NAC Attack Part 4: Varying opinions on NAC
Submitted by Mike Rothman on Tue, 2006-05-16 10:59.
Getting back to the NAC series, let's examine a few of the diverging opinions out there about whether NAC is worth a crap or not. First, I'm not surprised by the number of different opinions, every burgeoning, over-hyped technology has this issue. To be clear on where I stand, I said a while back that 2007 will be the year of the secure switch, as NAC (or more specifically, endpoint admission and granular access control) increasingly becomes integrated into the network fabric.
Quite a few I trust (including me) think that NAC is the future of network security. There is clearly a need to control the "insider threat," but that is a pretty nebulous term. Are you talking about mobile employees that need to be checked for device hygiene? Are you talking about protecting the conference room and other internal network jacks from prying, unauthorized eyes? Are you talking about ensuring that content doesn't leak to outside parties? Are you talking about ensuring the wrong folks don't get to sensitive, private data and applications?
The challenge with how NAC is defined today is that the answer is yes, yes, yes and yes. We've all seen this movie before. Vendors, somewhat desperate to be included in the new new thing, paint their technology to solve whatever problem is hot. Which adds to the expectations of what a technology purports to do. Whether it actually does anything or not isn't the issue. It's marketing, right? Who lets the truth get in the way of marketing?
Additionally challenging is the fact that there are a lot of ways to skin the cat. There are inline solutions that look a lot like big firewalls (they have policy engines that control the flow of traffic through networks), and you have out-of-band solutions that enforce policy by either reconfiguring VLANs on the existing switches or messing with the DNS or DHCP services on the client. Finally, you have the SSL VPN vendors positioning that their products already do everything that NAC promises (actually taking both approaches).
But if anything, I am open to other opinions and a number of folks I'm coming to trust don't think there is much weight in NAC. Personally, I think we are dealing with semantics. I don't think anyone can really argue with the need to deal with the insider threat. The question is just how we get there and what technology is best positioned to solve the problem.
I mentioned in the Daily Incite (you read TDI, right?) yesterday a blog posting from Mike Fratto (link) where he questions the business case for NAC. My pal (well I think he's my pal anyway because we had an email exchange and he didn't call me an idiot) Thomas Ptacek of Matasano follows that up with a good post (link) trying to deflate the hype around traditional NAC, or at least Cisco's definition of NAC.
The Matasano view is interesting and personally I agree with most of what they are saying. First, that they find the endpoint admission aspect of NAC not interesting. That is a manufactured vendor-driven issue, though if a malware cesspool connects to your network and infects all sorts of things - you'll change your tune on this quickly. They also believe that enterprises understand what is at risk (I agree) and compliance is not really a big driver for NAC (I agree with that too). They also say that it doesn't address the real source of data leakage, which again I agree with.
That's why there are separate infrastructure and information disciplines in the pragmatic security architecture. You cannot just assume that content is safe without EXPLICITLY PROTECTING IT. But you also should not take the risk of assuming that your content security plan is foolproof.
Did everyone forget about defense in depth? First you try to make sure the wrong people don't get to the content. Then you secure the content as well, just in case they do. Or even worse, the right people (insiders) turn out to be the wrong people.
I really think the only place Thomas and I disagree is how you get there. I think endpoint admission can be positioned as enough of a threat that people will pay for it. Actually, people are paying for it today - but it's still an early market with hundreds, not thousands of customers.
Whether endpoint admission solves a real problem or not is IRRELEVANT. It gives customers an entry to really solve the problem. Of course until everything is protected by NAC, you are exposed (that's why my Phase 2 of NAC requires full coverage) and boiling the ocean does take time. You don't get there overnight (which will be the topic of my next NetworkWorld column).
You'll also have a lot of competing technology fighting to be considered the NAC enforcer. Even the Matasano guys will have a product (which they haven't announced and they haven't told me about it yet - but here is their nebulous take). For a bunch of consultants, they get marketing - which I'm not sure I've ever seen before. Call the status quo crap. Put all sorts of flies in the ointment. And then roll out something that is exactly what you are calling crap - but maybe using a different technique or trying to carve out a different category. So it's different, but the same. Brilliant.
One last thought on how we get there is that we may see a PC-like evolution to NAC as well. What I mean is that NAC functions are built into switches, which over time get deployed throughout a network. Then the technology is just there, so people turn it on. Like DVD burners or USB ports. Once the technology became ubiquitous, folks started figuring out how to use it. This path is a 5-7 year path (if not longer), but it's definitely possible.
But ultimately what is my point? We are going to see a lot of definitions of NAC and vendors pissing on each other over the next 18 months as customers start to buy stuff and upgrade their campuses. It will get confusing for customers, who won't know who they should trust. Which is awesome... for me. Customer confusion is good for my business.