Bouchard says Scratch AND Sniff
Note from Mike: I'd like to introduce the Security Incite community to Mark Bouchard, a former META colleague, good friend and tremendous analyst. He runs his own analyst shop now, called Missing Link Security Services and is one of my go-to guys when I need to bounce some ideas around. Mark kindly offered some perspectives on the recent NAC "discussion" among myself, Shimel, Hoff, and Stiennon and even more graciously is allowing me to publish them to the community. Of course, these perspectives are Mark's and not my own - as you'll soon come to see.
Scratch AND Sniff (aka, SNAC and SNF)
by Mark Bouchard, Missing Link Security Services
This is by no means a point-by-point analysis of the Stiennon/Hoff/Shimel/Rothman NAC debate. Truth be told, I didn't even review all the threads before compiling this. But for what it's worth, here's my two cents on the topic.
The practice of infosec has always entailed using both belt and suspenders. The principle of defense in depth guides us in this matter, driving the use of multiple, overlapping countermeasures. Appropriately, both approaches discussed (i.e., SNF and SNAC) have value, and both approaches will ultimately be used, at least in some manner.
Perhaps a better question though is which has greater value. In this regard, I’ll have to weigh in on the side of Mr. Stiennon. That said, my version of SNF is actually pervasively deployed IPS (which eventually will come in network switch form factor) that is enhanced with passively and actively gathered contextual information about (a) the environment it is trying to defend, and (b) the entities (i.e., devices, users) that it is trying to protect the environment against (albeit to a lesser extent, I suspect). This contextual information is the key to making IPS much more accurate in terms of false positive and negatives, and in turn enables a greater degree of automated response (e.g., blocking access, quarantining).
This seems like a much better investment than NAC, at least as I understand it. Some of the advantages that I see are these:
- There is no need to maintain 10’s, 100’s or even 1000’s of granular access rules to achieve a robust level of defense. Tellingly, this is an anathema to any organization that has already made significant investments in Identity Management. What I routinely hear from many large organizations is: “why do I want to re-create this wheel at the entry point of my network when I’ve already spent hundreds of thousands of dollars trying to do it with provisioning systems at the servers and apps themselves”.
- There is less likelihood of adversely impacting the business by quarantining legitimate (low risk) users/traffic for potentially useless reasons (e.g., DAT file is > 1 day old).
- There is far less reliance on components that are outside of the organization’s control. External clients and their software will always eventually be broken/hacked. That is one of the long-standing criticisms of most DRM techniques. Consequently, everything originating from (or about) an external client is not really trustworthy. Presuming otherwise is a dangerous trap. This is in contrast to the network traffic that shows up at our network entry points. It is what it is, and is always presumed guilty until proven innocent. To be perfectly clear, I’m not saying that the network defense system shouldn’t account for information pertaining to the client. I’m just saying that how it is obtained and the weight that is put on it deserves more attention – and that NAC doesn’t seem like a good way to get this information.
- And the clincher in my mind: security posture checks done via NAC would need to be significantly more comprehensive before we would have reasonable assurance that the clients are in fact not compromised, and therefore not a threat to the organization’s environment. Just checking for AV, FW, and a few patches is laughable. Let’s also not forget the challenge of building/maintaining agents and/or scanning techniques for every type of client out there – undisputedly an impossible task. However, barring such breadth and depth of checking, it will still be necessary to erect network-based defenses to help prevent attacks. So … if you’re going to have to do that anyway, then why not make SNF (or whatever you want to call it) the focal point of your defenses, especially since its under your control. Let’s face it, NAC is really just a refinement of the traditional firewall-based approach to security – and we all know how well that worked!
And this list is not even close to being exhaustive.
Will the SNF-like approach be easy; of course not. But then nothing in security ever is. But it does seem to me that the SNF-like approach will be far more effective. Consequently I'm beginning to think that NAC is on a slippery slope to becoming one of the greatest disappointments of the decade – at least the pre-admission stuff (i.e., posture checking), and potentially at least part of the so-called post-admission capability (i.e., granular access control). It will probably survive to some extent, but much more likely as a feature as opposed to THE foundation of a network security strategy.
Finally, I could probably come up with a colorful analogy here (e.g., about how it makes more sense to better protect one’s own borders before trying to extend the battle to other, external geographies), but that would just give you something else to pick apart as opposed to focusing on the main issue :-)


I'd like to order SNF today, please. Lots and lots of it. Now.
What's that? I can't? Why? Because it doesn't exist? Oh, but NAC is available today and can help mitigate some of the risk I face without having to forklift my network and still apply defense in depth? Then I can wait until SNF arrives and combine the two?
But what about that supposedly quantifiable "value" you say SNF adds that NAC doesn't. How do you measure that? Do you have change for a Fantasy-Island-issued $20, I have a cab to catch to funky town.
Lemme get this straight -- you didn't read all of the threads and yet you can somehow intelligently "weigh in on the side of Mr. Stiennon?" I agree with some of the points you make (as I did with Richard and Alan,) but that seems a little goofy.
