Since we're nearing the end of the silly season that is the presidential election cycle, and since I've spent the past few weeks in the field, I thought it might be fun to run some of the competitive FUD that has come my way through the truth meter. Competitive FUD is a natural part of the landscape, so this is not at all intended to cry foul; simply to set the record straight. Thanks and apologies in advance to the good people at politifact.org for my shameless pilfering of their graphic.
They say: Mirage technology is based on behavioral threat detection, which while a useful security feature is not NAC.
It depends on what your definition of is is. It's true that behavioral threat detection is at our roots; it's also true that revoking network access as a result of behavioral badness is controlling network access. I suppose one could say that controlling network access is not Network Access Control. I'm glad I'm not the one saying that.
They say: No persistent or dissolvable agent, which provides a less comprehensive endpoint assessment.
We do offer an on-demand Java control for full endpoint assessment, including patch levels, SMS currency, AV/AS currency and firewall status. This assessment is done in addition to an OS and Service Port map built from the network side (see below).
They say: Host-based firewalls must be disabled for compliance scan to take place.
Wrong on at least two levels. First, we have a Java control that can perform a deeper compliance scan, independently of any firewall status. Second, our network-side scan that maps endpoint OS and open Service Ports is a combination of Active (meaning packets that we send to the device) and Passive (meaning frames we receive from the mirror) scanning. So a host that, for example, sent us a RST on port 25 but sent another host an ACK on port 25 gets marked as an SMTP server. Indeed, Mirage is the only company of which I'm aware that uses a combination of active scanning and traffic monitoring to present a complete picture of how an endpoint is behaving on the network.
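To make the active-plus-passive reconciliation concrete, here is an added example (mine, not Mirage code, and not a description of how their sensor is implemented). It assumes an active probe table of (host, port) to the TCP flags we got back, and a list of mirrored frames summarised as source, destination and flags; both data sets below are constructed. The precedence rule is the one the post describes: a host observed serving a port to another host counts as serving it even when our own probe got a RST.

```python
"""Merge active-probe results with passively observed traffic into a
per-host map of served ports (added illustration; sample data constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Observation:
    """One mirrored TCP segment, reduced to what the heuristic needs."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # assumed summary strings: "S", "SA", "A", "R"


# Active probe results: (host, port) -> flags received, None for no answer.
ACTIVE = {
    ("10.0.0.5", 25): "R",    # host reset our SMTP probe (host firewall?)
    ("10.0.0.5", 80): "SA",   # host accepted our HTTP probe
    ("10.0.0.9", 25): None,   # no answer to our probe at all
}

# Passive frames from the mirror (constructed).
PASSIVE = [
    Observation("10.0.0.22", 40123, "10.0.0.5", 25, "S"),   # client SYN to 10.0.0.5:25
    Observation("10.0.0.5", 25, "10.0.0.22", 40123, "A"),   # 10.0.0.5 talking back from 25
    Observation("10.0.0.9", 25, "10.0.0.30", 51000, "SA"),  # 10.0.0.9 accepted a SYN on 25
    Observation("10.0.0.9", 443, "10.0.0.30", 51001, "R"),  # 10.0.0.9 refused 443
]


def passive_ports(passive):
    """Ports each host is observed serving, judged from mirrored frames.

    Evidence of service is a SYN/ACK sent from the port, or a plain ACK
    sent from a port that some other host was earlier seen SYN-ing to
    (this keeps a client's ephemeral-port ACKs from counting as service).
    A RST from the port is never evidence of service.
    """
    syn_targets = {(o.dst, o.dport) for o in passive if o.flags == "S"}
    served = defaultdict(set)
    for o in passive:
        if "R" in o.flags:
            continue
        if o.flags == "SA" or (o.flags == "A" and (o.src, o.sport) in syn_targets):
            served[o.src].add(o.sport)
    return served


def build_service_map(active, passive):
    """host -> {port: "active" | "passive" | "both"}.

    Active evidence alone needs a SYN/ACK to our probe; a RST or silence
    to our probe is overridden by passive evidence that the host serves
    the port to someone else.
    """
    served = passive_ports(passive)
    result = defaultdict(dict)
    for (host, port), resp in active.items():
        if resp == "SA":
            result[host][port] = "active"
    for host, ports in served.items():
        for port in ports:
            result[host][port] = "both" if result[host].get(port) == "active" else "passive"
    return {h: dict(p) for h, p in result.items()}


if __name__ == "__main__":
    for host, ports in sorted(build_service_map(ACTIVE, PASSIVE).items()):
        print(host, ports)
```

The interesting row is 10.0.0.5: the probe on port 25 came back RST, which an active-only scanner would record as "closed", yet the mirror shows the host completing a conversation from port 25 with another client, so it lands in the map as an SMTP server on passive evidence. The SYN-before-ACK check is there because a bare ACK from a port is ambiguous on its own; a real sensor would want connection tracking rather than this one-pass heuristic.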
They say: Savvy users can circumvent quarantine by setting static ARP cache entries.
What Mirage FUD is complete without some ARP-related FUD? I've written about all of this before here.
They say: Provides no integration with third party devices (IDS/IPS, VA, etc.)
We've a third-generation API available and documented, as well as any number of vendor-to-vendor partnerships, including IPS, SIEM, VA, DHCP and more.
They say: Sensor appliances need to see all endpoint traffic using port mirror or "SPAN" port function on a switch.
More like "is capable of receiving all endpoint traffic." Every Mirage sensor can take a mirror feed, but no Mirage sensor must take a mirror feed. Further, the communication of endpoint status and behavior through our common security fabric allows a "mixed" deployment, where traffic mirroring is performed at ingress/egress points rather than at every appliance. This allows us to make behavioral decisions based on traffic from the endpoint headed to, say, the public Internet or the corporate WAN, while avoiding the economies-of-scale hit that would come from requiring mirroring at every deployed sensor. Somewhere north of 90% of our deployments fit this mixed model.