2008 DOI: Day 4 - Weaving security into the network fabric
2007 Incite: Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to make sense of muddled offerings that deliver disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes that result in checks and balances at all levels of the organization.
2008 Incite: Weaving security into the network fabric
Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.
When you think about it, there really shouldn’t even be a network security industry. Who is going to connect to the Internet bareback nowadays? Only Rip Van Winkle. Even back in the late 90’s you had to look hard to find folks that didn’t use firewalls. But a firewall alone does not a network security strategy make.
So we had things like IDS and then eventually IPS that made inroads. We had application-oriented attacks, so we needed spam gateways, web filters, and web firewalls. Now we have application firewalls because the existing network security devices can’t really handle some of these newfangled attacks. It’s that same innovation, integration, and consolidation cycle I mentioned yesterday.
At the same time the perimeter defenses were integrating, we had a general acknowledgment that letting infected devices connect to our networks was a bad thing. It just took a few SQL Slammers to show how dangerous it was when a mass-proliferating anything breached your perimeter. So the network access control business was born. It was actually called Network Admission Control initially, and Cisco coined the term. Of course, the ABC (anyone but Cisco) crowd couldn’t let that happen, so they all banded together and figured Network Access Control (NAC) was a better term.
NAC was the second coming. NAC was everywhere. NAC could cure cancer. That’s if you believed the hype. I, of course, did not and was projecting a disappointing 2007 for NAC. I was right, but that was obvious. No technology could live up to that hype. And it didn’t.
So where do we go from here? Basically I think a lot of people forgot the first word in network security, and that is NETWORK. I’m seeing a lot of operational security resources migrate back to the ops teams (and the pendulum swings back), so a lot of the buying decisions for network-oriented stuff are going to increasingly end up with the network folks.
Guess who networking folks like to buy product from? Right, networking vendors. Thus, it’s just a matter of time before Big Networking squeezes the network security specialists out. So anyone selling an exclusively overlay network security solution is going to have a problem. Over time, those capabilities are built into the switch. So if you don’t have a switch and you do NAC, I’m hard pressed to see how that works out a couple years from now.
To be clear, this is not an absolute and it’s going to take years to get there. But to think that end users want layers of overlay security on top of their devices is silly. Also, figuring that your favorite big networking vendor isn’t going to take the majority of the network security market share is being naïve.
That means the shakeout will continue. And this year it’ll be more than just Vernier becoming Autonomic and heading for higher ground (again). The good news is that there are a lot of big networking firms that don’t really understand security. Most are struggling, but they still have a lot of dumb money. That means Barnum can come in and sell them a bill of goods. It also means that it’s a race, and the one without a seat when the music stops is in a world of hurt.
But don’t believe me. Believe a couple of guys that are actually smart. Thomas and Nate debate NAC towards the end of their annual predictions. And they are right.
Lastly, I want to drive my stiletto deep into the heart of NAC standards. Windows Server 2008 is pretty much here, so now that means NAP (Microsoft’s Network Access Protection) will become pervasive, right? Wrong. Cisco has its own thing, and everyone else has TCG/TNC (the Trusted Computing Group’s Trusted Network Connect).
But the cold, hard truth is that customers don’t care about standards. If the functionality were important enough, they would deploy the technology without a standard. If it’s not, they tell the sales reps that “standards are important” and that they are going to wait for the standards to shake out. That way the sales rep’s ego isn’t bruised and they’ll stop calling. But in reality, the customer is saying, “What you do isn’t important enough to me, so I’ll wait until it is.”
And that seems to be the story of NAC.