How to stop leaking data

One of the great things about the Internets is that it provides universal connectivity between your desktop and the world. But that is also a tremendous weakness and security professionals often lose sleep over how easy it is for a rogue employee to email a friend – or even his private Webmail account – their entire customer list or other confidential information.

There have been a number of products to try to track or block leaking data, and this week I was testing one of them for my WebInformant.tv video screencast series — TrueDLP from Code Green Networks. The idea is fairly simple: you install their appliance on your network, point out your most sensitive data, and then it watches over your packets and sees what is leaving the premises. It doesn’t take that long to set up and install, once you figure out what it is doing and what you are doing.

The tricky part is figuring out exactly what is your most sensitive data, and being able to focus in on it in a way that the product can identify. It comes with dozens of various templates to be able to recognize social security numbers, or names and addresses, or stock symbols, or other kinds of well-formatted data. But the real plus is being able to handle unformatted data, such as a memo about a customer’s preferences that is just a Word document, for example. Code Green can connect to a SQL database and directly handle the query syntax to select particular data types, and it can also connect via WebDAV to SharePoint servers or other document repositories too. Once you find your data, you create protection policies and tell the appliance what to do – whether to just log the violation or actually block the activity.

You also need to make sure that you are matching everything properly, because the last thing you want to have on your hands is a series of false positives that you have to chase down. You can also set up fancier things, such as automatically requiring emails between two places (such as your office and a partner) to go out encrypted. Speaking of encryption, they work with the Blue Coat Web proxies so that even if someone is using SSL connections to talk to their Webmail accounts they can take those packets apart and see what someone is doing. That is pretty spooky, but hey, you have been warned!
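The two detection styles described above, a template for well-formatted data and a fingerprint for an unformatted memo, together with the log-or-block policy decision, can be sketched in a few dozen lines. This is an added illustration, not Code Green’s code or the logic inside the TrueDLP appliance: the memo, the sample messages, the SSN validity rules and the 25 percent overlap threshold are all constructed for the example. The SSN check rejects area numbers the Social Security Administration never issues, which is the kind of tightening that keeps the false-positive pile mentioned above small.

```python
import hashlib
import re

# Constructed stand-in for a registered confidential document (the unformatted
# "customer preferences memo" case). Not a real customer record.
CONFIDENTIAL_MEMO = """
Customer Acme Widgets prefers quarterly delivery to the Omaha warehouse.
Their buyer, J. Doe, wants invoices routed through the regional office.
Renewal discussion scheduled for the third quarter with a 12 percent discount floor.
"""

# Share of a message's word windows that must match the registered memo before the
# message is blocked rather than merely logged. Constructed threshold.
FINGERPRINT_BLOCK_RATIO = 0.25

# US SSN template: AAA-GG-SSSS. A bare regex would also flag order numbers and
# test data, so looks_like_ssn() drops values that can never be issued.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    if a == 0 or a == 666 or a >= 900:   # never-issued area numbers
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]

def shingles(text: str, k: int = 5) -> set:
    """Fingerprint text as the set of hashed k-word windows.

    Hashing windows rather than the whole file means a pasted paragraph, a quoted
    excerpt or a reformatted copy still overlaps with the registered document.
    """
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(len(words) - k + 1)}

def scan_message(text: str, fingerprint: set, k: int = 5) -> dict:
    """Apply the two policies to one outbound message and decide log/block/allow."""
    ssns = find_ssns(text)
    msg_shingles = shingles(text, k)
    matched = len(msg_shingles & fingerprint)
    overlap = matched / len(msg_shingles) if msg_shingles else 0.0
    if ssns or overlap >= FINGERPRINT_BLOCK_RATIO:
        decision = "block"
    elif matched:
        decision = "log"      # a little overlap is worth a look, not an outage
    else:
        decision = "allow"
    return {"ssns": ssns, "matched_shingles": matched,
            "overlap": round(overlap, 3), "decision": decision}

if __name__ == "__main__":
    memo_fp = shingles(CONFIDENTIAL_MEMO)
    # Constructed outbound messages.
    samples = [
        "Our SSN on file is 123-45-6789, please update.",
        "Forwarding what I know: Their buyer, J. Doe, wants invoices routed "
        "through the regional office. Thanks!",
        "Lunch at noon? Bring the 2008 budget spreadsheet.",
        "Order 000-12-3456 shipped this morning.",   # looks like an SSN, is not one
    ]
    for s in samples:
        print(scan_message(s, memo_fp))
```

The fingerprint is built once from the registered document and compared against every message; the SQL and WebDAV connectors the column describes would simply be the way such documents are fed into `shingles()` in the first place.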

There are other things that the product does, such as being able to detect content on removable USB thumb drives, or even block their usage entirely. This is the way of the world: as these drives get beyond 64 GB (yes, gigabytes), they are more of a threat for someone to just literally take an entire database out the door in their pocket. I recently ran up against this when I was in my bank trying to provide documentation for a loan. I had brought a CD, a USB thumb drive, and had saved the documents on my Google account just for good measure. Because of the bank’s endpoint security lockdown policies, I was 0 for 3 and had to send them the old-fashioned way, by making paper copies, once I got home. At least it was nice to know that they had protected their employees’ PCs.

The interesting thing is what happens after customers get their hands on this Code Green product. Lawsuits typically ensue, so to speak, because often the network administrator finds someone is doing something that they aren’t supposed to be doing. One of the product managers I was working with told me that this usually happens within the first week of the product being put into production. Given that the basic price of the product is ten grand, I figure that is as close to instant ROI as you are going to get these days, considering the cost of most litigation.

So take a gander over at WebInformant.tv and watch the four-minute video of the Code Green appliance. It is a very innovative way to detect and prevent data leaks and well worth a closer look.

Real World NAC Experiences speech in St. Louis next week

For those of you in the area, I will be speaking at the AITP local chapter meeting next Thursday.

Early Network Access Control and endpoint security adopters often ran into complications with these new technologies. Cost, complexity and confusion stymied some deployments. Even though NAC has overcome some of its early issues, the technology can still be complex, requiring organizations to do some careful planning before they embark on deployment. I will return to AITP and update them on NAC by giving my perspective on seven common pitfalls, drawn from lessons learned by several organizations that deployed NAC, which I profiled in some of my magazine articles earlier this year. I will also provide guidance for security managers about to embark on a NAC evaluation.

Keeping your business communications safe and secure (New York Times)

As more small businesses rely on email and Instant Messaging for their communications, there are a number of inexpensive methods that they can use to keep their conversations private and ensure that only the intended recipients read them. And these days even the smallest business can make use of security products that are easier to use and don’t require a computer guru to set up.

You can read more in my story in today’s New York Times about simple tools and techniques that businesses can employ here.

My favorite networking horror stories (Baseline Mag.)

Over the years, I’ve witnessed some very strange network operations. Maybe it just comes with the territory, or maybe it’s just knowing so many hard-working IT managers who have some great stories to tell.

One of the early tales was of a Novell file server that went offline frequently in Norfolk, Va. I flew there with a couple of experts from Network General, back when they owned the Sniffer. We instrumented all sorts of things and captured traces galore. To find out what happened, you’ll have to read the column I wrote for Baseline Magazine here.

Network Access Control: Lessons Learned From the Front Lines

Not long after NAC technology made its debut, early adopters ran into a number of complications: cost, complexity and confusion stymied some deployments. Even though NAC has overcome some of its early issues, the technology can still be complex, requiring organizations to do some careful planning before they embark on deployment. This webcast for SearchSecurity.com next week on 9/24 looks at five common pitfalls, drawn from lessons learned by four organizations that have deployed NAC. It also provides guidance for security managers about to embark on a NAC evaluation.

And here is a tip on how to configure NAP on Windows Server 2008, should you ever want to try that as well.

Infoworld: The unintended consequences of new privacy legislation

Business travelers will soon need to carry the name of their corporate lawyer in addition to their passport when returning home to the US, and may also need to bring with them a different business laptop as well. This is because the U.S. Customs can search and potentially confiscate your laptop without any prior cause, according to policies that have been posted online since a Ninth U.S. Circuit court ruling in April.

Alice Stitelman, a New Haven, Conn.-based consultant and author who writes about email usage and legal matters, says this is just one example of “what you don’t know about legal computer issues [that] can hurt you. Many business users mistakenly believe that their data is private — whether it is on their laptop, cell phone, or mobile device. In fact, they should have no expectation of privacy. Users have much less control over who reads their data than they may realize.”

There are other examples of new regulations and policies that will have a profound impact on business technology policy in the coming years. As legal battles over content filtering, net neutrality, tracking Web history and laptop searches ensue, corporate IT managers will need to rethink their strategies on how they implement cloud computing, e-discovery and records retention policies, and how they safeguard business data carried by traveling executives using various mobile devices. Let’s examine the wider implications of each of these key legal and policy issues in more detail and what they mean for the IT manager.

Confiscated laptops

The Department of Homeland Security has reaffirmed its policy that lets it search, copy or even impound your employees’ laptops when they return to the U.S. This is completely at the security screeners’ discretion, and applies to anyone entering the country, citizens and non-citizens alike. Security consultant Jeff Bardin, writing on the CSO Online blog, calls it a “virtual strip search” and cautions somewhat facetiously, “I’d best not forget to take the microdot off the woolly boogers that collect in my pockets.”

But all kidding aside, this policy is very much reality and isn’t just for the tin-hat paranoids. “It definitely has been happening more and more recently, and we have gotten lots of complaints,” says Danny O’Brien, the International Outreach Coordinator for the Electronic Frontier Foundation in San Francisco. “A CEO I know was detained and his computer’s hard drive was copied and returned,” says David Burg, a Washington, DC-based principal at PricewaterhouseCoopers in the advisory and forensics practice. As a result, his client’s company has changed its practice and now “employees aren’t allowed to travel outside their home countries with their standard issue laptops,” he said. Instead, they are issued bare-bones laptops that have very little corporate data and use Virtual Private Networks (VPNs) to communicate securely back to their offices.

Other countries are also randomly inspecting laptops: “Canada has been looking for child pornography on laptops entering their country,” says John Pescatore, a Gartner security analyst based in Washington, DC and a former security engineer for the U.S. Secret Service. “It is hard for anyone to argue against that.” And as more countries claim the right to copy or confiscate laptops, or worse to install monitoring software, soon this idea of having a “travel laptop” will become more common practice so that sensitive corporate data is left behind. “And given that the majority of corporate PCs are laptops now, your data is now more vulnerable,” says O’Brien. “You might want to consider limiting the data on your laptop to what you are willing to share with the government,” says Kevin Clark, the network operations manager of Clearpointe, a managed services provider in Little Rock, Ark.

“I would never travel with any data that I cared about anyway,” says John Kindervag, a senior analyst for Forrester Research in Dallas. “I would put it on my iPod or encrypt it.” Certainly “you should have been encrypting the hard drives of your laptops, these are just more reasons to do so,” says Pescatore. But using encryption is no guarantee that the government won’t obtain your employee’s data, according to legal authorities, especially if a security screener demands your password to decrypt your files. “We would say that you have some strong protections against giving out your password, and believe that falls under self-incrimination,” says O’Brien and points to this blog post by Jennifer Granick of the EFF. Other lawyers argue that it could fall under unreasonable searches, but overall case law is still evolving.

“A lot of this is just security theater,” says Kindervag, meaning just for show. He was detained – although not at an airport – and “I stood my ground and refused to give up my data, and eventually the screener backed down.” Clearly, one prudent course of action is to have ready access to legal counsel when returning to the U.S.

If your execs’ laptops are impounded, you have several critical issues to address. First, do you have the executive’s data backed up so you can get him up and running quickly on a new computer? Second, is sensitive data protected from prying eyes — whether bored screeners or investigating authorities? This is where having the cleaned “travel laptop” begins to become compelling. Finally, does this change your corporate policies on other mobile devices besides laptops, such as smartphones and PDAs that often have all sorts of personal and customer confidential information on them?

Net neutrality

But confiscating a laptop isn’t the only evolving computing legal worry. The topic of Net neutrality is also one that has unintended consequences for IT managers. This concept means that all Internet traffic should be treated the same, and not prioritized (in terms of service or price) by the carriers. The carriers have justified metering, blocking, and other traffic-control actions as necessary because a few people who continually access large video files or play bandwidth-intensive games all the time get in the way of everyone else’s access to the Internet.

The Federal Trade Commission, however, ruled that Comcast can’t entirely block peer file sharing traffic, at least not without prior notification of its customers. Its concerns were based on the potential impact on the overall access marketplace, and possible monopolist behaviors on the part of the carriers.

But the ruling has major implications for distributed corporate workforces and a greater reliance on cloud computing and Web-based services and applications. “Many global companies that have grown by acquisition have not integrated or optimized their technical environment, and the complexity and control of this is especially compounded when any of it is outsourced and administered in various countries around the world,” says Burg.

As more businesses make use of Internet-based services and store more of their data in the cloud, the assumption is that this data is universally accessible no matter where a user is located, and no matter what provider is used to get online. But cloud-based resources are not equally available from every provider in every country, as the OpenNet Initiative project found out in 2006, with countries such as China and Saudi Arabia filtering or blocking particular Web sites, ports, and applications.

Peer file-sharing services

Certainly, some corporations block or inhibit peer traffic, at least during work hours. But last month, FCC Commissioner Robert McDowell asked AT&T Wireless to provide the information on its peer-to-peer policy during a recent FCC hearing tied to broadband issues. While AT&T currently doesn’t block peer-to-peer traffic across its wireless network, there is concern that it and other major carriers may do so in the future. And then there is Comcast announcing last month that they will restrict their residential users to a monthly overall bandwidth limit of 250 GB.

Although illegal music and video swapping is usually the context you hear from those who justify carriers blocking, metering or monitoring peer-to-peer traffic, the implications extend to other traffic that may be blocked, to how corporations manage their Internet connections, and to whether they need to switch to a different Internet provider that doesn’t block their traffic. “Comcast in trying to block BitTorrent inadvertently was also blocking some Lotus Notes traffic,” says O’Brien. And at least one Canadian ISP has had a peer traffic block that was also affecting business-related traffic.

The EFF has developed a test tool called Switzerland that can be used to determine what ports a provider is blocking. “Anyone who signs up a new provider should consider adding a clause to their contracts about service level agreements that should hold the provider to any transparency about what network management and blocks that they are doing,” says O’Brien.

Privacy and Web history

Earlier this summer, senior members of the House Energy and Commerce Committee wrote to broadband Internet providers and other online companies, asking whether they have “tailored, or facilitated the tailoring of, Internet advertising based on consumers’ Internet search, surfing, or other use.” This brings up issues surrounding what is being monitored by corporate users outside of the corporate infrastructure, and whether this will become a legal liability later on if this information is subpoenaed by a court.

Certainly many companies use endpoint scanning technology, Web security gateways and other tools to view what is stored on their employees’ PCs when they are on the corporate network. But remote offices and traveling users may not be required to access the Internet through these devices. Gartner’s Pescatore asks: “Are you checking up on what your employees are doing with their laptops, even when they are outside of the corporate network? You need to know what your employees are doing when they are online. If I have an employee looking at kiddie porn sites with his corporate laptop, that is something that I should know before I get a call from some law enforcement agency.”

But these scans also have implications for potential data leaks of customer information. Who has access to the results of the scans, and what would happen if this were inadvertently shared outside the corporation, such as an employee mailing this data to their personal email account? And data leaks can also occur with users of social networks, who may inadvertently upload business contacts to their accounts.

There are other implications, such as for users of smartphones with integrated global positioning software. “Given that Google Maps can triangulate your location at any given point in time, imagine if I, as a forensic investigator, can use that data to track your movements as part of an investigation or in connection with discovery related to a legal proceeding,” says Burg.

One possibility is to insist on a service level agreement from your Internet providers that covers privacy issues. “I want SLAs from my Internet providers that guarantee me that my e-mail isn’t going to be compromised. These agreements aren’t about uptime but for the purposes of privacy and security. I want secure and assured services, including the ability to browse and search the Web without having this information recorded on a server somewhere. I don’t think a lot of people are doing this right now,” says David O’Berry, Director of Information Technology Systems and Services for the South Carolina Department of Probation, Parole and Pardon Services. He currently blocks access to peer file sharing sites and others that could compromise his network security.

Another solution is to segregate Internet users from those who have access to customer data. “We have taken the stance that if an employee doesn’t need the Internet to do his or her job, that computer won’t have access of any kind. Those with Web access don’t store medical data,” says Tony Maro, Chief Information Officer for HCR Imaging, Inc. in White Sulphur Springs, W.Va.

Clearly, the legal landscape is shifting with respect to individual computing. But corporate IT managers need to consider these and other regulations and adjust their computing policies to ensure that they can deliver IT services yet remain compliant in the future.

Techtarget magazine: News from the NAC implementation front

Endpoint security is arguably the hot information security topic in 2006. Small wonder. No matter how diligently you defend your perimeter, roaming laptops are bound to introduce worms, viruses and spyware into your network.

The mobility of commodity laptops equipped with wireless adapters has set your workforces free to work productively at home and on the road, as well as at the office. Consultants and vendors plug in to your networks for an hour or a day. How do you protect yourself against what they may have picked up?

The two behemoths of network infrastructure and OS software, Cisco Systems and Microsoft, each have initiatives to ensure that endpoint devices comply with security policy before they are admitted to the corporate network. Not surprisingly, Cisco’s Network Access Control (NAC) depends on Cisco switching infrastructure, and Microsoft’s Network Access Protection (NAP) works through Windows OSes. In addition to these pervasive yet proprietary approaches, Trusted Computing Group is developing the standards-based Trusted Network Connect (TNC).

Which, if any, of these do you choose to secure your endpoints and keep your local networks from being hammered by compromised machines that have become roaming malware collectors?

Solution Needed–Now

Faced with a security problem that needs immediate attention, you should be looking for a solution that allows you to define granular policy, detect every device that connects to your network, assess its level of compliance, enforce access policy and remediate noncompliant machines (see “Measuring Up,” p. xx).

This is a tall order for any security system, and getting onboard with endpoint security isn’t going to be simple. The Big Three architectures–NAC, NAP and TNC–are incomplete, costly to implement, and complex to understand.

The three approaches are coming at the issues of endpoint security from different places, so it isn’t surprising that they aren’t mutually exclusive.

  • Cisco’s NAC focuses on network infrastructure and policy definition and management, and, of course, assumes that you will have plenty of Cisco routers, use Cisco’s security solutions and want to keep within the Cisco family as you move towards locking down your endpoints.
  • Microsoft’s NAP takes more of the health assessment and remediation approach, assuming that you start with Microsoft servers and desktops, and that keeping them running and secure is your primary focus.
  • Trusted Computing Group’s TNC takes the broad-brush architectural approach, assuming first that every desktop will contain a specialized piece of hardware inside that will verify the endpoint hasn’t been compromised, and building on that hardware to monitor and enforce any endpoint policies.
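Whatever the vendor, the assess-then-enforce step that all three architectures share boils down to comparing what an endpoint reports about itself against a policy and choosing one of a small set of network outcomes. The block below is an added model of that step, written for this page; it is not Cisco’s CTA/ACS exchange, Microsoft’s NAP statement of health, or any TNC protocol message, and the policy values, patch identifiers and posture reports are constructed placeholders. It also covers the case that comes up later in the article: a device that cannot run an agent at all gets a restricted VLAN rather than a compliance verdict.

```python
from datetime import date

# Constructed admission policy for a corporate Windows fleet. The patch ids are
# placeholders, not real Microsoft KB numbers.
POLICY = {
    "allowed_os": {"Windows XP SP2", "Windows Vista"},
    "max_av_signature_age_days": 7,
    "required_patches": {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"},
    "firewall_required": True,
}

def assess(posture, policy, today):
    """Evaluate one endpoint's self-reported posture against the policy.

    Returns (decision, failures, remediation). decision is one of
    'full-access', 'quarantine-remediate', 'deny' or 'restricted-vlan'.
    posture is None for printers and other embedded devices that cannot run
    an agent; they are parked on a restricted VLAN instead of being judged.
    """
    if posture is None:
        return "restricted-vlan", ["no agent, no posture report"], []

    failures, remediation = [], []
    fixable_from_quarantine = True

    if posture["os"] not in policy["allowed_os"]:
        failures.append(f"unsupported OS {posture['os']}")
        fixable_from_quarantine = False   # a remediation server cannot fix this

    sig_age = (today - posture["av_signature_date"]).days
    if sig_age > policy["max_av_signature_age_days"]:
        failures.append(f"AV signatures {sig_age} days old")
        remediation.append("update antivirus signatures")

    missing = sorted(policy["required_patches"] - set(posture["patches"]))
    if missing:
        failures.append(f"missing patches {missing}")
        remediation.append(f"install {', '.join(missing)}")

    if policy["firewall_required"] and not posture["firewall_on"]:
        failures.append("host firewall disabled")
        remediation.append("enable host firewall")

    if not failures:
        return "full-access", [], []
    if fixable_from_quarantine:
        # Limited VLAN with reachability to the patch/AV servers only.
        return "quarantine-remediate", failures, remediation
    return "deny", failures, remediation

# Constructed posture reports, as an agent would hand them over at 802.1X time.
TODAY = date(2008, 9, 15)
COMPLIANT = {"os": "Windows XP SP2", "av_signature_date": date(2008, 9, 14),
             "patches": ["PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"],
             "firewall_on": True}
STALE = {"os": "Windows Vista", "av_signature_date": date(2008, 8, 1),
         "patches": ["PATCH-PLACEHOLDER-1"], "firewall_on": True}
FOREIGN = {"os": "Ubuntu 8.04", "av_signature_date": date(2008, 9, 14),
           "patches": [], "firewall_on": True}

if __name__ == "__main__":
    fleet = [("laptop-1", COMPLIANT), ("laptop-2", STALE),
             ("laptop-3", FOREIGN), ("printer-1", None)]
    for name, posture in fleet:
        decision, why, fix = assess(posture, POLICY, TODAY)
        print(f"{name}: {decision} {why} {fix}")
```

The separation between `failures` (what was wrong) and `remediation` (what a quarantine VLAN can actually fix) is the part worth keeping in mind when reading the vendor comparisons that follow: a product that only produces the first list has assessment, and one that acts on the second has remediation.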

Let’s look at these efforts and see what they claim to cover and where they come up short.

Cisco’s NAC

NAC is ahead of the game because of the confluence of both architecture and products that support it. NAC is designed to secure network access through trusted modules that are implemented in its router and switch code, as well as for both Windows and Linux clients. There are lots of vendors supporting NAC, and with good reason: You’ll need several of them to put together a complete solution that can handle all five of the endpoint security requirements. You’ll probably need to run at least two agents on your endpoints to handle more complex policies, and for SSL VPN compliance checking, for example.

NAC employs client software, Cisco Trusted Agent (CTA), which gathers device information and uses 802.1X mechanisms to pass the information to Cisco’s RADIUS server, Secure Access Control Server (ACS). ACS communicates with third-party policy servers (AV, patch, etc.) to determine compliance and enforce network access via the switching infrastructure.

Some analysts feel that NAC takes too many pieces to deploy, and it may be difficult to implement because of managing all the various IOS updates to get all the pieces to work together and maintain it as infrastructure changes are made.

The problem with NAC is that it is its own island of security, with support for Cisco’s RADIUS servers as its sole authentication mechanism, and Cisco switches, with up-to-date firmware.

Moreover, NAC doesn’t necessarily work with Cisco legacy infrastructure, unless it can be brought up to current firmware levels.

“Part of the NAC problem is that you have to upgrade your IOS versions,” says Lloyd Hession, the VP and CSO for BT Radianz, a major IT supplier to the financial services sector. “I have 40,000 routers across my network, and that isn’t an easy proposition.” Instead, Hession chose Consentry so he could eliminate MAC-layer filtering and access controls across his network. Consentry sells an inline security appliance that assesses and enforces endpoint security policy compliance.

However, NAC’s architecture is short on remediation–it falls short on managing patch levels of the endpoints themselves. Moreover, there’s not much flexibility in what happens after a device is assessed: It either passes and is allowed on the network, or it isn’t and it gets routed off to some VLAN with limited access.

“Getting a client out of quarantine is really the trick, and that is what we do,” says Rich Lacey, the Altiris product manager who handles their NAC-compliant products, which provide remediation solution through desktop management and replication.

Cisco has the support of McAfee, Trend Micro and Symantec antivirus products along with a smattering of other hardware and software vendors. (For a complete list, see http://www.cisco.com/go/nac.)

Hession didn’t find installing agents on all his endpoints to be particularly appealing. “The problem with agents is that you end up having to install multiple ones to support all the things you want to do, such as antivirus and access controls. Cisco’s NAC forced me to go in one direction with their agent that I didn’t want to go towards.”

“We currently support agents,” says Russell Rice, director of product management for Cisco’s Security Technology Group. “We will also do agentless solutions and do active scans and assessments of other non-Windows devices.”

NAC is widening its support beyond agents, and vendors such as Qualys with their QualysGuard for NAC are providing services that support agentless monitoring of network devices such as printers and other embedded devices that can’t employ agents.

Microsoft NAP

NAP is yet to be implemented in any product, although the effort has a long list of more than 60 supporters, many of whom are also hedging their bets and are supporters of NAC as well (see www.microsoft.com/technet/itsolutions/network/nap/napoverview.mspx).

NAP brings a security policy management and enforcement perspective into Windows Server that has been somewhat lacking since the early days of Active Directory.

“NAP will provide the ability to enforce policies through a variety of mechanisms, using IPSec for host authentication, 802.1X, or thru a VPN or DHCP,” says Mike Schutz, the group product manager at Microsoft’s Windows Server Division, who is leading the charge for NAP.

Like NAC, NAP employs client software, the Quarantine Agent (QA), which passes information to Microsoft’s Network Policy Server, which, like Cisco’s ACS, checks with third-party servers for policy compliance. NAP promises a variety of enforcement options, including DHCP, IPSec VPN and 802.1X.

Significantly, NAP will initially only support Longhorn Server and Vista, both still in beta, as well as XP SP2, which will require a NAP update on each device. This will present problems for shops using older versions, and require commitments to the new OSes and testing and managing XP upgrades. Further, authentication and enforcement servers, i.e., DHCP and RADIUS, will require Longhorn, requiring further upgrades and making NAP even more proprietary.

Of course, once there is shipping product we’ll see how pluralist NAP really is, but at least now Microsoft is talking as open a talk as they can.

“We don’t think of NAC and NAP as an either/or situation,” says Schutz. “We announced that we would be working together on interoperable solutions, so customers can choose what will best meet their needs.” However, neither Microsoft nor Cisco is currently working with the TNC solution, and neither has immediate plans to do so.

The Fulton County, Ga., government is already wading into NAP, with early versions of Microsoft servers and Vista desktops and laptops.

“Everything is still in beta,” says Keith Dickie of the county’s IT department, who is managing the NAP rollout. “But several of our IT staff are using it on their production machines without any problems, including incorporating Symantec’s Norton Anti-Virus with Microsoft’s SMS and Windows servers.”

The county is using IPSec authentication, and their NAP deployment checks for a series of health requirements, including making sure that the version of Norton’s AV client is current before giving out an IP address to their network for remote users.

Trusted Computing Group TNC

TNC is composed of dozens of industry heavies (one wag calls them “everyone but Cisco”) supporting a bunch of open standards. The good news is that the standards more or less map to the five requirements for network access control security mentioned earlier: policy creation, detection, assessment, enforcement and remediation. The bad news is that not all standards have been defined, and woefully few products support much of this universe of alphabet soup that is required to actually implement a solution.

The key ingredients with TNC (www.trustedcomputinggroup.org/groups/network/) are support for RADIUS and 802.1X authentication servers and protocols, along with a trusted hardware chip and software in the endpoints.

“This isn’t a forklift upgrade,” says Steve Hanna, the co-chair of TNC and a product manager at Juniper Networks. This differs notably from Cisco’s approach, which uses the Cisco ACS authentication servers.

A PKI chip, called the Trusted Platform Module (TPM), extends authentication features that help to secure the laptop against unauthorized users–such as thieves or someone who simply finds a lost laptop—in a hardware implementation that thwarts the potential compromises to software.

“You just can’t trust software these days, because a PC could have been compromised by a zero day vulnerability or by something a user downloaded via the Internet. The only way to detect this is through trusted hardware,” says Hanna. A number of laptop vendors including Dell, Fujitsu, HP and Lenovo, already include trusted hardware modules in their product lines.

Once authentication checks are satisfied, the trusted hardware routine passes control to a third-party software agent, which checks the device for policy compliance, working with the TNC architecture that handles network authentication and login access. As an open standard, TNC should potentially employ any enforcement mechanism.
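Hanna’s point that only hardware can vouch for software rests on one small operation inside the TPM: a platform configuration register (PCR) can never be written, only extended, so every piece of code measured during boot leaves a trace in a running hash that a verifier can compare against a known-good value. The block below is an added model of that extend rule and of the comparison a TNC-style policy server would make; it is not TCG reference code. It uses SHA-1 and 20-byte registers as TPM 1.2 did, the boot-chain components are constructed byte strings standing in for real firmware and kernel images, and the step where the TPM signs the quoted PCR with its attestation key is left out.

```python
import hashlib
import hmac

PCR_SIZE = 20   # TPM 1.2 PCRs hold one SHA-1 digest and start out all zeros

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """Model of TPM_Extend: new PCR = SHA-1(old PCR || SHA-1(component)).

    Because the register is only ever folded forward, software running later
    in the boot cannot rewrite the record of what ran before it.
    """
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()

def measure_boot_chain(components) -> bytes:
    """Extend one PCR with each component in boot order and return the result."""
    pcr = b"\x00" * PCR_SIZE
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def verify_against_golden(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """What the policy server does with a quoted PCR: compare to the known-good value."""
    return hmac.compare_digest(reported_pcr, golden_pcr)

# Constructed stand-ins for the measured stages of a boot chain. On a real
# machine these would be the firmware, boot loader, kernel and agent images.
GOOD_CHAIN = [b"bios-v1", b"bootloader-v1", b"kernel-v1", b"nac-agent-v1"]
GOLDEN_PCR = measure_boot_chain(GOOD_CHAIN)   # recorded from a known-good build

def attest(chain) -> bool:
    """True only if the chain reproduces the golden PCR exactly."""
    return verify_against_golden(measure_boot_chain(chain), GOLDEN_PCR)

if __name__ == "__main__":
    print("known-good chain accepted:", attest(GOOD_CHAIN))
    # One modified component anywhere in the chain changes the final register.
    tampered = GOOD_CHAIN[:3] + [b"nac-agent-v1-modified"]
    print("altered agent accepted:   ", attest(tampered))
    # The same components in a different order also fail: order is part of the record.
    reordered = [GOOD_CHAIN[1], GOOD_CHAIN[0]] + GOOD_CHAIN[2:]
    print("reordered chain accepted: ", attest(reordered))
```

The verifier never sees the components themselves, only the final register value, which is what makes the scheme usable over a network login exchange; what it does have to trust is that the register really came from the chip, which is the job of the attestation signature omitted here.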

Not surprisingly, TNC-compatible products are already available from Cisco competitor Juniper, which acquired Funk software, makers of RADIUS server products.

SSL VPN Weak Spot

Missing from all three solutions right now is any SSL VPN support: “Nobody has any product yet available in the [SSL] VPN space, and we can’t support it yet. But we expect to see that coming quite soon,” says TNC’s Hanna.

SSL VPNs have a ways to go. Few offer support for more than a couple of antivirus scanners, and they don’t go beyond Windows/IE combinations or can’t scan a connection prior to any network login. Part of the problem is that most of the VPN vendors added support for endpoint security after they finished their first versions, and it shows. Nortel and Aventail, for example, have two different sets of access controls in their VPN products–one that supports endpoint security, and one that doesn’t. Many SSL VPN vendors are partnering with third-party endpoint security vendors, a growing market that offers alternatives to NAC, NAP and TNC.

Can’t Wait?

While the marketing wars among Cisco, Microsoft and Trusted Computing Group heat up, enterprises are looking for solutions that work now, and, perhaps, support NAC, NAP and TNC as a path to the future.

Several vendors are shipping products that address at least some of the requirements for securing network access.

These products offer a wide range of checking and enforcement options to control both managed and unmanaged devices and give customers a lot of flexibility. Many offer login-, agent- and ActiveX or Java-based scanning to determine endpoint compliance, which you can mix and match according to your needs. And instead of a single enforcement mechanism, these products increasingly offer the choice of DHCP, 802.1X, agent-based, inline appliance and NAC, so your enterprise does have choices to match your environment. (For a representative list of products see Choices, Choices and More Choices, p. xx).

Cisco, in fact, has a second approach that is not completely aligned with its own NAC architecture, called Clean Client Access, the result of its acquisition of Perfigo. It does agent-based endpoint assessment, client and policy management, and remediation services.

No Easy Answer

The truth is that no single vendor has a complete solution that will lock down all of your endpoints and keep your resources safe. You’ll need to find a product that will handle different security policies, to protect critical network assets as well as those roaming laptops. And unless you have a completely homogeneous network composed of Windows XP users running IE browsers, you will need support for other operating systems and browsers. Despite all the wonderful claims, no one can come close to delivering a general-purpose endpoint solution that works with both agent and agentless solutions.

If you stick within the XP/IE realm, if all your users have administrator rights to their systems, and if you don’t mind them downloading some form of Java or ActiveX application from their browser, then you can almost make things work with one of the third-party appliance products or by using VPN solutions from companies like Juniper and Aventail.

If Microsoft’s vision with NAP aligns with yours, then get a head start by running the VPN quarantine in Windows ISA Server 2004, because that is what will form the basis of the Longhorn code when it finally is delivered later this year.

And if you have all your Cisco routers up to their current versions, then one of the NAC solutions from Cisco and its partners might work for you if you can continue to live in an all-Cisco world.

But if these very limited scenarios aren’t your situation, then you have your work cut out for you to implement the best possible endpoint security solution. The best advice, as with all information security initiatives, is to thoroughly understand your enterprise and business requirements. Address questions such as:

Who are your mobile employees, what OSes and security applications are they running, and how do they connect to the network?

Do consultants and vendors regularly access the network?

What is your network infrastructure and what enforcement/remediation mechanisms will it support? Is it homogeneous? Is it relatively new, with up-to-date firmware, or do you have legacy routers and switches that won’t support network-based solutions?
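As an added illustration (not code from the article or from any vendor it names), here is a small Python policy engine that evaluates the kind of posture report an agent- or ActiveX/Java-based scan would feed it, returns a log-only or quarantine decision, and picks an isolation mechanism based on what the switches in the environment support. The thresholds, the supported-scanner list and the field names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed posture report, as an endpoint agent or ActiveX/Java scan might return it.
@dataclass
class Posture:
    host: str
    av_product: Optional[str]      # None when no scanner was found
    av_sig_age_days: Optional[int]
    patches_current: bool
    firewall_on: bool

@dataclass
class Decision:
    action: str                        # "allow", "log" or "quarantine"
    reasons: List[str] = field(default_factory=list)

# Assumed policy values; real products ship these as templates.
MAX_SIG_AGE_DAYS = 7
SUPPORTED_AV = {"Symantec", "McAfee"}  # the short scanner list the article complains about

def assess(p: Posture) -> List[str]:
    """Return every policy violation found (an empty list means compliant)."""
    problems = []
    if p.av_product is None:
        problems.append("no antivirus reported")
    elif p.av_product not in SUPPORTED_AV:
        problems.append(f"unsupported antivirus: {p.av_product}")
    elif p.av_sig_age_days is None or p.av_sig_age_days > MAX_SIG_AGE_DAYS:
        problems.append("antivirus signatures out of date")
    if not p.patches_current:
        problems.append("missing OS patches")
    if not p.firewall_on:
        problems.append("host firewall disabled")
    return problems

def decide(p: Posture, enforce: bool) -> Decision:
    """Log-only mode records violations; enforce mode quarantines the host."""
    problems = assess(p)
    if not problems:
        return Decision("allow")
    return Decision("quarantine" if enforce else "log", problems)

def enforcement_mechanism(switch_supports_8021x: bool, inline_appliance: bool) -> str:
    """Choose how to isolate a non-compliant host given the network it plugged into."""
    if switch_supports_8021x:
        return "802.1X: RADIUS assigns a quarantine VLAN"
    if inline_appliance:
        return "inline appliance: allow traffic to remediation servers only"
    return "DHCP: lease from the quarantine scope (works with legacy switches)"
```

Running a pilot in log-only mode first (enforce=False) is how you find the false positives the article warns about before any host gets cut off.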

Sorting out NAC, NAP and TNC is going to take some time, and you’ll have to live with your decisions to secure endpoint access to your network. Choose the solution(s) that best meet at least your most critical needs now and align with your enterprise’s plans for the future.

Best Practices in Disaster Recovery Planning

It’s every IT manager’s worst nightmare: the call from the CEO to evacuate the data center because of a hurricane or other emergency. That’s what happened to John Chaffe, IT director of New Orleans-based Tidewater Marine, the morning before Hurricane Katrina hit, and he ended up driving critical servers to shared office space in Houston.

It is ironic posting this story today, especially after the recent hurricane Gustav c. 2008. You can read more over at Baseline magazine.

EWeek: Towards better network applications intelligence

VARs looking for the next profitable frontier in network forensics have two widely different alternatives with the partner programs and products available from two vendors. The network analysis appliances available from Firescope in Huntington Beach, Calif. and Network Physics in Mountain View, Calif. offer very divergent approaches towards better network applications intelligence.

The idea is to get beyond doing packet captures, ports and protocol decodes to view and understand applications-aware information. In the past, many network analyzers have relied on deep experience and intensive training before they could be deployed as troubleshooting tools and useful for real-time threat mitigation. Products such as Network General’s Sniffer and Ethereal were purposely difficult to use and hard to gain experience with.

Instead, both of these companies have taken to aggregating network behavior patterns and making more intelligent analysis of applications across the network that can be more readily interpreted, and more readily deployed by VARs and security consultants with less experience.

Firescope’s appliance takes more of an open-source, extensible framework approach, to which other vendors can add reporting and analysis modules. The total integrated package can then be sold by the VAR. “Our idea is to concentrate on end user usability and it is very easy for our partners to demo without having to have a lot of training investment,” says Steven Cotton, the company’s CEO. “Plus, it is easy for them to see immediate value and develop a technical core competency around our product. So that enhances their margins.”

To date, Firescope has “mashed up” its appliance with tools from A10 Networks, Actuate and Airtight Networks and is moving down the alphabet to other networking companies. “The idea is to tailor our product to better analyze and troubleshoot problems affecting overall IT system health, at the same time shortening the overall sales cycle for the VAR,” says Cotton. To date, they have about 20 partners.

Network Physics is going about selling its network analysis product in a completely different direction. “We know that for many products, you have to become an expert on how every protocol on the network works,” says Scott Safe, the VP of marketing and product management for the company. Their NetSensory appliance, as it is called, looks at network events and tries to bring stateful inspection to the application and network behavior.

The real difference between Firescope and Network Physics is how they engage their partners. “We put together a cross-disciplinary team from both sales and our system engineers to work with the VAR directly on their top potential opportunities.” This almost one-on-one, custom training and consulting is a good way to familiarize a VAR with their product and gets them quickly immersed into their product. “This is a lot better than the standard classroom or webinars. You can learn more from the interactive sessions with the ultimate customer,” says Safe. “It is also a great way to help them baseline their customers’ networks and open up additional sales opportunities.”

To date, they have had more than 120 VARs join their program, with half in North America and half in Europe.

“With all the streaming audio and peer-to-peer users that are out on corporate networks today, there are a lot of non-business applications that are taking up network bandwidth,” says Dwight Barker, the VP of product management for the company. “We can help people with identifying that stuff, and as an example we can show a customer all the March Madness NBA championship games that are being watched over their network.”

The choice is yours: an open platform on top of which VARs can layer additional functionality, or a custom series of training sessions to help close the sale. Either way, forensics can now be used in a wider range of situations by VARs.