In this Network World Chat, security guru Joel Snyder reveals the truth about Network Access Control technology. Smaller vendors rule and TCG/TNC, which now includes Microsoft's NAP, is the camp to watch, even without Cisco.
Moderator-Julie
Welcome to Network World Chats. Our guest today is security guru Joel Snyder who is going to reveal "The Truth about NAC." Joel will answer your questions about NAC, security, or anything else on your mind.
joel_snyder
Heya folks! Welcome to NAC-land.
arp
Can the NAC solution be deployed with a wireless access point from one vendor and a RADIUS server from another vendor? Or is it an end-to-end solution? Thanks.
joel_snyder
Definitely you shouldn't be locked into a single vendor. Of course, this is going to depend on the choice of NAC solution, but in our test lab we use Aruba and Airespace (cough cough) Cisco wireless stuff, and have great success with other policy decision point vendors, including Microsoft and Juniper. I don't see a huge requirement to get it all from a single vendor, and, in fact, with the exception of Cisco, I don't think that any NAC vendor really covers both wireless and the PDP (RADIUS) side. So multi-vendor is very much a reality. You're not from Cisco, are you? :-)
Moderator-Julie
PRE-SUBMITTED QUESTION: What's the biggest shortcoming you see with NAC implementations?
joel_snyderif you look at Mandy's test a few weeks ago, you'll see that she got really different products with really different designs. This makes it hard to know what's right for you.
That's hard to say. I think that the lack of standardization of NAC approaches and strategies is really holding us back. We want to have different products for different requirements, but NAC products are so different across the board that it makes it difficult for people to know what will solve their needs. You have to be a product evaluation guru just to understand some of the subtle differences between these products. I think that this will shake out over time, but
amiller219
What is the biggest barrier to implementation in your opinion, e.g. price, complexity, infrastructure changes, etc.?
joel_snyder
Organizational. NAC requires three teams to play ball together: the desktop folks, the security folks, and the network folks. If they can't all agree on what they want to do and why, it's destined to fail. Deal with the politics, and all other problems become trivial.
Grumpynettech
What do you see as good aspects of NAC from a wireless client (.1x), wireless (general user), verses wired access and also for guest and / or vendor? What remediation / inspection should we be able to perform or expect to be able to perform?
joel_snyder
Well, it all depends (I hate it when people say that). I think that NAC for the "local" user (someone in your domain, like your employees) should be doing a lot of self-remediation--not just throwing a pop-up box. For guest users, I don't see NAC as having a lot of remediation capabilities. Are you really expecting people to download random software and install it just to read their e-mail? I guess some do, but generally I think of NAC/guest as being remediation-free and focus on partitioning users and protecting things.
JMS-Maine
Joel, what are your thoughts about in-band versus out-of-band NAC solutions (pro's/con's each way)? Softball, but what the heck...
joel_snyder
I'll have to throw a definition here, and see if you agree: in-band I think of as a box, like maybe a Vernier / Consentry / Nevis or even Cisco CCA (in in-line mode, which is one option), which controls all access. Out-of-band is what I like to call "edge enforcement," more 802.1X-y. Hybrid is more half-way, like Lockd Down or CCA in that mode. Anyway, given those definitions: edge is really where I think we want to go for big enterprise deployments. It scales, it handles the load, and it doesn't depend on a single point to do enforcement. In-band I think of more for the occasional guest access -- drop one of those boxes in between your guests and let it handle that load. BAM, problem solved, that was easy, etc. Of course, that doesn't mean that the in-band guys can't handle the load, but you really want to aim for edge enforcement if it fits, and go for in-band if it doesn't. And there are zillions of places where in-band fits better.
RRR
But isn't the scaling excuse just another way of saying that the current NAC technology will just be replaced in a couple of years by in-band appliances?
joel_snyder
Hmmm. It depends on your definition of "in-band appliances." I think that firewall-to-the-port is what will happen in a couple of years, where a “couple” is probably more like a decade. How long will it take for that kind of brainpower and speed to move to the switch port? Hard to say, but certainly that's what I would like to see it happen.
Jeff_Caruso
Should users hold off on implementing any particular NAC until the vendors sort it all out?
joel_snyder
Of course not. You need to buy, buy, buy, so those poor guys can keep up payments on their Boxters. No, seriously, though, you can solve a lot of point problems with current solutions today and look to the future for better solutions with wider scope. I see a lot of people with "pain points" that need solutions -- they should be going for something today. And, a little experience today will help you pick the right solution tomorrow. Should you buy a NAC solution for 50,000 enterprise users on a Windows domain in 30 buildings? Well, I'd do a test rollout for a while first if I were you.
taco2
Joel, what do you see as the challenges with Cisco's NAC Appliance?
joel_snyderMandy dissected it (here too) and Cisco got all pissed off in her test on NWW, but honestly I don't have a strong opinion about it. It's been a long time since I had it in my lab, and I don't like to offer opinions until I've got the boxes under my belt.
Honestly, I can't answer that one very well because I haven't had it in my lab.
ServerGuy42
Hi Joel - I'm studying for my CCNA and also want to move into wireless and NAC. What steps should I take to get more knowledge about this topic?
joel_snyder
Well, 802.1X is something you really need to understand. I would make sure I really "got that" to know NAC and the pros/cons of that approach (and there are both!). I'd also config up 802.1X on a switch and do some testing to be sure you know what's easy and what's hard -- there's a WHOLE PILE OF FUD about that.
