There is more than one way to skin a NAC
My friend Chris Harrington from Infosecpodcast tracked back to my article on Insightix and has an article up with his take on things. Chris is a good guy and pretty security savvy, especially with IDS/IPS stuff. I half agree and half disagree with Chris on this one, though. First, why I agree. You're right, Chris, 802.1x is a pain to put in place, especially if the only reason to do it is for NAC. You're also right that if it is deployed, it is probably the best way to do NAC as securely as possible. You're also right that 802.1x is not being adopted as quickly as some of us would like. I still think massive 802.1x adoption is 12 to 24 months away. But make no mistake about it, it is coming. Finally, you are right that a NAC solution needs to offer some other options besides 802.1x to be successful.
Chris, you are wrong on a few things, though. First of all, MS NAP is going to use several enforcement technologies, including DHCP, but their recommended one is, I believe, IPsec. Next, you would be surprised that some NAC vendors who claim to support 802.1x actually just ride on top of it and don't truly support it. Without pointing fingers, I think some of the other vendors you mention fall into that category. But Chris, the biggest thing I disagree with you on is the history here. I did not get up in front of us all at Black Hat and chide everyone that all of the other NAC solutions could be bypassed, some rather easily, and that my company was going to have something bulletproof. Ofir Arkin did. Then they come out with ARP spoofing and SNMP. That is the issue here.