Silly SNACs
Tim Greene has a newsletter story on Symantec's "Peer to Peer NAC." No, this is not using NAC for the purpose of governing peer-to-peer application usage, but rather leveraging the idea of peer-to-peer communication for the purpose of enforcing NAC policy. Setting aside, just for the moment, whether the chickens can guard their own henhouse, this is just a silly idea. It's a silly idea from an enforcement perspective because NAC policy enforcement (especially for managed assets capable of running a persistent agent, which is the only kind of asset Symantec can govern in any event) will be done at the point of access (WAP, wireless controller, VPN termination, Ethernet switch, etc.). It's silly from a policy definition perspective since, again, it has no notion of unmanaged (or unmanageable) assets. So it's purely a short-term stop-gap, useful only until standards evolve that allow for ubiquitous enforcement at the point of access. And even then, it's only a stop-gap for general-purpose computing assets that are tightly managed by the organization. Pretty much by definition, these are the assets that pose the least risk to your organization. Why would you start there? Why implement a short-term stop-gap product for assets that pose the least risk?
Silly. Fusilli, Jerry.
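To make the "no notion of unmanaged assets" argument concrete, here is a small Python model, added to this post and not taken from Symantec or from Tim's article. It assumes a constructed inventory of four hosts (two running a persistent agent, two that cannot) and compares what an endpoint-agent enforcement model can see with what a point-of-access enforcement model must decide for every MAC on the port. The host list, MAC addresses and decision labels are all constructed for the example.

```python
"""
Toy model of two NAC enforcement placements (added example, not Symantec's code).

Endpoint-agent ("peer-to-peer") enforcement: agents query other agents, so
only hosts that run the agent are ever evaluated.
Point-of-access enforcement: the switch/WAP/VPN head-end sees every MAC on
the port and has to make a decision for each one, agent or not.
All host data below is constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Host:
    mac: str
    managed: bool               # runs the organization's persistent agent
    posture_ok: Optional[bool]  # agent-reported compliance; None when no agent


# Constructed inventory: two managed laptops, a printer, and a visitor's laptop.
HOSTS: List[Host] = [
    Host("00:11:22:33:44:01", managed=True, posture_ok=True),
    Host("00:11:22:33:44:02", managed=True, posture_ok=False),
    Host("00:11:22:33:44:03", managed=False, posture_ok=None),  # printer
    Host("00:11:22:33:44:04", managed=False, posture_ok=None),  # visitor laptop
]


def peer_enforcement(hosts: List[Host]) -> Dict[str, str]:
    """Endpoint-agent model. Returns {mac: decision}. Hosts without an agent
    never appear: there is nothing on them to answer a peer's query, so the
    model has no decision to make about them."""
    decisions: Dict[str, str] = {}
    for h in hosts:
        if h.managed:
            decisions[h.mac] = "allow" if h.posture_ok else "quarantine"
    return decisions


def access_point_enforcement(hosts: List[Host]) -> Dict[str, str]:
    """Point-of-access model. Every MAC seen on the port gets a decision.
    A host that cannot present posture evidence is placed in the quarantine
    VLAN by default rather than being silently ignored."""
    decisions: Dict[str, str] = {}
    for h in hosts:
        if h.posture_ok is None:
            decisions[h.mac] = "quarantine"  # unmanaged: no posture evidence
        else:
            decisions[h.mac] = "allow" if h.posture_ok else "quarantine"
    return decisions


def ungoverned(hosts: List[Host], decisions: Dict[str, str]) -> List[str]:
    """MACs present on the network for which the model reached no decision."""
    return [h.mac for h in hosts if h.mac not in decisions]


if __name__ == "__main__":
    peer = peer_enforcement(HOSTS)
    edge = access_point_enforcement(HOSTS)
    print("peer-to-peer decisions:", peer)
    print("peer-to-peer ungoverned:", ungoverned(HOSTS, peer))
    print("point-of-access decisions:", edge)
    print("point-of-access ungoverned:", ungoverned(HOSTS, edge))
```

The printer and the visitor's laptop are exactly the hosts the peer-to-peer model never sees, and they are also the ones an organization has the least control over; the point-of-access model is the only one of the two that even has a slot in which to record a decision for them.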
Grant - though I am not a big fan of this technology, I think the point is that the peer devices only detect and test devices by querying the agent. It is still the traditional point of access that will be the "enforcement" point. I think this might be similar to what InfoExpress does with DNAC, except leveraging communication among Symantec agents.
Posted by: alan shimel | June 04, 2008 at 08:45 PM
Hi Alan
The disconnect is likely over my reference to SNAC, but it was alliterative so I couldn't pass it up. Per Tim's article:
"Symantec NAC enforcement is located in its endpoint software, so each endpoint contains knowledge of its own configuration-compliance status."
How this approach melds with, say, the Symantec Enforcer appliances (which at least have the ability to enforce at the point of access) is not clear from the article. What does seem clear, though, is that in the "peer-to-peer" approach that is the subject of the article, the endpoints are enforcers. Which, of course, is what I'm picking on.
Anyhow, thanks for the comment.
Posted by: Grant Hartline | June 05, 2008 at 07:05 AM
My response...
http://securityuncorked.squarespace.com/security-uncorked/2008/6/30/symantecs-network-based-nac.html
-jj
Posted by: JJ (Jennifer Jabbusch) | June 30, 2008 at 09:06 AM