Napera @ SMBnation
The Napera team will be at the SMBnation fall conference in downtown Seattle this weekend, talking to folks from around the country. Drop by and say hello!
David Strom, former Editor-in-chief of Network Computing and reviewer at large, just posted a great review of the Napera N24 on WebInformant.tv.
Protecting Your Small Business Network with Napera’s Appliance
One of the advantages that Napera enjoys by leveraging Microsoft’s NAP architecture is immediate compatibility with a wide range of Windows antivirus, antispyware and firewall solutions. Microsoft maintains a list of Vista compatible security software and today we published a detailed Napera support document (PDF) listing all of the solutions we’ve tested here (thanks to Tony for his hard work on QA). In general, any Windows XP or Vista compatible security application that supports Windows Security Center (introduced in 2004 with Windows XP SP2) will work great with NAP. We’ve only found a couple of obscure AV applications that don’t support Windows Security Center.
On a similar note, the number of NAP solutions from Microsoft and third parties continues to expand, reinforcing the momentum behind Microsoft’s platform that Margaret blogged about last week. Earlier this month Joe Davies at the Microsoft NAP blog posted details of the various Microsoft SHAs that are shipping, and today Joe published a new list of seven SHAs from Microsoft’s NAP partners as well. It’s great to see the progress NAP has made on this front.
Perhaps all this momentum will finally encourage Cisco to really join the NAP party and announce native support for NAP and the TCG/TNC standards?
A post by Nir Zuk at Palo Alto on innovation and another at OnStartups inspired me to follow up on my earlier posting on why much of the recent innovation in networking and security has come from startups. The first idea I wrote about was the ability to engage with customers. The next is the ability to focus on and quickly innovate around the customer problem.
Building great products requires focus. Large companies often spin out incubator units to drive innovation and Xerox PARC and Microsoft Research are great examples of this. Regardless of high concept research units, few large technology companies consistently turn research into innovative products. R&D is often disconnected from customer needs and instead is aimed at some future delivery of breakthrough technology. The reason in my experience is that large companies foster an environment where people become distracted by a myriad of concerns and are unable to focus on the essential customer value of their product. Instead, they often turn out products which try to be all things to all people and end up simply mediocre. Much of the innovation in security in the last decade such as stateful inspection, firewall appliances, network access control and security in the cloud came from companies that were startups at the time and challenged the status quo.
Some large companies eschew R&D and simply outsource their innovation to startups. Cisco is one example that has followed a successful long term strategy of acquiring networking startups as markets mature. Often the companies Cisco acquires have been founded by ex-Cisco engineers, which proves that even when the very same people are involved, the startup culture demands freedom in which to successfully innovate, and an opportunity to focus on the problem at hand without the distractions of trying to satisfy other demands.
At a successful startup, all the wood is behind one arrow. Everyone should be working on solving the customer problem, and success is predicated on achieving that result faster and more creatively than others. The level of focus on the customer and ability to quickly innovate is unmatched. The best startups foster a clear rallying point around a compelling technology, have a direct connection between customers and product management, and build an environment dramatically more efficient at creating new products.
The speed of innovation is critical. At Napera we are running on a three month innovation cycle and we are closing on our third release since we announced our product line. For anyone building a complex networking product, this is much faster than larger companies that can take a year or more to get out a new release. Talking to a customer about a pain point and then demonstrating the first pass of a solution a few months later is dramatically more effective than trying to solve all of a customer’s problem with one gigantic release that takes forever, and often misses the point entirely.
It didn’t surprise us when Forrester Research put Microsoft NAP as the frontrunner in the Network Access Control market (The Forrester Wave: Network Access Control, Q3 2008). “Microsoft’s NAP technology is a relative newcomer but has become the de facto standard…,” said Rob Whiteley in his report. While Cisco and others might be able to claim more direct revenue from NAC products as of now, I believe Microsoft has the technology and framework that positions it for success.
As Tim Greene pointed out in his NAC newsletter, “the result is interesting because it’s not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations.”
Tim hit the nail on the head, as NAP works in the real world, not just in a complex architectural diagram that only exists in a 30-page white paper. I think NAP’s success is twofold: One, NAP is built into the operating system on the client and server, making it easier for customers to use and deploy; and, two, NAP is one of those rare examples of Microsoft truly achieving interoperability and playing nice with others.
Here at Napera, we believed early on that Microsoft NAP was a technology to invest in, which is why we license Microsoft’s protocols to create a highly integrated solution around NAP. While there are over a hundred NAP partners, Napera is one of the few partner solutions that integrate directly with NAP versus just interoperating with it. Our product communicates with the NAP Agent service in Windows Vista and XP, allowing our customers in the small and medium enterprise space to leverage their existing investment in Windows. Napera then builds on the NAP platform to provide a single solution that combines health enforcement for both Windows and Macintosh computers with identity enforcement and guest access.
More about our NAP integration and partnership is highlighted on the Microsoft NAP blog this week, as Napera is the first partner to be featured in Joe Davies’ Spotlight on NAP Partners.
Interop NY has been a great show this year. Although always a little quieter than the West Coast event, there were plenty of familiar faces and the combination of Interop with the Web 2.0 conference in the same venue kept the Javits Center busy yesterday.
Mike Fratto hosted an interesting and well attended panel on NAC yesterday, and there was plenty of spirited interaction from the audience. Steve Hanna from Juniper did a great job of explaining the Trusted Computing Group standards around NAC, and along with the audience asked the obvious question of why Cisco hasn’t done more to support TCG’s TNC standard. According to Cisco the jury is still out until the IETF ratify their variant sometime in 2009.
I’m speaking on building products with SaaS at 10:15 this morning, a topic I’ve written on before. Come by and say hello!
I’ll be representing Napera on a panel at Interop New York next week, with Alistair Croll on the topic of Using SaaS to Make Good Products Great. I look forward to seeing you there!
Topic - Using SaaS to Make Good Products Great
Time - Friday Sept 19 @ 10:15am
Moderator - Alistair Croll, Principal Analyst, BitCurrent

Last week we announced our new 1.2 release, which is available now to all customers.
An exciting new feature is integration of robust Wi-Fi authentication into the Napera product line. You can now use your new or existing 802.11 wireless access points with WPA/WPA2 Enterprise encryption, and simply point them at your Napera N24 to handle all authentication. This enables you to securely use any access point for both employees and guests, and to move away from the inferior security and shared passwords of WEP or WPA Personal encryption.
With our 1.2 release, the Napera N24 will use WPA Enterprise to authenticate Wi-Fi users against Active Directory and enable you to create local guest user accounts. The Napera N24 handles all of the RADIUS processing required for WPA Enterprise with the minimum of fuss and without the work that usually goes into such a deployment. On MyNapera.com, go to the Configuration tab, look for Wi-Fi under Authentication and define a shared secret, then configure the access point for WPA Enterprise and you are off and running with the best possible Wi-Fi security!
For our Macintosh customers, we’ve also added a number of new features to the Napera Health Agent for Mac OS X which bring it closer to the functionality of the Microsoft NAP agent on Windows. The Mac agent now alerts the user to health conditions without them having to open a browser, and we provide remediation for specific Mac health conditions.
You can update to release 1.2 from your dashboard on MyNapera.com by selecting ‘Software Update’. We plan to continue an aggressive software development schedule with new features delivered via MyNapera.com every two to three months.
Imagine if I walked into a bank and told the teller: “Hi, my name is Bill Gates, and I want to withdraw all the money from my account.”
Knowing that the teller would want proof that I am Bill Gates, I would also hand her an affidavit with a picture of my face stating that I am indeed Bill Gates. The catch is: the affidavit was signed by me, “Bill Gates”. No bank teller would accept my self-signed affidavit saying that I was Bill Gates; in fact, she would require a notarized version or some other proof of identity validated by a known authority.
But in the world of SSL-managed security appliances, self-signed certificates are commonplace and used by thousands of organizations worldwide. Like the Bill Gates impostor in my fictional story, security products that use self-signed certificates are undermining the security afforded by certificate-based SSL.
A little background may be in order to fully understand this analogy and why I make this bold claim. Certificates are used to bind an identity to a cryptographic public key. The identity part of the certificate contains the name that shows up in the Web browser. The public key is used for performing cryptographic functions, such as setting up the SSL encryption keys. Normally, a certificate is signed by a well-known trusted third party called a certificate authority (CA). A browser that trusts the CA also trusts any certificate signed by that CA. When a security product uses a self-signed certificate, there is no third-party verification of the identity. If a browser receives a self-signed certificate, it pops up a warning, and the burden falls to the user to confirm the identity.
Pushing this decision to the user is ultimately what opens up the possibility of a man-in-the-middle (MITM) attack. The security issue is not with self-signed certificates, but with the way users interact with them in the browser. The warnings about self-signed certificates look just like every other warning that pops up in the browser.
Every time a user browses to a site with a self-signed certificate, a warning pops up that says something like: “The security certificate presented by this website was not issued by a trusted certificate authority.” After seeing five or six of these warnings, users tend to click right past them without consideration. Consequently, a user may accidentally allow a MITM attack when connecting to a legitimate site by clicking past the identity warning.
In Firefox 3, the user experience around self-signed certificates is significantly more complex and confusing than in previous versions, which has potentially worsened the user experience but increased the security around the interaction with certificates. Instead of one warning dialog box like in Firefox 2, Firefox 3 forces the user to click through no fewer than four dialog boxes in order to use a site protected with a self-signed certificate.
Many have argued that this is a step backward for Firefox, but I couldn’t disagree more. Accepting a self-signed certificate should not be a common action and shouldn’t be rushed through by the user. The user needs to carefully consider that the certificate being verified is indeed the correct one.
Administrators should minimize the use of self-signed certificates, especially in their security products. The easiest way to do this is to obtain certificates signed by a trusted CA. Most security products support the ability to import a certificate signed by a CA. With a signed cert, users will be able to browse to the secured pages without being prompted by any certificate warnings.
At Napera we wanted to promote the secure use of SSL while still maintaining ease-of-use. To accomplish this, each Napera N24 ships with a certificate signed by GlobalSign. Out of the box, a user can connect to the management interface of a Napera N24 over a secure SSL connection without any certificate warnings.
Bundling a signed certificate is not only more secure but also simplifies the user interface.
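The difference between a self-signed and a CA-signed certificate described above, as an added example (not Napera's code). It assumes the `openssl` command-line tool is installed; "Demo CA" and `appliance.example.test` are constructed names, and the throwaway CA stands in for a publicly trusted one.

```shell
#!/bin/sh
# Added demo: every key, name and certificate below is constructed on the fly.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Build a throwaway CA, a CA-signed appliance cert and a self-signed one.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=appliance.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/signed.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=appliance.example.test" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# True when issuer equals subject and the signature checks out under the
# certificate's own key: the certificate vouches only for itself.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when the certificate ($2) chains to a CA in the trust file ($1),
# which is the check a browser makes before deciding whether to warn.
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_pki "$workdir"
for c in signed.pem self.pem; do
  if is_self_signed "$workdir/$c"; then kind="self-signed"; else kind="issued by a third party"; fi
  if trusted_by "$workdir/ca.pem" "$workdir/$c"; then
    echo "$c: $kind, chains to the trusted CA (no warning)"
  else
    echo "$c: $kind, not verifiable against the trusted CA (browser warns)"
  fi
done
```

Point `is_self_signed` and `trusted_by` at a PEM file exported from an appliance's management interface and at your own CA bundle to run the same checks on a real certificate.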
It’s been a busy summer here at Napera and I plan to get back into the blogging habit later this month. In the meantime, a couple of weeks ago I had the chance to chat with Mike Vizard of eWeek about managed security services, and the podcast is now up on the eWeek website.
Mike and I spoke during Seattle’s annual Seafair celebration, and if you listen real close to the audio you can hear the Blue Angels roaring over the Napera offices on Mercer Island on their practice flights!
