Got the NAC

July 16, 2008

Stiennon's Right, Shimel's Wrong - NAC Sucks

A couple of months ago, Richard Stiennon (of 'IDS is Dead' fame) had a blog article up at Network World, making the argument that "Network Admission Control" is "added complexity and cost that reduces network access while doing nothing for enhanced security."  This drew a predictable response from the likes of Alan Shimel over at StillSecure.  At the time, at least for me, it was just another blog fight and didn't seem that interesting.

This came up again recently though, with the news of a live debate between Stiennon and Joel Snyder.  Shimel's apparently still annoyed and had this prediction on the outcome of the debate.  In re-reading all of the arguments as part of this latest blog-fight, something occurred to me that changed my initial view of things.

I've come to the conclusion that Alan is wrong and Richard is right.  Let's look first at the three things that Stiennon cites as how NAC is off-base:

1. NAC does nothing to stop the malicious user with a clean computer from having their way with your network.

2. A zero-day infection will infect properly configured machines with up-to-date signatures.

3. NAC violates Stiennon's first and only rule of network security "Thou shall not trust an end point to report its own state." Just as IP address and MAC addresses are spoofed regularly by hackers, machine state can be spoofed.

All three of these reasons are perfectly valid reasons not to like whatever you've been sold.  To be fair, the bulk of Shimel's retorts over this have been to point out that Stiennon's view of the NAC space is behind what current NAC vendors offer to the market.  What occurs to me, though, is that there really is only one vendor that fits Stiennon's description of what NAC is.  A really, really big one.  Whose name begins with C.  The rest of the NAC space moved on a long time ago.

So, on further reflection, I agree with Stiennon.  IDS is dead and Cisco's NAC Appliance sucks.  It's too bad that Cisco's NAC is all Stiennon knows about NAC.

Comments

Grant - it is not often that I agree with anyone who says "Shimel is wrong". But you are right. Richard is focused on admission control as espoused by Cisco, not on what NAC is today. I still say Snyder by a knockout in 3.

Listen folks. If you are going to leave "admission" ( quarantine based on state of end point) out of the debate why the f*ck is there even a point to all these NAC products?

We already have Radius, TACACS, ACLs, tons of great stuff to enforce network access controls. Enterasys has had a great solution for at least a decade.

Shimel still talks about deployments at the DOD that are to help clean up laptops carried by troops returning from Iraq. That sounds like CNAC to me.

I see that Mirage has jumped on the NAC bandwagon in a big way so I see why you would argue that Stiennon is confused. You do not want to be lumped in with sh*tty NAC, you want to differentiate your "dark IP" method of detecting abnormal behavior from the end point health check guys.

Consentry, Nevvis, Arbor, all have post admission control solutions that do not require endpoint agents as well. Fortinet, Reflex, Tippingpoint all do signature based post admission control while also being able to block those attacks. Mirage does ARP twiddling to accomplish blocking right?

While it might be a good strategy for a struggling startup to "draft" on huge marketing machines like Cisco and Microsoft by confusing end users into thinking that they offer NAC as well, I think it would have been better to argue the merits of their products without supporting a failed idea.

I gotta go do my homework on Microsoft's NAC solution. I hear Joel is hot on that. Is that what you meant by "The rest of the NAC space moved on a long time ago."? Microsoft?

Easy, easy, gentlemen. Richard is still suffering from PASS, Post Analyst Stress Syndrome.

This is a lifelong illness and while offering some tough love is the usual prescription, there are times when the patient just needs unconditional love from us. Please, we don't want Richard to go postal on the nearest NAC vendor he might get his hands on.

Hi Richard

I generally prefer to respond to arguments rather than rants, but I'll give this a shot anyway.

What Mirage does, and has done for a while is what we think is the basic value pitch for NAC: directly controlling the network access of endpoints based on a *combination* of identity, posture and ongoing behavior. We can argue over the how as long as you want, but we should at least get the basic backdrop of "what" correct.

And no, it was not the point of my post to remove the idea of pre-admission posture assessment, rather to point out that any solution that *begins and ends* with pre-admission (including both CNAC and NAP) has at least all three of the problems you call out. What you seem to be arguing is that, since pre-admission posture assessment is imperfect, it's not worth doing at all.

This seems roughly analogous to: Airport screening will never catch all of the knives. Therefore, you need to lock the cockpit doors and put air marshals on the planes. Therefore, screening for knives is a waste of time. That notion is fundamentally wrong-headed to me. You always want multiple layers of security, precisely because no individual layer is perfect.

And no, I don't hold Microsoft's NAP up as any kind of standard that others should follow. What's true about the NAC space is true about every other space (including your former IPS/UTM one): innovation comes from smaller more dynamic players rather than incumbent vendors. This is as American as mom and apple pie. You don't hate apple pie, do you Richard?
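As an added illustration (this is not code from the post, from Mirage, or from any vendor named in this thread), the following toy policy engine shows the difference between the pre-admission-only model Stiennon's three objections target and the layered identity + posture + ongoing-behavior model Grant describes above. The endpoint's posture report is treated as an untrusted self-report; group membership comes from the directory; and a post-admission behavior check (here, a constructed "distinct destinations in a window" scan heuristic with an assumed threshold) keeps re-evaluating the connection after admission. All endpoints, flows and thresholds are constructed sample values.

```python
"""Toy NAC policy engine: pre-admission vs. pre-admission plus ongoing behavior.

Everything here is constructed for illustration; names, thresholds and sample
endpoints are assumptions, not values from any product or deployment.
"""
from dataclasses import dataclass, field

# Groups allowed onto the production VLAN. Membership comes from the
# directory/RADIUS side, never from the endpoint itself.
ALLOWED_GROUPS = {"employees", "contractors"}

# Assumed behavior heuristic: this many distinct destinations in the
# observation window is treated as scanning and triggers quarantine.
SCAN_THRESHOLD = 20


@dataclass
class Endpoint:
    mac: str
    user: str
    group: str                      # from the directory (trusted)
    posture_report: dict            # self-reported by the agent (untrusted)
    observed_flows: list = field(default_factory=list)  # (dst_ip, dst_port) seen on the wire


def posture_ok(report):
    """Evaluate the endpoint's own claim about its state (AV current, patched)."""
    return report.get("av_signatures_current") is True and report.get("patched") is True


def distinct_destinations(flows):
    """Count distinct destination hosts in the observed flows."""
    return len({dst for dst, _ in flows})


def pre_admission_decision(ep):
    """Pre-admission only: identity check plus the endpoint's posture claim.

    This is the model the three objections in the post apply to: a clean
    machine with a hostile user, a zero-day on a fully patched box, and a
    forged posture report all pass this gate.
    """
    if ep.group not in ALLOWED_GROUPS:
        return "guest"
    if not posture_ok(ep.posture_report):
        return "quarantine"
    return "production"


def ongoing_decision(ep, admitted_vlan):
    """Post-admission: re-evaluate using behavior observed on the network."""
    if admitted_vlan != "production":
        return admitted_vlan
    if distinct_destinations(ep.observed_flows) >= SCAN_THRESHOLD:
        return "quarantine"
    return "production"


def decide(ep):
    """Layered decision: identity + posture at admission, behavior afterwards."""
    return ongoing_decision(ep, pre_admission_decision(ep))


# Constructed sample endpoints.
CLEAN_POSTURE = {"av_signatures_current": True, "patched": True}
STALE_POSTURE = {"av_signatures_current": False, "patched": True}
# Sweeps 40 hosts on port 445 after admission (constructed flows).
SWEEP = [(f"10.0.0.{i}", 445) for i in range(1, 41)]

SAMPLES = {
    # Objection 1/3: passes posture (or forges it), then misbehaves.
    "malicious_user_clean_box": Endpoint("00:11:22:33:44:01", "mallory", "employees", CLEAN_POSTURE, SWEEP),
    # Normal employee: passes posture, a handful of ordinary flows.
    "normal_employee": Endpoint("00:11:22:33:44:02", "alice", "employees", CLEAN_POSTURE,
                                [("10.0.1.5", 443), ("10.0.1.6", 25)]),
    # Stale AV signatures: caught by posture at admission.
    "stale_av": Endpoint("00:11:22:33:44:03", "bob", "employees", STALE_POSTURE, []),
    # Unknown group: lands on the guest VLAN regardless of posture.
    "visitor": Endpoint("00:11:22:33:44:04", "guest1", "visitors", CLEAN_POSTURE, []),
}


def run_samples():
    """Return {name: (pre-admission-only result, layered result)} for the samples."""
    return {name: (pre_admission_decision(ep), decide(ep)) for name, ep in SAMPLES.items()}


if __name__ == "__main__":
    for name, (pre, layered) in run_samples().items():
        print(f"{name:26s} pre-admission={pre:11s} layered={layered}")
```

The point of the comparison is the first sample: pre-admission alone admits it to production and never looks again, while the layered policy moves it to quarantine once the behavior shows up, without needing to trust anything the endpoint says about itself.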

No, I love apple pie. I also love air marshals, they rock. I hate airport screening though, just as I hate all security measures that cause more pain than the problem they address.

NAC, in the holistic way you are trying to defend, is not justified. Of course if you do *not* do the following in your organization you may want to invest in NAC:

- Control access by group and user policy.
- Use good (if not strong) authentication.
- Update virus signatures on a regular basis.
- Use SMS or some other great product to update configurations and software versions.
- Segment guest networks for contractors, visitors, etc.
- Use VLANs to segment operational portions of your network.

Hmmm, who does that profile fit? Oh yeah education and the military. There is your market. Go for it.

In the meantime, the rest of the world can move ahead investing in technology that blocks attacks and helps to manage security in general.

I'll of course disagree that checkpoint screening is more trouble than it's worth. Recent stories from the TSA (like http://www.tsa.gov/press/happenings/12hours_tampa.shtm) show what nonsense people continue to try to bring on airplanes. Air marshal or no, I (and likely the bulk of the flying public) would prefer they confiscate loaded handguns prior to passenger boarding. The same goes for network entry.

But the larger point you're missing is the idea of the holistic governance of the endpoint's network connection. The way that malware threats have blended over the years, the idea that a stateful packet filter can just "drop the bad and allow the good" is, well, quaint. But wrong.
