We were at the Network Computing NAC Battleground Forum this week in NY. When I say we, I mean pretty much any vendor who has the term NAC anywhere in their marketing collateral, plus nearly a hundred customer side folks. Here are a few highlights and observations of the event:
1) It's little wonder that people are confused about NAC. Too many times during the day I found myself with a furrowed brow trying to delineate between reality and fiction. I think the day that Cisco changed "Admission" to "Access" in the NAC acronym was a dark day for the industry. That single act flung the floodgates of marketing spin and disinformation open. We now have far too many companies with no meaningful post-connect capability or depth of security, shouting from the rooftops about how secure they will make your network because they can drop you in a VLAN. People, people, people, let the madness stop. Using a VLAN for security is the equivalent of caging a tiger with drinking straws. But it's worse. Because of the time and complexity involved in sticking straws together, and the complexity of the tiger's needs (he needs to eat, he needs to swim, he needs to see the vet, he needs to sleep, he needs to sit in a tree, etc), you have to build an enormous enclosure and put him in with all the prey animals, zoo keepers, visitors, etc. Where is this analogy going?!?! Anyway, the main point here is that if someone has multiple, or changing, policy needs, do you create an individual VLAN and keep on doing that for tens of thousands of users? I think not! Complexity is the mother of opportunity for the malicious attacker, so the only way to solve this problem is to simplify, simplify, simplify. Use a technology that uses persistent identity, application intelligence and ties into existing identity based policy stores.
2) Comedy comment of the day - "Maybe SOX compliance should be extended to Marketing". Funny for two reasons; firstly it's a great concept and speaks to my first point; secondly because the guy who delivered it was among the worst offenders of the day in spinning his solution. Here is a company that spoke on the Out of Band panel and then spent all their time impressing upon everyone that they had integrated IPS capability (I'm sorry, but by its very definition isn't an IPS an in-line device?).
3) Bizarre moment of the day - A panelist (who shall remain nameless) on our in-line solutions panel having a brain fart and calling time on a competitor's (no free advertising here) presentation while she was in mid-sentence (that's why we have moderators isn't it?). Not a classy or necessary move, according to about 15 people I spoke with afterwards.
4) Disappointing moment of the day - 7 panelists on the OOB panel frying the audience's collective brain by taking 10 minutes each to say "me too". Result: half the audience didn't return after lunch for more lively and concise discussions on in-line and framework based solutions, and more critically, to hear narratives and lessons learned from people who have deployed NAC.
5) Stand out moment of the day - Jeremy Hobbs, CIO at Upper Canada District School Board, describing how he initially deployed a Nevis solution for 40,000+ users for security, but has also found significant and tangible ROI to be in the new business initiatives and working practices it has enabled.
Overall a useful event that gave customers the chance to get educated and get questions answered all in a single day.
//Dom Wilde



Alan, it doesn't surprise me that post connect was easier for you guys since you don't do it, you do quarantine and tie into someone else who does the detection and enforcement.
I guess we have very different perceptions of what post connect is. You advocate the IPS to block and NAC to quarantine approach. As I said in previous comments, at this point the horse has already bolted since your $70 - 120k IPS sits so high in the network that it does nothing to protect end users or anything else downstream. This is why my strong belief is that all this ultimately ends up in the secure switch. You have to get posture checking, threat detection, quarantine, access control and visibility down as close to the user as possible. Ultimately, the only way to do that cost effectively is to put all that functionality in every wiring closet switch port.
Posted by: Dominic Wilde | June 26, 2007 at 08:04 AM
Dom - I think Cisco still calls it admission, especially when talking about the framework, versus the appliance. I could be wrong but double check.
Building pre-connect that does it right is not as easy as you lay out here. In fact post-connect attack detection was much easier for us to bolt onto the pre-connect stuff.
Using IPS to block and then NAC to quarantine (call the IPS post-connect if you like) provides the real-time protection you want. Out-of-band post-connect will introduce some latency, but a well engineered NAC solution should offer both.
Posted by: alan shimel | June 26, 2007 at 06:03 AM
Alan,
Let me qualify my points to be clear:
1) Gartner changing "admission" to "access" was not as significant as when Cisco did it. My point here is that when Cisco changed their messaging and marketing, that's when the marketing chaos started. Cisco have far more influence than Gartner after all :-)
2) I never considered that for a second :-) Why sign up for a day of education and get half educated?
3) I don't believe I said that pre-connect is not valuable. My point is that it's a good start but not enough. I can show you a raft of common malware that would not be affected in the slightest by the presence of the best pre-connect NAC solution. And let's face it, building pre-connect technology is easy, providing a holistic solution that actually really secures the network is hard and requires integrated pre- and post-connect.
4) If you use separate IDS with a NAC appliance that sets ACLs on a switch, today's sophisticated malware will walk right through it. As I said at the event, if you take Slammer (very old technology) as the example (30,000 packets/sec), by the time your IDS sees it, tells the NAC box which in turn tells the switch, the horse has already bolted and set free all the other horses in the stable.
Posted by: Dominic Wilde | June 25, 2007 at 09:20 AM
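The latency argument in point 4 of the comment above (a Slammer-class host at 30,000 packets/sec outrunning an IDS to NAC appliance to switch chain) can be put into numbers. The Python below is an added illustration written for this page; it is not code from the blog, from Nevis or from any product mentioned in the thread. The only figure taken from the page is the 30,000 packets/s scan rate; the vulnerable-host count, the scanned address-space size and every per-hop latency are constructed assumptions, and the spread model is a deterministic expected-value approximation rather than a measurement of any real product.

```python
"""Containment-latency model for a fast-scanning worm.

Constructed example for the comment thread above. An infected host scans at
a fixed packet rate, and an enforcement chain (detect -> notify -> push
policy -> switch applies it) takes some end-to-end latency before that host
is cut off. The question for a defender is how that latency compares with
the time the worm needs to seed one more infection.
"""

# Page-sourced figure: Slammer-class scan rate quoted in the comment.
SCAN_RATE_PPS = 30_000
# Constructed assumptions: unpatched hosts inside one scanned /16.
VULNERABLE = 200
SPACE = 65_536

# Assumed per-hop latencies in seconds; real values depend on the products.
OUT_OF_BAND_CHAIN = {
    "ids_detect": 0.5,        # IDS sees enough traffic to raise an alert
    "ids_to_nac": 0.2,        # alert delivered to the NAC appliance
    "nac_to_switch": 1.0,     # appliance pushes an ACL/VLAN change
    "switch_apply": 0.1,      # switch reprograms the port
}
PORT_LEVEL_CHAIN = {
    "detect": 0.005,          # enforcement point sees the flow directly
    "apply": 0.001,           # block applied on the same port
}


def reproduction_number(scan_rate_pps, latency_s, vulnerable, space):
    """Expected new infections one host seeds before it is blocked.

    Each scan packet picks a random address in `space` and lands on a
    vulnerable host with probability vulnerable/space. Below 1 the outbreak
    fizzles; above 1 it grows exponentially until the chain catches up.
    """
    return scan_rate_pps * latency_s * vulnerable / space


def max_latency_for_containment(scan_rate_pps, vulnerable, space):
    """Latency budget (seconds) at which the reproduction number equals 1."""
    return space / (scan_rate_pps * vulnerable)


def chain_latency(stages):
    """Sum the per-hop latencies (seconds) of an enforcement chain."""
    return sum(stages.values())


def simulate_outbreak(scan_rate_pps, latency_s, vulnerable, space,
                      dt=0.001, horizon_s=1.0):
    """Deterministic expected-value spread model.

    Hosts infected at step i keep scanning until they are blocked
    `latency_s` later. Returns the expected number of hosts ever infected
    by `horizon_s`, starting from a single infected host.
    """
    steps = int(horizon_s / dt)
    block_steps = max(1, int(round(latency_s / dt)))
    cohorts = [0.0] * steps        # hosts newly infected at each step
    cohorts[0] = 1.0
    infected_total = 1.0
    active = 0.0                   # sliding window of not-yet-blocked hosts
    for i in range(steps):
        active += cohorts[i]
        if i - block_steps >= 0:
            active -= cohorts[i - block_steps]   # this cohort is now blocked
        packets = active * scan_rate_pps * dt
        susceptible = max(0.0, vulnerable - infected_total)
        new = packets * susceptible / space
        if i + 1 < steps:
            cohorts[i + 1] += new
        infected_total += new
    return infected_total


def compare_chains():
    """Evaluate both assumed chains against the containment budget."""
    budget = max_latency_for_containment(SCAN_RATE_PPS, VULNERABLE, SPACE)
    results = {}
    for name, chain in (("out-of-band", OUT_OF_BAND_CHAIN),
                        ("port-level", PORT_LEVEL_CHAIN)):
        lat = chain_latency(chain)
        results[name] = {
            "latency_s": lat,
            "R": reproduction_number(SCAN_RATE_PPS, lat, VULNERABLE, SPACE),
            "infected": simulate_outbreak(SCAN_RATE_PPS, lat, VULNERABLE, SPACE),
        }
    return budget, results


if __name__ == "__main__":
    budget, results = compare_chains()
    print(f"latency budget for containment: {budget * 1000:.1f} ms")
    for name, r in results.items():
        print(f"{name:12s} latency={r['latency_s']:.3f}s "
              f"R={r['R']:.2f} infected={r['infected']:.1f} of {VULNERABLE}")
```

With these assumptions the budget works out to roughly 11 ms for the whole detect-to-block path, which is the point of the comment: a chain that relays through an IDS, an appliance and then a switch management interface is measured in seconds, so the reproduction number is far above 1 and the model saturates the vulnerable population before the first block lands. The same calculation is a useful sanity check for any containment design: measure the real end-to-end latency of your chain and compare it with `space / (scan_rate * vulnerable)` for your own address space and patch level.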
Dom- couple of things:
1. Cisco did not change NAC from network admission control to network access control. They still use admission. It was Gartner who changed it! Let's get the basic history straight.
2. I agree, the OOB panel with 7 me-too's was brain numbing. Frankly, going 6th on that panel I did not want to even speak about my product, no way people were going to remember it. I would have preferred to have more questions from the audience. But did you ever think people left because they were only interested in the OOB stuff ;-)
3. Dom, again I am not sure if you are trying to rewrite history in your or Nevis's image, but post-connect capability clearly came after pre-connect checks in the NAC world. Check both Gartner and Current Analysis reports from the past few years and you will see that pre-connect checks are the preferred method of NAC for customers. Not to say that they don't want both, they do, but pre-connect comes first.
4. Post-connect does not need inline IPS (I think I know who you mean by this comment, they take all syslog data I believe). You could use IDS or flow data or any detection technique to alert a NAC appliance to quarantine a defending device.
Anyway, it was good meeting you at the show and keep blogging!
Posted by: alan shimel | June 23, 2007 at 01:49 PM