More scratching and sniffing

Submitted by Mike Rothman on Fri, 2006-08-11 23:00.
I had no intention of doing another post tonight, but after reading Chris Hoff's latest response in the Scratch AND Sniff saga, I had to both point you to these specific comments (because they are great) and also to highlight the passionate discourse between a bunch of experienced bright guys.

To get a feel for the back and forth, start here with Hoff's first comment (here) and then read the saga.

The bad news is we aren't going to know the answer for a year or two. I'll again come down in the camp that pre-admission control adds value. There are clearly some environments (like many of the very large, very flat networks that Chris refers to frequently) where blocking and tackling is a higher priority. But there are just as many environments where mobility and guest access make admission control more relevant.

No one has said that more security intelligence is not going to make its way into the network. So ultimately the idea of a "Secure Network Fabric" is correct. But it's still largely a set of PPT slides from a handful of vendors. The bigger issue is how we get there and what information is used to make policy decisions on access to critical information. I still believe that more information is better than less, so getting data from the endpoint is relevant. But that's me.

Finally, I'll further complicate things by adding onto the virtualization scenario that Chris mentions in his last comment (here), in that we not only need to factor in that many VMs may run on the same machine - but that we'll be pulling data from many different places - both internal and external to the organization. And vice versa. So you will have web services interfaces exposed to key data stores. Securing these applications is a TOTALLY different ballgame and that's why Chris' observation that integrating a central identity infrastructure for both networks and applications is another critical piece of the puzzle.

But that's a debate for another day. G'night all and enjoy your weekend.