NAC vendor says: if my NAC doesn't scale, just bypass it
Leave it to Tim Greene to put a positive spin on an obvious hole. Tim's NAC newsletter today talks about a new marketing spin put out by Lockdown Networks. Before I get into it, I have to give Dan Clark points for having the chutzpah to run this one out. It seems that Lockdown had gotten dinged for not being able to scale beyond about 30 pre-connect devices being tested and logging on in a minute. Since the overwhelming majority of people log on to the network between 8:15 and 9:15 am, this could cause a real bottleneck, and I am sure it caused Lockdown's customers a lot of grief.

So instead of making their appliances more scalable, what did the spinmeisters come up with? Their answer is easy. If your logons are going to exceed this number, let's just shut the thing off. That is right, you can selectively decide not to test devices before they come onto the network. Now, does that sound like a secure strategy? Tim says "new software for the devices allows suspending use of NAC". Don't blink, you read that right. It can't handle the heat, so the answer is to shut it off! Of course Tim is generous and says this is a great solution for a disaster recovery situation. Yeah, right. At 30 users tested a minute, you are going to use this every damn morning in most enterprises. So what is the sense of deploying NAC if you are not going to test a bunch of devices? It only takes one bad apple to spoil the network.

I think this is just a marketing Band-Aid spin on an inherent scalability problem. It is this kind of solution that leads people to think NAC is still immature. If NAC is going to be successful, it has to scale to the enterprise's needs. Having more than 30 people log on in a minute is not excessive, and customers have a right to expect their NAC solution to handle that load and more. I know that this is just the type of scalability that we develop and test for in our own NAC solution.
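To put numbers on the argument above, here is a small queue model I added for this page. It is not Lockdown's code or the newsletter's, and the arrival profile is constructed: a one-hour morning window with a peak of 120 logons per minute, which is a plausible shape for a mid-sized office but not measured data. The only figure taken from the post is the roughly 30 pre-connect tests per minute. The model compares two policies: keep every device waiting until it is tested (the queue just grows), or suspend testing whenever the backlog passes an operator-chosen threshold (the "turn NAC off" option), and it counts how many devices reach the network without ever being tested.

```python
"""Capacity model for a pre-connect NAC appliance under a morning logon burst.

Added example; the arrival profile below is constructed, not measured.
"""

# Constructed arrivals, logons per minute over a 60-minute morning window:
# quiet start, ramp to a 120/minute peak, ramp down. Total = 3200 devices.
MORNING_ARRIVALS = [10] * 10 + [60] * 20 + [120] * 10 + [60] * 10 + [10] * 10

# The appliance throughput reported in the post: about 30 devices per minute.
TESTS_PER_MINUTE = 30


def simulate_queue(arrivals, capacity):
    """Every device waits for its test; nothing is admitted untested.

    Returns how long the queue gets and how long it takes to drain, which is
    what users experience as a logon delay.
    """
    backlog = 0
    tested = 0
    max_backlog = 0
    for n in arrivals:
        backlog += n
        done = min(backlog, capacity)
        tested += done
        backlog -= done
        max_backlog = max(max_backlog, backlog)
    # Minutes needed after the window closes to test everyone still waiting.
    minutes_to_drain = -(-backlog // capacity)  # ceiling division
    return {
        "tested_in_window": tested,
        "max_backlog": max_backlog,
        # A device arriving at the peak waits behind the whole backlog.
        "peak_wait_minutes": max_backlog / capacity,
        "backlog_at_end": backlog,
        "minutes_to_drain": minutes_to_drain,
    }


def simulate_bypass(arrivals, capacity, suspend_threshold):
    """The 'suspend NAC under load' policy.

    Whenever the number of devices waiting exceeds suspend_threshold, the
    operator switches testing off and everything waiting is admitted as-is.
    Testing resumes the next minute. Returns how many devices were admitted
    without ever being tested.
    """
    backlog = 0
    tested = 0
    untested = 0
    for n in arrivals:
        backlog += n
        if backlog > suspend_threshold:
            # NAC suspended: the whole queue walks onto the network untested.
            untested += backlog
            backlog = 0
            continue
        done = min(backlog, capacity)
        tested += done
        backlog -= done
    return {"tested": tested, "untested": untested, "backlog_at_end": backlog}


def untested_fraction(result):
    """Share of all admitted devices that never saw a pre-connect test."""
    total = result["tested"] + result["untested"]
    return result["untested"] / total if total else 0.0


if __name__ == "__main__":
    q = simulate_queue(MORNING_ARRIVALS, TESTS_PER_MINUTE)
    print("queue policy:", q)
    # Threshold of 100 waiting devices: roughly the point at which the help
    # desk phones start ringing. Assumed value, not from the post.
    b = simulate_bypass(MORNING_ARRIVALS, TESTS_PER_MINUTE, suspend_threshold=100)
    print("bypass policy:", b, "untested fraction: %.0f%%" % (100 * untested_fraction(b)))
    # Same burst against an appliance that actually keeps up with the peak.
    print("10x capacity:", simulate_queue(MORNING_ARRIVALS, 10 * TESTS_PER_MINUTE))
```

With this profile and 30 tests per minute, the queue policy ends the hour with 1600 devices still waiting and a peak wait of about an hour, which nobody will tolerate; the bypass policy with a 100-device threshold keeps the queue short but admits 2340 of 3200 devices (about 73%) without a test. A 300-per-minute appliance never builds a backlog at all. The model is deliberately simple (no retries, no per-device test time variance), but it makes the trade-off concrete: below the peak arrival rate, "suspend NAC" is the normal operating mode, not a disaster-recovery exception.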
Other news from Tim is that Lockdown has apparently discovered RADIUS working with switch ports. Sounds like 802.1X-type functionality to me. Even Lockdown admits it is a much more efficient (and I say more secure) way of doing NAC than SNMP and CLI. Glad to see what I have been preaching for years vindicated. This news is on top of Lockdown previously announcing that it is going to start offering DHCP relay as another enforcement/quarantine method. They acknowledge it is less secure (a host with a statically configured address never talks to the DHCP relay at all), but it makes setup easier. It is plain to see that Lockdown has decided that it is OK to sacrifice security for speed of testing and ease of installation. Let's see if customers agree.
I just wish Tim would take a harder look at this and ask the tough questions. Like, how can you have a NAC that doesn't scale beyond 30 devices a minute?