The Ashimmy Blog

It was with great sadness that I read the end of Tim Greene’s NAC column today. Tim tells us that he is ending the NAC column and newsletter and transitioning to cloud security (that should make Hoff and Amrit happy).  While I don’t always agree with what Tim writes about NAC, he has been a consistent voice and great advocate for the technology.  The NAC industry will miss the spotlight he shined on it.  I am sure he will do a bang up job on cloud security and wish him well.

The following quote from Good Night, and Good Luck movie is by Edward R. Murrow about TV, but in many ways it could be said about NAC and Tim’s column:

To those who say people wouldn't look; they wouldn't be interested; they're too complacent, indifferent and insulated, I can only reply: There is, in one reporter's opinion, considerable evidence against that contention. But even if they are right, what have they got to lose? Because if they are right, and this instrument is good for nothing but to entertain, amuse and insulate, then the tube is flickering now and we will soon see that the whole struggle is lost. This instrument can teach, it can illuminate; yes, and it can even inspire. But it can do so only to the extent that humans are determined to use it to those ends. Otherwise it is merely wires and lights in a box. Good night, and good luck.

Good Luck Tim!

Image via Wikipedia

Almost a year ago I wrote a blog post called “Shimel the NAC Prophet”. In it I poked fun at what I hold told a reporter months before the story was written, but it didn’t take a real prophet to foresee where the NAC market was going.  With the recent news around consolidation in the NAC market (Vernier finally dying, Mirage getting scooped up) many are wondering what is next.  Tim Greene writes today about the continuing evolution of the NAC market.  I wrote yesterday that of the three NAC appliance vendors that I know of (including StillSecure) at least one of them is actively seeking strategic alternatives.  I heard today that another one is pulling out of its RSA booth plans.  So will NAC be a casualty of the current economy? Is it just the natural evolution of the marketplace? Is it that NAC does not work?  Do I still believe in NAC?

Sometimes I wish I could write on my blog everything that I think and say in my role at StillSecure as chief strategy officer.  But alas if I did it would do serious harm to our strategy, our company and would be akin to shooting myself in the foot (or somewhere else).  About a year ago I gave a presentation to our executive team where I white boarded what I saw as the future of NAC from the end of 2008 through 2010. I may not speak to as many people as Rob Whitely at Forrest-er or Lawrence Orans at Gartner, but I feel that I certainly have my finger on the pulse of the NAC market as much as anyone else.  Let me share with you now what I told our team over a year ago.

The NAC market would break down into three categories.  The first would be infrastructure players.  Cisco, Juniper, HP ProCurve, Extreme Networks, Enterasys, Aruba, etc.  These guys are providing the network pipes and connections.  NAC is so inherently intertwined with network infrastructure that these folks were a natural fit for NAC. They would continue to offer NAC as part of their secure pipes strategy that they were all going to push.  They were not going away and would either own or partner for NAC capability.

The second group are the endpoint providers. Symantec, McAfee, Sophos and I put Microsoft in there.  They had significant real estate on desktops.  They already had agents there and it was a no brainer to bundle a NAC agent with it.  I thought that this model had some inherent weakness.  They still had to integrate with the network in order to have a premium NAC product and did not have a post-connect NAC capability.  This has proven right on, except for Microsoft NAP.  Symantec had to retain the old Sygate SNAC piece to be competitive and that was long in the tooth.  McAfee was forced to use IPS as enforcement, a weak model or buy something (like a Lockdown).  Sophos was building on the old Endforce, but seemed to be becoming more and more to relying on the unified agent model.

The third category of NAC vendor was the stand alone NAC vendor.  You could break them into out of band and in line, but my feeling was that in line really did not scale.  Sure they could morph into something more than NAC as what is today’s ConSentry and Nevis have done, but as NAC appliances, out of band would win out.  Even still, there were too many out of band NAC vendors and many of them didn’t really scale. My prediction was that by late 2009 there would only be two or at most three NAC appliance vendors.  I still stick by that prediction. 

My challenge to my fellow StillSecure teammates at the time was what did we have to do to make sure we were one of the two or three survivors.  They key for us was the fact that we had developed military grade NAC, not a NAC bought and bred for the edu market.  Where most NAC vendors were hard pressed to show deployments of more than 10,000 devices, we were checking in excess of 300k devices a day  at one location.  Ultimately that scalability was what we thought would win the day.

So lets be clear.  I still am very much very bullish on NAC.  I think we will still have a lot of choices in NAC.  Infrastructure, agent or appliance.  I think more then ever the market is coming around to seeing that NAC is a versatile technology that can solve several problems. NAC today is much better then early versions. It is ready for prime time. There are multiple deployment options and not one size fits all. I hope that is clear enough.

This week Tim Greene cautions to make sure that your NAC gear is compatible with your network switches. This is a big issue especially if your NAC solution uses SNMP to communicate with your switch.  As Tim points out many out of band NAC solutions do this.  However, this does not have to be the case!  There are many out of band NAC solutions that do not use SNMP for a variety of reasons. I have written on this before, SNMP is just not a scalable way to solve this issue. It is one of the primary reasons that the Lockdown Networks (now McAfee) NAC was so unsuccessful that Lockdown had to shut down.

