Security guru Joel Snyder from Opus One recently starred as the guest of a live Network World chat where he discussed the state of network access control. Snyder says that Microsoft is emerging as one of the clear winners of NAC, but that Microsoft's technology is a foundation from which to build, not an end-all. He also says that those who are anti-NAC simply don't understand the technology. He answered a slew of technical questions from attendees including why ACLs are better than VLANs, the dirty dark corner of NAC (management) and the how and why of 802.1X. What follows is a full transcript.
Moderator-Keith: Please welcome security guru Joel Snyder, a senior partner with consulting firm Opus One from Tucson, Ariz., and member of the Network World Lab Alliance. Today's chat will focus on the facts and fictions about NAC, answering questions about what NAC products can and cannot do, including integration with wireless, technology shortcomings, plug-ins and more.
Joel_Snyder: Keith, it's great to be here!
Moderator-Julie: While waiting for Joel to type up answers to the first questions rolling in, here's a pre-submitted question: You just got back from Interop Labs with a lot of NAC testing. What are the most interesting things you learned?
Joel_Snyder: Thanks for asking! I'll put in a pitch for the Interop Labs NAC resource Web site (http://www.opus1.com/nac/). That has a bunch of our white papers (about 13 of them), all of our device configurations, classes on NAC, and basically about 90 MB of stuff that we've gathered and learned about NAC. The really interesting thing we noticed is that things are finally beginning to converge. We ran a nice little graphic (click on the "Click to see" diagram) in NWW last week talking about the family trees, and the key is that people seem to be willing to let Microsoft take a leading role in NAC. So we really focused on that: what comes built-in with XP SP3 and Vista? And then how do you extend things if you don't like what's built-in? We definitely had other policy decision points besides MS NPS---Cisco, Avenda Systems, Juniper, and Radiator, plus FreeRADIUS sort-of. Even on the client side, there are interesting things. For example, you can add more system health agents/verifiers, or you can go for other supplicants, or you can do non-Windows or pre-XPSP3 operating systems, or you can worry about other devices, like cameras and VoIP phones and printers. What we ended up with was about a dozen demonstrations, all showing what you need for a complete NAC solution. And it really focused on "let's start with Microsoft and work out from there." Much more satisfying than trying to have three silos like we've done in the past that don't work together. [Editor's note: Also check out Network World's NAC Buyer's Guide which compares dozens of NAC products.]
Brian: I've been asked to investigate .1x for port-based authentication. I have reservations recommending this for production use because of the mixed clients on our 1,000-node LAN (Macs running 10.4 and 10.5, PCs with Windows 95 to Vista). I think support would turn into a nightmare, plus I don't know of anyone using .1x. What are your thoughts?
Joel_Snyder: I hear you. 802.1X is outstanding technology, but you do have to have client support. Macs 10.4/10.5 are no problem - it's all built-in. For Windows, though, you're going to be restricted to Win 2000 SP3 and later. Of course, the Juniper guys are going to say you should go with Odyssey, which has a unified experience and supports earlier Windows versions and is great stuff and I can vote for that as well. Support nightmare? Hard to say. I'm of the belief that once you work through the initial problems, you end up having lower support calls. It's going to depend on what your environment is. If you're talking an education market, that's one thing. If you're talking an enterprise, I think it's manageable.
By the way, it's 802.1X, not 802.1x. Common mistake but if you use the upper-case version you'll have the l33t privilege of correcting some of your vendors, too.
fyatim: We have seen some consolidation in the NAC space. Can you provide an update on the NAC market and where it's heading?
Joel_Snyder: Towards Microsoft, for sure. The key is that the desktop is EVERYTHING and Microsoft is making the right noises about standards and openness and making things work in the big picture. So we have already seen Microsoft and the Trusted Computing Group (TCG) get together, and I think it's only a matter of time before we also see the other vendors like Cisco at least have a good accommodation of the Microsoft Network Access Protection (NAP) framework.
RalphSam2: I work for a large company. We have about 30K employees in 500 sites across North America. Management wants to see centralized NAC. All product evaluations are going badly. What is good for large site (more than 1,000 people) is not good for small sites (less than 10). What should we do?
Joel_Snyder: Well, boy, that's a softball. Of course, you should hire Opus One to help :-) But really, I think that you need to step back and figure out what it is that you care about MOST in your NAC deployment. Are you doing this for access control? For endpoint security? You have to narrow down what it is you want and then you can put together a solution that will work based on your requirements. I agree that there is no single universal answer, but I think that if designed correctly, you can do it. What we saw at Interop was the ability to move from VLANs (which definitely won't work at small sites) up to Access Control Lists (ACLs), which work and scale beautifully. If you haven't gone down that path, I'd suggest thinking in those terms. A lot of little guys are fixated on VLANs, which just don't scale.
shelly: Can you say more about why you think ACLs are better/more scalable than VLANs for network access control? It seems to me that ACLs can get very large if your network isn't easily summarizable. How do you choose between them?
