Got the NAC

March 2008

March 26, 2008

Best in (NAC) Show

How much do you think I can bench press?

As a longtime Snoopy fan, I was happy to see a beagle win the big prize this year.  And of course, it's impossible for me to watch any conformation show without thinking of Best in Show, a fine piece of cinema and one of the 10 funniest movies ever.

I bring it up here because the oft-seen blog fights and PR battles between and among NAC vendors are eerily reminiscent to me of the infighting among the owners and handlers of Winky, Beatrice, Hubert, Miss Agnes and Rhapsody in White.  For example, few things raise rankles faster and begin more quickly an argument over whose NAC product has a better tail than the old "Pre vs Post" battle.  Now, two things are immediately clear.  First, anyone who disagrees with our approach is clearly addle-minded.  Second, anyone who buys "some other" NAC product is clearly wasting their time and money and will end up back at the pet store.  Having said that, I think reasonable people can disagree.

Truly, it does seem clear that there are governance problems to solve, regardless of the label attached.  If, for example, I have a governance rule of no "network services" (iTunes Shares, Web Servers, FTP Servers, etc.) on workstations, how is that governance policy less relevant an hour into a laptop's network session than it is when the laptop connects to the network?  Likewise, if my policy is that machines accessing corporate financial applications are not allowed to run peer-to-peer applications, a behavioral check on whether the machine establishes a peer-to-peer connection seems to make sense.  In whatever functional bucket, it's a governance problem to solve.  By whatever name, it's a sweet-smelling pooch with a nice bushy tail.

Indeed, at least one of the NAC standards (TNC) anticipates the idea of changing/revoking access rights during the course of a network session.  As we continue down the path of a "Unified NAC Standard," it's difficult to imagine that standard without some notion of post-admission checking.  Perhaps that will settle the argument and those of us who are still around can compete on things like service, management ease, price and the cleanliness of our teeth.  Until then, just think of it as a governance problem to solve.  You can solve it our way, or some other way.  You can solve it as part of a Network Access Control Project, or as part of a Controlling Network Access Project.  What seems clear is that you'll have to solve it.

March 19, 2008

More Strategery, Less Crappery

In exchange for a permanent reprieve from Starbucks Duty, I promised my CEO that I would start a blog when MS released 2008 Server. Needless to say, I was pretty sure I'd be dead (or at least fired) by then. Well, lo and behold, Microsoft managed to hit the (OK, this) date, so here I am. Does the release of MS 2008 Server portend the wide-scale adoption of NAC? I certainly hope so, though I frankly can't help but remember that RFC 3580-compliant RADIUS servers have been out for a little while now. Not that the MS NAP initiative is without merit; after all, one can find something to like in any 106-page Visio diagram. Seriously, doesn't it seem like they could simplify it just a little bit? Cisco, for example, went from their own, err, large diagram to embedding "Simple" right there in the acronym.

So what really happens? The industry, much like political punditry, has no shortage of experts who are happy to tell you. No one has a crystal ball, though, and predicting correctly can be a challenge. Compare, for example, NAC predictions for 2007 to the pre-Super Tuesday Zogby poll that had Obama leading in California by 13 points. Still, in the interest of not having to remember whether "non-fat" comes before "no whip," I just asked my own Magic 8 Ball whether 2008 will be the year of NAC.

The answer:  "Absolutely."  In the end, though, I think the answer will depend on the industry itself.  We need more strategery and less crappery.  At least part of me thinks that means we need fewer arguments over who builds a better mousetrap, and more open discussion on why organizations might not want mice to begin with.  Yet what we heard consistently at OASIS (which was awesome, BTW, so thanks to all the customers, partners, analysts and press that attended) was that organizations get the basic value pitch for NAC; they need it in a package that is reasonable to deploy, comes at a reasonable cost and provides reasonable investment protection.  The pure play vendors have a much better story on the first two, if only because it's been more of a focus; the large vendors, by contrast, have little on the first two but get to default on the third.

And therein lies the rub, which brings us full circle to MS NAP and the release of 2008 Server.  I believe that the path for the pure play vendors to provide assurances of investment protection lies in the implementation of NAC standards, or at least one of them.  MS NAP, NEA and TNC all have common elements to them.  The challenge before us is to articulate a path through the standards soup, and provide both a vision and a product that is implementable today and relevant tomorrow.  Easy enough, right?

Absolutely.