
August 05, 2006

Richard Stiennon says don't bother with NAC: same old, same old

Richard Stiennon, over on his Threat Chaos blog, uses Ofir Arkin's Black Hat presentation to highlight some technical issues with NAC.  Big deal, we have covered them already: DHCP, static IP, spoofed MAC, NAT, yada, yada, yada.  I know Richard is too smart a guy to have been waiting all of this time for Ofir to enlighten him on this.  However, Richard does not mention that even Ofir says 802.1x, done right, is actually pretty hard to fool, if that is the reason you are deploying NAC.

Richard gives all this a good "so what," and instead uses it as a launch pad to dredge up his old and tired arguments on why Richard has never been a fan of NAC.  He cites his NAC vs Secure Network Fabric column published last week.  It may have been published last week, but Richard has been pushing this for years.  I could not find it again on his old Threat Chaos blog from when he was still with Webroot, but I know I have heard Richard say this before.  Not only that, all of the secure network fabric stuff talks about events in 2003, including the "recent example" of TippingPoint being acquired by 3Com.  I would not be surprised if that was when this was originally written.  Richard should at least say that this has been his position for years and he still believes it, but that he republished this.

When I spoke with Richard last, it appeared that he had changed his mind somewhat on NAC, but it appears not so.  In Richard's model, you have to decouple host-based endpoint security from network security.  I think this is Richard's first mistake.  The network security part is impossible without the context and information received from the endpoint part.  Working alone, we have yet two more security technologies acting in their own silos instead of leveraging each other, so that the whole is greater than the sum of its parts.  Richard further fumbles when he says that the problem NAC addresses has already been solved by patch and configuration management.  Richard says laptops that are patched don't get infected and the fear of zero-day attacks has proven unfounded.  Hey Richard, pass me some of that stuff you're smoking, it must be really good!  If this is the case, let's all pack up and go to the beach right now, security is solved.  It is just not the case.  Patching and configuration management, though effective tools in the arsenal, are not the be-all and end-all.  Not to mention that they are useless against unmanaged or guest devices.  I used to think Richard spouted this stuff because at the time he was at Webroot and it fit their outlook, but I guess this is not the case.  If it were true, no matter how loud Cisco and other NAC vendors beat the drums, people would not buy technology to find a solution to a problem that no longer exists.

The SNF elements of Richard's dream work by taking flow data from what we used to call behavior-based IPSes (another failed technology) and passing information to the switch to enforce policy.  Context, analytics and network performance are three reasons why I don't think it works today and will not work anytime soon.  The vendors Richard cites are all struggling in search of a solution for the technology they have developed.  Richard, you did not like NAC then, you don't like it now; at least update the argument.  Also, Richard says Network Access Control good, Network Admission Control bad; not sure what the difference is to him.  I have a feeling I am going to find out.


Listed below are links to weblogs that reference Richard Stiennon says don't bother with NAC: same old, same old:

» NAC Attack: Why NAC doesn't work and SN(i)F doesn't, either...alone from Rational Security
I have to admit that when I read Alan Shimel's blog entry whereby he calls out Richard Stiennon on his blog entries titled Don't Bother with NAC and Network Admission Control is a Blind Alley, I started licking my chops [Read More]

» Lets get ready to RRRRuummmble! from StillSecure, After All These Years
So my little diatribe regarding Richard Stiennon seems to have taken on a life of its own. I guess when I wrote it, I did not realize that I was being so hard on Richards views (I just disagree with [Read More]

» How to pick a blog fight from TheConvergingNetwork
Oh my, we had a great example this week of the kind of healthy debate that can spark from some passionate blog posts. Alan Shimel started the duel with Richard Stiennon over Richard's views on NAC (or the lack of... [Read More]
