NAC

Incite Redux: Day 4 - Weaving security into the network fabric

Submitted by Mike Rothman on Mon, 2008-07-07 12:32.

Good Morning:
Kids say the darnedest things. At least mine do. At the beach, we usually trek down to the Boardwalk in the late afternoon for a few carnival rides, some desert and basically to further tire the kids out before bed time. Though I'm not sure how it happened, the Boss let my son out of the house in his Flash costume. Yes, the kid was walking along the boardwalk as the Flash.

And I'll also admit it was very cute. Lots of folks were commenting on his costume, including one jackass who confused him with Shazam! Come on now. Who doesn't know the difference between the Flash and Captain Marvel? Thankfully my older daughter goes up to the guy and says, "That's not Shazam, it's the Flash!" Wallflowers my kids are not.

So the boy actually seemed a little embarrassed by all the attention. He's a bit shy and he didn't like all those folks he didn't know talking to him (yes, it's hard to out run your genetics). I tried to make him feel a bit better by saying that all those folks are talking to him because he's cute in his costume.

He looks up at and the Boss and says, 'I'm not cute." Huh? What do you mean you aren't cute, boy? Crap, do I need to set him up with the therapist right away? Is this a four alarm self-esteem issue? Nope, he then follows that up with: "I'm not cute, I'm handsome!" 

Yes boy, you are handsome. And bold and innocent and all the stuff that we old folks need to remind ourselves to be in the morass that is our daily lives.

Now go have some fun today. I'm certainly going to.

Incite #4: Weaving security into the network fabric

Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.

Read the original Days of Incite post on this topic.

6-month grade: C+

The challenge of making prognostications is that things happen in my mind fairly quickly, and in the real world - a hell of a lot slower. So the idea that we will be getting to this mythical "Secure Network Fabric" is certainly still in the works - though it will be a multi-year evolution to get there. So let's look at the data points that validate this theme.

Get your hair weave!!!First is Cisco's TrustSec, which is basically another marketecture from the kings of marketecture - really focusing on how to evolve the current switch infrastructure to something more secure. Yes, it will take a long time and hopefully not involve a wholesale rip and replace of all your current gear (like the C-NAC Framework of old), although your Cisco rep would certainly like it. Basically, it's just a fancy way of saying what has been obvious for a long time. Network security will be in your network, not in a set of overlay boxes meant to protect your status quo switching fabric.

Juniper is also getting into the enterprise switch game and their differentiator? Ah, uh, well, it's basically their operating system and their NAC stuff. And scarily enough, that may be enough for the few that don't want to buy from Cisco and aren't comfortable that the other switch vendors will be around long enough to support their stuff down the road. So the Secure Network Fabric is happening, though at a snail's pace.

It's also been interesting to see how far and how fast the NAC business has fallen out of favor. Evidently all it took was a couple of high profile flame-outs and the rest of the business largely just shutting up and getting back to the business of actually solving some customer problems and selling some gear. 

And an amazing thing is happening, the business is growing. Although modestly, though I'm not sure how modestly since I don't do numbers, and I don't believe what folks like Infonetics say. So I'll just use the term modestly - which is a lot better than not modestly. This is a disappointment to the investors and hype-meisters that have been looking for huge growth (meaning IPOs and high value acquisitions) out of this space, but in reality any kind of market growth is not a bad thing nowadays.

Customers still have problems with visitors and outsourcers and other folks that now are supposed to be on their networks, but without the ability to manage those devices. These problems sometimes bubble to the top of the priority list, especially if an auditor has said to fix it for compliance purposes. My biggest issue with the space was whether a customer could wait to deploy NAC? And the answer has been largely yes, but enough folks feel the pain to keep the business moving forward. 

