More Musings on MS and Managed
Interop remained all atwitter about MS NAP, and the press articles continue. Joel Snyder had a webcast on Network World, where MS NAP was the main topic. We've got a whitepaper up on the same topic, and Alan Shimmel continues to post as well. There are nits that I could pick with just about everybody (e.g., most recent Cisco gear is perfectly capable of running per port ACL's), but I want to try to stay as high level as possible. Here are the big-picture things I still see missing from the discussion:
Device Discovery
Whatever governance coverage NAP brings (Greenstein's comments are well taken here), it brings that governance for Vista and XP 3 machines owned and managed by the organization. That leaves an extremely broad swath of devices, both specialized and general computing, outside the NAP umbrella. Snyder mentions using MAC based authentication and external device profilers to help; but for many organizations with highly dynamic networking environments, just getting the list of printer MAC addresses (much less badge readers, PDA's, security cameras, the list goes on) is a daunting task. And having an(other) external tool map and profile devices strikes me as a science experiment run amok. It seems to me that it is critical to have a built-in device discovery and profiling mechanism. It goes without saying that the discovery mechanism must also be impervious to host based firewalls, transparent to the physical connection, and indifferent to address assignment.
Post Admission
Just when I thought post admission security was in, they pulled it back out. What's up with this seriously? Gartner, Forrester, Frost & Sullivan, Tim Greene over at NWW all seem to agree that NAC encompasses (or at least should encompass) policy enforcement throughout the endpoint's network lifecycle. The TCG announced a new specification last week aimed specifically at post-admission security. Yet the bulk of Snyder's talk completely ignores post-admission monitoring and enforcement. Even the perennial and predictable "blah-blah is dead" post from Stiennon assumes that no NAC solution offers post-admission security beyond the occasional re-scan. Not so, folks, just not so. Good post-admission security not only provides flexibility with respect to pre-admission policy, but also provides a means to verify what the endpoint just told you was true. It's not rocket surgery, for heaven's sakes. OK, it sort of is, but we're really good at it.
Adaptive Enforcement
Should enforcement be through VLAN placement or ACL assignment? The truth is that as long as you're in the boat of not being able to change or modify the initial decision it doesn't really matter. Say an endpoint joins the network and needs remediation. So it gets put in the remediation VLAN (or has a remediation-specific ACL applied to its port), and gets automagically remediated. Now what? How does the endpoint get placed into the "you are now a good endpoint" VLAN (or have the "you are now a good endpoint" ACL applied to its port)? The answer is that, absent not-so-great methods like CLI or SNMP, the mechanism doesn't exist.
I'm picking (mainly) on NAP here, but really all software/infrastructure based NAC solutions assumed managed assets and are therefore in the same boat. You have to have some mechanism to discover and profile devices currently on your network; you need the backstop of post-admission security; and you have to be able to change/revoke an endpoint's access as its compliance status changes. We can argue about a whole litany of things (enforcement methods, device management, policy lifecycle, etc); but none of it is really relevant those three basic needs are met.
Comments