With NAC, small vendors rule, expert says

In this Network World Chat transcript, security guru Joel Snyder reveals the truth about NAC, including which vendors to watch.

Page 2 of 3

In fact, performance is generally not critical for NAC products unless you're doing in-line enforcement. The Consentry / Nevis / Vernier clan have to keep their numbers up, but folks like Cisco that are doing edge enforcement or hybrid enforcement just have to be sure their policy engines are fast enough, which is way easier. To me, the main issue in deciding on the right NAC solution is figuring out why you're doing NAC in the first place. You do that, then the right product will begin to reveal itself. I've written a little presentation I did as part of NAC Day at Interop where I give 9 "hard questions" on NAC. I know you're asking "give me some purchase criteria" here, but my answer has to be "find the product that meets your needs." Most people are so confused by the NAC buzz-wagon that they have no idea what they want or why they want it. Except that everyone is talking about it, so maybe they should have one. It's like a blog :-)

Dotondo

What are the best practices for Fortune 50? What vendor should they be picking?

joel_snyder

Well, that's a tough one. You know that there are no Fortune 50s who have done full NAC, or if they have, then I haven't heard about it yet. Best Practice comes out of years of experience and hundreds of deployments. I think that some points you need to think about, though, are the following: (a) you MUST have vendor independence. Without that, you're destined to hate your solution. (b) You must have a solution that can scale up properly, and that takes a LOT of thinking about stuff, and most NAC vendors haven't done that yet. (c) You must think through why you want to do NAC. It's not just a question of "Fortune 50 have NAC," any more than "Fortune 50 have dynamic routing." Yeah, they all do or will in any case, but NAC is more of a technology that supports your business goals and security restrictions than a "must have because everyone in our club does."

nacnac

I believe NAC has a real place in the security spectrum but have trouble building an ROI that gets it prioritized above other projects. Any advice for building a business case for NAC? "Reducing risk" is hard to quantify, which translates to "hard for me to get budget."

joel_snyder

You hit the nail on the head. NAC ROI is way harder than most everything to budget. You can always use the FUD approach (have the purchase requisition ready, and run into the CEO's office next time TJX is on the front page of the WSJ). OK, just kidding. No special advice other than the obvious stuff you've already thought of. This is one of the reasons, by the way, why NAC may not make it in the long run.

Moderator-Keith

PRE-SUBMITTED QUESTION: Do mobile phones need to be included in a NAC scheme? How would I do that?

joel_snyder

It depends: are your mobile phones on your network? If the answer is "yes," then there are a couple of strategies. (If the answer is "no," then howdy from the 21st century, come join us all soon) First of all, you're probably not as worried about end-point security posture, because the access you're going to give to the phone is limited: probably basic groupware functions (email, calendar, etc.) and maybe intranet browsing. Because of that, you want to focus on access control, probably by creating a VLAN just for these phones that strictly limits where they can go, and figure that if you handle access control properly, then end-point posture checking is probably not as important.

SuperStar

How do you see Bradford surviving with the big boys???

joel_snyder

Absolutely. Bradford has a number of the big boys VERY frightened. Plus, they have their niche (edu) which they serve beautifully and everyone in that niche seems to love them. The greatest threat to their survival would be if they were to get bought, especially by CA or Symantec.

taco2

If NAC is "ho-hum" in 5 years, what in security is exciting in 5 years?

joel_snyder

Dude. I'm going to be running a BBQ stand in 5 years. You call me up and tell me.

big_boy

I'm curious about your position on 802.1x vs. the proprietary NAC solutions out there ... keeping in mind it's like apples-to-oranges.

joel_snyder

I'm an 802.1X purist. Actually, I like to use the "switch when you can, route when you have to" analogy. I think that 802.1X is definitely the way to go, but obviously there are places where it doesn't work, and that's when I turn to proprietary. So I start with 802.1X as my "starting point" for any design, and then back off if it won't work. I know that my buds at Nevis are going to get mad for me saying that, but that's just the way I think.