Who is doing well in this space? Everyone says they are doing great, just like Lockdown. Ultimately, it doesn't matter. My procurement philosophy has to do with solving your problems, not with picking who is doing well. So figure out what problems you are trying to solve and then figure out if NAC is the right solution for you. But the key here is to focus on the longer term and how you want to get there. The reality is, you will be rolling out a secure network over the next 5-7 years. Do you want to evolve slowly or quickly? Do you have an option? Is an overlay the best answer or do you want to start incrementally updating your fabric in crucial areas?

There are lots of questions to ask and that is the most important part of considering a NAC solution. In terms of grading this Incite at the 6 month mark, it's good in some areas and not so much in others. Overall, a mediocre showing, which is about a C+.

Photo credit: leigh.

2008 DOI: Day 4 - Weaving security into the network fabric

Submitted by Mike Rothman on Fri, 2008-02-15 09:43.
2007 Incite: Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.

2008 Incite: Weaving security into the network fabric
Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.


Network SecurityWhen you think about it, there really shouldn’t even be a network security industry. Who is going to connect to the Internet bareback nowadays? Only Rip Van Winkle. Even back in the late 90’s you have to look hard to find folks that didn’t use firewalls. But a firewall alone does not a network security strategy make.

So we had things like IDS and then eventually IPS that made inroads. We had application oriented attacks, so we needed spam gateways, web filters, and web firewalls. Now we have application firewalls because the existing network security devices can’t really handle some of these new fangled attacks. It’s that same innovation, integration, and consolidation cycle I mentioned yesterday.

At the same time the perimeter defenses were integrating, we had a general acknowledgment that letting infected devices connect to our networks was a bad thing. It just took a few SQL*Slammers to show how dangerous it was when a mass proliferating anything breached your perimeter. So the network access control business was born. It was actually called Network Admission Control initially, and Cisco coined the term. Of course, the ABC (anyone but Cisco) crowd couldn’t let that happen, so they all banded together and figured Network Access Control (NAC) was a better term.

NAC was the second coming. NAC was everywhere. NAC could cure cancer. That’s if you believed the hype. I, of course, did not and was projecting a disappointing 2007 for NAC. I was right, but that was obvious. No technology could live up to that hype. And it didn’t.

So where do we go from here? Basically I think a lot of forgot the first word in network security, and that is NETWORK. I’m seeing a lot of operational security resources migrate back to the ops teams (and the pendulum swings back) – so a lot of the buying decisions for network oriented stuff is going to increasingly end up with the network folks.

Guess who networking folks like to buy product from? Right, networking vendors. Thus, it’s just a matter of time before Big Networking squeezes the network security specialists out. So anyone selling an exclusively overlay network security solution is going to have a problem. Over time, those capabilities are built into the switch. So if you don’t have a switch and you do NAC, I’m hard pressed to see how that works out a couple years from now.

To be clear, this is not an absolute and it’s going to take years to get there. But to think that end users want layers of overlay security on top of their devices is silly. Also figuring that your favorite big networking vendor isn’t going to get their majority of network security market share is being naïve.

That means the shakeout will continue. And this year it’ll be more than just Vernier becoming Autonomic and heading for higher ground (again). The good news is that there are a lot of big networking firms that don’t really understand security. Most are struggling, but they still have a lot of dumb money. That means Barnum can come in and sell them a bill of goods. It also means that it’s a race, and the one without a seat when the music stops is in a world of hurt.

But don’t believe me. Believe a couple of guys that are actually smart. Thomas and Nate debate NAC towards the end of their annual predictions. And they are right.

Lastly, I want to drive my stiletto deep into the heart of NAC standards. Windows Server 2008 is pretty much here, so now that means NAP will become pervasive, right? Wrong. Cisco has its own thing, and everyone else has TCG/TNC.

But the cold, hard truth is that customers don’t care about standards. If the functionality were important enough, they would deploy the technology without a standard. If it’s not, they tell the sales reps that “standards are important” and they are going to wait for the standards to shake out. That way the sales rep’s ego isn’t impacted and they’ll stop calling. But in reality, the customer is saying, “What you do isn’t important enough to me,” so I’ll wait until it is.

And that seems to be the story of NAC.

