CTO Chronicles

If you didn’t tune in for the NAC debate between Joel Snyder and Richard Stiennon you should check it out here.  It was a good exchange but Snyder was clearly speaking from stronger ground.  This was one of Stiennon’s comments in the debate (talking about NAC):

Richard_Stiennon: I agree that it is turning into a religion, which makes me an atheist.

I knew he hated apple pie.  I knew it.  Actually, that was just Richard being Richard, but even when discussing the real issues he seemed to be all over the place. Here’s my take on a couple of other nuggets of wisdom he shared in the NAC debate.

Stiennon's historically wrong: 

Richard_Stiennon: “MSBlaster was essentially a zero day [exploit] for most enterprises. If they had had NAC fully deployed they still would have gotten hit.”

The CERT advisory on blaster was issued on August 11, 2003.  The security bulletin and the patch were available on Microsoft's web site on July 16, 2003.  Roughly 30 days.  Nowhere near zero-day.  Indeed this works against Stiennon's other argument about patch and software distribution management solving this problem long ago.  SMS was ubiquitous three years prior to the Blaster outbreak.

Stiennon's philosophically wrong:

phreno: Richard, some NAC products offer behavioral policy enforcement. I can get identity, endpoint checks, and behavioral policy enforcement that stops botnets, DDoS attacks, etc. that do find a way onto the network. What other technology offers that?

Richard_Stiennon: “Great question. This is where the IPS/AV industry is heading. Allow an infected end point to connect, but do not allow it to harm me. Filter out attacks at the edge. The capability you refer to in some "NAC solutions" is what they call post admission control. That is good but the action should be to drop packets, not end point connections.”

13th chime of the clock.  This statement, in itself, is just wrong-headed.  The notion of blocking bad traffic but leaving an otherwise useful connection was folly 5 years ago.  Much less today with, as Richard alludes to earlier in the debate, threats that blend SPAM, bot, keystroke logging and the like.  And we haven't even scratched the surface of malicious users.  What possible good comes from continuing to grant network access to a malicious user?  It is difficult for me to conceive of an answer that could be more wrong, more naive in its arrogance, than "just drop the bad stuff."

Likely the single most controversial part of the Mirage NAC product involves its use of ARP.  Stiennon referred to "ARP twiddling" as our means of quarantine during our recent, er, discussion on the usefulness of NAC.  As tempting as it was to respond to the comment in the thread, I thought perhaps it was better to leave it for its own post.  So, what's up with our use of ARP?  Why do we do it this way and why haven't we moved more quickly to one of the more common means of quarantining endpoints?  Here's the lowdown that before has been kept more on the down-low.

More than just quarantine.

One of the first discussions we (at least I) end up having with prospects surrounds the notion of device state.  The knowledge of network entry and exit forms the bookends of the NAC process.  Any NAC solution must have this basic notion in order to provide the necessary governance.  To be sure, many options exist.  Some solutions take alerts from the switching infrastructure (SNMP traps, Syslog messages, whatever) based upon either the link state of the port or the population of the bridging tables.  Others may have a RADIUS hook, on the assumption that any device that's connecting is authenticating in one way or another.  Still others may have a DHCP hook and use address assignment as the state trigger.  Finally, some of the inline solutions simply wait to see traffic flow through them.  There are three basic reasons we like ARP for this:  First, and most importantly, it's immediate since it's part of the initial stack initialization.  Second, it's independent of the switching infrastructure, in that it works the same way regardless of downstream switches, whether the switches can send traps, etc.) Third, it's independent of endpoint characteristics, such as OS type and whether the address is statically assigned or dynamically assigned.

But also quarantine

Yes, we use ARP for quarantine.  The marketing side of the house prefers "ARP Management" to "ARP Poisoning" or "ARP Twiddling."  I don't especially care.  The best way to enumerate why we do it this way is to back up and review, at a slightly higher level, what we think quarantining should be and mean:

Quarantining should be fast

This almost seems like it could go without saying.  Whether effected for the purposes of device-specific remediation or more generalized network protection, time is both money and risk.  A quarantining method that takes, for example, seconds to put in place is, at least to us, a non-starter.