Moderator-Keith

PRE-SUBMITTED QUESTION: Can NAC do anything to help protect sensitive information from leaving the premises?

joel_snyder

Conceptually, yes, but practically, no. You really need specific technology to handle that; we've got a good market already called "leak protection" that's handling this. Again, NAC can be helpful in some ways by providing authentication information to the leak protection device, but these guys have their act together and I don't think that you want to start tying NAC to leak protection at this stage of the game. Wait until the next inning, OK?

Seabee2000

Do you believe scanning of clients before network access is too time-consuming, or is it worth it? I can only assume you think it's a good idea if all parties are for it, Network, Security, etc.

joel_snyder

If it's done right, it shouldn't take too long. For example, let's say you've got a good patch discipline program in place, like a Patchlink or BigFix. Those guys know the instant you connect whether you're good or bad. So it's not like you're waiting for 45 minutes for a sector-by-sector scan of the hard drive. I totally agree that anything over maybe 15 to 30 seconds is a show-stopper, at least for the ADD Internet generation nowadays.

AAsDC

Joel, where do you draw the line between extremely thorough application-layer IPS and true clientless NAC? i.e. if I theoretically had a gateway IPS that could interface with an auth directory and could monitor all protocols, doesn't that achieve the same goal as NAC without all the mess?

joel_snyder

Well, yes and no. I can't agree that it's "without all the mess." There's a lot of mess behind every IPS deployment I've ever seen. However, I think that the architecture you propose is basically what I think of as the end-game, except it's not an IPS; it's a combo IPS/firewall at the port level where the user connects. So we're on the same page, except that you're missing the posture assessment part. Can't do that without a client, and if you want it (maybe you're collecting stats for your compliance audit), you have to get it somehow.

Gleb

Following up on the Bradford question, what do you think of similar sized players like ForeScout and Lockdown being in the top 5 solutions in the NWW test?

joel_snyder

You're referring to the scorecard when you say "top 5," and I hate scorecards. However, I think that there is a lot of innovation going on in the NAC space and I don't have any problem with good products coming from small companies. They spur the big guys on to do better, and may have great ideas that are worth stealing ... or acquiring :-)

Moderator-Keith

PRE-SUBMITTED QUESTION: How are NAC hardware and other security appliances working together?

joel_snyder

This is one of the most interesting parts of NAC, the idea that you can get all your security awareness devices like IDS/IPS and SIM and NAC talking to each other. The NAC stuff can tell everyone who the user at a particular IP really is, which is incredibly valuable information that's also incredibly difficult to gather. And the IPS/IDS/SIM/firewall can give NAC information about how the user is actually behaving, which can be used to modify access. I hear a lot of talk, especially from the startups, about doing this kind of stuff, which is great. That's going to put pressure on the big guys to incorporate those ideas, either by development or acquisition. For example, it's no big secret that Juniper's in the market for a SEM/SIM vendor. Why? Not for the revenue, at least not to start. It's because they see NAC and security as needing that kind of integration to build the big picture. Or at least that's my guess.

rain

Speaking of 802.1X, are there vendors who can offer out-of-band NAC without going through the .1X route?

joel_snyder

Lots. I call those the "hybrid" guys. There are huge drawbacks, but still some people like that approach better. The big guys in that game are probably Lockdown; they have a huge press presence. But even Cisco does that -- think CCA! It's not that unusual of an approach and solves some problems that linger around 802.1X deployments today.