Report Card: 2007 Incite #4 - Trust No One

Submitted by Mike Rothman on Mon, 2007-12-24 08:01.

40% of the way there. Let's keep pressing forward.

Incite #4 - Trust No One

The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.


Days of Incite Link:http://securityincite.com/blog/mike-rothman/2007-doi-day-4-trust-no-one
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007

Final grade: B

Yes, customers continue to struggle with the idea of protecting against the insider threat. They all know it’s a problem, yet with the sheer number of things that need to be done – many organizations are stuck in analysis/paralysis mode. Do they do DLP first? What about NAC? What about just contracting the perimeter and installing a whole mess more firewalls closer to the data that needs to be protected?

We’ll talk about DLP later (Incite 6), so let’s focus on NAC now. Suffice it to say, everyone is acknowledging that the technology disappointed relative to expectations in 2007. How could it not? But what will 2008 have in store? Probably not a lot different. Can you hear the wails of the VCs with hundreds of millions invested in the space? The early adopters will continue looking at how to overhaul their campus networks and do it in a more secure fashion.

Everyone else will wait until they clean up the other projects, which are ahead of NAC on the priority list. Little things like IPS and the like. Yes, there are still folks in the mass market focused on IPS and not some of these other shiny functions that we spend most of our time dreaming about. NAC standards efforts will continue to lag, although the new, open source OpenSEA 802.1X supplicant effort will pick up steam – basically because there aren’t any other options.

But to me, the last clause is what is most important about this Incite and the reason this was only graded as a B. The security monitoring philosophy is not spreading as quickly as it should. So many security folks are still married to the idea of blocking everything and have not grasped the folly of trying to outsmart the bad guys. In one man’s opinion, focusing on REACTING FASTER and doing that through a strong monitoring capabilities is a lot better (and more sustainable). Maybe some more folks will start to get that in 2008. One can hope, no?

Check out the other posts in the Report Card series.

Caymas, RIP

Submitted by Mike Rothman on Fri, 2007-04-27 15:03.

When there is smoke, there is usually fire. A few weeks ago a few enterprising beat reporters questioned whether Caymas Systems was still a viable entity. Their web site was down and phone systems didn't work, but it was all chalked up to a bungled office consolidation.

Well, not so much.

Today in the mail I got a "NOTICE OF ASSIGNMENT FOR THE BENEFIT OF CREDITORS AND DEADLINE FOR SUBMITTING CLAIMS" from Caymas (assignment for the benefit of creditors), LLC - which is the assignee of Caymas' assets.

Sounds like a lot of legal mumbo-jumbo to me, and I'm no lawyer but in effect - Caymas Systems is dead. Their creditors will need to deal with this newly formed LLC to get any of their money - which in these cases is pretty unlikely.

The good news for me is that Caymas doesn't owe me any money.

The bad news for their customers is that they have some pretty pricey doorstops and paperweights now. The best case is that someone acquires the technology assets and supports the product for some length of time. Moving the liabilities to another corporate entity facilitates that. The worst case is that the company goes away and customers are left holding the bag.

We all talk about the "great contraction" and try to figure out if/when some of the 800 security companies just go away. But these kinds of things are sad. Sad for the employees and sad for the customers. It's Darwin at his evolutionary best.

And it's part of the game. I hope all the good folks at Caymas land on their feet, and I'm sure there are a bunch of increasingly desperate NAC vendors circling Caymas' customers with offers of swap-out credits and other incentives. Have fun with that.

 

2007 DOI: Day 4 - Trust No One

Submitted by Mike Rothman on Mon, 2007-02-19 16:27.

NAC, NAC?
Who’s there?
Confused.
Confused who?

You know who, don’t you? NAC is this year’s PKI. Everyone wants to believe it’s the year of NAC. But I suspect most customers will be sorely disappointed in what they achieve to deter the “insider threat” with NAC this year.

