Tim Wilson over at Dark Reading is reporting on a recent Applied Research West survey on NAC (it sounds like it was sponsored by Symantec, but I'm not sure):
300 security professionals interviewed
70% have already deployed NAC or plan it in the next 12 months
86% had no problem deploying
21% had difficulty integrating with security hardware and software
18% said NAC used too many resources
16% complained of lack of industry standards (Well, this flies in the face of all the so-called industry experts who keep telling us that no one will adopt until standards are defined. We all want standards, but they take time.)
54% want an all-in-one product from a single vendor (not possible with an out-of-band vendor, I'm afraid; there are too many moving parts)
61% say vendors should adopt standards (I wholeheartedly agree, which is why we continue our efforts with IETF, TCG and Microsoft.)
27% use NAC for guest access
80% use it to prevent unauthorized users accessing the network
66% use it to protect critical business assets and prevent data loss
(this is totally in line (no pun intended) with what we see from our customers)
30% say they have no plans to adopt NAC in next 12 months
35% of those say it's too costly
27% of those say it's not interoperable with their existing infrastructure
20% of those say it's too disruptive
(hmmm, they should take a look at our solution, it addresses all those points)
63% prefer NAC enforcement to take place in the network rather than at the endpoint
(the logical enforcement point, since the endpoint can be, and usually is, where exploits occur)
We have done our own survey, which was a little more focused, and the results will be published over the next week or so. Look out for that; it's interesting for trends, but I'd be interested to hear from IT professionals whether they think it's in line (there's that pun again) with their thinking.
Overall it sounds like the industry and customers are starting to settle on some fundamental architectural building blocks:
- The primary requirement for NAC is to police unauthorized access and protect critical assets
- Don't rely on enforcement on the endpoint, the network is the place to do it
- Provide a turnkey solution that's easy to drop in
- Build ubiquitous security into the network
- Minimize the resources required to manage NAC
- Plan for interoperability and standards
- Make NAC more affordable
Now I can honestly say, hand on heart (that's a big deal for a marketing guy, because we don't have hearts, but if it helps, I started life as an engineer), that we have satisfied each and every one of those requirements. I'm very proud of what we have done to mature NAC beyond its infancy into a holistic LAN security solution that can stand up to both technical and fiscal scrutiny. We don't have all the answers (yet), but our architecture and approach will stand the test of time.
//Dom
UPDATE: Tim Greene at NWW has also picked up this story

Castan,
Thanks for the feedback, and let me address your comments:
1) The lack of performance for in-line security solutions has and always will be a concern for Enterprises. However, Nevis was founded with the vision of solving the compromise between deep security inspection and multi-Gbps LAN performance. Our proprietary ASIC delivers on that vision (more than 10Gbps sustained full security throughput) and has been demonstrated and deployed in many highly demanding Enterprise environments running mission critical and latency sensitive apps.
As for the E.P. being a "cut of line", I assume you are referring to it being a single point of failure? Again, we designed our products to account for these issues and provide full active/active and active/passive HA along with fail-thru.
2) Endpoint to Endpoint contamination is certainly a concern as you've pointed out, and any solution that sits higher in the network won't be able to fully control and contain that, particularly out of band solutions. The right answer to this is the Nevis Secure Switch. A 48 Gigabit port wiring closet access switch that fundamentally integrates all of the different security elements (NAC, per port/user application intelligent firewall and full IPS) on every port at full switching speeds and latencies. We also have an appliance that sits higher in the network, but because it's in-line it can meaningfully detect and selectively block malware attempting to reach higher in the network. OOB NAC solutions claim that they can prevent endpoint to endpoint contamination by controlling downstream switch ports, but that approach while useful for some things is overly complex and flawed. First you have to hope they support your switches and firmware, then you have to configure everything (I should also mention you have to reconfigure them every time you make a network change), but worst of all they fail on their claims to control pollution between endpoints. The simple reason for this is that by the time they detect an infection and attempt to block the port by contacting the switch, the malware has long gone, and worst of all, it is headed deeper into your network where your critical infrastructure and data assets lie. An in-line solution can prevent this happening.
Cheers, Dom
Posted by: Dominic Wilde | October 17, 2007 at 10:29 AM
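The point argued in the reply above (an out-of-band enforcer detects on a mirror of traffic that the switch has already forwarded, then has to wait for the switch to close the port, while an in-line enforcer drops the packet before it reaches a peer) can be made concrete with a small discrete-time model. This is an added illustration, not code from Nevis or from either commenter. It assumes one packet per tick, a single compromised host on the VLAN, detection that is instant once a configurable number of malicious packets has been seen, and a switch reconfiguration delay expressed in ticks; all traffic is constructed inline. What it shows is that the leak window for the out-of-band design is bounded by detection threshold plus reconfiguration latency, which is the figure to measure when evaluating such a product.

```python
"""Toy model of NAC enforcement placement: in-line vs out-of-band (constructed example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Packet:
    tick: int        # arrival time; this model sends one packet per tick
    src: str         # sending endpoint
    dst: str         # receiving endpoint on the same VLAN
    malicious: bool  # stands in for whatever an IPS signature would flag


class Detector:
    """Flags a source once `threshold` malicious packets from it have been seen.
    threshold=1 models a perfect signature match; larger values model a
    behavioural detector that needs several packets before it is sure."""

    def __init__(self, threshold: int = 1) -> None:
        self.threshold = threshold
        self.seen: Counter = Counter()

    def observe(self, pkt: Packet) -> bool:
        if not pkt.malicious:
            return False
        self.seen[pkt.src] += 1
        return self.seen[pkt.src] >= self.threshold


def simulate_inline(packets: List[Packet], threshold: int = 1) -> int:
    """Enforcer sits in the forwarding path: every packet is inspected before
    it is forwarded, so a flagged packet is dropped and the source stays
    blocked. Returns the number of malicious packets delivered to peers."""
    det = Detector(threshold)
    blocked: Set[str] = set()
    delivered = 0
    for p in packets:
        if p.src in blocked:
            continue
        if det.observe(p):
            blocked.add(p.src)
            continue  # dropped before it reaches the peer
        if p.malicious:
            delivered += 1
    return delivered


def simulate_out_of_band(packets: List[Packet], reconfig_delay: int,
                         threshold: int = 1) -> int:
    """Enforcer watches a mirror (SPAN) of the traffic, so the switch has
    already forwarded each packet by the time the detector sees it. On
    detection the enforcer asks the access switch to close the port, which
    takes effect `reconfig_delay` ticks later (assumed value, not measured).
    Returns the number of malicious packets delivered to peers."""
    det = Detector(threshold)
    port_closes_at: Dict[str, int] = {}
    delivered = 0
    for p in packets:
        if p.src in port_closes_at and p.tick >= port_closes_at[p.src]:
            continue  # port is finally shut
        if p.malicious:
            delivered += 1  # already on the wire to the peer
        if det.observe(p) and p.src not in port_closes_at:
            port_closes_at[p.src] = p.tick + reconfig_delay
    return delivered


def worm_burst(ticks: int = 10, first_malicious: int = 2) -> List[Packet]:
    """Constructed stream: hostA talks normally to its VLAN peer hostB, then
    starts sending exploit traffic at hostB from tick `first_malicious` on."""
    return [Packet(t, "hostA", "hostB", t >= first_malicious) for t in range(ticks)]


if __name__ == "__main__":
    stream = worm_burst()
    print("in-line, signature match:      ", simulate_inline(stream))
    print("in-line, 2-packet behavioural: ", simulate_inline(stream, threshold=2))
    for delay in (0, 3, 6):
        print(f"out-of-band, reconfig delay={delay}:",
              simulate_out_of_band(stream, delay))
```

Running the block prints the malicious packet count that reaches hostB under each design; the out-of-band figure grows linearly with the reconfiguration delay, and even a delay of zero leaks the packet that triggered detection, because it was forwarded before the mirror copy was inspected.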
Congratulations for your analysis.
You wrote "Don't rely on enforcement on the endpoint, the network is the place to do it". I have two comments.
1) You recommend the in-band mode. But, there is a lack of performance. The Enforcement point is now a "cut of line".
2) There is also a security issue. Each station in front of the E.P. can now pollute the other stations of the VLAN.
Posted by: Castan | October 17, 2007 at 08:05 AM