Moderator-Keith

PRE-SUBMITTED QUESTION: How are NAC schemes and other identity management schemes merging?

joel_snyder

There are some wild-eyed crazies that have the vision that once you authenticate, you're done for the day: those credentials get carried into the local system, the network, and up to every application in the enterprise. Never tell anyone who you are again, and everyone knows who you are and what you should have access to. I'd love that and so would every end user. Will it happen? Hard to say. People haven't been successful with SSO in the past, but the growing monoculture in the enterprise plus Microsoft's interest in NAC suggest that we're going to have more parts that fit together than we ever have before. To me, the biggest problem is that it's way too cross-functional and the organizational barriers are almost as significant as the technical ones. But if you want to be buzzword compliant, make sure your NAC has SOAP/SAML hooks, or at least they're floating around on the PowerPoint somewhere.

Wiz

There is a lot of talk about blocking vulnerable end points, but it has been my experience that it is more important to block threats and find some remediation capabilities for the identified vulnerabilities. What is the best approach to blocking threats while still addressing the vulnerable systems?

joel_snyder

Hard one to answer when you use the word "best." I think that one important part of a good NAC deployment is the ability to turn the IPS up to 11 and block these things. The reality of most "bad behavior" is that it shows up pretty easily.

Moderator-Keith

Nigel Tufnel: We've got Armadillos in our trousers. It's really quite frightening.

joel_snyder

Spinal Tap. Keith is the man!

RRR

What are your thoughts on NAC in the branch?

joel_snyder

That's hard. No one has come up with a great solution, because things like VLAN separation are very hard. I think that you're going to end up backhauling the traffic and using a stateful firewall before you emit it to the core network; that's the only affordable way to do it today as far as I know. Obviously, you can go with a Forescout-y kind of thing in the branch, but the price is not quite right. I'd say Cisco ISR is one place to look for innovation there.

Moderator-Keith

PRE-SUBMITTED QUESTION: What about authentication and mobile phones?

joel_snyder

Mobile phones aren't so good, and more importantly mobile phone subscribers aren't so good with authentication. If you make someone punch in a password to their phone every time they want to hit the network, you're going to end up pushing that traffic to the public network, which will end up increasing costs and opening up other security holes. In the future, you'll be able to do some sort of SIM-based authentication -- there's an EAP method for that -- but for now, you should probably focus on MAC-based authentication to give the user the best experience, and handle access control behind the scenes.

corao

I have an IPS deployment that is still deploying in IDS mode as the false positives and issues for blocking are turned off -- now they are asking me to try the NAC features, should I?

joel_snyder

No, you need to get the IDS fixed first. If you are still seeing FPs in your IPS, you've got some serious issues where the vendor needs to get their act together with you before you move on. Baby steps, my man, baby steps.

Moderator-Keith

PRE-SUBMITTED QUESTION: What do most security managers do wrong in managing NAC devices?

joel_snyder

Well, you have to realize that we're pretty early in the world of NAC. Folks have been doing NAC-ish things for a long time -- look at SSL VPN vendors who have been NACing for 5 years almost, or vendors like Bradford who were solving specific problems before we started calling it NAC. I see long-term maintenance of the network/security/desktop separation as the biggest potential problem. NAC brings all these teams together, and all three are responsible for making sure that the NAC project is successful. But if they don't continue, as a team, to keep things updated, then it can all fall apart or -- worse -- not do what you wanted. The biggest issue is the fast-moving nature of desktop threat mitigation, where the desktop guy (or girl) has to keep making sure that changes they have in their threat mitigation strategy get adequately pushed into the NAC policy. That smells like a moldy cheese in a lot of the deployments I'm seeing that's going to explode sometime in the future.

todd k

Why not simply embed this technology into access devices? (the switches and apps and VPN head-ends) Do you think those vendors are heading in this direction ?

joel_snyder

Why not? Dude, you're preaching to the choir. That's where it belongs. I think that we're on the same page. Whether the vendors are on the bus with us, I don't know. But we can share this bottle of Kool-Aid I brought on board in the meantime.

Moderator-Keith

PRE-SUBMITTED QUESTION: Cisco and Microsoft promised interoperability between their NAC schemes. They published some documentation describing how it is possible. How important is interoperability anyway?

joel_snyder
