Access is Access is Access

Submitted by Mike Rothman on Fri, 2006-09-29 11:03.

One of the most interesting parts of my job is getting in front of folks and waxing poetic about the topic du jour. Most of the audience politely nods throughout the session, but I'm not sure if that's because they forgot to take their insulin that morning, had someone spike their coffee, or whether they really actually agree with me. But more often than not, there is one in the crowd that wants to show everyone how smart they are.

Some speakers get pretty annoyed with these hecklers, but I kind of like it. First, they challenge my thinking and make me defend my position. There is no better way to figure out if you know what you are talking about than having to prove it to someone who disagrees. But sometimes these folks ask questions that make me connect a few dots that I either gloss over or didn't connect in the first place.

At the Interop session I did last week, I had one of these folks in the audience. He was actually on the cordial side, but by the end of the Q&A it was basically a conversation between me and him. The rest of the crowd was along for the ride. After I went through my NAC spiel, describing the three aspects of NAC (endpoint admission, access control, post-connect behavioral analysis) and how to bring it into a network, he asked how NAC and SSL VPN are going to come together, if at all.

This is something I had commented on before, but it had slipped my mind. I answered his question pretty simply. Access is Access is Access. Over time, we are not going to distinguish between what an SSL VPN box provides and what you'll get from NAC. For now, there is an artificial distinction because SSL VPN lives on the perimeter and most NAC solutions go on the internal network.

But as the external perimeters collapse and you deploy additional "perimeters" around key applications and resources, the distinction will fade. We are starting to see increasing noise around interoperability between SSL VPN and NAC. Juniper has put its Neoteris gear on the PPT slide talking about its Infranet strategy. You also see Cisco's multi-purpose ASA box playing a role in their NAC architecture. And you see some business development deals happening, like between AEP and Lockdown.

You also have vendors formerly in the SSL VPN space looking to position themselves as NAC players. Off the top of my head, Caymas and Aventail come to mind. I'm sure there are more. And we'll inevitably see the NAC vendors look to play increasingly on the perimeter of the network. It's a logical extension of what they do and there is also a pretty significant SSL VPN budget to target.

One man's opinion is that the NAC vendors are far better positioned to swoop in on the SSL VPN market than vice-versa. Why? Because boxes that were originally architected to protect an access connection will have a hard time scaling to LAN speeds. It's like building a scooter and then having a product manager come up and say the machine needs to compete in Formula 1. Unless the box was designed to scale to gigabit speeds (and just happened to be positioned as a remote access product) this requires a brain transplant. Brain transplants are hard.

Ultimately, from a customer's standpoint, it's about the policy. They want to be able to manage a consistent access policy across their entire network. Sure, this sounds like utopia, but as you continue to have more mobile employees, increasing outsourcing, and tighter business collaboration, what choice do you have? You can continue to manage different access environments, but there's no leverage in that.

Access is access is access. Remember that.