Why? Because solving the insider problem is complicated and multi-faceted. It’s about more than just checking the AV and patch levels on devices connecting to the network. It’s also about more than access control and worm mitigation. And that doesn't even scratch the surface on the data/information security issues related to the "insider threat."

It’s about all three and architecturally, that’s going to be a hard problem to solve in 2007. Why? Because rip and replace is not an option. Unless you have a money tree out back.

The good news is that based upon numerous conversations and validating evidence, customers are starting to figure out what they need. Of course, knowing what to buy and actually buying it are totally different. NAC is still a very early market and will remain as such for another 2-3 years.

Can you hear all the VC’s shuddering? After throwing hundreds of millions of capital into a market sector, the last thing these guys want to see is a market still 2-3 years from major revenue acceleration. But it is what it is. You can’t push on a string, though many players in the NAC business will try this year.

Another dynamic that will muddle things is just the sheer number of vendors. If feels like the anti-spam business 2-3 years ago, but with a less defined value proposition. After the initial wave of buying, anti-spam leveled off (late 2005 to mid-2006). There were too many vendors, too much confusion, not enough differentiation. Customers waited for some consolidation and shake-out and it was only with the wave of image spam in Q4 of 2006 that they started buying en masse again.

The problem is the early adopters are only starting to roll their NACs, and the market is oversaturated. I don’t envy anyone trying to sell NAC nowadays. 10 vendors in a deal saying the same exact thing is no fun for anyone.

So what’s a customer to do? Tread carefully. Kick the tires. Figure out your real requirements. And probably repurpose existing devices (like SSL VPN) to do poor man’s NAC for the short term. Unless you have some very specific requirement that forces you to buy something today, don't. And if you do, don't get married to whatever solution you pick. It's TACTICAL. Manage expectations that you will be looking at other stuff in a year or two.

Something like network behavior analysis could also be helpful, at least to pinpoint some weird traffic patterns. In a perfect world, you’d like to actually block the weird stuff. But as a first step, knowing about it is useful.

Another benefit to more aggressive monitoring on the network is that the network doesn’t care who you are or what your job title is. There are no “freebies” for important folks. No ways to skirt the monitoring or enforcement mechanisms. And in an environment where the CEO is perhaps more likely to be dirty as a run of the mill worker – you can’t assume anyone is clean.

Trust no one. It will save your ass.

Report Card: Incite #2 - Get the NAC!

Submitted by Mike Rothman on Tue, 2006-12-26 15:45.

Continuing in our Report Card series. Here is my assessment of Incite #2 on Network Access Control, or more commonly known as NAC.

Incite #2 - Get the NAC!

The increasing number of ingress points into corporate networks (mobile, contractors, VPN) forces users to migrate to a virtual network infrastructure with a secure net and an unsecured net. Network Admission Control (NAC) architectures gain traction in 2006 to facilitate this architectural construct, but do require homogeneity of equipment pushing the pendulum away from best of breed providers.


Grade: B

Original Days of Incite post: here
Incite Redux post: here

This Incite was right on from the standpoint of the business drivers for Network Access Control (NAC). But a strange thing happened on the way to this NAC-centricity and massive market growth. The term NAC came to mean anything and everything. So what you have now is a market showing good growth, but not exponential growth - constrained more by confusion than by anything else.

What does that mean? It means the leading independent NAC vendors are growing their businesses nicely. Growth rates are probably 75% year over year, maybe 100%. But not at 200-300% as you would expect in a market hitting the masses. You see a lot of recent surveys talking about confusion, and confusion is bad for business.

Actually confusion is good for the research business, but not for the product business.

Confusion happens because every vendor is trying to mold the NAC term to describe with they do and how they do it. Then you have a number of center of gravity vendors (like Cisco and Microsoft and those that are not Cisco and Microsoft aligning in the TCG) that are pushing interoperability. It's not clear why anyone gives a rat's ass about interoperability and that confuses matters even more. Then you have the vaporware issue. Given that Microsoft’s offerings are not going to be real until 2008 (when Longhorn ships and Vista is more pervasive), no wonder customers feel no urgency to get these projects going. Cisco's story is still far ahead of its delivery as well.