Gleb
Hi Joel, The top two solutions from the recent Network World NAC test (Symantec and ForeScout) use two fundamentally different approaches to NAC - client vs. clientless. What are your thoughts on the client vs. clientless debate?
joel_snyder
My thinking is that there are lots of reasons people use NAC, and they may find that client-full versus client-less meets their needs. Honestly, if you're doing NAC for employees, you want a client. If you're doing it for guests, you want clientless. And if you want a solution that solves both, then you need a solution that has both. The SSL VPN guys figured it out; the NAC guys will too (sooner or later).
kevsull NAP and TCG come to mind.
On standards, what is your opinion on these so-called consortiums that propose to be about standards, but on a closer look you can tell they are vendor-led and self-serving.
joel_snyder
Your question reveals a certain bias, but, even with that, I think that standards are totally key. Without a good set of standards, this is a technology that will fail miserably. Think PKI and, to some extent, IPsec VPN for remote access. Too much squabbling among the vendors, and too little "put aside our differences and move forward." I think that TCG/TNC is the one to watch; Microsoft (NAP) has joined in and is on the bus. The only one who is lagging behind TCG/TNC right now is Cisco and that's largely a personality difference as far as I can tell.
nacnac
System scanning - if one of the major problems is ineffectiveness of A/V [anti-virus], OS patching, etc. - why all the hubbub about verifying that those things are in place? I get the mitigating risk argument, but ultimately you're verifying tools are there that don't solve the problem, no?
joel_snyder
Well, it's a question of dropping reducing risk. I agree totally that knowing that A/V is in place says nothing about whether you're infected or not. In fact, most people don't get that and I'm glad that you did. But the answer is that if you have A/V at least the ODDS of you being infected are lower than if you don't. So while compliance to policy is just compliance to policy, the idea is that if you're not a total moron when you wrote the policy, the policy does actually reduce risk. Remember we can never go to zero.
FrostBe
We have a lot of contractors and we're trying to limit their access to certain parts of the server, can NAC do that?
joel_snyder
NAC and contractors is hard. You have this situation where you want to put a lot of software on their systems, and they may not be into that. I think that you CAN find good NAC solutions that will work -- you want to look for products that are more "enforcement-y" than "posture-y." Good candidates are the in-line guys I mentioned before, and of course Juniper, which is all over that.
dougdooley
What's your opinion of Microsoft's willingness to partner in the NAC space? They seem to be friendly with everyone - joint demos with Juniper's UAC, road shows with Cisco's John Chambers? Is this a sign of desperation or doing the right thing by customer or both/neither?
joel_snyder
Doolster! MS is on the right side of the fence. Either that, or they are lying through their teeth, and I believe that they are honest. I have had some great conversations with them and some brilliant folks and I think that they are doing the right thing. Look, honestly, no ONE wants to write PC software, at least not in the network security business. Why should we be doing that when MS is offering to do that for us. Partner, rather than perish.
RRR
What's your vision of NAC products 5 years from now?
joel_snyder
Universal "ho-hum." Just like VPN. We all have it where we need it and it's not so exciting. That's what we want. Universal dullness. We have to go to Funky Town, and then move to Dullsville. That's a good sign.
RRR
Re Gleb's question - what do you think about post-admission as a solution for clientless NAC (also for employees)?
joel_snyder
Post-admission pisses me off. To me post-admission is an admission that your product doesn't do what it needs. NAC is NAC. You want pre-admission, post-admission, and post-graduate. All in one product. ALL are needed for the 5-years-from-now NAC solution.
cd
Isn't the IETF developing standards that are vendor neutral? Where all the vendors contribute?
joel_snyder
IETF is, but it's a bit of a fiasco. I invite you to read the NEA minutes. There are a lot of egos involved. I love the IETF for what it was, but I believe that its effectiveness as a standards development organization has dropped precipitously in recent years. I would love to see IETF do it, and there are a bunch of smart folks there who are participating, but they are being dragged down by the "everyone has a voice, even if they shouldn't talk so much" crowd. My money's on the TCG/TNC, at least this year. I would love to be proven wrong, though.
Moderator-Keith
PRE-SUBMITTED QUESTION: Any open-source NAC projects out there that are interesting?
joel_snyderTim Greene wrote a great article a few months ago about open-source NAC that really covered the market and projects well. It's one of the best unbiased discussions of the available options. The only project that I've heard of that Tim missed in that article was FirePipes.
Lots of action on this front, some of it stretching the imagination a bit. The Open1X people (now the main driver of OpenSEA, Secure Edge Access) are primarily interesting to Linux clients, based on the Xsupplicant work that Chris Hessing has been leading lately. That's incredibly cool, except of course that the penetration of Linux desktops and laptops into the world is basically zip today. But the work that they're doing has huge relevance in the Mac world, where Apple has left the enterprise high-and-dry, and will help in embedded devices, most of which are based on Linux nowadays. Those guys are scary smart and worth watching.
ServerGuy42
What are your thoughts about putting NAC on endpoints like printers, PDAs, etc.?
joel_snyder
You absolutely have to have some way of dealing with these guys; it's the corner case that is a killer in NAC. People don't think about it very much, but any NAC solution (at least for enterprise users) that doesn't adequately deal with "stupid clients" (printers, PDAs, smart phones, cameras with Wi-Fi, etc.) is leaving a huge security hole. Of course, it all depends on why you're doing NAC in the first place -- maybe printers aren't part of the picture if you're focusing on guests, for example.
Moderator-Keith
PRE-SUBMITTED QUESTION: When it comes to NAC, product performance isn't the only reason to choose a vendor. What other factors should I be considering before I buy?
joel_snyder