Ross Brown, mixing metaphors, but not all wrong
Ross Brown over on his Technobabylon blog writes about what's killing NAC. While much of what Ross brings up is certainly valid, the problem is that he is mixing up and confusing the three heads of Cisco's Ghidrah (that is the three-headed monster from the Godzilla movies, for those who don't know). In order to really understand what Ross is talking about, and why I think he is mixing it up and possibly confusing us, let's first get them straight. Here are the three elements in Cisco's endpoint universe:
1. Cisco NAC, sometimes called CNAC. This is the original one and probably the least used of the three. It refers to the use of the CTA (Cisco Trust Agent) communicating with the Cisco ACS (Access Control Server) and NAC-compatible network gear. It is also the one that has the 75+ vendors in the program (only a small fraction of them are actually lab certified to work with CNAC).
2. Cisco NAC Appliance. This is the old Perfigo Clean Machines, née Cisco Clean Access, appliance. It was originally a wireless security play, then an early NAC play, primarily in the .edu market. Since Cisco took it over, they have developed an out-of-band version, which relies on SNMP to communicate with switches, in addition to the original in-line version. As far as I know, it is still not CNAC compatible but will be someday. I hear Cisco is planning on making the NAC appliance the policy server in a more unified Cisco NAC offering. It offers agent-based scanning or Nessus-based agentless scanning (I believe it still does; if someone from Cisco wants to tell me I am wrong, go ahead).
3. Cisco Security Agent, or CSA. This is the old Okena Storm Watch HIPS product. I suspect it is what causes Ross and the eEye folks the heartburn, as it goes head to head with their Blink product. It is a monster to set up and tune, but from what I understand it provides good HIDS/HIPS, and it does work with the CNAC framework. For a long time, the Cisco sales force claimed CSA did everything but slice bread (some of them even claimed it sliced bread, but you know how those slimy security sales guys can be). However, I don't think it is anywhere near as bad a product as Ross makes it out to be.
So with that out of the way, here is where Ross is wrong and right. Yes, the problem with the CNAC partner program is that the Cisco sales force is not compensated to sell, or even recommend, their NAC partners' products (are you reading this, Russel Rice or Bob G.?). They spin a compelling story around NAC and then use it to drive the NAC appliance (Clean Access) and/or the CSA stuff. I think that is because CNAC by itself is just not that powerful. All you get is hotfix-level checking and an anti-virus dat file check, and that is pretty much it. Yes, with CNAC 2.0 you can kick off a Qualys scan (I am sure Ross would rather see a Retina scan kicked off), and the Cisco sales and marketing team use that to say CNAC has agentless capabilities. I say bull! Putting a device in quarantine, or not allowing it onto the network at all, while I do a full vulnerability scan is just not realistic or scalable, and it is not a solution. Ross knows this; in fact he says "... real scanning - malware, exploits, spyware, patch levels, firewall compliance, and so on - without making the user wait more than 5-10 seconds to connect." You are not going to do this with an agentless remote vulnerability scan. So Ross is right again, but then he falls off the track. He says that either you run a Retina scan, as eEye is doing with the Citrix remote access solution (Ross, not everyone is a remote user), or, I would assume, you have Blink do the scan and report to the NAC server. Ross, can you imagine running thousands of Retina scans at the same time and not delaying more than 5 to 10 seconds? The only answer is to let them on the network, then scan them and remove them if they are dirty. This is flawed, and I think even Ross would have to agree. You need a purpose-built NAC testing engine that does this job quickly and correctly. You can do it agentlessly or agent-based, but it has to have nil false positives and come in under 10 seconds. Also, the vulnerability scan paradigm is not right. You don't want a SANS Top 20 scan.
It is a compliance-with-access-policy test, not a vulnerability scan. I don't think the two things are the same.
The patch issue is another one where Ross makes a good point, but there are other choices. There are ways of patching non-company-owned assets, and we will have more on this in a while. However, patching is not the only answer. What about using intelligent network technology to limit where an unpatched device can go, to minimize the risk to the network? At the end of the day you are protecting the network from the endpoint, not the other way around.
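To make the distinction concrete, here is an added example (my own illustration, not code from Ross, Cisco, eEye or any NAC product) of what a compliance-with-access-policy test looks like next to the "limit where an unpatched device can go" idea above. The policy holds only the narrow checks a NAC engine actually needs (required hotfixes, anti-virus signature age, host firewall on) and a 10-second decision budget, and the outcome is an access level rather than a vulnerability report. The hotfix ids, hostnames, dates and the mapping from access level to reachable destinations are all constructed placeholders; the rule that a missing firewall goes to quarantine while stale patches or signatures go to a remediation network is my assumption about sensible policy, not anything the post prescribes.

```python
"""Access-policy compliance check with a decision time budget (added example)."""
from dataclasses import dataclass, field
from datetime import date

# Constructed sample policy: the small set of checks a NAC engine tests,
# plus the time budget the decision must fit in. Hotfix ids are placeholders.
POLICY = {
    "required_hotfixes": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
    "max_av_signature_age_days": 7,
    "firewall_required": True,
    "time_budget_seconds": 10.0,
}

# Assumed mapping from access level to what the network lets the host reach.
# "remediation" can only talk to the servers needed to become compliant.
ACCESS_LEVELS = {
    "full": {"*"},
    "remediation": {"patch-server.example", "av-update.example"},
    "quarantine": set(),
}

# Fixed "today" so the example is deterministic (constructed value).
TODAY = date(2006, 6, 1)


@dataclass
class Posture:
    """What the endpoint reports about itself (agent or agentless, either way)."""
    host: str
    installed_hotfixes: set
    av_signature_date: date
    firewall_enabled: bool


@dataclass
class Decision:
    host: str
    access: str                     # "full", "remediation" or "quarantine"
    reasons: list = field(default_factory=list)

    @property
    def reachable(self):
        """Destinations the network will allow for this access level."""
        return ACCESS_LEVELS[self.access]


def make_posture(host, hotfixes, av_date_iso, firewall_enabled):
    """Small helper so callers can pass the signature date as an ISO string."""
    return Posture(host, set(hotfixes), date.fromisoformat(av_date_iso), firewall_enabled)


def evaluate(posture, policy, today=TODAY, elapsed_seconds=0.0):
    """Compare one posture report against the access policy.

    Fails closed: a check that overran the time budget has not produced an
    answer, so the host is quarantined instead of being admitted on a guess.
    """
    if elapsed_seconds > policy["time_budget_seconds"]:
        return Decision(posture.host, "quarantine",
                        [f"posture check took {elapsed_seconds:.1f}s, over budget"])

    reasons = []
    missing = policy["required_hotfixes"] - posture.installed_hotfixes
    if missing:
        reasons.append("missing hotfixes: " + ", ".join(sorted(missing)))
    age_days = (today - posture.av_signature_date).days
    if age_days > policy["max_av_signature_age_days"]:
        reasons.append(f"AV signatures are {age_days} days old")
    exposed = policy["firewall_required"] and not posture.firewall_enabled
    if exposed:
        reasons.append("host firewall disabled")

    if not reasons:
        return Decision(posture.host, "full")
    # A host with no firewall is exposed to its neighbours the moment it gets
    # any access, so it is quarantined; patch and signature gaps can be fixed
    # from the remediation network.
    return Decision(posture.host, "quarantine" if exposed else "remediation", reasons)


def evaluate_batch(postures, policy, today=TODAY):
    """Decide for many hosts at once; each decision is independent and cheap."""
    return {p.host: evaluate(p, policy, today) for p in postures}


if __name__ == "__main__":
    sample = [  # constructed endpoints
        make_posture("laptop-1", ["KB-EXAMPLE-001", "KB-EXAMPLE-002"], "2006-05-30", True),
        make_posture("laptop-2", ["KB-EXAMPLE-001"], "2006-05-01", True),
        make_posture("laptop-3", ["KB-EXAMPLE-001", "KB-EXAMPLE-002"], "2006-05-30", False),
    ]
    for d in evaluate_batch(sample, POLICY).values():
        print(d.host, d.access, d.reasons, sorted(d.reachable))
```

The point of the shape is that every check is a comparison against a stated policy value, so the result is deterministic and explainable (the `reasons` list is exactly the remediation list), and the cost per host does not grow with the size of a vulnerability database; that is what lets it stay inside a connect-time budget where a full scan cannot.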
Finally, Ross, I agree with you: I have been waiting a long time for Cisco to really work with their NAC partners. However, it looks like unless your name is Microsoft, you still have a while to wait.