It was kind of like reading a review on The best Italian restaurants in America only to find out that the winner was chosen because they also served Indian and Thai food. Hmmm?
Being that I authored the book on Cisco NAC Appliance (NACA), I take a personal interest in analyzing any bake-off results dealing with NAC products. I am sure my comments will be controversial (oh well), and this response is my personal response, not that of my employer. Thus, here is my personal analysis of Network World’s NAC test results.
If you haven’t seen the test yet go here: http://www.networkworld.com/reviews/2007/073007-test-nac-main.html.
Bottom line is that this test ranked NAC “god box features” way above real world customer NAC requirements. It seems that the test was really about finding the NAC vendors who stuffed the most widgets into a single box and called it NAC, rather than finding the NAC vendors that excel at performing the commonly accepted NAC functions: authentication, posture assessment, quarantine, remediation, and reporting.
First, let’s start with their overall vendor ranking results. They ranked Symantec on top and Cisco NACA almost at the bottom. This result just doesn’t add up with the other industry data, reviews or customer surveys out there. For example, NACA won the 2007 product GOLD award at searchnetworking.com (see here http://searchnetworking.techtarget.com/productsOfTheYearWinner/0,296407,sid7_gci1244774_tax306254_ayr2007,00.html ). Symantec wasn’t even a finalist. And if you look at customer satisfaction surveys or poll data, Cisco’s solution consistently ranks above the others (see here http://www.networkcomputing.com/galleries/showImage.jhtml?galleryID=17&imageID=4&articleID=199201086 and here http://www.networkcomputing.com/showArticle.jhtml?articleID=199204304&pgno=7 ).
And finally, Cisco’s NAC Appliance holds a commanding 47% market share in the cluttered NAC space. So I ask you, are that many customers making horrid buying decisions? The NW NAC test results ask us to believe that they are. However, when we look at customer satisfaction ratings for NAC Appliance we just don’t see this; in fact, we see the opposite. In general, customers are happy with the Cisco NAC solution.
Second, let’s analyze the scoring criteria the NW test relied on. The test weighted authentication less than endpoint security posture. But wait, the endpoint posture checking process depends on the authentication process to tell it what checks it should perform. In fact, almost every NAC process relies on data gathered during the initial authentication process. Without a rock solid authentication foundation on which to build, all other NAC features will suffer. Additionally, a majority of customers consider the ability to enforce user authentication at the network layer to be the most compelling reason to implement a NAC solution.
The NW NAC test criteria didn’t focus on real world customer requirements for NAC solutions. Top of mind issues that drive the need for NAC, like controlling guest access, non-corporate owned PCs, contractors, and rogue devices (like APs), weren’t addressed in any meaningful way. Additionally, the effectiveness of dealing with non-user devices, like IP Phones, was given only passing consideration in the test.
Third, let’s analyze the test bed topology itself. The only deployment method used in the test was inline deployment. Again, real world considerations were not taken into account here. The easiest path, not the most likely path, was taken. Most customers do not want to deploy NAC inline in a LAN environment due to performance and high-availability concerns, among others. If given the choice, almost all customers would choose an out-of-band solution for wired ports. The NW NAC test doesn’t mention OOB results because they were not tested; in fact, they call out-of-band a controversial option. Huh?? If OOB options had been tested, I guarantee you that all of the 802.1x solutions would have performed less than admirably. Deploying 802.1x for wired is riddled with issues on all sides: the client supplicant, the switches that need to support it, guest access support, non-dot1x enabled client support, certificates, OS support; the list goes on and on. Can it be done? Yes, but it is a huge undertaking with many caveats, and the omission of this info from the test docs is telling. Cisco NAC Appliance should have gotten points just for its ability to deploy OOB without the need for 802.1x!
Using OOB can reduce the cost of deployments by requiring fewer servers.
Fourth, where was the focus on remediation at the host? I felt that very little weight or focus was put on the NAC solution’s ability to remediate the issues a posture assessment found. This is a critical piece in the real world. A poor remediation solution results in increased, not fewer, help desk calls. Simply stating that a vendor can provide a link, launch a program, etc. is not enough information. More should be said regarding how that information is presented to the user and how it integrates with 3rd party apps like AV, AS, and WSUS.
My final point is that the review failed to focus on, or score, the deployment options available, their functionality, and their ease of use. Most customers ask for and make buying decisions on a NAC solution’s deployment flexibility, functionality, and ease of use.
Here are a couple of the things that the NW test team reported incorrectly in their results write-up of Cisco NAC Appliance:
Cisco doesn’t even have a dissolvable agent yet. It’s just hearsay and a feature on our future roadmap. Could it be that Cisco’s NAC was never really tested fully? Could it be that Cisco’s configuration and marketing material were heavily relied on for their results? Who knows.
I realize that this is the NAC test reviewer’s first article on NAC and one of her first product review articles in general, but still the review lacks the real world criteria and testing results that NW readers and NAC customers really need. NAC is not supposed to be, nor was ever intended to be, a do everything “god box” single vendor solution. Basing a NAC product review with that as the overriding theme makes the results fatally flawed in my opinion. What do you say?
