
Got the NAC

NAC

June 16, 2008

NAC now? NAC later? How about both?

Since it's sum-sum-summertime, I'm inevitably reminded of afternoons spent at the swimming pool, which in turn (of course) reminds me of candy.  Now, everyone had their own favorite candy back then.  Some would continue to insist on candy that, in the space of about 3 seconds, was going to melt in the heat that is a trademark of Texas summers.  Others would go for a more heat-resistant candy that, while far less delicious, at least wouldn't melt away like a wet wicked witch.  My own favorite was Now and Later.  Marketing delayed gratification to kids is always a tricky business; however, these candies were a stroke of genius.  Eat them now.  Save them for later.  They're a tasty treat either way.

I was reminded of all of this last week, reading Tim Greene's article on the Gartner Marketscope report.  Greene summarizes Gartner's viewpoint that even initial NAC deployments must take into account the organization's larger strategic vision of network security, endpoint compliance, etc.  Certainly, we agree with that.  However, the article also seems to pose a choice to organizations between an "overlay" solution that may have a short shelf life (say, a Snickers bar), and a more broadly integrated infrastructure-based solution that's not quite there yet (those fun dip things that had the inedible edible stick).

Any pure-play (overlay, whatever you want to call it) NAC vendor that cannot articulate a vision for how their solution fits into a larger overall framework is going to melt away very quickly.  And even before it melts away altogether, organizations are likely to get disgusted with what it's turning into and simply toss it.  By contrast, current pure-play vendors that do have that vision are like the Now and Later candy.  They provide a good firm texture now, but are pliable enough later to mold into your general network security strategy.

So, I say the choice is not as stark as portrayed in Tim's article, either for customers or vendors.  You can get your NAC snack now, knowing that even after some cannonballs and back flips, you'll still have something that is not just relevant, but delicious.

June 04, 2008

Silly SNACs

Tim Greene has a newsletter story on Symantec's "Peer to Peer NAC."  No, this is not using NAC for the purposes of governing Peer to Peer application usage, but rather leveraging the idea of Peer to Peer communication for the purposes of enforcing NAC policy.  Setting aside, just for the moment, whether the chickens can guard their own henhouse, this is just a silly idea.  It's a silly idea from an enforcement perspective because NAC policy enforcement (especially for managed assets capable of running a persistent agent, which is the only kind of asset Symantec can govern in any event) will be done at the point of access (WAP, Wireless Controller, VPN Termination, Ethernet switch, etc.).  It's silly from a policy definition perspective since, again, it has no notion of unmanaged (or unmanageable) assets.  So it's purely a short-term stop-gap, useful only until standards evolve that allow for ubiquitous enforcement at the point of access.  Yet it's only a stop-gap for general purpose computing assets that are tightly managed by the organization.  Pretty much by definition, these are the assets that pose the least risk to your organization.  Why would you start there?  Why implement a short-term stop-gap product for assets that pose the least risk?

Silly.  Fusilli, Jerry.

June 02, 2008

Educause SE Regional Event

While I am sitting not attending any of the regional Educause conferences this year, our own beloved VP of Marketing, Trent Fitz, is speaking along with Chuck Adams of Northwest Mississippi Community College.  We love it when any of our customers speak in public; and Trent, in spite of being from Oklahoma, is a good speaker and all around fine American.  If you're headed down to Jacksonville, by all means stop in and throw a tomato (or a tomatoe, if you prefer) at Trent.

April 23, 2008

Microsoft Takes a NAP on Non-Managed Devices

Since the release of NAP-compatible Server 2008 ostensibly inaugurated this blog, I thought this week would be a good time to revisit the big hairy beast that is Microsoft NAP.  While it's true that our (read: my) primary focus around infrastructure-based NAC is biased towards what the IETF ratifies, we remain NAP partners and continue to follow its progression.  One of the more common RSA questions, from press, analysts, and booth visitors, was how we (specifically) and NAC pure plays (generally) compete with Microsoft NAP.  The answer, of course, is that we don't.  And the smart ones won't even try.  Here's why:

First, it's worth exploring what NAP is, what it isn't, and where its focus lies.  While some amount of "NAC is stupid/dead/bad" hay has been made over the number of NAC "Standards" offered, the truth is that CNAC, MS NAP, and TNC don't really differ by all that much.  They all look to leverage the initial authentication event to glean endpoint data characteristics; they all have a model for both granting and gating a level of network access based on the combination of endpoint characteristics and user identity; and they all have a fundamental presumption that the endpoint has the capability and willingness to run the endpoint software to make the declarations.  They presume what's connecting to your network are general purpose computing devices, with general purpose operating systems, managed by you, the IT organization.

Now, what's wrong with that model?  The answer, really, is nothing, so far as it goes.  Governing access to your network for your general-purpose computing assets is definitely a problem for you to solve.  MS NAP, with all of its tradeoffs, is as likely to solve this problem for you as anything else is.  But controlling access for assets you *don't* own, as well as for assets that you own but that are specialized in their function (printers, security cameras, cash registers, HVAC controllers, badge readers, the list goes on), is also a problem for you to solve.  Reasonable people can disagree over what percentage this is, and the percentage likely varies by vertical in any event, but that it is "some number greater than zero" is a slam dunk.

This is really where pure play vendors come in, and why (at least here) we openly welcome the advancements of NAP/TNC/NEA.  I've believed for a while now that you will govern your internally-owned desktops and laptops with something other than us.  Symantec.  McAfee.  IBM.  Microsoft.  Juniper.  That's a good list; go to it.  But remember the "courage, serenity and wisdom" prayer?  You not only need a solution that brings governance to the class of non-managed (both unmanaged and unmanageable) devices, but you also need one that has the wisdom to know the difference.  The basic visibility of detecting and classifying what's connecting to your network is a tough thing to make a must-have or to wrap ROI around (around which to wrap ROI?  Honestly, sometimes it's just better to end with a preposition).  But the truth is that discovery and classification do have value, and are critical pieces of any kind of reasonable NAC policy (They may be critical for an unreasonable NAC policy, but I try not to worry with such things).

So, what you get with NAP is governance for the Windows Vista and Windows XP SP3 devices that you own and administer.  What you don't get is governance for anything else.  That's a perfectly fair tradeoff, and a perfectly appropriate thing (I think) for Microsoft to go off and solve.  But what's left?  Why might you want some other (granted, integrated) NAC solution to help?  Here's why:

State:  What's on your network?  The importance of answering this basic question can't be overstated.  At least in all the environments I've ever had to manage, it's a moving target.  Minute by minute, second by second.  Which means that robust, real-time state of all devices is the first step.

Classification:  An extension of the above, this is where you get an additional level of detail about the endpoint, as well as where you split between, say, "MS NAP" devices and "Non MS NAP" devices.

Post-Connect Monitoring:  Wheels within wheels.  This not only helps make your network safe by providing another layer (importantly, defined within the same management console, under the same policy construct), but it also gives some flexibility on making the front-end admission decision.  Reasonable people continue to disagree over whether organizations will accept a NAC policy that restricts at entry based on what many consider to be IT failures (firewall, patch, AV status), and Microsoft's own internal NAP deployment called out that tension.  A strong monitoring policy post-connect is the best way to cross that chasm.

Integrated Rollups and Status:  Duh

Enforcement:  Duh. See previous post and don't forget the C.
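To make the State / Classification / Post-Connect Monitoring split above concrete, here is a small policy engine written as an added example for this post.  It is not Mirage code and not how any shipping product decides; the class names, the per-class port profiles, the MAC addresses and the flow observations are all constructed for illustration.  What it shows is the point the post is making: only devices that can run a posture agent can be gated on health at admission; everything else gets a least-privilege role, and post-connect monitoring against a service profile is what catches a "known" special-purpose device behaving unlike its class.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Set, Tuple


class Access(Enum):
    FULL = "full"              # production VLAN / role
    RESTRICTED = "restricted"  # role limited to what the device class needs
    QUARANTINE = "quarantine"  # remediation network only


@dataclass
class Endpoint:
    mac: str
    posture_agent: bool              # can run a NAP/TNC/NEA-style health agent
    posture_healthy: Optional[bool]  # agent's last health statement; None if no agent
    device_class: Optional[str]      # from discovery/fingerprinting; None if unknown


# Hypothetical per-class service profile used for post-connect monitoring:
# the destination ports a device of that class is expected to be seen talking to.
EXPECTED_PORTS: Dict[str, Set[int]] = {
    "printer": {631, 9100, 161},        # IPP, raw print, SNMP
    "ip-phone": {5060, 5061, 69, 123},  # SIP, TFTP config, NTP
}


def classify(ep: Endpoint) -> str:
    """Split endpoints into the three classes the post talks about."""
    if ep.posture_agent:
        return "managed"        # general-purpose OS we own; posture is available
    if ep.device_class in EXPECTED_PORTS:
        return "unmanageable"   # special-purpose device; cannot run an agent
    return "unmanaged"          # general-purpose but not ours, or simply unknown


def admit(ep: Endpoint) -> Access:
    """Front-end admission decision at the point of access."""
    if classify(ep) == "managed":
        # Only managed devices can be gated on health; an absent or failed
        # posture report is treated as unhealthy (fail closed).
        return Access.FULL if ep.posture_healthy else Access.QUARANTINE
    # Everything else gets least privilege: a class-scoped role for known
    # special-purpose devices, and the same restricted role for unknowns.
    return Access.RESTRICTED


def monitor(ep: Endpoint, current: Access,
            flows: Iterable[Tuple[str, int]]) -> Tuple[Access, List[str]]:
    """Post-connect re-evaluation; flows are (mac, dst_port) observations.

    Returns the (possibly downgraded) access level and the findings that
    justify it.  Access is never raised here; that stays with admission.
    """
    findings: List[str] = []
    cls = classify(ep)
    if cls == "managed" and ep.posture_healthy is False:
        findings.append(f"{ep.mac}: posture turned unhealthy after connect")
    if cls == "unmanageable":
        allowed = EXPECTED_PORTS[ep.device_class]
        for mac, port in flows:
            if mac == ep.mac and port not in allowed:
                findings.append(
                    f"{ep.mac} ({ep.device_class}) contacted unexpected port {port}")
    return (Access.QUARANTINE if findings else current), findings


# Constructed sample inventory and flow observations.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", posture_agent=True, posture_healthy=True, device_class=None),
    Endpoint("00:11:22:33:44:02", posture_agent=True, posture_healthy=False, device_class=None),
    Endpoint("00:11:22:33:44:03", posture_agent=False, posture_healthy=None, device_class="printer"),
    Endpoint("00:11:22:33:44:04", posture_agent=False, posture_healthy=None, device_class=None),
]
SAMPLE_FLOWS = [
    ("00:11:22:33:44:03", 9100),  # printer doing printer things
    ("00:11:22:33:44:03", 445),   # printer talking SMB: not in its profile
    ("00:11:22:33:44:01", 443),
]


def run(endpoints=SAMPLE_ENDPOINTS,
        flows=SAMPLE_FLOWS) -> Dict[str, Tuple[str, str, List[str]]]:
    """Admit each endpoint, then re-evaluate it against the observed flows."""
    result = {}
    for ep in endpoints:
        first = admit(ep)
        final, findings = monitor(ep, first, flows)
        result[ep.mac] = (first.value, final.value, findings)
    return result


if __name__ == "__main__":
    for mac, (first, final, findings) in run().items():
        print(mac, first, "->", final, findings or "")
```

Running it, the healthy managed laptop stays on the full role, the unhealthy one is quarantined at admission, the unknown device never gets past the restricted role, and the printer is admitted to its restricted role but dropped to quarantine once it is seen talking SMB.  The classifier is the hinge: it is the piece that knows which devices can legitimately be asked for posture and which have to be governed by what they are and how they behave.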

April 01, 2008

Advertogs

(Note:  In this brave new world of making up words rather than learning the words we have, I thought I would introduce one of my own:  advertog, which I define as a company advertisement disguised as a blog entry.  An example of such an animal is below.)

Case Study - Vandelay Industries

Vandelay Industries, an industry-leading manufacturer of best of breed latex products, implemented Network Access Control (NAC) from Mirage Networks to ensure endpoint compliance across its enterprise network and protect its networks from day-zero malware.

Vandelay Industries has direct operations in 43 countries, across 6 continents.  Its state-of-the-art latex manufacturing facilities, located in Sao Paulo, Brazil; Memphis, TN; and Taipei, Taiwan, make heavy use of embedded OS devices to run the manufacturing line.  Vandelay Industries is also an IP Telephony customer, leveraging IP based phones in all of its locations.  Finally, Vandelay employs a direct latex sales staff of over 500 people, and provides hoteling facilities at all of its major branch locations around the world.

"We evaluated a broad range of NAC solutions available in the market place," said Kel Vansen, Vandelay's Chief Security Officer.  "The Simple Network Management Protocol (SNMP) based NAC solutions we tried, not that there's anything wrong with the protocol, disconnected our IP phones.  Similarly, inline enforcement contained too many latency and availability risks, and the large number of embedded OS devices in our environment precluded any kind of wide-scale agent-based solution.  Mirage's virtually inline approach was the perfect fit."  "It's the best, Jerry!  The best!" added Kenny Bania, Director of IT Security.

With a large online catalog of latex products available for direct sale, Vandelay Industries also had a strategic PCI compliance initiative.  Yet simply finding and tracking the servers responsible for financial transactions was proving problematic for Vandelay's on-demand business model.  "By the time we could compile the list of financial servers, the list was stale.  Latex is big business," said Kosmo Kramer, Global Compliance Director.  "Mirage allowed us to govern the use of service ports across all endpoints on the network and implement the spirit as well as the letter of PCI.  Mirage made us masters of our domain.  Giddyup!"

Manageability and reporting were also key concerns.  In an effort to cut costs and improve efficiency, Vandelay merged the Network Operations and Security Operations Center staff across the 4 dedicated centers worldwide.  "With our reduced staff, we needed some shrinkage in the number of deployed management tools," noted Vansen.  "Mirage's ability to integrate with existing security and network event management tools was a key factor in our decision."  The global compliance group also leverages Mirage's report infrastructure to deliver timely reports to compliance auditors, greatly increasing the productivity of the compliance team.  "Prior to implementing Mirage's solution, compliance audits made us all want to quone," said Mr. Kramer.  "We have serenity, now."

Happy April 1, everyone.  Remember to have some fun out there.