Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Comment Watch: Stiennon SNACs on the Cocktail

By Mike Rothman
Created 2006-08-07 17:19

Richard Stiennon has responded to the SNAC and Cocktail post [0], and by proxy to Shimel and Hoff. Many of you don't check my comments and Richard pretty much wrote a book, so I'll post it to the main blog and then provide some of my thoughts. I'm flattered that Richard would state his position here at Security Incite, as opposed to dealing directly with either Senators Shimel or Hoff, but I can see his logic. Fact is, I find both of those guys some of the most un-vendor vendors, but I understand what their jobs are and how they get paid.

Here is Richard's comment (here [0]):

You want to step outside?

Better yet, we'll do it right here. This sort of debate is better served by a couple of independent analysts. I would rather risk your skillful barbs than get into a pissing match with the Chief Strategy Officers of two vendors, one that sells NAC solutions, and one that thinks honk'n monster UTMs are the answer to everything.

First of all Allen is right that I am still singing the same tune after two years. As far as I know I am the ONLY analyst that thinks the whole idea of end point data being used to grant access is worthless.

Let's take a simple scenario. A large enterprise (5,000+ users) running Symantec AV, Microsoft AntiSpyware, and a spanking new Cisco NAC infrastructure (I know, that does not exist yet but someday...).

It's the day after the Labor Day Holiday in the US. The CEO, CFO, and half a thousand other workers show up for work. They have been on vacation and their DAT files, and Microsoft updates and critical patches have not been installed. They plug in to the network and are barred from connecting. About 250 people follow the instructions from the damn quarantine server. The rest call the help desk which is not answering the phone because EVERYBODY is scrambling to get the CEO online before his conference call with the Board.

Network IT people are not stupid. Their first mandate is "do no harm". The only reason they are looking at NAC solutions is they think it can help them *reduce* help desk calls from infections brought in by bad laptops. NAC requires your laptops, your AV vendor, your network vendor, your NAC vendor and Microsoft to play nice. There are too many opportunities for things to go wrong.

I consider myself a network security guy. Doing security in the network invariably is better than doing it on the desktop. Desktop AV is the biggest pain in the ass to administer. *Any* agent is a pain to administer.

So, yes, I have dreams. My dream is that an infected laptop brought on to the network will do no harm, yet will still be able to talk to the exchange server and be a productive device. Unlike Cisco I cannot turn my fantasies into billboards on highway 101 before demonstrating a single element of their CNAC fantasy. But I can continue to talk to people who have dumped their host NAC solutions for inline blocking and tackling. I can watch and report on network security vendors that are combining with switch vendors or introducing access switches of their own.

Keep in mind that even in the fantasy world of a complete NAC infrastructure there is still no defense against the malicious insider with credentials and perfectly updated laptop. Why would you spend millions to deploy a security solution that did nothing to defend you from malicious users? Huh?

I view NetFlow tools as an underutilized and powerful technology for understanding the corporate network and helping to harden it. You date yourself Mike when you equate NetFlow with DDoS defense. But it is important to point out that NetFlow on a carrier is used for tracking down and blocking DDoS as well as spammers. Why wouldn’t an ISP enforce NAC on its customers? Why wouldn’t they quarantine all zombies until they were remediated? Answer that and you will understand why just as NAC does not work in the cloud it does not work in the Enterprise.

NetFlow is just one of the elements that can make the network secure. You mention a bunch of others. IPS, access controls, VLANs, firewalls, ACLs. I say work with those proven technologies; don’t fall into Cisco’s dream of owning the desktop as well as the network!

So what says me about this rant? First of all, per usual Richard has some underlying deep thought in his position. Fact is, I still don't buy it. Endpoint security is another tool in the bag. Why wouldn't we use that data to ensure the network is safer? His example of everyone logging into the network at the same time is tired and irrelevant. Anyone that would have a policy in place that would quarantine hundreds of employees after a holiday weekend is an idiot. There is a middle ground, there always is. You want to make sure you are quarantining only the devices that can harm the network, not the ones that just have a DAT file a week old.
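To make the "middle ground" concrete, here is an added illustration (not part of the original post, and not any vendor's policy engine): a toy admission-policy evaluator that contrasts an all-or-nothing posture check with a graded one, run over a constructed fleet returning from a holiday weekend. The thresholds, the Posture fields and the host inventory are all assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Posture:
    """Endpoint state as reported by the NAC agent at connect time (constructed fields)."""
    host: str
    av_running: bool
    av_def_age_days: int           # age of the AV signature (DAT) file in days
    missing_critical_patches: int  # count of uninstalled critical OS patches

def strict_policy(p: Posture) -> str:
    """All-or-nothing: any deviation from fully current means quarantine."""
    if not p.av_running or p.av_def_age_days > 0 or p.missing_critical_patches > 0:
        return "quarantine"
    return "allow"

# Thresholds are assumptions for illustration, not vendor defaults.
STALE_DEFS_DAYS = 30     # signatures older than this are treated as an infection risk
MAX_MISSING_PATCHES = 2  # more than this and the host is isolated until patched

def graded_policy(p: Posture) -> str:
    """Middle ground: isolate only hosts that can plausibly harm the network."""
    if not p.av_running:
        return "quarantine"            # no protection at all: isolate
    if (p.av_def_age_days > STALE_DEFS_DAYS
            or p.missing_critical_patches > MAX_MISSING_PATCHES):
        return "quarantine"            # far enough behind to be a real risk
    if p.av_def_age_days > 0 or p.missing_critical_patches > 0:
        return "allow_remediate"       # normal access; updates pushed in the background
    return "allow"

def tally(policy, fleet) -> dict:
    """Count how many hosts land in each access state under a policy."""
    return dict(Counter(policy(p) for p in fleet))

# Constructed fleet: the morning after a four-day holiday weekend.
HOLIDAY_FLEET = (
    [Posture(f"laptop-{i}", True, 4, 1) for i in range(500)]     # typical returning laptop
    + [Posture(f"desktop-{i}", True, 0, 0) for i in range(400)]  # stayed on, kept current
    + [Posture("contractor-1", False, 60, 5),                    # AV disabled, badly stale
       Posture("loaner-7", True, 45, 0)]                         # AV on, but very old DATs
)

if __name__ == "__main__":
    print("strict:", tally(strict_policy, HOLIDAY_FLEET))   # 502 hosts quarantined
    print("graded:", tally(graded_policy, HOLIDAY_FLEET))   # only 2 hosts quarantined
```

The strict policy puts the 500 returning laptops in the same bucket as the host with AV switched off; the graded policy lets them work while updates are pushed, and isolates only the two hosts that are genuinely behind.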

So I believe there is value to ADMISSION CONTROL, though there is more value in ACCESS CONTROL over time. Richard and I will just disagree on the admission control stuff. Which is OK, that's what makes the world go around.

I definitely take issue with the idea that you can do EVERYTHING security in the network. I'm a network security guy too, and I understand the limitations that mobility and the "insider threat" provide relative to doing everything in the network. The answer is not one or the other, it's both. And that's just for infrastructure security. When you think about having to secure data and information, unless you have adopted a dumb terminal model - YOU MUST SECURE THE ENDPOINT. If sensitive data is there (and it's there), it must be secured. Is it a pain in the ass? You bet. But certainly less of a pain in the ass than having to disclose a data breach due to stupidity, ignorance or apathy.

I do agree that inline blocking and tackling (LAN security or Secure Switches - whatever you want to call them) will prevail over time. My point in suggesting the cocktail is that I envision a correlation engine factoring in all sorts of information that will drive what policies get enforced in the fabric. I know a lot of folks don't like the idea of security in the fabric, but I don't care. That trend is inevitable. The train has left the station and though it'll take a generational upgrade to get there (5-7 years), WE WILL GET THERE.

Finally, relative to NetFlow, if Richard is saying that it's one of many data sources - then I'm cool with that and it's what I've been saying for a long time. NBAD is still predominantly a DDoS mitigation technique, regardless of what crap the vendors are feeding - because the ISPs buy most of the equipment and the ISPs have taken on neither spammers nor zombies. NBAD technology is applicable to both of these problems, but only if customers use it.

So at the end of the day, Richard and I still have some fundamental disagreements as to how this all shakes out. I appreciate him weighing in and suffice it to say we'll both be looking for opportunities to prove we are right. If there is one thing I know, it's that we both hate to be wrong.

Source URL:
http://securityincite.com/blog/mike-rothman/comment-watch-stiennon-snacs-on-the-cocktail