Even 802.1x, which is of course a vendor agnostic standard has differences in support from switch vendor to switch vendor and even from switch OS to another OS.  But overall because of the standardization of 802.1x it is much more uniform than the catch-as-catch can world of SNMP. As such there is less of a chance of your 802.1x capable NAC solution not working with your 802.1x capable switch.

Of course there are other ways besides SNMP and 802.1x of doing out-of-band NAC. DHCP is a viable alternative, especially if you deploy best practices to lock out static and spoofed IPs.  Companies that use SNMP include Bradford Networks, Cisco and some others. Overall though, yes make sure your NAC works with your switches. You should not have to buy new switches to use NAC.  But like everything else about NAC, a little bit of planning and aforethought goes a long way!

One of the things I hate most about the Internet is that it affords too many people the luxury of hiding behind anonymity.  I understand the need for it sometimes, but my feeling is that if you are going to throw stones at someone, at least have the stones to stand up and say who you are and why you might be saying those things.  A case in point:

Yesterday I wrote about two articles Tim Greene wrote about NAC. As I often do when I write about someone’s article, I went back to Tim’s column and left a comment with a short statement and a link to my article. When I went back there was a response to my comment from some guy who calls himself LAN Guy. Here is what Mr Guy had to say:

Alan,
It's interesting you'd point out on you blog that "other" vendors jumped on the NAC bandwagon with their IPS roots.
To quote your blog... "Just like the underlying technology powering several NAC solutions were originally designed as worm-catching IPSes ... that failed because of a lack of mission and became NACs instead, NAC for worm catching just doesn’t cut it anymore either."
Hmmmm.... didn't StillSecure (a.k.a. Lattis Networks of old) start out with IDS/IPS and VAM?
Keep up the good work Alan - you're very entertaining. Ever consider politics??

I replied to Mr L Guy with this:

My LAN Guy (I love people who like to throw stones, but don't have the stones to use their real name), the fact is that exactly because we already had IDS and VAM we knew they were not the right tools for NAC and instead built Safe Access from scratch. Glad I entertain you and no I never consider politics!

This got me to thinking though about what is LAN Guy’s angle and why he wouldn’t use his real name. So I looked under his name on Network World and found LAN Guy likes to comment about NAC articles.  Here are his two previous comments:

Novell's NAC play is a joke

By LAN_Guy on Mon, 10/06/2008 - 6:47am

Interesting that Novell has gotten press recently about having a NAC solution. The 'news' that they OEM technology from StillSecure is not 'news' at all. This comes from their acquisition of Senforce over a year ago in August 2007. As for integration with other products: they've done nothing as a result of this acquisition in over a year - so what would make anyone think they'll integrate anything any time soon. Just another company jumping on the NAC bandwagon. What a joke...

and

RE: ConSentry's LANShield gear has NAC

By LAN_Guy on Thu, 08/14/2008 - 1:00pm

Tim,

"In situations where budgets are tight" (btw is there any other situation?), ConSentry is one of the LAST vendors I'd look at based on price. Their list price is about $300 per port - VERY pricey for an edge switch, even if it sorta does NAC and sorta does some pseudo-content filtering. ProCurve and others have some very strong offerings at less than 1/2 the price, which frees up funds for a REAL NAC solution, a REAL content filtering solution, and/or other things. I'm very wary of an "all-in-one" approach like ConSentry's. I'd rather have a separate hammer, screwdriver, and pliers (i.e. the right tool for each job) than some hammer+screwdriver+pliers gizmo that doesn't do any one job particularly well.

So it looks like LAN Guy while fancying himself quite the NAC expert, does not have much good to say about any of them. I wonder if perhaps he works for another NAC vendor? Does he have another axe to grind. 

LAN Guy from your comments it sounds like you read my blog. If you read this, why don’t you step up and say who you are and lets have a real discussion about what you like and don’t like about different NACs. If you just want to hide behind some anonymous identity and throw stones, maybe you should crawl back under the rock you came from.

Did you ever eat in a Chinese restaurant with the paper place mats that have the different animals of the various years?  You know the year of the Rat, the year of the Monkey, the horse, etc.  For too long, too many people kept predicting that the next year was the year of NAC. You would expect to see it next to the rat, horse and monkey on the next place mat.  But alas like a good Chinese meal, with NAC 2 hours later you were hungry again.  I am past those kind of bold predictions.  As Tim Greene says in his newsletter today, NAC won't get its own year.

However, I don't think it is a bad thing.  Enough of the over hype, enough of the impossible goals.  What NAC has become is a real way that enterprises in all verticals and sizes are using to make their networks more secure.  It is beyond the silver bullet phase.  There is no magic. It is not a panacea.  But it does work, it does help improve your security and is getting better all the time.  What more can you ask for?