But all is not sour in the world of NAC. I don’t want to steal my own thunder and talk about what 2007 has in store for us, but NAC (and secure switches) will continue to play an important part of building out the next iteration of the campus network. This will include host integrity checking, access control within the internal network, and worm mitigation.

So I’m grading myself pretty hard in saying this is a “B.” But the reality is that NAC has stalled a bit and needs a new catalyst to drive it to the masses. Though the need for the technology remains as strong as ever.

Who cares about NAC standards?

Submitted by Mike Rothman on Fri, 2006-09-29 11:42.
::

While I've got NAC on the brain, let me go after the standards discussion a bit. There was quite a bit of consternation regarding Cisco pulling out of the TCG a while back. Well actually pulling Meetinghouse out of the TCG after they were assimilated. In this post from a while back, Alan Shimel wonders how hard could it be to provide interoperability (here)? He's right, it wouldn't be hard. But it's still not going to happen.

Why? They are forgetting the first rule of market domination. The gorilla doesn't need or want standards. If anything, having a standard is a bad thing for a company trying to maintain 80% market share. Standards provide interoperability, which gives users choice. What vendor wants users to have choice? The only choice a gorilla wants the user to make is whether to finance a multi-million dollar purchase or buy it outright. Certainly not about whether to use competing products.

So what does the gorilla do? They change the discussion. They say they're working with the IETF - the only "real" standards body. That means they'll get a standard in 5 years when the market has matured and the gorilla has 80% market share. Perfect. That's not good enough for those folks wanting "interoperability." Fine, so they cut a deal with another gorilla to provide a visage of interoperability knowing full well the other gorilla won't have a product for 12-18 months, so they've got zero risk there. Of course I'm talking about the Cisco and Microsoft NAC/NAP announcement (here and here).

But if you are a customer, do you care? I think not. Everybody cries about vendor lock-in, but I think this is a red herring pro-offered by vendors who are outside looking in. Actually, large enterprises are sensitive to lock-in. They end up locked-in anyway, but they don't like it. So these folks would like standards. Enough to buy another product? Probably not. But that's maybe the largest couple thousand customers out there anyway. Fact is, large enterprise will be laggards in deploying NAC, there is too much upgrading and political maneuvering required

What about everyone else? The unFORTUNEate five MILLION? They don't care. All they want to do is solve the problem. Protect the critical resources and make sure folks on the network should be there. They already have a lot of Cisco gear. So if Cisco says they solve the problem, these customers are likely to believe it. It doesn't matter whether it's bullshit or not. The customer wants to believe, so they will.

Alan closes his post with the insightful statement that we'll see a standard when the market demands one. That is absolutely true. But I'm with the Cisco rep he talked to. It'll be a cold day in hell when customers care enough to force Cisco's hand on this one.

 

Access is Access is Access

Submitted by Mike Rothman on Fri, 2006-09-29 11:03.
::

One of the most interesting parts of my job is getting in front of folks and waxing poetically about the topic du jour. Most of the audience politely nods throughout the session, but I'm not sure if that's because they forgot to take their insulin that morning, had someone spike their coffee or whether they really actually agree with me. But more often than not, there is one in the crowd that wants to show everyone how smart they are.

Some speakers get pretty annoyed with these hecklers, but I kind of like it. First, they challenge my thinking and make me defend my position. There is no better way to figure out if you know what you are talking about than having to prove it to someone who disagrees. But sometimes these folks ask questions that make me connect a few dots that I either gloss over or didn't connect in the first place.

At the Interop session I did last week, I had one of these folks in the audience. He was actually on the cordial side, but by the end of the Q&A it was basically a conversation between me and him. The rest of the crowd was along for the ride. After I went through my NAC spiel, describing the three aspects of NAC (endpoint admission, access control, post-connect behavioral analysis) and how to bring it into a network, he asked how NAC and SSL VPN is going to come together, if at all.