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
Reality based reviews
Your commentary on the review is very welcome to this reader. Published reviews of products that do not accurately reflect the reality of customer requirements always concern me.
While reviews are useful as a tool, there is often no forum for rebuttal. It is very refreshing to read a response from someone with obvious expertise. I applaud your efforts.
Thanks.
Cisco sells 40-65% just
Cisco sells 40-65% just because they are deployed at 60% + Enterprises.
The test was well conducted and documented. Yes, Sygate (Symantec) does indeed have a good product.
Interesting, albeit common viewpoint
Of course I hear this excuse all the time from small vendors trying to make a go of it. Trying to spin a large market share into something negative is counter-intuitive. Yet, people try. Let's break this comment down to what the reader might really mean. This could be a good thing, customers who buy Cisco like the company and its products so continue to choose Cisco for other products. Or it could be a bad thing, the reader might think that Cisco customers are followers with no judgement and automatically pick Cisco for all products just because of the brand recognition. Now that is a leap! Or it could be what I think is the reality, customers buy based on initiative and budgets are allocated accordingly. All IT budgets are not related. Customers evaluate multiple vendors for each initiative they have and choose the one that fits best in their environment.
Buck up and move on
Jamey, while I agree that the NAC review left some things to be desired, I have to disagree with many of your conclusions. I have responded fully to your points on my blog here
not taking the bait
But it is good to see that you agree with my conclusion that this test was horrid. The fact that you had to resort to personal attacks to get your point across puts you in the amateur/wannabe category however. Do your kids read your blog attacks? Is this how you do marketing for your NAC product? Buck up and spend some marketing dollars, oh you don't have any dollars? Then go dupe some customers to buy it already.
talk about personal
Jamey, my kids don't read my blog and I hope they don't grow up to be IT folks ;-) That being said, we spend our money on marketing, I use my blog to espouse my views. It was not a personal attack on you, I am just saying you came across as very whiny. I think you fail to recognize that the market view of what NAC is and does has moved beyond what it was when you bought Perfigo years ago. It took us a while to recognize as well, but being a smaller company we are just more nimble. I guess not nimble enough to please the reviewer here but so it goes. I think the network world people were clear enough about what they were testing, it sounds like perhaps you were not involved in that though.
Sorry you have such thin skin and you took this so hard, but if you get a chance check out our product and you will see we have done fairly well in most NAC reviews and don't need me to resort to personal attacks. I just call them as I see them.
NW Readers Deserve Better Product Evaluations
In my blog I not only pointed out why I feel the Network World NAC review is misleading, I also recommended a number of corrective actions that I hope Network Computing will consider when NC conducts its upcoming NAC product evaluations. So I will not repeat those thoughts here.
I do want to add two ideas. #1: Reviewers should aggressively seek vendor input in the design of product tests as vendors have the most experience with real-world use cases. Those frames-of-reference are valuable to readers. #2: Reviewers should encourage vendors to publicly discuss a reviewer's test objectives, set-ups, results and "findings" because vendor comments and rigorous debate would expose readers to more practical information about NAC issues and trade-offs. Plus, vendors would have an opportunity to express their views about product evaluations without seemingly "whining" about some form of mistreatment.
Reviewers should create a legitimate forum for this type of idea exchange as it serves everyone’s interests – especially the reader’s. Yes, this forum could facilitate vendor shouting matches but do not underestimate your readers. They can judge facts and behavior.
I call BS on marketshare
I've been in the field many years and for some of them in the security space. Your comment about your marketshare is wrong. You may have "47%", but customers are not buying your solution - it is being given away by Cisco salespeople to help close deals. This is such a well-known common Cisco sales tactic - give away a technology as part of a larger deal - especially in an emerging discipline or with an inadequate product. It's been done for years and I doubt that will change anytime soon.
So I'd ask you how many of those "47% marketshare" customers are actually using it, let alone successfully and fully deployed?
I double down on your predictable response
There is always one. Uh, market share analysis is based on product bookings and revenue in the specific space that is being analyzed like NAC. If a company gave products away they cannot show up in market share numbers. A company (a public company anyway) cannot report a marketshare number that is based on free gear. Is this the excuse you use to explain to your boss why you continually lose to Cisco? Not sure how to respond to so qualified an individual as yourself, Mr. "experienced field rep" but I'll try. Again, this is a common response I hear from competitors on why they lose against Cisco, "Cisco just gives everything away." Hmmm. Have you read our financial results from last year, our margin for example. Cisco doesn't give things away, in fact they usually charge a premium. Our security sales team are goaled only on selling security products, not any other products. This sales force would be up in arms if deals were going down with free security gear in them. BTW, what benefit does Cisco get from giving away gear to customers? Don't confuse bundling security in with other gear, with Cisco giving stuff away.
I see your double down and raise you
Jamey
your comments leave me wondering how many Cisco NAC sales you have been involved in. If you want me to, I can name at least a half dozen accounts where the Cisco NAC appliance was discounted down to near nothing in a Cisco only shop and wrapped up with a switch buy or to keep another vendor out. We partner and OEM with several switch vendors and I am seeing this first hand every single day.