Moderator-Julie
Welcome to Network World Chats. Our guest today is security guru Joel Snyder who is going to reveal "The Truth about NAC."
Joel will answer your questions about NAC, security, or anything else on your mind.
joel_snyder
Heya folks! Welcome to NAC-land.
arp
Can the NAC solution be deployed with a wireless access point from one vendor and a RADIUS server from another vendor? Or
is it an end-to-end solution? Thanks.
joel_snyder
Definitely you shouldn't be locked into a single vendor. Of course, this is going to depend on the choice of NAC solution,
but in our test lab we use Aruba and Airespace (cough cough) Cisco wireless stuff, and have great success with other policy
decision point vendors, including Microsoft and Juniper. I don't see a huge requirement to get it all from a single vendor,
and, in fact, with the exception of Cisco, I don't think that any NAC vendor really covers both wireless and the PDP (RADIUS)
side. So multi-vendor is very much a reality. You're not from Cisco, are you? :-)
Moderator-Julie
PRE-SUBMITTED QUESTION: What's the biggest shortcoming you see with NAC implementations?
joel_snyder
That's hard to say. I think that the lack of standardization of NAC approaches and strategies is really holding us back. We
want to have different products for different requirements, but NAC products are so different across the board that it makes
it difficult for people to know what will solve their needs. You have to be a product evaluation guru just to understand some
of the subtle differences between these products. I think that this will shake out over time, but if you look at Mandy's test a few weeks ago, you'll see that she got really different products with really different designs. This makes it hard to know
what's right for you.
amiller219
What is the biggest barrier to implementation in your opinion, e.g. price, complexity, infrastructure changes, etc.?
joel_snyder
Organizational. NAC requires three teams to play ball together: the desktop folks, the security folks, and the network folks.
If they can't all agree on what they want to do and why, it's destined to fail. Deal with the politics, and all other problems
become trivial.
Grumpynettech
What do you see as good aspects of NAC from a wireless client (.1x), wireless (general user), verses wired access and also
for guest and / or vendor? What remediation / inspection should we be able to perform or expect to be able to perform?
joel_snyder
Well, it all depends (I hate it when people say that). I think that NAC for the "local" user (someone in your domain, like
your employees) should be doing a lot of self-remediation--not just throwing a pop-up box. For guest users, I don't see NAC
as having a lot of remediation capabilities. Are you really expecting people to download random software and install it just
to read their e-mail? I guess some do, but generally I think of NAC/guest as being remediation-free and focus on partitioning
users and protecting things.
JMS-Maine
Joel, what are your thoughts about in-band versus out-of-band NAC solutions (pro's/con's each way)? Softball, but what the
heck...
joel_snyder
I'll have to throw a definition here, and see if you agree: in-band I think of as a box, like maybe a Vernier / Consentry
/ Nevis or even Cisco CCA (in in-line mode, which is one option), which controls all access. Out-of-band is what I like to
call "edge enforcement," more 802.1X-y. Hybrid is more half-way, like Lockd Down or CCA in that mode. Anyway, given those
definitions: edge is really where I think we want to go for big enterprise deployments. It scales, it handles the load, and
it doesn't depend on a single point to do enforcement. In-band I think of more for the occasional guest access -- drop one
of those boxes in between your guests and let it handle that load. BAM, problem solved, that was easy, etc. Of course, that
doesn't mean that the in-band guys can't handle the load, but you really want to aim for edge enforcement if it fits, and
go for in-band if it doesn't. And there are zillions of places where in-band fits better.
RRR
But isn't the scaling excuse just another way of saying that the current NAC technology will just be replaced in a couple
of years by in-band appliances?
joel_snyder
Hmmm. It depends on your definition of "in-band appliances." I think that firewall-to-the-port is what will happen in a couple
of years, where a "couple" is probably more like a decade. How long will it take for that kind of brainpower and speed to
move to the switch port? Hard to say, but certainly that's what I would like to see happen.
Jeff_Caruso
Should users hold off on implementing any particular NAC until the vendors sort it all out?
joel_snyder
Of course not. You need to buy, buy, buy, so those poor guys can keep up payments on their Boxsters. No, seriously, though,
you can solve a lot of point problems with current solutions today and look to the future for better solutions with wider
scope. I see a lot of people with "pain points" that need solutions -- they should be going for something today. And, a little
experience today will help you pick the right solution tomorrow. Should you buy a NAC solution for 50,000 enterprise users
on a Windows domain in 30 buildings? Well, I'd do a test rollout for a while first if I were you.
taco2
Joel, what do you see as the challenges with Cisco's NAC Appliance?
joel_snyder
Honestly, I can't answer that one very well because I haven't had it in my lab. Mandy dissected it (here too) and Cisco got all pissed off in her test on NWW, but honestly I don't have a strong opinion about it. It's been a long time
since I had it in my lab, and I don't like to offer opinions until I've got the boxes under my belt.
ServerGuy42
Hi Joel - I'm studying for my CCNA and also want to move into wireless and NAC. What steps should I take to get more knowledge
about this topic?
joel_snyder
Well, 802.1X is something you really need to understand. I would make sure I really "got that" to know NAC and the pros/cons
of that approach (and there are both!). I'd also config up 802.1X on a switch and do some testing to be sure you know what's
easy and what's hard -- there's a WHOLE PILE OF FUD about that.
Comments (4)
RE: With NAC, small vendors rule, expert says
By Mel Morris on November 2, 2007, 8:56 pm
Firstly, congrats on a first class Q&A of NAC. Picking up on Joel Snyder's NAC's inability to measure if a client is infected or not I wonder if our eSAC technology...
Better NAC or Better Personal Security Software?
By Dana Hendrickson on November 3, 2007, 8:04 pm
Mel, You raise a fundamental and perhaps curious question. Network Admission Control ("small NAC") is designed to ensure the personal security software operating...
At last
By tuomoks on November 4, 2007, 12:37 am
At last a rational Q&A of NAC, thank you! Joel, nice work. NAC is one very important part of security but there is not as much new as people think. And, as much...
NAC: Plugins To Leverage MultiVendor Detection/Remediation
By Mel Morris on November 5, 2007, 11:43 am
Dana, NAC Plugins To Leverage MultiVendor Detection/Remediation. I believe there is a fundamental weakness in the concept of any one vendor supplying an enterprise...