This is something I had commented on before, but it had slipped my mind. I answered his question pretty simply. Access is Access is Access. Over time, we are not going to distinguish between what a SSL VPN box provides and what you'll get from NAC. For now, there is an artificial distinction because SSL VPN lives on the perimeter and most NAC solutions go on the internal network.

But as the external perimeters collapse and you deploy additional "perimeters" around key applications and resources, the distinction will fade. We are starting to see increasing noise around interoperability between SSL VPN and NAC. Juniper has put it's Neoteris gear on the PPT slide talking about its Infranet strategy. You also see Cisco's multi-purpose ASA box playing a role in their NAC architecture. And you see some business development deals happening, like between AEP and Lockdown (here).

You also have vendors formerly in the SSL VPN space looking to position themselves as NAC players. Off the top of my head, Caymas and Aventail come to mind. I'm sure there are more. And we'll inevitably see the NAC vendors look to play increasingly on the perimeter of the network. It's a logical extension of what they do and there is also a pretty significant SSL VPN budget to target.

One man's opinion is that the NAC vendors are far better positioned to swoop in on the SSL VPN market than vice-versa. Why? Because boxes that were originally architected to protect an access connection will have a hard time scaling to LAN speeds. It's like building a scooter and then having a product manager come up and say the machine needs to compete in Formula 1. Unless the box was designed to scale to gigabit speeds (and just happened to be positioned as a remote access product) this requires a brain transplant. Brain transplants are hard.

Ultimately from a customer's standpoint, it's about the policy. They want to be able to manage a consistent access policy across their entire network. Sure this sounds like utopia, but as you continue to have more mobile employees, increasing outsourcing, tighter business collaboration, what choice do you have? You can continue to manage different access environments, but there's no leverage in that.

Access is access is access. Remember that.

 

Inciting: Interop pitch on NAC

Submitted by Mike Rothman on Mon, 2006-09-18 09:00.

I'll be at Interop in NYC this week, so for any of you in New York or going to the show - let's meet up. I've got some time on Thursday, so let me know if you want to grab a cup of coffee and talk shop.

I'm speaking on Wednesday at 3:15 PM in a free session (meaning you don't have to pay the full freight to see the pitch) on NAC in a session presented by Nevis Networks. I'll be going into what NAC is, what it does, and how you should be introducing it into your network. Should be a good session.

Here are the specifics:
Demystifying NAC and Deploying the Right Solution - presented by Nevis Networks
NAC has taken the security industry by storm but what problems does it solve? In fact, what is "NAC"? This session will include results from a recent study that identifies the top NAC adoption drivers and will define 5 key criteria that encompass what a complete NAC solution should include. Attend this free session to learn more on how to sift through the confusion in the NAC market and make the right choices for your network.

The link is here: http://www.interop.com/newyork/event-highlights/free-sessions.php#1158724800

Hope to see you in NYC.

 

Inciting: SearchSecurity webcast - A Glimpse into the Future of Security-Enabled Networks

Submitted by Mike Rothman on Wed, 2006-08-16 15:54.

SearchSecurity has produced the second part of their Identity and Access Management school and I did a 45-minute webcast about the evolution of security and how it is increasingly being integrated into the network. Stiennon's SNF anyone? I talk about LAN security (which is a superset of NAC) and a number of security services where you get protected "in the cloud."

Here is the SearchSecurity description:

WEBCAST: A Glimpse Into the Future of Security-Enabled Networks

Through both vendor consolidation and evolution, security
capabilities are increasingly being woven into the network fabric,
but is this a good thing or does it undermine everything that you've
done over the past ten years? Attend this webcast and learn about:

** Three different future state of security scenarios including
network security remaining a best of breed function
** A network security architecture that provides better protection
for your company and secures your information
** How integrating security into you network can reduce costs and
save time
You can access the webcast here: http://searchsecurity.bitpipe.com/detail/RES/1155228297_93.html