticated user information to create pervasive identity against which access controls are applied

1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
TNT would accomplish this by keeping all non-identified users from any and all networks, infrastructure, applications and data in an enforced policy

1.4.1 Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic

1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ.

1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).
TNT stops all masquerading of identity because we have a known user's FQDN & unique machine ID hashed and encrypted and embedded in every packet. You cannot be anyone else from any other machine
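As an added illustration (not part of the original post and not TNT's product or rule syntax), the sketch below audits a rule set against the checkable items in the list above: 1.1.5, 1.1.7, 1.3.2, 1.3.7 and 1.4. The rule tuple format, zone names, documented-port table and sample rules are all constructed for this example.

```python
import ipaddress

# RFC 1918 private ranges: must never appear as a source on the Internet side (1.3.2, 1.5).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed documentation (1.1.5): approved port -> business justification ("" = none recorded).
DOCUMENTED = {443: "HTTPS storefront", 22: "SSH administration", 21: ""}
RISKY = {21: "FTP", 23: "Telnet"}  # protocols that need an explicit justification (1.1.7)

# Constructed rule set, matched top-down: (action, from_zone, to_zone, source CIDR, port or None = any).
RULES = [
    ("allow", "internet", "dmz", "0.0.0.0/0", 443),
    ("allow", "internet", "dmz", "10.1.0.0/16", 22),
    ("allow", "internet", "dmz", "0.0.0.0/0", 21),
    ("allow", "internet", "dmz", "0.0.0.0/0", 8080),
    ("allow", "internet", "cardholder", "0.0.0.0/0", 1433),
]

def audit(rules, documented=DOCUMENTED, risky=RISKY):
    """Return (rule number, requirement, message) for each gap found in the rule set."""
    findings = []
    for n, (action, src_zone, dst_zone, cidr, port) in enumerate(rules, 1):
        if action != "allow":
            continue
        src = ipaddress.ip_network(cidr)
        if src_zone == "internet" and any(src.subnet_of(p) for p in RFC1918):
            findings.append((n, "1.3.2", f"private source {cidr} accepted from the Internet"))
        if src_zone == "internet" and dst_zone == "cardholder":
            findings.append((n, "1.4", "direct Internet route to the cardholder data zone"))
        if port not in documented:
            findings.append((n, "1.1.5", f"port {port} is not on the documented list"))
        elif port in risky and not documented[port]:
            findings.append((n, "1.1.7", f"{risky[port]} allowed without a justification"))
    # 1.2 / 1.3.7: the rule set must end in an explicit deny of everything else.
    last = rules[-1] if rules else None
    if not last or last[0] != "deny" or ipaddress.ip_network(last[3]) != ANY or last[4] is not None:
        findings.append((len(rules) + 1, "1.3.7", "no final deny-all rule"))
    return findings

if __name__ == "__main__":
    for n, req, msg in audit(RULES):
        print(f"rule {n}: requirement {req}: {msg}")
```

Run against an exported rule set before enforcement changes, this kind of check gives the baseline view of the environment that the post argues the spec is missing.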

Stay tuned for the Second requirement

identitystuff @ gmail.com

Sunday, September 10, 2006

Payment Card Industry PCI Standard Released

There is a self assessment out there that is designed to give companies an idea of what the actual standard contains, and how to start the process. The actual standard can be found here.

I had a chance to read through it and my first impression is that it is well thought out and pretty darn comprehensive. It contains some things that to me are no-brainers (implement strong passwords, establishing processes for testing policies, etc.) and some other things that to me combine facets of audit/compliance, identity management, NAC, and IPS/IDS. In short, validating a multi-layer security approach. It also gets into why identity isn't just for users anymore, that device identity is just as important.

The other thing that hit me is how much of the standard can be met with Trusted Network Technologies' solution that combines audit, policy management, and enforcement with a single piece of technology. I will spend the next few blogs talking about the 12 requirements and presenting a solution for companies grappling with this, and why using a single piece of technology to satisfy 10 of the 12 requirements specifically is a distinct advantage.

Stay tuned for what in essence will be an RFI response laying out where I can help.

identitystuff @ gmail.com

Thursday, September 07, 2006

Watch for my 3 Part Series in the ISSA Journal

For those of you who are members of the ISSA, I wanted to give you a heads up that I am writing a 3 part series on Identity Management and what it means to the security professional. I will also throw in a plug for the organization as it's one of the more active and useful groups to which I belong.

The groups I am a member of are ISSA, Infragard, IAPP, and IISFA. I also will be at the Wall Street Technology Association Hot Technology meeting October 19th in Manhattan, and I am available to speak at conferences, higher ed classes, and other places where a witty, self-important, passionate and often clueless identity management guy is needed.

identitystuff @ gmail.com