The man with the longest domain name ever (compensating for something?) has decided to pick on last week's blog post. His main point seems to be our "lack" (perhaps he missed my truth meter) of pre-admission compliance checks, but in it, he uses his favorite hammer-nail turn of phrase. Now, we all have our favorite cliches, and it has to be especially tough for Alan given how prolific his entries are. So, in the interest of helping out a fellow blogger, I have a few suggestions:
When you're a cat, everything looks like a canary
When you're a dog, everything looks like a hydrant
When you're Ted Stevens, everything looks like an earmark
When you're the Church Lady, everything looks like Satan (this one's my favorite; who wouldn't want to be compared to the Church Lady?)
Now, then, here's my three-point rebuttal to Alan's post:
1. What part of "you can always get fancier" was unclear? My post was not at all intended to represent the sum total of admission checks we can perform. It was simply to advocate that IT and Security staff take the low hanging fruit first, then move up the tree (see how I did that? A brand new cliche).
2. Setting up and configuring a NAC solution should not involve rocket science. Presenting NAC administrators with a laundry list of 1800+ pre-admission checks is, at least to me, not a benefit. Solving 80% of the problem out of the box, then providing enough flexibility (via additional pre-admission checks, behavioral controls and a web services API that integrates other security tools) strikes me as a better approach. Granted, StillSecure is more VA focused than we are, but that makes sense, given their product suite. After all, when you're a VA company, everything looks ... Never mind.
3. I continue to wait for a post from Alan, or anyone over at StillSecure, on how DHCP based "quarantine" (StillSecure's primary methodology) is so much more secure than ARP based quarantine. See here for an example of what I mean. And have I mentioned that if the switch vendors would get off their collective keisters and implement RFC 3576 we could leave this particular argument behind and fight about other things?
In addition to wishing everyone (yes, even Alan) a happy Thanksgiving, I'll leave you with these parting thoughts.
I'm just glad to be here, and hope I can help the ball club
You have to play them one game at a time, and the good Lord willing, things will work out.
Sometimes you win. Sometimes you lose. Sometimes it rains.
Think about that for a while.
I've always thought the longest domain out there (but very likely overcompensating) was http://www.thingsmygirlfriendandihavearguedabout.com/
It's a good eight characters longer than the site you mentioned and much, much funnier...
Posted by: George Bright | March 18, 2009 at 05:27 PM