With NAC, small vendors rule, expert says

In this Network World Chat transcript, security guru Joel Snyder reveals the truth about NAC, including which vendors to watch.


This is so critical that you can't possibly understate how important it is. Look, no one wants vendor lock-in, even if Cisco is the vendor. You know it's going to be a pain later in life. And, no one wants to keep adding more and more software to these poor laptops that are already overburdened with eight different security products all stepping on each other's toes. What we want is for a simple clean easy client to be built into Windows, and we want it to work with every product we buy. Microsoft should own this market; no one in the network security business wants to write software for Windows when Microsoft is saying "we can do that." Or if they do, they're idiots. In any case, interoperability for NAC is Microsoft's bus to drive, and they have been making all the right motions.

Moderator-Keith

PRE-SUBMITTED QUESTION: OK, but what are your thoughts on what they've done?

joel_snyder

I'm going to reserve judgment (not that it's my place to judge, of course). By the way, this isn't just Cisco; it's also TCG/TNC that's just as critical for interoperability. I've had some great conversations with some brilliant folks like Ryan Hurst (he's the unmitigatedrisk.com guy and a part-time BBQ chef) at Microsoft and it's obvious that the mindset is there and the brainpower is there. Whether what comes out of the sausage grinder is what we need--I have to wait until I get it in the lab to find out. It's just a tiny bit early to tell, but when Longhorn (Windows 2008) comes out, we'll have a better view of the whole picture. The same's true for TCG/TNC -- Steve Hanna, another NAC guru, is leading that parade pretty well, but it's up to the vendors to release products that match up to the marketing slides.

gmui

Are there any solutions out there that don't rely on proprietary implementations -- i.e. a fully TNC-based implementation that works at the 802.1X level?

joel_snyder

It depends on your definition of proprietary. At Interop iLabs (see http://www.opus1.com/nac) we did a lot of non-proprietary stuff and a chunk of it was in 802.1X-land. Obviously, right now, proprietary is covering a lot of the marketplace, but there are lots of open things going on. If you consider TNC proprietary, or some of the MS NAP play-along with TNC to be proprietary, then the market narrows considerably. Open source-wise, we're not very far. Chris H. and Mike M. can't do it all on their own.

Tony

Can I learn NAC by self-study, or do I need a course? Which are the good self-study and practice books, and what equipment will I need to practice?

joel_snyder

Bwah... Well, this is so new that you're going to have to go off on your own. I'd start with an 802.1X switch and a couple of servers (maybe VMware with Unix & Windows), but honestly you're going to have to see your own way here. SANS, I'm sure, will have a course on it pretty soon but that can be catch-as-catch-can until they get their act together.

rain

NAC enforcement: is there any consensus - is the endpoint itself the best place to enforce security policies or is the network infrastructure the best place to do that?

joel_snyder

Well, the consensus among guys typing in this chat is "infrastructure." But obviously there are differing opinions.

Moderator-Keith

We're going to wrap up in about 5 minutes -- please submit any final questions to Joel as soon as possible...

amiller219

Have you heard of peer-based approaches to NAC - where end points on the network are used as enforcers to ensure that devices coming in are in compliance? If so, is it a viable option?

joel_snyder

I haven't heard much about it, but I'm skeptical. I am a control freak, which means that I want the network to do the hard work and I want it to be done in devices that I own and control. Letting the end points bash on each other seems like a fun idea in a sort of poke-a-sharp-stick-in-your-own-eye kind of way.

RRR

What about NAC climbing into UTMs ? Do you see it happening before we start branching out NAC solutions?

joel_snyder

Is the ISR a UTM? I see lots of good stuff going into UTMs, and hopefully that will push out some of the stupid stuff. But, yeah, NAC should be in UTMs in order to serve the branch. Why do you want another box? (Unless, of course, you're a box salesman)

gmui

Is there any discussion of the OpenSEA Alliance working on a NAC approach once they complete the 802.1X client?

joel_snyder

Don't know. Let's get Chris H. on the line and ask him. Chris, you out there anywhere?

corao

Dumb question on standards - I have firewall, IPS/IDS, vulnerability scanner, etc. but none are standards-based - and the NAC product I am looking at can solve what I need - my endpoints, Cisco switch and SMS. Why is standardization important at all?

joel_snyder

NAC is not a single product solution. You actually probably do have a standards-based firewall, if you think about it. But in terms of interoperability: NAC requires interoperability, and firewalls and IDS don't. That's why standards are required. NAC means a LOT of pieces coming together, and this is tough.

joel_snyder

OK, folks, my fingers are falling off.

Moderator-Julie

Thank you for attending today's chat. Please mark your calendars for September 19, "Enterprise messaging demystified" with Michael Osterman; and October 1, "The road to infinite capacity" with Amazon.com CTO Werner Vogels.

Moderator-Keith

A complete transcript of today's chat, and all of our chats, will be available at www.networkworld.com/chat. Thanks for joining us today!

joel_snyder

Talk to you all later. Remember, "safety first."


Copyright © 2007 IDG Communications, Inc.
