Readers have the last say on network access control

By John Gallant
NetworkWorld.com, 05/19/06


Dear Vorticians,

Over the past weeks, as I've explored different angles of the network access control market, I've received quite a bit of correspondence that I just haven't had the space to accommodate. (You know how we writers can just ramble on and on.) I want to wrap up my exploration of NAC by sharing some of these notes and I hope you'll respond to these reader thoughts and inquiries if you have the time and knowledge.

Vortician CJ Meyers, an IT executive in Florida, got on my good side by not only thanking me for the network access coverage but assuming I am a busy kind of guy - a risky assumption. He wrote: "Thank you for this blog! I am very interested in this subject and am happy that I found this blog to do some research before committing to a solution. I heard about the blog from the May 8th print edition of Network World. I already learned a great deal by reading those articles, and now with the blog, I've got some more great material to parse.

"Currently my organization is seeking a NAC solution and we were leaning towards the Cisco CleanAccess solution. However, we've recently become aware of a vendor called Mirage Networks that provides similar NAC functionality, but completely out-of-band and adds endpoint security without a client agent. I have a Webex with the vendor next week, but am interested in any insight or additional literature, comparisons, reviews, etc. that you may have come across in your research. I searched the blog and didn't get any hits. I know you must be terribly busy, but I appreciate in advance any help you can provide!"

Well, Vortician Meyers, I'll ask our other readers to share their thoughts, and I'll point you to this article on the Network World Web site in which we cited the Mirage Networks' product as one of seven tools that customers ought to look at for their evolving data centers. The Mirage NAC solution not only scans end systems for vulnerability before letting them on the network, but also monitors their ongoing activity for unusual behavior. Take a read and thanks for writing.
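The two-phase model described above (a posture check before an end system is let on the network, then ongoing monitoring of its behaviour once admitted) is easy to see in a small policy engine. The following is an added illustration written for this post; it is not Mirage Networks' code or any other vendor's, and the policy values, the endpoint record layout and the flow-event format are all constructed assumptions.

```python
"""Two-phase NAC decision model: pre-admission posture check, then
post-admission behavioural monitoring.  Added illustration, not any
vendor's implementation; all policy values here are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy: minimum patch level an endpoint must report.
REQUIRED_PATCH_LEVEL = 42
# Constructed policy: more distinct destination hosts than this on one
# port, from a single endpoint, is treated as scanning behaviour.
SCAN_THRESHOLD = 10


@dataclass
class Endpoint:
    """Hypothetical posture report an agent-less scan might collect."""
    mac: str
    av_running: bool
    patch_level: int
    firewall_on: bool


def posture_check(ep):
    """Return the list of failed checks; an empty list means compliant."""
    failures = []
    if not ep.av_running:
        failures.append("antivirus not running")
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"patch level {ep.patch_level} < {REQUIRED_PATCH_LEVEL}")
    if not ep.firewall_on:
        failures.append("host firewall disabled")
    return failures


def admission_decision(ep):
    """Pre-admission phase: allow compliant hosts, quarantine the rest."""
    failures = posture_check(ep)
    return ("allow", failures) if not failures else ("quarantine", failures)


def monitor(events):
    """Post-admission phase over flow events (mac, dst_host, dst_port).

    Flags an endpoint that talks to more than SCAN_THRESHOLD distinct
    hosts on the same port: a crude but illustrative 'unusual behaviour'
    detector of the kind a post-admission NAC appliance would run."""
    targets = defaultdict(set)
    for mac, dst_host, dst_port in events:
        targets[(mac, dst_port)].add(dst_host)
    return {mac for (mac, _port), hosts in targets.items()
            if len(hosts) > SCAN_THRESHOLD}


def run_nac(endpoints, events):
    """Apply both phases and return the final state per MAC address."""
    state = {}
    for ep in endpoints:
        decision, _reasons = admission_decision(ep)
        state[ep.mac] = decision
    # Only admitted hosts generate traffic worth monitoring; quarantined
    # hosts are already off the production network.
    admitted_events = [e for e in events if state.get(e[0]) == "allow"]
    for mac in monitor(admitted_events):
        state[mac] = "quarantine"
    return state


# Constructed sample data: three endpoints and their flows after admission.
SAMPLE_ENDPOINTS = [
    Endpoint("aa:aa:aa:aa:aa:aa", av_running=True, patch_level=45, firewall_on=True),
    Endpoint("bb:bb:bb:bb:bb:bb", av_running=False, patch_level=45, firewall_on=True),
    Endpoint("cc:cc:cc:cc:cc:cc", av_running=True, patch_level=42, firewall_on=True),
]
SAMPLE_EVENTS = (
    # A normal host: a handful of file-server connections.
    [("aa:aa:aa:aa:aa:aa", f"10.0.0.{n}", 445) for n in range(1, 4)]
    # A host that passed posture but then sweeps the subnet on one port.
    + [("cc:cc:cc:cc:cc:cc", f"10.0.1.{n}", 445) for n in range(1, 16)]
)

if __name__ == "__main__":
    for mac, decision in run_nac(SAMPLE_ENDPOINTS, SAMPLE_EVENTS).items():
        print(mac, decision)
```

The point the sample data makes is that the two phases catch different things: `bb:…` never gets on the network because its posture fails, while `cc:…` passes posture and is only quarantined once its post-admission traffic looks like a sweep. A product that does only the first check would have missed the second host.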

Vortician Jeff Prince, who is chairman and CTO of ConSentry Networks, another entrant in this market, wrote to share some insights into the internal workings of Cisco's NAC and its partner program. "John, the Cisco NAC architecture has been unnecessarily proprietary, which has been the typical course for Cisco lately. Last time we talked, I mentioned that one of the reasons Cisco became a great company was the fact that they continued to develop enabling ASIC technology. Well, another is the fact that early on they embraced and pushed for open standards, and then built very competitive products based on those standards. Developing standards and testing for multi-vendor interoperability is the primary reason the show Interop was created. So why is Cisco now pushing for all-Cisco components? (By the way, in the spirit of 'interop,' we are providing the NAC functions for the InteropNet NOC. Cisco is not participating.)

"While it may seem attractive to Cisco to put proprietary software on every endpoint in the network, since it binds customers to buying Cisco switches, in the end deploying it is neither simple nor open. There is a very important difference between Microsoft NAP and Cisco NAC - Microsoft NAP is truly open for networking vendors, but Cisco NAC is not.

"How do I know Cisco NAC isn't as open as Cisco claims? Let me share just one vendor's experience - mine. ConSentry recently announced a new product, the LANShield Switch, which is our first secure switch. It embeds the functions of NAC, along with visibility and user and threat control, into a wire-speed LAN switch. Within days of our announcing this product, Cisco informed us that we are no longer welcome in the Cisco NAC partner program, which ConSentry joined last year. I honestly don't blame them for taking this action. And I'm flattered that Cisco views us as competition. But it does give an indication as to just how 'open' Cisco NAC is.

"You'll continue to hear Cisco claim that its NAC program is open, but in reality they are pushing a proprietary architecture while other vendors like us are pushing for simplicity and choice. And while it's better for us if Cisco continues down the proprietary path, I'm hoping they will actually embrace openness (simply joining the Trusted Computing Group would be a start), because I believe it will greatly simplify the implementation of NAC for customers.

"I suspect that this situation will sort itself out. Microsoft and TCG will offer open platforms for interoperating with endpoint software, we and other switch vendors will offer support for agent-less downloads, as well as support for NAP and TCG, and we can put this whole concept of Cisco owning the desktop behind us. Simplification is key - having a networking vendor try to directly control endpoints is far from simple. Keep up the good work with Vortex!"

Thanks Jeff.

In one of my entries, I cited some comments from Fred Felman during his time at Check Point. I was pleased to get this missive from Vortician Felman. "Hey John! Just thought it'd be good to let you know that I'm no longer at Zone/Check Point. I left the company in February '05, after nearly six years of pioneering compliance technologies. I'm now doing independent consulting for startups. (SFW Partners in San Francisco.)

"A lot has changed and much has remained the same since my tenure at Zone. It is still pretty hard to get NAC/NAP realized within large organizations; however there are some developments that are (advancing) the idea of NAC and NAP.

"First, Symantec recently bought personal firewall and compliance vendor Sygate specifically for their compliance technology. And, second, little-known start-up FireEye has developed a hardware-based traffic anomaly model that nails NAC/NAP without agents and the other well-known hassles of implementing NAC.

"Here's some interesting NAC/NAP background. Some of the compliance models pioneered by Zone and Cisco were the basis of Microsoft's and Cisco's NAP and NAC, respectively. In fact, Zone Labs Cooperative Enforcement was first introduced into Cisco 3000 VPN gear in the form of an integrated firewall and policy engine that checked compliance before users were permitted to use remote access through the Cisco 3000 box. (I'm not sure if it is still true, but the Zone Firewall was included in Cisco Client VPN software as recently as when I made the quote cited in your piece.)

"It is pretty cool that this early work evolved into generalization of the idea and integration into the existing 802.1X standard in order to deliver more ubiquitous compliance. That was the brainchild of Cisco's Bob Gleichauf."

Thanks Fred. And, finally, I pass along this brief but - I'm hopeful - useful note from Vortician Gary Smith, who lists himself as SOA network architect with SOA Networks. "John, thought you might be interested in my blog: www.soanetworkarchitect.com"

Thanks and bye for now.


Comments

1. FireEye is not really hardware-based; they just run the software on dual-Opteron 1U servers. Their real strength is that they can mimic the actions taken by the traffic on virtual machines running within their box. This is quite revolutionary, but on the downside there is nobody else following this approach and it will be a sort of big learning curve for the market.
2. An open source app that would really compete with Mirage Networks would be www.packetfence.org. They do most of the stuff Mirage does. The Mirage application is based on Java, PostgreSQL and a proprietary threat detection engine, while PacketFence relies on Perl, MySQL and Snort.
3. ConSentry's approach is nothing revolutionary; they just realized that they needed a 48-port box to answer the Nevis Networks product line, which was much bigger.
4. Another new entry to the security space would be www.musecurity.com

Posted by: Meher Kolli on May 23, 2006 04:53 PM

