Last month, Network World reported that Cisco lost market share across the board.
Meanwhile, earlier this week network security vendor Enterasys issued a press release revealing that its NAC sales revenue grew 317% in 2009 compared with the same quarter of 2008.
This growth rate contradicts many security industry analysts and pundits, who say that NAC will never get off the ground with enterprise users because it’s complicated, expensive and requires too much up-front investment.
Naturally, I felt it was an opportune time to get a "feel" for why the Enterasys NAC solution is doing so well.
Interestingly, Enterasys security expert Dennis Boas believes that end users can and do invest in NAC – if the product is the right fit. So in the Q & A below, Boas shares his insight on the most prevalent threats to the enterprise network, customer-proven best practices of network access control (NAC), enterprise concerns about the financial and management aspects of NAC, and why the Enterasys NAC solution is in such high demand. Boas also led an educational session at the Gartner Security Summit this week.
1. As alarmingly described in the video below, a Black Hat attack on Cisco's network admission control (NAC) compromised the Cisco agent installed on the end system. So Dennis, what do you have to say about this video and the Cisco NAC design flaws that the folks at Black Hat described?
Dennis Boas: Security mechanisms are used to validate the integrity and authenticity of the Enterasys agent for all server/agent communications. Additionally, with Enterasys NAC, the end system agent can be downloaded dynamically from the assessment server – and only after the end system is successfully authenticated. Another option with Enterasys NAC is agent-less assessment based on a network scan, which eliminates agent compromise-type attacks. Also note that Enterasys uses multiple criteria beyond end system health assessment to assign and limit access granted to an end system, including device type, authentication method, authenticated role, location of the end system (switch, port, SSID), and time of day. Customers who have concerns about these types of attacks have strong, secure, and flexible options with Enterasys NAC.
2. Well, with all the security solutions from anti-virus to next-generation firewalls available – why in the bejesus would an enterprise need a NAC solution in the first place? Pardon my skepticism, but I love to hold vendors' feet to the fire.
Dennis Boas: Firewalls and AV are nice and they are part of the solution, but they aren’t a complete solution. Firewalls and DMZs only protect you from external threats. Your AV and your firewalls don’t give you the visibility you need to control your network and be secure. AV and firewalls won’t tell you what and who is connecting to your network, where they are connecting from, and whether their status meets your security policy requirements. NAC fills in these gaps.
3. Why should I worry about people connecting to the network from inside my firewall?
Dennis Boas: The real battle today is at the network access layer. The threat here is from systems connected behind your firewall. Keep in mind that threats from network users don’t always have to be malicious. Users often introduce threats unintentionally, such as an infected jump drive, media card or laptop. Current statistics back this up. Ponemon Institute reported that more than 88% of all cases in their data breach research this year involved insider negligence. Just think about the number and kinds of non-employees – guests, contractors – that connect to an enterprise network every day. Enterprises must address the dual challenge of enabling their guests and contractors to be productive with the network access they need to do their jobs, and at the same time protect the network from threats users can unintentionally introduce.
The diagram below represents the Enterasys Secure Networks capabilities and their relationship to the Enterasys NAC solution:
4. What can enterprises do with all this overwhelming information about who is connecting inside the firewall?
Dennis Boas: You need this information to grant an appropriate level of network access. You want to grant a level of network access based on the type of system connecting. For example, access for an IP phone is different from an employee desktop. You also have to consider the health of that user’s system, each employee’s role in the organization – what resources he needs access to; the employee’s location – where he’s connecting from (secure, unsecure, wireless), the time – working hours or is it at midnight? For example, even if a person authenticates as the CEO, but is trying to access the network from a wireless connection from the parking lot, do we really want to give him access to the card holder data environment?
According to Enterasys, assessments, or health-checks, can be separated into two methods:
Agent-less:
Network Based - a network scanner scans the end system remotely (over the network).
Applet Based - a Java applet is used to launch assessment functions on the end system (web browser based).
Agent-based:
Thin Agent - a temporary agent (can be loaded and unloaded on the end system using various vendor-specific techniques).
Fat Agent - a persistent suite of assessment software with firewall and host intrusion detection established on the end system.
During an assessment, end systems are checked for compliance and/or vulnerabilities. This also includes testing the end system embedded firewall and other applications for vulnerabilities.
5. I've read about enterprises damaging their corporate image with bad press that discloses they've lost customer information. So given the existence of such bad press, how does NAC work as a security tool -- for example, how does it prevent a user, authenticated as the CEO, from accessing over wireless from the parking lot?
Dennis Boas: A major retailer recently had a well publicized data breach caused by a hacker accessing the network over wireless from the parking lot. A properly deployed NAC would have prevented this by executing the access policy that says users coming in over wireless from the parking lot do not get access to sensitive data. By the way, the PCI standard says users coming in over wireless should not be allowed to access the card holder data environment.
According to Enterasys, policy-based networking and NAC enable a dynamic firewall capability right at the switch port in the network. Policies define what is allowed and not allowed on the network, what priority a device, user, or application can have on the network, and how much bandwidth each is allowed to use. With policies you have the capability of distinguishing between different systems and services, and there is no need for separation with VLANs. In addition to the authorization, traffic can be classified by many characteristics and each class can be treated individually:
Typical policy examples:
DHCP at the user port is not allowed.
Applications like Skype or P2P can be limited.
SIP traffic is labeled with the correct quality of service information.
Single flows can be pushed to other VLANs without the client noticing.
Legacy protocols like IPX or unusual traffic are detected directly at the switch port.
HTTP access to a quarantine/remediation server is always allowed, and any further access only after successful assessment.
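To make the decision criteria from questions 4 and 5 and the policy examples above concrete, here is an added example (not Enterasys code) of a small policy engine that combines device type, authentication method, role, location, time of day and assessment result into an access decision. The role names, zone names, working hours and the rule that MAC-authenticated devices only ever get guest-level access are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional


@dataclass
class EndSystem:
    """Context gathered for one connecting end system (assumed field set)."""
    device_type: str         # "ip-phone", "workstation", "printer", ...
    auth_method: str         # "802.1X", "mac-auth" or "web-portal"
    role: str                # authenticated role: "guest", "employee", "executive"
    location: str            # switch/port or SSID label, e.g. "bldg1-floor2"
    wireless: bool
    clock: time              # time of day when the decision is made
    healthy: Optional[bool]  # assessment result; None = not assessed yet


@dataclass
class Decision:
    verdict: str                                    # "allow", "quarantine", "deny"
    zones: List[str] = field(default_factory=list)  # network zones reachable
    rules: List[str] = field(default_factory=list)  # traffic rules applied at the port
    reason: str = ""


REMEDIATION = "remediation-server:http"   # the only destination in quarantine
WORK_HOURS = (time(7, 0), time(19, 0))
ROLE_ZONES = {   # assumed role-to-zone mapping, not a vendor default
    "guest": ["internet"],
    "employee": ["intranet", "email", "internet"],
    "executive": ["intranet", "email", "internet", "cardholder-data"],
}
UNTRUSTED_LOCATIONS = ("parking-lot", "unknown")


def decide(es: EndSystem) -> Decision:
    # Standing per-port rules taken from the policy examples: no DHCP server
    # answering from a user port, P2P and Skype rate-limited.
    rules = ["drop dhcp-server-replies", "rate-limit p2p,skype"]

    # Device type is evaluated first: an IP phone gets the voice zone only,
    # plus SIP QoS marking, no matter which user later logs in behind it.
    if es.device_type == "ip-phone":
        return Decision("allow", ["voice"], ["mark sip dscp-ef"] + rules,
                        "device type ip-phone: voice zone only")

    # Health next: unassessed or failed systems are quarantined with HTTP to
    # the remediation server as the only permitted destination.
    if es.healthy is not True:
        why = "assessment failed" if es.healthy is False else "not yet assessed"
        return Decision("quarantine", [REMEDIATION], rules, why)

    # Role sets the starting zone list; MAC-auth-only devices never get more
    # than guest access because the identity is not proven (assumption).
    role = es.role if es.auth_method != "mac-auth" else "guest"
    zones = list(ROLE_ZONES.get(role, []))

    # Location and medium: wireless never reaches the cardholder data
    # environment (the PCI rule quoted above), and an untrusted location such
    # as the parking lot is cut back to email and internet, even for a user
    # who authenticated as the CEO.
    if es.wireless:
        zones = [z for z in zones if z != "cardholder-data"]
    if es.location in UNTRUSTED_LOCATIONS:
        zones = [z for z in zones if z in ("email", "internet")]

    # Time of day: sensitive data is off limits outside working hours.
    if not (WORK_HOURS[0] <= es.clock <= WORK_HOURS[1]):
        zones = [z for z in zones if z != "cardholder-data"]

    if not zones:
        return Decision("deny", [], rules, f"no zone permitted for role {role!r}")
    return Decision("allow", zones, rules,
                    f"role={role} location={es.location} wireless={es.wireless}")
```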
6. What are the best practices for protecting a network against insider threats?
Dennis Boas: A secure network means that only the right users have access to the right information, from the right place at the right time. Best practices include several critical components: authentication and authorization; endpoint security assessment, or baselining; enforcement, continuous monitoring and management. First, you must detect connecting end systems. It’s important to keep in mind that this may be a user on a laptop or mobile device or any other connected device such as an IP phone or printer. Then, for each connecting device there is a continuous process: the user and device is authenticated, the health of the device is assessed, the user/end-system is granted access, denied access or quarantined based on the system’s health and enterprises’ policies, and the user/end-system is monitored for continuing compliance with the security policy. The policy enforcement mechanism is embedded in the network or in-line appliance.
According to Enterasys, its NAC includes a combination of in-band and out-of-band NAC technology integrated into a single cohesive solution. This flexible solution allows NAC traffic enforcement to take place directly at the access edge for intelligent infrastructure devices, and near the access edge at the distribution/aggregation layer for areas of the network with less capable or unmanaged switches:
7. O.K., the process sounds kind of logical, but the average enterprise network comes with a lot of moving parts, usually from different vendors, and you've got to admit most administrators aren't about to take on any additional risk with their network's availability. So given this stark reality, how in the heck is an enterprise going to overcome the barriers to purchasing and implementing a NAC?
Dennis Boas: With NAC, or any other deployment, there are a number of critical network infrastructure components that must seamlessly integrate and work together. Enterprises with successful NAC deployments deal with the challenges in two ways: First select a complete NAC solution that is open, based on networking standards such as 802.1X, RFC 3580, RFC 3576, and second deploy in phases. An open NAC solution that is based on widely used networking standards will work in any network regardless of the technology or vendor. The best NAC product offers a complete solution but with functionality that can be efficiently deployed in phases to mitigate risk.
The following figure illustrates how the Enterasys NAC Gateway and the other Enterasys NAC components provide network access control for a network with third-party switches that support RFC 3580:
8. What kinds of phased approaches to NAC installations have you seen enterprises successfully use?
Dennis Boas: We’ve seen enterprises identify phases of their NAC deployments to address specific business problems. These enterprises successfully gain the increased protection of NAC as well as recognize immediate business value. For example, we see some customers start with simple detection and location and then later add other functionality, such as assessment and automated remediation. We’ll see an initial NAC deployment for detecting when end systems connect and tracking end systems across the network. This level of deployment addresses many auditing and compliance requirements. Other customers want to focus initially on guest access.
According to Enterasys, a well architected solution should integrate highly advanced, policy-enabled network infrastructure, along with advanced security applications and centralized management to deliver all of the required functions for pre and post-connect secure network access:
Detect - Detection and identification of new devices connecting to the network.
Authenticate - Authentication of users and/or devices.
Assess - Assessment of end systems regarding their compliance and/or vulnerabilities.
Authorize - Authorization to use the network based on the results of the authentication and the assessment.
Monitor - Monitoring users and devices once they are connected to the network.
Contain - Quarantine problem end systems and/or users to prevent them from negatively impacting the overall network environment.
Remediate - Remediation of problems with the end system and/or user.
9. I hear a lot today about guest access control. How does it work? And what about enterprises that have 50 or more guests per day? For example, I’m thinking specifically about training institutions that have hundreds of students per day for class. How labor intensive is it to enroll and manage guest users?
Dennis Boas: We see demand for guest access control in this exact scenario – training and conferences. Also, companies and governmental agencies who hire contractors, and in higher education, where new students and teaching staff are constantly wandering in and out of the campus network. Across every vertical, our customers like that we include the functionality for managing guest access control in Enterasys NAC for no additional charge. That’s something that other vendors will charge a premium for. We think it should be part of the NAC package – and it should be easy to use. Enterprises can proactively manage whether a guest, device, or trusted user can connect to the network and what they are authorized to do once connected – all based on fine-grained policy criteria such as device type, device health, user identity, role, time of day, and location. Enterasys NAC enables administration to be delegated. For example, using a simple web portal, business staff can sponsor guests and validate their guest registration.
10. Industry analysts have questioned NAC’s complexity and expense for mainstream enterprise adoption. Yet according to you, Enterasys NAC sales revenue has tripled compared with last year. What is driving this growth?
Dennis Boas: First, we really listen to our customers. We take into account their fears, needs and requirements as we build and enhance our NAC solution. We hear that this approach contrasts dramatically from other networking vendors. Second, I’d say that our longevity in the network security business gives us an advantage. Many of our new NAC users are long-time Enterasys infrastructure customers who decide to give this technology a try, and then go for the whole solution. Once they have it, they don’t want to go back to the old days of network vulnerability. With customers who’ve never used our products before, including customers who come to us from competing networking vendors, they really like the value and total cost of ownership. Interoperability is a big selling point for them. Our NAC architecture was among the first to provide a number of now generally expected features, such as role-based control for granting network access, and guest access control that is unified across wired and wireless networks. Quite simply, we built a solution that accurately reflects our customers’ needs, instead of building a product and telling them, "This is the way it’s done."
According to Enterasys, the architecture enables network usage policies for users and devices to be established centrally and enforced throughout the network environment. These policies for network communication enable an IT organization to ensure the overall integrity of data communications and to restrict and isolate communications from un-trusted and dangerous end systems and users. Policies can be applied to communication from any type of end system connecting to the network:
11. How do you define a complete NAC solution?
Dennis Boas: A complete NAC solution must deliver comprehensive functionality, end-to-end, for both out-of-band and in-line deployment options, agent-based or agent-less endpoint baselining, and integration with other network security products such as intrusion prevention, network behavioral analysis and security information and event management (SIEM) for post connect behavioral analysis and audit. The Enterasys NAC architecture integrates with any vendor’s network equipment that also supports industry standards. Enterasys NAC is centrally managed for ease of configuration and management.
12. How is Enterasys NAC managed?
Dennis Boas: NAC management needs to be simple, or the NAC solution itself will be useless. What good is all of this technology if your administrators struggle to monitor it every day? We work with companies who have a very small IT operations staff – sometimes a handful of people. They can’t allocate people to spend hours taking special classes, or trying to troubleshoot their solution – they just want to plug it in and know that it’s going to work. Our NMS NAC Manager software provides secure policy-based NAC management. From one centralized location, IT staff can configure and control the NAC solution, simplifying deployment and ongoing administration. Enterasys NAC offers advanced capabilities such as the IP-to-ID Mapping capability that binds together the username, IP address, MAC address and physical port of each endpoint. NMS NAC Manager reports this important information for audit or forensics analysis. One of Enterasys’ large university customers is gaining huge benefits using NMS NAC Manager with NMS Policy Manager. When combined with Policy Manager, NAC enables "one click" enforcement of role-based policies. NAC with Policy Manager enables organizations to address deployment worries with Policy Manager’s Active/Passive domain mode. This allows policies to be set up in a passive mode that does not enforce the policy, but does report on how the policy would work. This is great for testing policies prior to enforcing them on the network.
13. How does NAC help administrators with compliance reporting?
Dennis Boas: We find customers often implement NAC to address compliance requirements, especially in highly regulated environments like healthcare, financial services and government. NAC can quickly view the state of the network environment and provide IT administrators the information they need: who and what is attaching to the network; where and at what time the devices are connecting; whether the devices are safe and secure, and whether the users of the devices pose any threat to the network environment. We believe that the network is more secure with the most fine-grained control over who gets on, when and from where. Enterasys NAC maintains a comprehensive set of critical data that can be leveraged to quickly determine network usage and the threats and vulnerabilities posed by end systems of any type. Another important aspect of Enterasys NAC is the ability to look at historical data on any end system. The Enterasys NAC solution can report on not only where an end system is connected currently, but also where it has been connected in the past, as well as who was using the end system and whether or not it was in compliance at the time.
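The IP-to-ID mapping described in question 12 (username, IP address, MAC address and physical port bound together) and the historical lookup described in question 13 are the data an incident responder needs when an alert names only an IP address. The following added example (not Enterasys or NMS code) keeps such bindings with their session lifetimes and answers the three questions the text raises: who held an address at a given time, where an end system has been connected before, and where it is now. The records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Binding:
    """One IP-to-ID record: user, MAC, IP and physical port, with its lifetime."""
    user: str
    mac: str
    ip: str
    switch: str
    port: str
    start: datetime
    end: Optional[datetime]   # None = the end system is connected right now
    compliant: bool           # assessment result when the session began


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records (not real data). 10.1.5.23 is deliberately
# reused by a second, non-compliant guest after the first lease ends, which
# is why a lookup must be keyed on the time of the event, not the IP alone.
BINDINGS: List[Binding] = [
    Binding("jdoe", "00:11:22:33:44:55", "10.1.5.23", "sw-bldg1-1", "ge.1.7",
            parse_ts("2009-06-22 08:02"), parse_ts("2009-06-22 17:10"), True),
    Binding("guest-0417", "00:aa:bb:cc:dd:ee", "10.1.5.23", "sw-bldg1-1", "ge.1.12",
            parse_ts("2009-06-22 18:05"), parse_ts("2009-06-22 20:40"), False),
    Binding("jdoe", "00:11:22:33:44:55", "10.2.9.50", "sw-bldg2-3", "ge.2.3",
            parse_ts("2009-06-23 09:15"), None, True),
]


def who_had_ip(ip: str, at: datetime) -> Optional[Binding]:
    """Which user/device held this IP at the moment a log line or alert fired?"""
    for b in BINDINGS:
        still_open = b.end is None or at < b.end
        if b.ip == ip and b.start <= at and still_open:
            return b
    return None   # address was unassigned at that time: no one to attribute


def history(mac: str) -> List[Binding]:
    """Every port this end system has connected to, oldest first."""
    return sorted((b for b in BINDINGS if b.mac == mac), key=lambda b: b.start)


def current_location(mac: str) -> Optional[Binding]:
    """Where the end system is connected now, or None if it is offline."""
    return next((b for b in BINDINGS if b.mac == mac and b.end is None), None)
```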
14. This all sounds great, but what are we really talking about in terms of investment? What equipment must be purchased, installed and maintained?
Dennis Boas: The "total forklift" deployment approach, understandably, strikes fear in the heart of the administrator for a number of reasons, including first and foremost, cost. The network operations customers we deal with also have to answer to their CFO on maximizing current infrastructure, so a NAC deployment that requires ripping out existing gear usually won’t get the green light – and that’s true whether the economy is good or in flux. Enterasys NAC leverages the equipment and expertise that already exist in the enterprise’s infrastructure. We do not require a total network upgrade in order for it to work. Customers avoid the extra expense associated with vendors who try to lock them in to their products. Enterasys NAC works with multiple assessment servers, authentication servers and security software agents to match the needs of different organizations. Enterasys NAC leverages existing identity sources, enabling users to be centrally managed in an enterprise’s identity management system.
15. What is the future for NAC as a technology, and for Enterasys NAC?
Dennis Boas: When you have a solution that knows who or what is trying to connect to the network, from where and when, plus management applications that can apply policy and take actions – there are a lot of problems that can be addressed. Those original barriers to NAC entry are being removed, and our revenue growth bears that out. People who see limited futures for NAC are demonstrating a lack of imagination. Enterasys, now part of Siemens Enterprise Communications Group, a Gores Group company, sees tremendous opportunity. For example, we are moving to completely abstract policy across multiple third party device vendors to further reduce operational and implementation costs. We’re developing solutions for NAC integrated with voice over IP (VoIP) servers. Think about it. Enterasys NAC can know the exact location of every phone – the port, the switch, the MAC address. With this information NAC can automatically add the location information to the VoIP server, eliminating all the tedious manual effort this requires today. Moves, adds and changes all done automatically! With this information supplied to Enterasys NAC Manager – specific templates can be downloaded. For example, help desk phones can automatically have their own set of speed dials. Enterasys is doing this with our customers today.
Why do you think the Enterasys NAC solution is doing so well?
BradReese.Com Cisco Refurbished - Services that protect, maintain and optimize Cisco hardware
Contact: Brad Reese | Twitter: http://twitter.com/BradReese

Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
The great thing about privately held companies like Enterasys is that they do not have to report audited, GAAP-compliant revenue numbers to the SEC. They can make any claims they like about how well their sales are doing and they never have to reveal the actual quarterly numbers to the public.
What are the Cisco NAC revenue figures?
Because Cisco is a public company and believes in total financial transparency, what are the Cisco NAC revenue figures?
Are they going up or down?
Let's see if Cisco PR will respond to my request.
Sincerely,
Brad Reese
BradReese.Com Cisco Refurbished
Notice that the above commenter - probably on the Cisco payroll - attacked the validity of the revenue numbers, not the technology.
The bottom line: Cisco NAC = locked in to one vendor. One very expensive vendor.
Forgive me for attacking the validity of the sales numbers, I did not know they were off limits since the article was titled "Enterasys NAC sales triple". My mistake.
BTW, how are things going for you over there? Still trying to find a customer for SecureFast?
Sorry to disappoint you. I'm not an employee of any NW vendor. Just someone who's tired of seeing Cisco run roughshod over their customers.
Does this work with Cisco Switches and Wi-Fi controllers?
I noticed that standards are heavily stressed, but does their version of NAC support Cisco, and Microsoft's NAP?
Not a Cisco employee, but it would be interesting to find out if they went from 0 to 317% based on maybe a $3M or $10M year.
In addition to the standards-based NAC support that can be used to support many vendors, including Cisco, we also did specific work with Cisco MAC Authentication Bypass and the Cisco Wireless controllers to provide full NAC support with our out-of-band NAC solution.
We also integrate with Microsoft NAP by adding the capability to use the NAP health result in the NAC decision making process. If the administrator desires more information than the NAP health result, it is optional to also do a NAC assessment in addition to or instead of using the NAP health result. In either case, NAC assessment is used on devices in the infrastructure that do not support NAP.
Certifying accuracy of Enterasys NAC revenue and 3rd party support
I can certify the accuracy of the revenue claims. I personally review them on a weekly basis. While Anon is correct that as a private company we do not have to report our revenue numbers, Enterasys does follow all of the same financial regulations, including GAAP and others. It is also worth pointing out that this isn't a one time revenue bump. We have been in the NAC business for about 4 years and we have seen significant growth in each and every year. We decided to announce the most recent information since it was large and even more significant given that others are reporting declines or worse...going out of business.
Regarding Enterasys NAC working with other 3rd party switching vendors, such as Cisco, the answer is yes. If you wish to discuss the details of who and how, please just drop an email to sales@enterasys.com and someone will follow up with you.
Barry Cioe
Vice President
Enterasys Networks
Still haven't given us an answer to the first comment!!!
Is it just me or is Enterasys being evasive about exactly what a 317% rise in revenues actually represents?
Can you please state what your NAC revenue was last year and what it is this year. The first commentator makes a good point: if you only sold $100K of NAC last year, then $317K of revenue for this year is hardly earth-shattering, but does let you claim large percentage growth figures.
I'm ticked off with vendors who treat us like idiots and think we can't see through their clever marketing stories.... come on Enterasys, show us the figures !!!!
After all, you guys broke the story, so they must be good...
If it were just $317K we wouldn't care either
I don't like the misleading that goes on in the industry either, but that isn't the case here. Even though we do not publish these #s publicly, we are willing to share under NDA. If you want to know them, contact me at bcioe@enterasys.com, we will put an NDA in place and I'd be glad to share the details with you.
Barry Cioe
Enterasys Networks