Quarantining should be holistic

One of the fundamental disagreements I have with Stiennon's notion of network security (rant alert) is that packet (as opposed to endpoint connection) dropping is sufficient as a mitigation method.  With a threat blended into, say, a bot (with an https control channel), a file-sharing based worm, a keystroke logger that may be logging data but not sending it, and a spam relay, the very notion of separating "good" traffic from "bad" traffic is silly.  Take even one of the highly outdated threats (and quaint, by today's standards) threats like Blaster and Welchia.  The "bad traffic" in those cases was Windows networking traffic, whose primary usage was *inside* the infrastructure.  So then a "good traffic/bad traffic" policy removes windows networking functions from the connection, which removes access to both file shares and (assuming Exchange) corporate email.  Now then, how useful, really, is that endpoint's connection?  Well, they can get their stock quotes.  And they can get to internal portal-based applications.  Boy, there's a great idea.  "I see, Mr/Ms user that you're infected with malware; welcome to my Oracle Financials application."  How does that idea pass muster with anyone?

Quarantining should be full-cycle

This may or may not be a point of debate, but we continue to believe that a quarantine mechanism that is only available at admission time is wholly inadequate.  This is the "main" thing keeping us from leveraging 802.1x as a quarantine mechanism (the lack of this capability in 802.1x environments has been a rant of mine before, since the RFC that would allow for this is 5 years old).  As much as I like the idea of enforcement at the point of access, I simply do not see how it's workable unless and until it's possible to revoke previously granted access based on policy.

Quarantining should be transparent

I put this last since I think it's one with the largest amount of wiggle room.  The thing I always liked the least about SNMP and CLI based VLAN moving is that there remains the need to get the endpoint to go request a new address as a result of the VLAN change.  Similarly, the best that DHCP can offer is to play around with the timing elements, but that's not the same as the ability to do quarantine on-demand per policy.  Not to beat a dead horse or anything, but RFC 3576 would get us there if the switch vendors would just implement it.  Did I mention that the RFC is 5 years old?

So, there you have it.  We use ARP for state because it's fast, robust and hard to bypass.  We use ARP for quarantine because, quite frankly, we've yet to see any other quarantine mechanism that can fit the bill.

PS

I almost forgot.  The main knock against our "ARP twiddling" approach, beyond just the philosophical objection, is that it's easy to bypass.  Is it?  Some methods may be.  Ours is not.  Not from our own internal testing, and not from installations spanning 550 customers across 38 countries.  And, yes, we thought of the static cache-entry trick already.

A couple of months ago, Richard Stiennon (of 'IDS is Dead' fame) had a blog article up at Network World, making the argument that "Network Admission Control" is "added complexity and cost that reduces network access while doing nothing for enhanced security."  This drew a predictable response from the likes of Alan Shimel over at StillSecure.  At the time, at least for me, it was just another blog fight and didn't seem that interesting.

This came up again recently though, with the news of a live debate between Stiennon and Joel Snyder.  Shimel's apparently still annoyed and had this prediction on the outcome of the debate.  In re-reading all of the arguments as part of this latest blog-fight, something ocurred to me that changed my initial view of things.

I'm come to the conclusion that Alan is wrong and Richard is right.  Let's look first at the three things that Stiennon cites as how NAC is off-base:

1. NAC does nothing to stop the malicious user with a clean computer from having their way with your network.

2. A zero-day infection will infect properly configured machines with up-todate signatures.

3. NAC violates Stiennon's first and only rule of network security "Thou shall not trust an end point to report its own state." Just as IP address and MAC addresses are spoofed regularly by hackers, machine state can be spoofed.

All three of these reasons are perfectly valid reasons not to like whatever you've been sold.  To be fair, the bulk of Shimel's retorts over this have been to point out that Stiennon's view of the NAC space is behind what current NAC vendors offer to the market.  What occurs to me, though, is that there really is only one vendor that fits Stiennon's description of what NAC is.  A really, really big one.  Whose name begins with C.  The rest of the NAC space moved on a long time ago.

So, on further reflection, I agree with Stiennon.  IDS is dead and Cisco's NAC Appliance sucks.  It's too bad that Cisco's NAC is all Stiennon knows about NAC.

So, it appears that, as part of getting a new CEO, Consentry has re-entered the NAC space.  Welcome back, though it still seems to me that they've pretty much abdicated the policy elements of NAC, and I'm still not sure I get the whole Intelligent Switching angle.  As we continue our inexorable march down the standards path, the role of the switching layer seems clearly relegated to that of an enforcement point.  Not that there's anything wrong with that.  Enforcement of policy is crucial.  It's just that the box they'll soon find themselves in (if they haven't already) is choosing between (a) being standards compliant but no more intelligent than any other switch and (b) being more "intelligent" than competitive switch vendors, but in a proprietary way.  It's not an easy choice, and I'll be curious to watch which way they go.

By the by, is it too much to ask for an intelligent switch to implement an RFC that's 5 years old?  Pretty please?