Alright I will take the bait. I am a sucker for a good troll. :-) Alan Shimel, chief blogger for NAC provider StillSecure, came away from RSA pretty upbeat about the prospects for NAC. His likening me to the Grinch refers to my frequent cries of protest that NAC is worthless. I guess he is afraid that I will ruin the Christmas morning pay off that the NAC vendors hope for.
First the background: NAC of course was a concept invented by Cisco's marketing department in 2003 to counter a problem caused by RPC DCOM based worms such as MSBlaster. Even organizations with great firewalls and desktop security were getting damaged by infected laptops brought into work. The concept was simple: have the network inspect those laptops to see if they were properly configured with software updates and virus signature updates before letting them on the network. That is Network Admission Control, and as Shimel points out it is rather hard to accomplish. Most of the NAC players changed their approach and marketing so that "Admission Control" morphed into "Access Control". Don't get me wrong, I have been a huge proponent of user access control ever since being exposed to Enterasys Networks' concept of identity based networking. You have to restrict an end user's access to applications, data, and portions of the network to protect yourself against the insider threat.
Like Shimel at RSA I met with a bunch of so-called NAC vendors. There was at least one there that was downright depressed. You could tell they were the next LockDown. I won't mention which vendor because I would hate to be accused of hurrying their demise. I then met with the firm that my buddies at Gartner use as an example of NAC getting traction. (Sorry Alan, it was not StillSecure.) After spending a year in the UTM space, which is already pushing $500 million/year by one measurement, it was like putting on magnifying spectacles to evaluate their business: 40 employees, a few tens of $millions in revenue and a whole lot of excitement about the education market.
NAC was created to solve the problem of users bringing infected laptops on to the network. And that is why there is no large market for NAC. For every type of organization, other than higher-ed, technologies are already being deployed that solve the problem. To wit: patch control, desktop protection, and internal network segmentation.
I am sorry, Alan, NAC is not a viable business model for a vendor, and for the enterprise it is added complexity and cost that reduces network access while doing nothing for enhanced security. Not a security solution? How can I say that? Easy:
1. NAC does nothing to stop the malicious user with a clean computer from having their way with your network.
2. A zero-day infection will infect properly configured machines with up-to-date signatures.
3. NAC violates Stiennon's first and only rule of network security: "Thou shalt not trust an end point to report its own state." Just as IP addresses and MAC addresses are spoofed regularly by hackers, machine state can be spoofed.
NAC is a great enforcement tool when you have a body of users that descend on your network every semester with out-of-date machines from multiple vendors, with multiple OSes, and you can deny them access until they are up to snuff. That is the only place that model works. And even at universities I believe they will eventually figure out that it would be a lot simpler to manage network security effectively than to worry about desktop configuration all the time.
Put it this way: Can you secure your network without NAC? Yes. Does NAC in any way reduce your overall costs? No. Does NAC tie you down to one vendor's ecosystem? Yes, if you go down the Cisco, Juniper, or Microsoft route. Does NAC make you more secure? No.
Then why would you invest in NAC?
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
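The post's third point, that a posture check built on the endpoint's own report can be satisfied by an endpoint that simply lies, is easy to see in code. The following is an added illustration, not code from the post, from StillSecure, or from any NAC vendor; the policy fields, the report format, the dates and the "independent probe" are all constructed for the example and stand in for whatever a real product would use.

```python
"""Toy model of a NAC posture check.

Two agents run on the same out-of-date host: one reports what it sees,
one has been modified (by the user, or by malware) to always claim
compliance. The NAC server evaluates policy over whatever it is sent.
All names, fields and dates are constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class HostState:
    """The machine's real state, i.e. what an honest agent would observe."""
    hostname: str
    patch_level: int      # constructed: a monotonically increasing patch baseline
    av_sig_date: date     # date of the installed AV signature set
    av_running: bool


@dataclass(frozen=True)
class Policy:
    """Constructed admission policy: minimum patch baseline, max signature age."""
    min_patch_level: int
    max_sig_age_days: int
    require_av: bool = True


def honest_agent(host: HostState) -> dict:
    """Agent that faithfully reports the host's state."""
    return {
        "hostname": host.hostname,
        "patch_level": host.patch_level,
        "av_sig_date": host.av_sig_date.isoformat(),
        "av_running": host.av_running,
    }


def lying_agent(host: HostState, policy: Policy, today: date) -> dict:
    """Agent that forges a compliant report. It never changes the host;
    it only changes what the host says about itself."""
    return {
        "hostname": host.hostname,
        "patch_level": policy.min_patch_level,
        "av_sig_date": today.isoformat(),
        "av_running": True,
    }


def admit_from_report(report: dict, policy: Policy, today: date) -> bool:
    """The NAC server's decision, made purely from the endpoint's self-report."""
    sig_age = (today - date.fromisoformat(report["av_sig_date"])).days
    return (
        report["patch_level"] >= policy.min_patch_level
        and sig_age <= policy.max_sig_age_days
        and (report["av_running"] or not policy.require_av)
    )


def admit_from_probe(host: HostState, policy: Policy, today: date) -> bool:
    """Decision from an independent, network-side look at the host.

    Assumption for the example: the probe sees the real HostState rather
    than asking the agent (think of an authenticated scan from the network).
    Real probes have their own limits; the point is only that they do not
    depend on the endpoint's word.
    """
    return admit_from_report(honest_agent(host), policy, today)


def run_demo() -> dict:
    """Run the three cases the post describes and return the decisions."""
    today = date(2007, 2, 15)                       # constructed date
    policy = Policy(min_patch_level=7, max_sig_age_days=7)

    stale = HostState("laptop-17", patch_level=5,
                      av_sig_date=date(2007, 1, 1), av_running=True)
    clean = HostState("laptop-42", patch_level=7,
                      av_sig_date=today, av_running=True)

    return {
        # Out-of-date laptop, honest agent: NAC does its job.
        "stale_honest": admit_from_report(honest_agent(stale), policy, today),
        # Same laptop, forged report: the self-report check waves it through.
        "stale_lying": admit_from_report(lying_agent(stale, policy, today), policy, today),
        # Same laptop, checked without trusting the agent: caught.
        "stale_probed": admit_from_probe(stale, policy, today),
        # Fully compliant machine: admitted whatever its operator intends (point 1).
        "clean_honest": admit_from_report(honest_agent(clean), policy, today),
    }


if __name__ == "__main__":
    for case, admitted in run_demo().items():
        print(f"{case:13s} -> {'ADMIT' if admitted else 'DENY'}")
```

The forged report is indistinguishable from an honest one at the server, which is the whole of point 3; the compliant-but-malicious machine in the last case is point 1. The only decision that holds up for the stale host is the one that does not consult the endpoint at all.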
Impedance mismatch
As Stiennon correctly points out, the NAC approach is nearly valueless for improving internal network security (defined as keeping the bad guys out, letting the good guys in, and exposing all the access decisions to the corporate governance structure).
Under the best of circumstances, traditional NAC has some value at the network edge, where identity-based access decisions can be made.
Even here, there is a serious impedance mismatch. First, it's far too coarse-grained an approach to meet the needs of larger organizations that often need to control access to resources down to the level of individual database columns. Second, and more importantly, the wrong people are doing the work.
Traditional NAC has to be managed by the same people who deal with the switching and routing infrastructure. But in reality, access-control decisions are reflections of business policy, not network policy. You end up with long chains of cumbersome workflow and, of course, widespread circumvention of the controls.
What's really needed is a full-stack, network-resident solution that combines access to authenticators and, crucially, authorizers with end-to-end encrypted channels between end-points. This must be deployed pervasively in an enterprise network and not just at the network edge. There is some value in a hybrid approach that exposes resource (server) endpoints to such a combined solution as well.
But trying to do it all in the layer-2 infrastructure just won't meet the larger business needs.
I think the purpose of NAC
I think the purpose of NAC has been misinterpreted here, possibly due to over marketing, but anyway here is my view on the subject:
NAC is a tool to aid best practices, not a complete network security solution. Its purpose is to provide a best-effort system of keeping the network clean. Obviously hosts and endpoints can spoof their status, but that is what HIPS are there to prevent.
I do not see why an intentionally malicious user would even need to spoof anything; they can just make sure that their machine is up to date and complies with the NAC policy, and still perform whatever attack they wish.
NAC prevents unintentional introductions of malware to the network, and until we start to see malware that auto-spoofs NAC responses itself, I think that it does a pretty damn good job.
Whether it's perfect isn't the right question
I was just commenting in a recent blog posting (http://main.blogs.encompassus.org/?p=41) that NAC (among other solutions) has some shortcomings. There's stuff it'll miss. I agree with you there.
However, the key question isn't whether any particular solution solves all your IT security problems while costing you no money and universally working well with every past and future IT product. All security solutions have a non-zero TCO. All of them raise potential compatibility issues with other products. All of them have failure scenarios.
The key question is the difference it makes in having it vs. not having it. You're more secure if it would have blocked an attack that would have been allowed otherwise. You're more secure if it would have detected a breach earlier. You're less secure if it would enable attacks you would have blocked otherwise, but I don't see NAC doing that.
Then, once you've established that a given solution produces a net gain in security, you can pursue TCO questions, flexibility, and all the usual things you want from your IT environment.
I agree in principle
Your comments hold true when evaluating a particular security solution. However, I would argue there are some things you can do that make you more secure while costing you less.
Two come to mind. First, outsourcing. There are scenarios where managed security costs less overall and provides better coverage.
UTM. Imagine a company that has Checkpoint Firewalls, SourceFire IDS, Tippingpoint IPS, Trend AV, and Websense URL filtering. In many cases they can save piles of money in annual renewals and personnel by dumping all those vendors and installing Fortinet (or some other ASIC accelerated hardware platform supported by home grown AV, spam, and URL research). And I would argue that security is improved because of centralized management, reporting, and training.
I think the main problem
I think the main problem with the blogger's post is the implication that NAC fails as a security solution because he expects it to be a complete security solution. A layered security approach is the best approach for securing networks and their attached resources and data. NAC is a method, but not the only one, I'll agree, to prevent an infected machine from causing denial of service or compromising data. Of course there are ways around most NAC solutions, but that is not the point; there are ways around any security implementation. The basic axiom of security: the only fully secured machine is one off the network, in a locked room, turned off, with lead shielding.
Should I trust that a Microsoft machine has all of its patches up to date as my method of verifying machine posture? Here you propose exactly what you argue against: having the machine itself report its posture. What if a flaw is discovered and exploited in the update process itself? Besides, most NAC implementations do not just rely on machine reporting (Nessus scans, for example).
Bottom line, NAC is extremely useful as one layer in a tiered defense scheme. If you're looking for a complete single network security solution, good luck, and I hope you have a lot of patience. If you have found such a tool/method, please enlighten the world as to what this Holy Grail of information technology security is...
Sorry
I don't buy it. Yes, you need multiple layers of security, but just adding layers does not make you more secure. I can show you an architecture that is as secure as possible and totally excludes NAC.
My "holy grail" solution I call Secure Network Fabric. It does not exist today, but you can put it together with a multi-vendor solution.
SNF = NAC
You are aware that there are a number of NAC products, like CounterACT, that do EXACTLY what you describe in your Secure Network Fabric model right? The only difference I can think of is NetFlow vs. other network probes (most firewalls, etc. don't support NetFlow).
The bottom line is that NAC
The bottom line is that NAC was an ingenious Cisco marketing creation to get companies to upgrade their infrastructures sooner.
Sorry Alan, all those third party NAC solutions fall into the "nice to have" budget and I've yet to see one work particularly well. Blog on that.
Stiennon says NAC is dead - I must be in heaven!
Richard, does this mean NAC is dead like IDS? You have so many conclusions that are based on not spending enough time getting to the facts. I think that is a pattern with you. I of course disagree with you and have formally responded here.
No, still born
Of course you disagree with me, Alan; you are a principal in a NAC company. You should have heard the folks at ISS and Dragon and Intrusion.com squeal when I said IDS is dead.
Sorry, man, I love you, your company has cool technology and all of that. But it is just not needed in the enterprise. Time to move on.
I'll hop over to your blog now and read your response.