Look, nobody in the debate said that NAC is the "foundation of a network security strategy." It's another potentially important piece of the puzzle that will, most likely, become an ultimate feature in the big game. So what, that's got nothing to do with the value it can add today to solve specific problems that SDN/SNF can't because it doesn't yet exist.
The point in my blog entry is that neither of them is the answer alone, not that one is overall better than the other because in many aspects they are solving different problems.
Richard suggested to not invest in NAC (at all.) You didn't see Alan suggest that SNF is a bad idea.
I suppose you think IDS is dead too, eh?
;)
You know, I almost added a disclaimer that I did/do not subscribe to the “IDS is dead” position. But for some reason I thought that debate had already been put to rest. My bad.
Are you dissing D.I.D? I’m not sure I understand. Isn’t that what your company is selling: DID in a single box? Anyway…
I think it’s naïve to say that NAC is available today. Sure, you can do some things with NAC today. But how practical is it to do something truly effective – unless you happen to be an all Windows shop with a completely uniform user/app/network environment? There are really only bits and pieces available at this point; and it’s far from easy to implement and manage. Similar situation for SNF-like solutions, IMO -- though admittedly SNF is probably a half-step behind in terms of overall availability/execution.
I did read all of the threads. I’m just saying that in composing my comments, I didn’t re-read them all and offer a point-by-point response. In fact, I prefer to operate that way because it helps remove some of the personal jabbing – which is simply distracting (though possibly entertaining) to those seeking value from our rantings.
“Quantifiable”? I don’t recall using that word. I agree with Mr Rothman: “quantifiable” and “security” are like oil and water. That said, it is the right – as well as the obligation – of analysts (I mean that generically, to include all parties in this debate) to reach conclusions, including the determination that one soln seems qualitatively more promising/effective than another. Furthermore, reaching such a conclusion is not the same thing as saying alternatives do not have value or deserve attention… so I guess I diverge from Richard’s anti-NAC position in this regard.
I did not mean to suggest that any one in particular was proposing S/NAC as a foundation for network strategy. That was simply meant as a dig against the subset of vendors that are in fact marketing that position.
The only other thing I can say is let’s re-visit this topic again in two years. My money is on S/NAC falling considerably short of today’s level of hype/expectations. Will an SNF-like soln fare better? Perhaps I'm in fantasyland, but I believe it will. If it doesn't, then the industry as a whole will have failed miserably in our quest to solve our customer's security problems.
Mark
Mark, I just got done bickering with Rothman/Stiennon/Shimel and the rest of the Partridge family online for an hour, so you've caught me in a weak moment. That and I'm missing CSI, so I'll keep it brief:
We would have had this debate, I'm sure, about patching 2 years ago, too. The magical network hasn't done a damn thing to fix that -- and now patching is more of a feature than a stand-alone market...but you know what? That's irrelevant to a customer whose pain is taken care of. NAC should be evaluated today as an investment that will -- like every other security offering -- morph into the greater body of securitas over time. If you can live with the pain and risk now, good on ya. If you're waiting for the network to fix it all for you, I'll see you in two years.
Hoff
Mark Bouchard is now my favorite analyst. Thanks for weighing in Mark. And thanks to Mike Rothman for publishing Mark's views even though they do not line up exactly with his!
And Chris, don't go slamming the idea of secure networks (SNF) just because no vendor can put it all together today. There *are* places where it is being done though. Look at service providers that offer "secure pipes" for examples. They use firewalls, IPS, and yes NetFlow, and lots of ACLs to keep bad stuff off of their networks. ISPs have it easy though, they do not have to transport Microsoft proprietary protocols. Inside the corporate network it gets harder to do.
And where do I go to buy a six pack of NAC???? Cisco is the only one selling that KoolAid and it is 99% gas. And even if you believe that a vendor has the ultimate NAC solution ask yourself these questions.
1. Can someone get on my network with a healthy PC and steal information from me?
2. Can a healthy, fully approved by NAC, laptop still bring my network down?
3. Just what security issue was I addressing with NAC? The next MsBlaster?
4. How does NAC protect me against cyber criminals?
5. Just how many layers of defense do you vendors want me to buy anyway?
6. With a fixed budget for security do I spend it fighting 2003's battle against unpatched laptops or prepare for the onslaught of targeted attacks from cyber criminals and malicious users?
Richard:
Firstly, I'm not *slamming* SNF. I'm *slamming* the fact that you're being short-sighted and proposing that people not invest in something that works TODAY and instead wait for the intersection of the hype/reality curve for SNF which is not here today and won't be for some time. Your ISP example is NOT SNF, it's a bunch of cobbled together solutions that barely (if at all) interoperate and certainly don't scale with huge amounts of device sprawl; that's not the embedded SNF network example at all, it's bubble gum and baling wire.
That example of the ISP is Crossbeam's core customer today -- I *know* what they're buying and it ain't called SNF. Right now, these folks are in the throes of trying to consolidate all of those devices you mention above: firewalls, IDS, IPS, AV, URL, etc...if they could buy it "in the network" today, they would.
