I remember the events of August 2003 very clearly. The Pentagon had called on me that July to defend my prognostications on reactive vs. proactive security measures. At the showdown (chronicled here by Ellen Messmer) I remember thumping the podium and berating the vendors that were aligned against me for doing nothing to stop the impending onslaught of attacks against a recently revealed Microsoft RPC DCOM vulnerability. Sure enough, on August 11, 2003, a worm was released that wreaked havoc on the Internet and corporate networks alike.
But this outbreak was different than Code Red, Nimda, and SQL Slammer, all of which breached the corporate firewall. Blaster spread mainly over port 445, which by then was blocked by a lot of firewalls. But corporate networks became infected anyway. The culprit was infected laptops brought in by employees and contractors. (Thanks to the Securosis blog for pointing out that today is the anniversary of Blaster and also that Microsoft’s just-released patches address a very similar vulnerability that could lead to a similar outbreak.)
How did the security industry respond to the threat from infected laptops? Cisco led the way by announcing a grandiose scheme labeled Network Admission Control. In a terrific example of design by press release, they roped the major anti-virus players into announcing that their products would comply with Cisco NAC.
It has taken three years, but there is finally a debate over NAC and its various interpretations. A couple of items coming out of the Black Hat conference last week question NAC on technical grounds. I, of course, have been whining about NAC for some time. My latest is in a column over at CIOupdate.
Well, that column incited a response from NAC vendor StillSecure, which in turn sucked in a couple of wordsmiths (Chris Hoff of RationalSecurity blog fame, and Mike Rothman of SecurityIncite), and now we have the makings of a debate. I was feeling like the lone voice shouting into the wind until Mark Bouchard chimed in. The debate became real last night thanks to Martin McKeay of the Network Security Blog and Podcast. He corralled four of us into a joint Skype call and we took off the gloves for about 45 minutes. Martin is still cleaning up the audio file. As soon as it is available we will each be posting it in our separate forums.