Installing Windows Server 2008

Microsoft

I recently installed Windows Server 2008 on a virtual machine. It went pretty well.

The first snafu was the RAM. I always use 256MB for my server installs, but I got an error as soon as I hit “Install Now,” because 2008 requires 512MB. I made the adjustment and continued. I was pleased that the Product Key was the first item that needed to be entered. In previous versions, you could go most of the way through the install and then find that your product key didn’t work. What a waste!

There were 3 versions to choose from: Standard, Enterprise, and Datacenter, and each one had either a Full or Server Core installation. I chose Enterprise Full. Server Core is great if you know exactly what you want to use the server for and it won’t really serve multiple purposes. When you reboot, all you’ll get is a command prompt and you go from there. The Full install will give me access the way I’m used to, with a nice GUI, MMC, Start button and the Server Manager.

It was nice to see a “Load Driver” button when we’re ready to select where Windows should be installed. On many servers, the RAID controller drivers need to be installed. Often, I’d miss the prompt “Press F6 to install additional drivers.” This is really useful for many reasons, especially where you have a SAN or external RAID controllers.

The install went by effortlessly; once the partition was selected it didn’t stop to ask me to set the time, enter a product key or any other irrelevant interruption. It rebooted itself; it took a while to boot back up, but I guess that’s normal. Now I could log in. It asked me to change the Administrator password and then loaded the desktop.

I was greeted with an “Initial Configuration Tasks” window that has all the options laid out right there, rather than going through several wizards. From here I could set the computer name, timezone & time, domain, add roles and other tasks that are usually associated with a newly installed server.

In previous jobs, I’d make a custom installation based on my needs that had all the updates and options set so that I could just rename the server, reboot and be done. Windows Server 2008 makes that obsolete because the installation is so streamlined; it’s a huge time saver. So far I’m impressed. I’ll write about the initial post-installation experience once I play with it some more.

NAP & NAC

Uncategorized

I said I needed to write about this because it is such a great topic. What I’m talking about here is Enterprise & Campus LAN security. Here’s the situation:

You have a Microsoft Windows based enterprise network with over 2,000 clients and a campus LAN (mostly wired switches supporting 20-50 users per location). You are asked for a good way to secure this network to prevent intrusions or other unauthorized access to the network (I say a good way instead of the best way because there is no best way, ever).

So, this is something I’ve come across. There are so many things you can do at the switch level. We could set up MAC filtering. For me, this is way too time consuming. With over 2,000 clients you’ll have people come and go and bring new computers; it’s a hassle and it just never works right. Plus, your network is STILL exposed, especially to MAC spoofing.

VMPS (VLAN Membership Policy Server, based on MAC) is similar to MAC filtering. I’ve used it and it works; however, there are vulnerabilities to this day that Cisco will not address since they’re deprecating this technology (I believe).

You could set up a port-security profile on all the switches. This works pretty well, but it DOES require a lot of effort and time. Ports will shut off or not work, and port-security will sometimes trigger when there’s no real threat, so again, this is too time consuming. Also, when new computers are added you need to activate those ports; it’s hard to manage effectively. I’ve used this and I had to loosen the port-security profile to make it worthwhile.

An even better solution than those would be to use wired 802.1x. Using 802.1x is pretty good in the environment described above. The way it works is that when a computer is ready to be placed on the network, a technician ensures its compliance and, if it is found compliant, that computer is awarded a certificate (a digital certificate is placed on the hard drive). All switch ports in the campus are configured to check with a RADIUS server before allowing connections. When the compliant computer is plugged in, a certificate check is performed by the RADIUS server (this will be your Active Directory DC or Certificate Server running RADIUS). The Cisco switch just acts as a proxy, passing the information back and forth. During this time only the connections needed to authorize the client are allowed. Once the server gives the OK to the switch, the port is activated for full communications. Voila! Of course, the downside here is that a technician must install that certificate. There are ways to install it automatically, but then who’s checking to see if the client is updated and compliant? Anyway, this method is great, but of course it requires a network engineer and the systems counterpart to work together.
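To make the two switch-level options above concrete, here is an added Cisco IOS configuration example (written for this page, not taken from the original post or from Cisco documentation) showing a strict port-security profile beside the loosened profile the post describes, followed by the wired 802.1x port setup in which the switch only relays authentication to a RADIUS server. The VLAN number, interface ranges, the RADIUS server address 10.0.0.5 and the shared secret are placeholders; the RADIUS server itself is assumed to be the Active Directory side service the post refers to.

```cisco
! --- Port-security: strict profile (the kind the post found too aggressive) ---
! One sticky MAC per port; a second MAC err-disables the port until an
! administrator bounces it. Every desk move becomes a ticket.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! --- Port-security: loosened profile (closer to what the post settled on) ---
! Allows a PC plus an IP phone, drops and logs offending frames instead of
! shutting the port, and ages out idle addresses so adds and moves need no
! manual clean-up.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type inactivity
!
! Any port that does get err-disabled by port-security recovers on its own
! after 5 minutes instead of waiting for an engineer.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Wired 802.1x: the switch as a RADIUS proxy (the mechanism the post describes) ---
! Address and shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key PLACEHOLDER_SECRET
dot1x system-auth-control
!
! Access ports stay closed to everything except EAPOL until the RADIUS
! server accepts the client's certificate, then open for normal traffic.
interface range GigabitEthernet0/3 - 24
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Verification from exec mode:
!   show port-security interface GigabitEthernet0/2
!   show dot1x interface GigabitEthernet0/3 details
!   show dot1x all summary
```

On newer IOS releases the per-port 802.1x commands are `authentication port-control auto` instead of `dot1x port-control auto`, but the behaviour is the same: nothing but EAPOL passes on the port until the RADIUS server says yes, which is exactly the “only connections used to authorize the client” window the post mentions.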

Finally, this brings us to NAP and NAC, Network Access Protection and Network Admission Control, respectively. NAC is the networking component and is utilized on several Cisco devices (the switch, Access Control Server, NAC device). It can be used by itself, without NAP, and vice versa.

NAC works much like wired 802.1x, whereby a client is given very limited access to the network for the purpose of authorization. NAC checks the client against a policy you define. Let’s say that you’re deploying NAC & NAP. In this case, Microsoft’s NAP will validate the client and the Cisco switch will act as a proxy. With NAP you define a policy as well, and rather than being limited to a GO or NO-GO, you can create categories such as “Quarantine” where your enterprise patch management can get the client up to date, to compliance. Once compliant, a “health certificate” is issued through NAC to the client and the Cisco switch allows full network access. The important thing in deploying NAC, even though it’s MOSTLY acting as a proxy, is that it transfers all this data securely, using 802.1x or EAP over UDP. I’m leaving out a lot of details, but that’s the point.

I should mention that NAP is a feature of Windows Server 2008 and Vista, and I don’t know if MS has released versions for Windows Server 2003 and XP. However, you can still use NAC instead of NAP in almost the same way. Cisco develops a client (Cisco Trust Agent or something like that).

So what’s so great? With this solution it’s almost impossible to introduce non-authorized clients to your network. It also makes it hard to introduce authorized clients with out-of-date anti-virus or missing patches. You’re basically one step closer to the automated enterprise network.

Missing the Enterprise

Uncategorized

Lately, I’ve been reading a lot about all the great new things going on at Microsoft. I’m a TechNet subscriber and I always browse through the newsletter to see what’s interesting. They’re flooding the newsletters each month with Windows Server 2008. I had better give it a shot. I downloaded it recently but haven’t gotten around to installing it on a virtual PC.

There are a lot of features that are small but still very useful:

MMC – I used the newest version (MMC 3.0) for the contextual sidebar, but not a lot of consoles had anything useful. It’s a good idea though, and saves time.

IPv6 – A lot of improvements to IPv6 integration. The military is headed that way so this is pretty important. Network Load Balancing (NLB) and Windows Deployment Services (what? Network-install Windows??) are also good.

What excites me more is IIS 7.0. I’ve heard a lot about it and the improvements to IIS are simple but seem like huge leaps for a web administrator. Fast CGI to run PHP, application pool isolation, and the new task-based IIS Manager are my favorites. I can’t remember HOW many times an ASP-based site (SharePoint and other custom ones) failed because of application pool security/identity settings.

The security is great too, but that’s always boring. I like Network Access Protection; I read a while ago about integrating NAP and Cisco’s NAC (Network Access Control) together. That would be awesome, a unified LAN security system. I need to write about that. There are a lot of exciting improvements to Active Directory and of course Virtualization. Personally, I don’t trust any Virtualization technology yet. Maybe I need to really get my hands on it, but it just seems too finicky.

Anyway, I’ll have to play and look around with it and record my own first impressions.

Portfolio Update (Sells)

Uncategorized

I recently sold EWM (iShares MSCI Malaysia Index), BEAS (BEA Systems Inc), and DGG (WisdomTree International Communications).

EWM: As the 1-year chart shows, EWM has kind of stabilized; it’s not going anywhere. I’ve had it for over a year and it’s made me some money, but I see no reason to keep it.

BEAS: You see, this stock jumped when Oracle put in a bid to buy it (which was rejected) in October last year. Oracle re-bid and it jumped again; it’s made me 35%, which is something I’ll definitely take. Yes, it could go higher, but probably not much higher, and there’s also the risk of the bid not going through.

DGG: This stock was a slow performer. I made over 5%, but it really wasn’t going anywhere. Honestly, I expected a lot more (maybe 12%), but it hasn’t performed.

Those are my sells. I was considering selling HAL (Halliburton Company) and BP, which have both been roller-coaster like, but I realized I’m getting nice dividends from them so I’ll keep them for now. Long-term I don’t see them crashing, so it’s a good value.

I’m doing some follow-up research this week on stocks that have been on my watchlist for 30 – 90 days. I actually wrote out commentary for them but decided not to publish them right now. I’ll publish after I’ve bought them :)

Offline web and andLinux (not a typo)

Linux

I was reading a post on LifeHacker called Take the web offline, in which they discuss Webaroo. I was looking for a program just like this and never found it. While in Afghanistan, we’d constantly lose internet access, and if we did have it, it would be slower than dial-up (much slower). Webaroo would have really helped; I sent some of my friends the link to it.

Also cool is andLinux. I forgot where I saw this app, but I just got around to installing it. It allows you to run Windows and Linux applications side by side (in Windows). That’s awesome. I haven’t tried it yet, but hopefully now I can use amaroK to play my music. I used Linux exclusively for a few years on my computers and there are still some apps that are Linux-only that I really like.

Something went wrong initially when I installed andLinux. I rebooted, but when I logged in, andLinux wouldn’t start. I ignored it for a while until I tried to start up iTunes. iTunes couldn’t start due to an “audio configuration” problem. Weird. I knew it was andLinux because I hadn’t installed anything else that day, so I uninstalled andLinux. I rebooted again, re-installed andLinux, and re-installed the “QuickTime only” version of QuickTime, and it appears everything is working great together!