An interesting article and a timely blog post from Mike Rothman caught my eye yesterday...
In the internetnews.com article, it appears that Ofir Arkin is on his soapbox at Black Hat again, spouting about the insecurity of NAC. I thought his presentation at last year's Black Hat was a little academic, but this year I find myself nodding along as I read his comments. His comments on the NAP/TNC alliance certainly ring true: a great idea, but a multi-vendor approach will inevitably add complexity and implementation problems (that's OK, there is plenty of time for this to evolve). What really resonated with me, though, is his suggestion that NAC has to evolve beyond a focus on the endpoint posture check (let's face it, that's not really hard and is of limited value) and become a more real-time technology, providing an accurate view of what's on the network and what it's doing at any moment in time. I've always felt that the temporal nature of posture checking was a fundamental flaw in the NAC concept: a host that passed the check at connect time can be compromised a minute later, and a one-time check will never see it. That has obviously been borne out as most vendors react to ever more educated customer demand and rush to declare that they have some kind of post-connect threat monitoring capability to address the myriad of issues that couldn't be caught in the pre-connect phase. Unfortunately for all these vendors, they are limited by their architectures and have to resort to taking inputs from other detection devices so that they can send control messages to yet other devices to do any enforcement. The reason we at Nevis built our product from the ground up was to overcome two obvious architectural issues:
1) If you want granular visibility and control in real time, you have to be in the data path.
2) If you're in the data path, performance and scalability are critical.
Vendors have to be held accountable when it comes to enabling deep packet inspection and control in real time and at LAN speeds, and that means legitimate 10 Gbps performance under inspection load, not vacuous data sheet claims.
On a separate note, I have to commend Mike Rothman on his Daily Incite. Being the straight shooter that he is, he has gone straight to the heart of the matter and recognized that the broad Network World NAC test that was published yesterday has really only tested one feature, and "the least interesting part" at that. It would be more meaningful to customers to start testing NAC appliances for performance, scalability and the ability to solve the real-world problem. Yes, that's harder to do from a test bed standpoint, but that is what customers need to evaluate when making critical decisions to insert devices into critical areas of their networks and data paths. I have to commend Joel Snyder and Mandy Andress for pointing out in the article that even though many of these products claim to be out of band, and vendors claim there is no performance requirement because of this, they all at some point sit in line during the NAC process, even if it's just for authentication. We're no doubt going to see all the usual crowing and posturing from those that topped the scoring (hell, I'd do it too), but at the end of the day it's a data sheet validation exercise. Let's face it, the review is a snapshot in time in a limited and vanilla test bed. Enterprise networks are way more complex, each with a myriad of unique nuances, and if there is one thing I know for sure from our customers, nothing beats trying it out in your own network. I'd really like to see someone step up and do a review in the form of a real-world business problem rather than feature comparisons. Challenge vendors to solve the two critical problems that NAC is supposedly targeted at, and measure them on their success in achieving the end goal in a practical, manageable and affordable way:
1) Ensure that the services the network offers stay up in the presence of malware and threats.
2) Ensure that users get appropriate access to resources and services, and nothing else.
I think we'd soon find out that it is too complex and expensive to get all the moving pieces required by most solutions to work, and that taking anything but an identity-based approach to access control incurs too much cost and complexity to be practical. Oh, and I'd also like someone to stand up and be counted and recognize that while 802.1X is certainly a great ideal for network authentication (that's why we support it), it's not as simple as industry experts purport it to be, and many who have tried it have given up because of cost, complexity, interoperability and just plain frustration. There has to be some transition path to really make it practical while adding significant value after you get there, and that's part of the value proposition that Nevis offers its customers.
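To make the two architectural points above concrete, here is a small in-path flow enforcer, written for this post as an illustration and not taken from any Nevis product or the Network World test. It binds each session to an authenticated identity and role rather than to an IP address, checks every flow against that role's policy, and adds one post-connect trigger: a host that fans out to too many distinct destinations on one port inside a short window is quarantined on the spot, regardless of the posture check it passed at connect time. The roles, zones, thresholds and flow records are all constructed for the example.

```python
"""Identity-bound, in-path flow policy with a post-connect trigger.

Constructed illustration for this post (not product code). Assumptions:
- A session is created only after authentication and a passing posture check.
- Policy is keyed on role, not on source IP; the IP is just the session handle.
- One post-connect heuristic: more than SCAN_THRESHOLD distinct destination
  hosts on the same port within SCAN_WINDOW seconds is treated as propagation
  and quarantines the session, even though its posture check passed earlier.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Role -> set of (destination zone, destination port) the role may reach.
POLICY = {
    "finance": {("finance-apps", 443), ("shared", 53), ("shared", 25)},
    "guest": {("internet", 80), ("internet", 443), ("shared", 53)},
}

SCAN_THRESHOLD = 5   # distinct hosts on one port before we call it a scan
SCAN_WINDOW = 10.0   # seconds


@dataclass
class Session:
    user: str
    role: str
    quarantined: bool = False
    # port -> list of (timestamp, dst_host) seen within the window
    recent: dict = field(default_factory=lambda: defaultdict(list))


@dataclass(frozen=True)
class Flow:
    ts: float
    src_ip: str
    dst_host: str
    dst_zone: str
    dst_port: int


class Enforcer:
    def __init__(self):
        self.sessions = {}  # src_ip -> Session, bound at authentication

    def authenticate(self, src_ip, user, role, posture_ok):
        """Pre-connect phase: identity plus a one-time posture check."""
        if not posture_ok or role not in POLICY:
            return False
        self.sessions[src_ip] = Session(user=user, role=role)
        return True

    def _looks_like_scan(self, sess, flow):
        window = sess.recent[flow.dst_port]
        window.append((flow.ts, flow.dst_host))
        # Keep only entries inside the sliding window.
        window[:] = [(t, h) for (t, h) in window if flow.ts - t <= SCAN_WINDOW]
        return len({h for _, h in window}) > SCAN_THRESHOLD

    def check(self, flow):
        """Post-connect phase: decide 'allow', 'deny' or 'quarantine' per flow."""
        sess = self.sessions.get(flow.src_ip)
        if sess is None or sess.quarantined:
            return "deny"
        if (flow.dst_zone, flow.dst_port) not in POLICY[sess.role]:
            return "deny"  # identity says no, even though the host is healthy
        if self._looks_like_scan(sess, flow):
            sess.quarantined = True
            return "quarantine"  # posture passed at connect time; behaviour did not
        return "allow"


def run_demo():
    """Constructed traffic: one finance user who later starts fanning out on SMTP."""
    enf = Enforcer()
    assert enf.authenticate("10.1.1.5", "alice", "finance", posture_ok=True)
    assert not enf.authenticate("10.1.1.9", "bob", "guest", posture_ok=False)
    flows = [
        Flow(0.0, "10.1.1.5", "app1", "finance-apps", 443),   # allow
        Flow(1.0, "10.1.1.5", "web1", "internet", 80),        # deny: not in role policy
        Flow(2.0, "10.1.1.5", "m1", "shared", 25),            # allow ...
        Flow(3.0, "10.1.1.5", "m2", "shared", 25),
        Flow(4.0, "10.1.1.5", "m3", "shared", 25),
        Flow(5.0, "10.1.1.5", "m4", "shared", 25),
        Flow(6.0, "10.1.1.5", "m5", "shared", 25),            # 5 distinct hosts: still allow
        Flow(7.0, "10.1.1.5", "m6", "shared", 25),            # 6th host: quarantine
        Flow(8.0, "10.1.1.5", "app1", "finance-apps", 443),   # deny: session quarantined
        Flow(9.0, "10.1.1.9", "dns1", "shared", 53),          # deny: bob never got a session
    ]
    return [enf.check(f) for f in flows]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point of the example is the order of the checks: the posture result gates session creation once, but identity policy and the behavioural trigger run on every flow, which is only possible if the enforcer sees the flows. An out-of-band design would have to learn about the SMTP fan-out from some other sensor and then ask yet another device to cut the port, by which time m1 through m6 have already been hit.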
//Dom