Note from Mike: I'd like to introduce the Security Incite community to Mark Bouchard, a former META colleague, good friend and tremendous analyst. He runs his own analyst shop now, called Missing Link Security Services and is one of my go-to guys when I need to bounce some ideas around. Mark kindly offered some perspectives on the recent NAC "discussion" among myself, Shimel, Hoff, and Stiennon and even more graciously is allowing me to publish them to the community. Of course, these perspectives are Mark's and not my own - as you'll soon come to see.
Scratch AND Sniff (aka, SNAC and SNF)
by Mark Bouchard, Missing Link Security Services
This is by no means a point-by-point analysis of the Stiennon/Hoff/Shimel/Rothman NAC debate. Truth be told, I didn't even review all the threads before compiling this. But for what it's worth, here's my two cents on the topic.
The practice of infosec has always entailed using both belt and suspenders. The principle of defense in depth guides us in this matter, driving the use of multiple, overlapping countermeasures. Appropriately, both approaches discussed (i.e., SNF and SNAC) have value, and both approaches will ultimately be used, at least in some manner.
Perhaps a better question though is which has greater value. In this regard, I’ll have to weigh in on the side of Mr. Stiennon. That said, my version of SNF is actually pervasively deployed IPS (which eventually will come in network switch form factor) that is enhanced with passively and actively gathered contextual information about (a) the environment it is trying to defend, and (b) the entities (i.e., devices, users) that it is trying to protect the environment against (albeit to a lesser extent, I suspect). This contextual information is the key to making IPS much more accurate in terms of false positives and negatives, and in turn enables a greater degree of automated response (e.g., blocking access, quarantining).
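To make the "IPS plus context" idea concrete, here is an added example (mine, not Mark's and not any product's code) that re-scores a raw sensor alert against a constructed asset inventory before deciding whether an automated block is warranted; the inventory, alert fields and thresholds are all assumptions for illustration.

```python
# Added example: context-aware triage of an IPS alert. Not from the post.
from dataclasses import dataclass

@dataclass
class Alert:
    signature: str   # what the sensor matched
    src_ip: str
    dst_ip: str
    dst_port: int
    affects: set     # platforms the exploited flaw applies to, e.g. {"windows"}
    severity: int    # raw 1-10 score assigned by the sensor

# Constructed inventory: the passively/actively gathered context about the
# environment being defended (OS, listening ports, business criticality).
ASSETS = {
    "10.0.0.5": {"os": "linux", "ports": {22, 80}, "critical": True},
    "10.0.0.9": {"os": "windows", "ports": {445, 3389}, "critical": False},
}

def triage(alert, assets, block_threshold=7):
    """Return (action, adjusted_score, reasons) for one alert.

    action is 'block', 'alert' or 'ignore'. The raw sensor severity is
    adjusted with what we know about the target, so an exploit aimed at a
    platform the target does not run is demoted instead of auto-blocked."""
    score = alert.severity
    reasons = []
    target = assets.get(alert.dst_ip)
    if target is None:
        reasons.append("target not in inventory: no context, keep sensor score")
    else:
        if alert.affects and target["os"] not in alert.affects:
            score -= 6   # likely false positive: wrong platform
            reasons.append("flaw affects %s, host runs %s"
                           % (sorted(alert.affects), target["os"]))
        if alert.dst_port not in target["ports"]:
            score -= 3   # nothing listening there
            reasons.append("port %d not open on target" % alert.dst_port)
        if target["critical"]:
            score += 2   # errs toward action for high-value assets
            reasons.append("target is business critical")
    score = max(0, min(10, score))
    action = "block" if score >= block_threshold else "alert" if score >= 4 else "ignore"
    return action, score, reasons
```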
This seems like a much better investment than NAC, at least as I understand it. Some of the advantages that I see are these:
- There is no need to maintain 10s, 100s or even 1000s of granular access rules to achieve a robust level of defense. Tellingly, this is anathema to any organization that has already made significant investments in Identity Management. What I routinely hear from many large organizations is: “Why do I want to re-create this wheel at the entry point of my network when I’ve already spent hundreds of thousands of dollars trying to do it with provisioning systems at the servers and apps themselves?”
- There is less likelihood of adversely impacting the business by quarantining legitimate (low risk) users/traffic for potentially useless reasons (e.g., DAT file is > 1 day old).
- There is far less reliance on components that are outside of the organization’s control. External clients and their software will always eventually be broken/hacked. That is one of the long-standing criticisms of most DRM techniques. Consequently, everything originating from (or about) an external client is not really trustworthy. Presuming otherwise is a dangerous trap. This is in contrast to the network traffic that shows up at our network entry points. It is what it is, and is always presumed guilty until proven innocent. To be perfectly clear, I’m not saying that the network defense system shouldn’t account for information pertaining to the client. I’m just saying that how it is obtained and the weight that is put on it deserves more attention – and that NAC doesn’t seem like a good way to get this information.
- And the clincher in my mind: security posture checks done via NAC would need to be significantly more comprehensive before we would have reasonable assurance that the clients are in fact not compromised, and therefore not a threat to the organization’s environment. Just checking for AV, FW, and a few patches is laughable. Let’s also not forget the challenge of building/maintaining agents and/or scanning techniques for every type of client out there – undisputedly an impossible task. However, barring such breadth and depth of checking, it will still be necessary to erect network-based defenses to help prevent attacks. So … if you’re going to have to do that anyway, then why not make SNF (or whatever you want to call it) the focal point of your defenses, especially since it’s under your control. Let’s face it, NAC is really just a refinement of the traditional firewall-based approach to security – and we all know how well that worked!
And this list is not even close to being exhaustive.
Will the SNF-like approach be easy? Of course not. But then nothing in security ever is. It does seem to me, though, that the SNF-like approach will be far more effective. Consequently, I'm beginning to think that NAC is on a slippery slope to becoming one of the greatest disappointments of the decade – at least the pre-admission stuff (i.e., posture checking), and potentially at least part of the so-called post-admission capability (i.e., granular access control). It will probably survive to some extent, but much more likely as a feature as opposed to THE foundation of a network security strategy.
Finally, I could probably come up with a colorful analogy here (e.g., about how it makes more sense to better protect one’s own borders before trying to extend the battle to other, external geographies), but that would just give you something else to pick apart as opposed to focusing on the main issue :-)