Best in (NAC) Show
How much do you think I can bench press?
As a longtime Snoopy fan, I was happy to see a beagle win the big prize this year. And of course, it's impossible for me to watch any conformation show without thinking of Best in Show, a fine piece of cinema and one of the 10 funniest movies ever.
I bring it up here because the oft-seen blog fights and PR battles between and among NAC vendors are eerily reminiscent to me of the infighting among the owners and handlers of Winky, Beatrice, Hubert, Miss Agnes and Rhapsody in White. For example, few things raise hackles faster, or more quickly start an argument over whose NAC product has a better tail, than the old "Pre vs Post" battle. Now, two things are immediately clear. First, anyone who disagrees with our approach is clearly addle-minded. Second, anyone who buys "some other" NAC product is clearly wasting their time and money and will end up back at the pet store. Having said that, I think reasonable people can disagree.
Truly, it does seem clear that there are governance problems to solve, regardless of the label attached. If, for example, I have a governance rule of no "network services" (iTunes shares, web servers, FTP servers, etc.) on workstations, how is that governance policy less relevant an hour into a laptop's network session than it is when the laptop connects to the network? Likewise, if my policy is that machines accessing corporate financial applications are not allowed to run peer-to-peer applications, a behavioral check on whether the machine establishes a peer-to-peer connection seems to make sense. In whatever functional bucket, it's a governance problem to solve. By whatever name, it's a sweet-smelling pooch with a nice bushy tail.
Indeed, at least one of the NAC standards (TNC) anticipates the idea of changing/revoking access rights during the course of a network session. As we continue down the path of a "Unified NAC Standard," it's difficult to imagine that standard without some notion of post-admission checking. Perhaps that will settle the argument and those of us who are still around can compete on things like service, management ease, price and the cleanliness of our teeth. Until then, just think of it as a governance problem to solve. You can solve it our way, or some other way. You can solve it as part of a Network Access Control Project, or as part of a Controlling Network Access Project. What seems clear is that you'll have to solve it.
