GCN Insider: Packet identification; More reason to telework; Exchange quickie

Packet identification

Late last month, in the shadow of the Pentagon (the Doubletree Crystal City, to be specific), a San Francisco-based security start-up trotted out a couple of prominent former feds to warm up the breakfast crowd'an easy task, considering the AC was on the blink. Former cybersecurity czar Howard Schmidt and former White House CIO Carlos Solari gave sober assessments of the state of IT security.

Schmidt: 'People don't believe bad things can happen to them until they do.'

Solari: 'We never thought we were winning' the fight to secure the White House infrastructure.

The breakfast's sponsor, Applied Identity, not surprisingly, thinks it has a solution. And if the technology works as described, the company could be onto something.

Applied Identity's Identiforce appliance sits behind a network firewall and creates what the company calls user-based LANs that control what resources an authenticated user can access. According to Dean Weber, Applied Identity's chief security architect, the system accomplishes this at the packet level by tagging each user-generated packet with an ID through a client agent. 'We're tagging packets in the payload, not the header and footer,' Weber said. Such a tag is about 32K.

The appliance works with existing directory and policy services to control access. If a packet hits Identiforce with the wrong ID, it's simply dropped. 'Although there have been requests for a reply' so users know they've been denied access, Weber said. In the way it operates, the technology also effectively cloaks network resources so bad guys can't scan ports or perform other reconnaissance. The only thing outsiders are supposed to see until they are authenticated on the network is the Identiforce appliance. Once authenticated, folks see only what they're allowed to see.

More reason to telework

Call this GCN editor dim, but he'd never really considered the argument for teleworking that Juniper Federal Systems' VP Tom Kreidler recently laid on him. Sure, letting agency employees work from home could improve productivity, reduce some costs and make a dent in rush-hour traffic. But those warm, fuzzy reasons haven't seemed to sway agencies much, thus the federal mandate to promote teleworking ... or else.

Kreidler, who took over Juniper's federal business this year after a long stay at Sun Microsystems, made the argument that so many security breaches are inside jobs that it behooves agencies to keep as many people away, physically, from the network as possible. Which is to say, out of the building. We'll buy that.

So Juniper is out promoting its line of NetScreen SSL virtual private network appliances for controlling remote access to agency networks. (The company said it's slowly shedding the NetScreen name, which it inherited after acquiring the company of that moniker.) The same editor suggested Juniper might be overselling SSL when IPSec is still almost synonymous with VPN'the company also has a long history of IPSec in its firewall families.

Enter Juniper's new Network Connect technology, which the company recently introduced in its SSL VPN line. With Network Connect, when a user accesses a remote server, the system establishes what Juniper calls an 'IPSec-like,' network-level tunnel. If the network doesn't support IPSec, it falls back to SSL. No VPN client is required. Access is through a browser with the aid of a lightweight agent. Don Wheeler, Juniper's solutions marketing manager, said the dual-mode transport technology offers the best connection in each situation, 'with no IPSec headaches.'

Exchange quickie

Still haven't migrated your Exchange 5.5 servers to Exchange 2003? Microsoft is still planning to pull the plug on 5.5 support at the end of the year [see 'You've Got No Mail,' GCN, May 2].

Dell Inc. last month said it would start selling preconfigured server, storage and software packages to help ease the Exchange transition. The bundles include Dell PowerEdge servers and EMC Corp. storage arrays. Dell said agencies with as few as 100 e-mail users could benefit. To learn more, start at www.dell.com/exchange.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above