
April 2007

April 26, 2007

Is NAC Dead, or Simply Marooned?

My initial reaction to Forrester’s recent “NAC is dead” report was a lot like the rants in the many NACcy security blogs I’ve read over the past few weeks (you know the ones, I don’t have to name names). Yes, Whiteley and Lambert seem to undercut their own case for all security “intelligence” concentrating on the desktop when they generalize based on testimonials like the one about how hard desktop firewall policy is to manage. And yes, they seem to overlook how numbing it can be for innocent and honest users who have to wait for their PCs to respond while all these security clients do their thing. But now that I’ve had a chance to reflect, I think they are really on to something.

The “elephant in the room” is policy. Enforcement, which we all seem to agree must be in the network and off the endpoint, is relatively easy by comparison, even in the presence of flooded packets, asymmetric routing, and all those other nuisances that make it challenging and fun. Treating today’s NAC as a “compliance verifier” kind of sweeps under the carpet the biggest problem with its primarily pre-connect role, that of making sure that the things doing the heavy lifting are all “compliant.” Compliant with what? What exactly do we want it to check for? And as a post-connect access control function, which I think flat out should not be trusted to endpoints, “what exactly do you want to allow Joe User to do, again?”

Look at the NAC messaging out there: it all assumes everybody already knows what their “policy” is (as though it’s been sitting around gathering dust in their organizations for years), and that they’ve been frustrated that they could only use it to make nice hallway posters. And now their NAC gadgets will finally let them enforce it.

But just in case you didn’t know what your policy is, NAC products will come to the rescue and happily give you nice GUI widgets, so that you can select exactly what you want to check for on endpoints. And some (including Nevis) even give you policy as a subscription service today. But is this all there is to it?

Forrester is saying, rather explicitly, that PERM (which I don’t think will ever roll off the tongue like “NAC” does) is all about policy, and “policy-based software technologies.” They may be sticking their necks out implying it will all end up on the endpoint, but I believe they are right on when they say that it’s critical for policy to be simplified, centralized, and integrated with other corporate investments, such as IAM, rather than existing on separate “islands.” LAN security in general, and NAC in particular, should be all about coordinated enforcement in the network, not introducing more isolated policy.

Joseph Tardo, Ph.D.


April 23, 2007

Welcome to Nevis' CTO Blog!

Welcome to the Nevis Networks CTO blog. Our mission as Chief Technical Officers of the company is to connect with some of the leading minds in the industry, including those of our customers, recognized industry experts and our peers from academia, to try and anticipate what factors will be affecting network security deployments into the foreseeable future. This forum will serve as a venue for sharing our insights and commentary on industry trends, as well as to stimulate exchange on cutting edge ideas in the realm of LAN security.

The Office of the CTO is currently manned by a strong group of technical individuals, which will eventually include both of our co-founders and our senior architects. For now, I’m taking the lead in putting our thoughts forward here, but we expect all of our technical leadership to guest author periodically on their specific areas of interest and expertise.

We hope you find the exchanges illuminating (hence the name) and insightful. We promise to keep our thoughts hype-free, based in technical reality, and somewhat casual. We hope it’s always thought-provoking, and we encourage you to share your input as well. We look forward to kicking it off with a more substantive commentary later in the week.

Joseph Tardo, Ph.D.
