Monday, August 2, 2010

book Smarts!

I usually use this blog to talk about general security related issues, but on this special occasion, I’d like to tell you all about a new book of mine that just came out.

Even though I’ve been a writer for almost 15 years, this is my first published book, and it’s also good news for many users of UAG, IAG or eGap users, as this is the 1st public book about these products.

For those who never heard of these products, UAG is the latest member of a line of secure remote-access products. It was originally developed by Whale Communications from Israel, which was purchased by Microsoft in 2006. In 2007, the previous version named IAG (Intelligent Application Gateway) was released, and a few months ago, UAG (Unified Access Gateway) was released as part of the Forefront family of security products.

The book itself is not really finished – I still have a few more chapters to write, but the publisher has released the first three chapters as something they call RAW (short for Read As we Write). It’s like a Beta version – readers can get it right now, way before the book is officially out, and also make comments or suggestions to it. This is a great honor for me, of course, as the publisher only releases into RAW books that are very well written, and can stand their ground without significant edits.

Even though the book is about UAG, a lot of it also applies to IAG, and even eGap. It’s written specifically for the UAG beginner, and starts with basic concepts and design. It then goes through advanced configurations and troubleshooting, as well as Direct Access. It does not, however, cover advanced scenarios like ADFS or customizations.

Interested? I hope so…go ahead and look at:

Wednesday, July 7, 2010


An old boss of mine used to say that his best employees are the laziest, because they create automation to do their job, and automation reduces human error. Since human error is one of the leading causes of security breaches, this also means that using automation appropriately could not only serve to free up time, but also reduce your exposure and boost your security.

Granted, developing automation can be a pain. It sometimes takes days of development and testing, but the benefits are fantastic. For example, one of the most common security pain points out there are user accounts. Every time an employee joins the company, you have to create an account, create a random password, fill in all the account details, assign the user to various groups, and finally, convey the appropriate information to the user securely. If an employee leaves, it’s even worse, because you have to close out the account with very precise timing, to make sure the ex-employee doesn’t get locked out prematurely, but also not be able to connect from home after leaving his position. The worst are role-changes, which require you to carefully clean-up the account of unnecessary permissions, to make sure the employee can’t abuse the rights he had in the past.

When you need to do this on a routine basis, within a few days, you would be able to perform such tasks almost blindly. Like driving a car, this is what we refer to as “over-learned activity”. After a while, we tend to feel confident enough to chew a sandwich while doing it, talk on the phone or installing a server (talking about the network here…not installing a server while driving a car), and that’s where the little mistakes creep in. We might send the password to the wrong person; add the user to a group that has too many permissions, or worse. I’ve met an engineer who once, absentmindedly, misspelled the first name of a person named Bart as…well…you can guess. That guy got some chewing, but he might as well have exposed his network to attackers if his absentmindedness led somewhere else.

If you’re lucky, perhaps your company is rich enough to afford identity management software, but the costs of such suites and their adoption is immense. If so, why not write up your own automation? A VBScript, ASP page, PERL script or sometimes even a Batch file can save you tons of tedious work. If you’re thinking to yourself “heck…I ain’t no programmer!” you might be selling yourself short. Some tasks are so simple to achieve in VBScript and Batch that you can achieve this almost instantly. For example, a script to generate a random password in VBScript is so simple. Here’s a clever and tight one by Martijn Haverhoek . Here’s another one, written in JavaScript: . With time and patience, a script can be written to automate almost the entire process of creating and deleting user accounts, as well as other administration tasks.

Even when using automation, mistakes can still happen, but by shortening the processes, it makes them less tedious and encourage performing them with more attention and focus. Another advantage is that it may allow you to delegate some tasks to your subordinates (knowing that there is less things for them to mess-up) or to your colleagues when you go on leave. Even if you are a decision maker and will never get into programming, you can still benefit your organization by hiring or contracting someone to develop some automation for you. Start simply by thinking which processes are performed routinely, and which are the most annoying or tedious. From then on…the sky’s the limit!