I'm playing a dangerous game of Devil's advocate here because I am a huge fan of the concept of SNF as a COMPONENT of good layered defense, but I'm also grounded in the reality of what people can do TODAY and balance that against tomorrow. That's what strategy is. Today, people can buy NAC and leverage its abilities to help make them more secure. Plain and simple.
We ought to have strong, secure protocols which allow for integrated identity management, authorization, authentication and encryption. We don't...not yet at least. But when we do, the "network" becomes less relevant because all it becomes is a transport. When everything's encrypted, the network isn't going to be able to see squat!
>> And where do I go to buy a six pack of NAC???? Cisco is the only one selling that KoolAid and it is 99% gas.
WTF!? You just last night quoted a NW world article and read off 10+ of the 26 NAC vendors that offer solutions today. Again, you're so addicted to hammering Cisco's model of SDN which today IS based on THEIR NAC solution. But the only person describing NAC = Cisco is YOU! You keep thinking that just because the NAC term was invented by Cisco and that all these vendors now offer NAC solutions that they all are subscribing to Cisco's model. They don't.
NAC as defined as "Network Admission Control" is not about blindly trusting the endpoint to report on its status...that may be Cisco's model, but that is not representative of the market. NAC as defined as "Network Access Control" is and has been around for quite some time and when you combine posture validation, authentication, authorization, remediation and policy enforcement, you've got something that works. TODAY.
Is it the end-all, be-all of security? No. And nobody said it was except you in your attempt to argue the ridiculousness of extremes.
You keep advocating de-coupling the network and the host security. Great! You have NAC today which does that (without the need for the "network" to weigh in) and when SNF is ready, it will be another layer.
>> And even if you believe that a vendor has the ultimate NAC solution ask yourself these questions.
This is ridiculous! You can't get over the fact that nobody said there was an "ultimate NAC solution" in the first place. You just dissed the entire market/technology/utility without regard for the fact that it's JUST ANOTHER LAYER.
>> 1. Can someone get on my network with a healthy PC and steal information from me?
Yes, and you'll be able to do that with SNF, too! I can do that with a USB stick. Again, where does it say that NAC is supposed to do that?
>> 2. Can a healthy, fully approved by NAC, laptop still bring my network down?
Yes, and someone who can abuse privilege and credentialed access will be able to do that with SNF, too.
>> 3. Just what security issue was I addressing with NAC? The next MsBlaster?
Is that a question or a statement? I don't know what you're saying/asking.
>> 4. How does NAC protect me against cyber criminals?
I dunno. How can it? How can SNF?
>> 5. Just how many layers of defense do you vendors want me to buy anyway?
As many as are needed to reduce my risk to a manageable and acceptable level. If that's one device, great! If not, find the balance of technologies that will give you leverage over time to conduct business. It's not about "security" it's about "survivability." You're going to get hit. Make sure you've concentrated your efforts on the things that matter most. If NAC solves that problem for you, great. If SNF solves it for you, great. I think you'll need BOTH.
You want to keep arguing/debating analogies?
>> 6. With a fixed budget for security do I spend it fighting 2003's battle against unpatched laptops or prepare for the onslaught of targeted attacks from cyber criminals and malicious users?
I don't live in 2003. SNF won't prepare you for the "...onslaught of targeted attacks from cyber criminals and malicious users" at an application or data level, either. For that we need integrated identity management, context, BA, IPS, NAC, Anti-X...and we need to stop people from doing stupid things. If you have a technology to do that, I'll buy it.
I would spend my money on the things that protect what matters most to me or to mitigate risk that is difficult to quantify but easy to describe. If I have good perimeter defense, internal segmentation, layered security boundaries, then I would consider NAC to lessen the chance that someone is able to get onto the network by establishing a baseline of what I expect someone to "look" like from a policy perspective.
If you think that this problem gets more manageable the deeper you push it down into the infrastructure, I would argue you've never managed thousands of desktops, firewalls, routers, switches and users...with small teams of generalists who have a hard enough time making sure the network stays UP let alone secure. If you push all of this intelligence downward and are banking on automation and intelligence in the fabric to solve the problem, you're going to create a bigger one.
Security is a service layer, not a networking component. They need to interoperate, but their core competencies are different in terms of their stratified functions:
Network/Plumbing = dumb, fast, reliable, available
Services = security, experience, utility
I can't wait to see what your answer is with SNF when I again illustrate the concept of virtualization in the data center. If I have a big honkin' server running 20 VM's, the "network" is now IN THE MACHINE. The "network" may not even see any of the traffic. How is the "network" going to protect one of those VM's from infecting another if the data never traverses it? If you had NAC (access control/admission control) on each, you'd be able to.
I'm not trying to change your mind. I'm not advocating that NAC is the foundation of anything. I'm saying it has value (that I can quantify, by the way,) it will be an integral piece of a DID architecture and when SNF arrives, they will interoperate.
Chris