Joel_Snyder: Good question and thanks! The deal with VLANs that I don't like is that we have already burned them in most networks. We're using them for other things, and making changes to the VLAN infrastructure is hard unless you have a green-field network, which no one does. However, with ACLs, you can push onto the EXISTING VLAN structure and not have to screw with it. This also solves the hand-waving problem of getting people to jump around VLANs as they go into and out of quarantine, which (as a Mac user) I really feel for. Very true that the ACLs can get ugly, but I am thinking that you aren't going for total control at the port level, but broad swaths of control. If you want LOTS of ACLs, then you need to go with specialized hardware: Consentry, Nevis, and I think that HP is talking that talk as well. I'm really bullish on ACLs now that Interop's Labs helped prove that they work. We're talking about anterior cruciate ligaments here, right?
Tom2342: Since the NAP client from Microsoft alone doesn't offer anywhere near the amount of endpoint data that some other vendors' NAC clients offer, why would you want to bother with it at all?
Joel_Snyder: Dude. The NAP client is just a base. You don't just do everything that Microsoft says, right? They provide a great base and you build on top of that to meet your needs. If you're a small site, you stick with them, but if you have Symantec, then you layer their SEP11 on top of that using the NAP SHA/SHV. If you have McAfee, same deal. Sophos, same deal. We tested Avenda and Blue Ridge as well in the labs, all sitting on top of NAP. The reason you START with Microsoft is that they know more about their own O/S than anyone else, so that is going to maximize the ability to interoperate. And then you take your preferred endpoint security partner and put it on top using the SHA/SHV model. It is totally clean and totally extensible.
Moderator-Julie: Pre-submitted question: TCG/TNC just announced IF-MAP. What's that all about and what do you think of it? [Editor's note: TCG's NAC scheme is called Trusted Network Connect (TNC).]
Joel_Snyder: IF-MAP is very cool. We were lucky because TCG gave us advance access under NDA and we were able to get a white paper out on it at the same instant that it was announced. Talk about a scoop! Anyway, IF-MAP is all about having a structured way to store, correlate, and retrieve identity, access control, and security posture information about users and devices on a network. The cool thing about IF-MAP is that it's not just for NAC, although that's a first step. It's a way to finally bring together a whole world of policy and status information that just has been totally proprietary or even un-doable in the past.
I am totally stoked about IF-MAP because I think that this has been one of the main things missing from standards-based NAC and it closes a huge hole. I hope that we get great adoption. The TNC guys seem to have about a half-dozen vendors all already including IF-MAP in their products that they were demoing in their booth at Interop. Aruba, ArcSight, Juniper, Lumeta, nSolutions, Infoblox were all doing the demos.
RandyJ: I am looking to implement NAC next year on our campus. We are a wireless campus with some wired. I have talked to a lot of different vendors. What are the top two companies you would recommend, and why?
Joel_Snyder: Well, it depends, which one is buying you lunch? Honestly, though, I can't answer that very easily without knowing exactly what you're trying to accomplish. The obvious answer is Bradford, because they understand and do education better than anyone else (in my testing, anyway). They are built around education issues, so that's going to be well suited. From there, it's hard to say. I'd look to see what other partners you have good relationships with and see if they can meet your needs. In other words, if you're an Enterasys shop, go talk to them. Foundry, etc.
Leo: Can you comment on the relationship between Microsoft and Cisco on NAC now and project it in the future? Truly cooperative and division of labor? Or collision ahead?
Joel_Snyder: Hard to say. There are a lot of personalities involved. I'd say that right now we've got two titans who are hard-pressed to cooperate trying to figure out a modus vivendi. Even if there is a lot of joy together, it is inevitable that Microsoft and Cisco will have different interests in the long run. I don't see a big collision, because Microsoft's primary interest is in the desktop and Cisco has no intention of competing there. Things like NPS might go by the wayside as Cisco readies new versions of their NAC management solution and completely re-architects ACS and the CCA stuff. What I personally see is that Cisco owns 74% of the switch market and Microsoft owns 95% (or more) of the desktop market and that's not going to change too much in the long run. So I would look to Cisco for leadership in the areas that they are strong: switching, wiring closets, etc., and Microsoft for leadership in the areas that they are absolutely top in: desktop. Having either cross into the other's territory seems like danger.
WillBean11: The title of the chat is 'fact and fiction,' so what are some of the 'fictions' surrounding NAC that we should be aware of?
Joel_Snyder: Oh, good question. What are the top myths about NAC? How about that it's all about end-point security? We have some luminaries on our own staff who seem confused about that. NAC is about ACCESS CONTROL and NETWORKS, and USER FOCUS. That's the biggest confusion. Another one: that a NAC product solves your needs. I haven't seen a network larger than 100 devices where a single vendor solution answered all problems. Let me see if I can think up more as we go along...
Moderator-Julie: I think you are referring to Rich Stiennon in his Stiennon on Security blog. He called it: "Don't even bother investing in Network Admission Control" where he did a big NAC attack. Got any response?
Joel_Snyder: I think that Rich is a pretty bright guy, but a lot of his thinking about NAC is colored by a bit of tunnel-vision about what NAC is good for. He's really focusing on the end-point security stuff, and his comments in that area are pretty solid. But he's very lost when it comes to the big picture, because he's not thinking of NAC except through this very narrow view. If you really step back and understand what NAC is all about, then you see that Rich is focusing on about 1/4 of the solution. I don't think that he's intentionally misleading anyone; he just has a definition of NAC which is really restrictive and not at all in concert with what the rest of the NAC world believes in.
Ricky: What are your suggestions for handling non-Windows machines, or "non-OS" devices altogether - e.g. IP phones, cameras, medical devices, etc.?