Post-connect NAC or IDS/IPS, you decide
As I wrote about earlier this week, regarding the article Mike Fratto wrote in Network Computing, our Safe Access product does now have post-connect NAC capability. I said I would talk a little about it, so here it is. The decision to add this feature to the product was not made without a lot of careful thought about whether it belongs there and how it should work. In order for this to make any sense to you, let's first define post-connect NAC; by definition you will also need to understand pre-connect NAC.
- Pre-connect NAC - refers to network access control where the testing of the device to ensure compliance with network access policies is done before the device is granted regular access to the network. This "guilty until proven innocent" paradigm is the cornerstone of command-and-control pre-connect NAC such as StillSecure's Safe Access. Some NAC solutions perform some pre-connect NAC testing but primarily rely on post-connect NAC.
- Post-connect NAC - refers to network access control where the traffic from a device is monitored after access has been granted. If any potentially malicious traffic is detected, the originating device is quarantined from regular network access. Some NAC solutions, especially ones that cannot complete an in-depth test in a short amount of time, also use post-connect NAC to quarantine a device after it has been allowed on but further testing shows it to be deficient in some manner.
With Safe Access's ability to do in-depth testing in pre-connect mode, as well as the ability to retest devices at scheduled intervals already in place, only the monitoring of potentially malicious traffic was of any value to us from a post-connect point of view. Monitoring malicious traffic may sound a lot like IDS/IPS to you; it does to me too. Traditionally, an IDS/IPS sniffs or inspects each packet of traffic that passes through. In IDS mode you can alert on and log the malicious traffic. With IPS you can block the traffic or drop the packets. If you could do this and, whenever you saw anything malicious, quarantine the device that sent it, that would be effective post-connect NAC. In fact, several NAC vendors do just this. For instance, ConSentry Networks, Nevis Networks and Vernier Networks all sell boxes that sit inline. They perform IDS packet inspection of traffic passing through and then quarantine and/or block devices that send out bad traffic. Most of them use a Snort engine and signature-based IDS. The problem with them is that they have to be inline to block bad traffic, and this gets expensive when you buy ASIC-based boxes and place them all through the enterprise. But I digress. Really, when you look at this, what is the difference between this type of post-connect NAC and what you and I call IDS/IPS? I don't think there is a difference. Old security technologies never die, they just get renamed.
StillSecure Strata Guard is a pretty well-known IDS/IPS. We thought that the idea of giving users the ability to block and/or quarantine devices based upon a deep packet inspection capability was worthwhile. Also, if we could quarantine devices using some of Safe Access's out-of-band capability, then we could move the IDS out of band as well. This allows for great scalability in the enterprise. It was relatively easy to make Strata Guard talk to Safe Access because they both have our enterprise integration framework set of APIs. We can now offer this to customers. However, we are not stopping there. We have a great vision for taking this to the next level. We call this vision "Full Spectrum NAC". I will write more about this vision in the next article on this subject.
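To make the distinction between the two NAC modes and the IDS/IPS tie-in concrete, here is a small added simulation. It is illustrative code written for this post, not StillSecure code; nothing in it comes from Safe Access, Strata Guard or the enterprise integration framework. The compliance policy, the detection signatures, the MAC addresses and the packet payloads are all constructed for the example. It models the three steps the text describes: a pre-connect compliance test that gates initial access, a signature-based packet inspection step, and a post-connect quarantine of the sending device, with a switch showing the one thing an inline sensor does that an out-of-band sensor cannot (drop the offending packet itself).

```python
from dataclasses import dataclass, field
import re

# Constructed compliance policy and traffic signatures for the illustration.
# The real Safe Access policies and Strata Guard signatures are not used here.
REQUIRED_CONTROLS = {"av_running", "firewall_on", "patched"}
SIGNATURES = {
    "worm-scan": re.compile(rb"scan-probe"),          # hypothetical pattern
    "sql-injection": re.compile(rb"' OR 1=1", re.I),  # hypothetical pattern
}


@dataclass
class Device:
    mac: str
    controls: set
    state: str = "untested"  # untested -> allowed | quarantined
    reasons: list = field(default_factory=list)


@dataclass
class Packet:
    src_mac: str
    payload: bytes


def pre_connect_test(dev: Device) -> bool:
    """Guilty until proven innocent: the device is only moved onto the regular
    network once every required control is present."""
    missing = REQUIRED_CONTROLS - dev.controls
    if missing:
        dev.state = "quarantined"
        dev.reasons.append("pre-connect: missing " + ",".join(sorted(missing)))
        return False
    dev.state = "allowed"
    return True


def inspect_packet(pkt: Packet):
    """Signature-based IDS check: name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            return name
    return None


class PostConnectNac:
    """Ties an IDS alert to a NAC quarantine.  In 'inline' mode the offending
    packet is dropped as well; in 'out_of_band' mode the sensor only sees a
    copy of the traffic, so that packet is forwarded and enforcement happens
    by quarantining the device, not by touching the packet."""

    def __init__(self, devices, mode="out_of_band"):
        self.devices = {d.mac: d for d in devices}
        self.mode = mode
        self.alerts = []

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet reaches the regular network, False if not."""
        dev = self.devices.get(pkt.src_mac)
        if dev is None or dev.state != "allowed":
            return False  # unknown or quarantined devices only see the quarantine network
        sig = inspect_packet(pkt)
        if sig is None:
            return True
        self.alerts.append((pkt.src_mac, sig))
        dev.state = "quarantined"
        dev.reasons.append("post-connect: " + sig)
        return self.mode != "inline"


def scheduled_retest(dev: Device) -> bool:
    """Periodic re-evaluation of an allowed device against the same policy."""
    if dev.state == "allowed":
        return pre_connect_test(dev)
    return False


def run_demo(mode="out_of_band"):
    """Constructed scenario: one clean device, one that turns bad after
    admission, and one that never passes the pre-connect test."""
    devices = [
        Device("aa:aa:aa:aa:aa:01", {"av_running", "firewall_on", "patched"}),
        Device("aa:aa:aa:aa:aa:02", {"av_running", "firewall_on", "patched"}),
        Device("aa:aa:aa:aa:aa:03", {"av_running"}),
    ]
    for d in devices:
        pre_connect_test(d)
    nac = PostConnectNac(devices, mode)
    packets = [
        Packet("aa:aa:aa:aa:aa:01", b"GET /index.html"),
        Packet("aa:aa:aa:aa:aa:02", b"GET /?q=' or 1=1"),  # constructed bad traffic
        Packet("aa:aa:aa:aa:aa:02", b"GET /next"),          # already quarantined
        Packet("aa:aa:aa:aa:aa:03", b"hello"),              # never admitted
    ]
    forwarded = [nac.handle(p) for p in packets]
    return {d.mac: d.state for d in devices}, forwarded, nac.alerts


if __name__ == "__main__":
    print(run_demo("out_of_band"))
    print(run_demo("inline"))
```

The only line that changes between the two modes is the return value of `handle` for the packet that triggered the alert: out of band, the packet has already gone by and the device is quarantined afterwards; inline, the packet is also dropped. Either way the device's later traffic never reaches the regular network, which is the point of post-connect NAC as opposed to plain IDS alerting.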