Everyone loves Raymond, but hates agents?
My friend Ray Wizbowski, VP of marketing over at ForeScout, has an article up on Communications News titled "Why you don't need an agent: Achieve complete access control without adding management overhead". I like Ray a lot; at trade shows we always find time to sit down, shoot the breeze and talk shop. However, in this article he is getting himself involved in a religious war. I was always taught that if you want to avoid a fight, stay away from religion and politics. So at the risk of starting a fight with a friend, let me take Ray to task a bit here.
First of all, yes, in a perfect world no one would want to add yet another agent to the already breaking burden of network and endpoint management. Secondly, yes, there are some places where totally agentless testing is possible and appropriate. The fact is that, by default, Forescout uses the same RPC protocols we do to get onto the device to test it. However, real-world experience dictates that "you can give some of the people agentless some of the time, but you can't give everyone agentless all of the time". There are times when you are going to need either a disposable or a permanent agent to complete the test. Otherwise you can rely on traditional vulnerability/Nessus-type scans (Ray says Forescout does not use Nessus, but I am not swearing either way), or not totally test a device before allowing it some network access. What I suspect Forescout and Ray are saying in this article is that they simply blacklist any device they can't scan as a guest and move it to a pre-configured guest VLAN. I guess some people can live with that, but if the untested device really needs some sort of custom access, just shuttling it off to a guest VLAN with internet access may not do the job. "If I can't test you, you don't get to go where you need to" sounds good, but you have to balance productivity with security. That is why we think a more flexible approach, one that offers agentless testing plus dynamically delivered persistent and non-persistent agents, is preferred in the market. Agentless assumes that you have some sort of credentials to perform the test, and that is not always the case.
Ray next talks about whether the NAC solution will address malware. What he really means is: does it contain a type of IDS/IPS? It helps if, like Forescout, you really started out life as an IDS. What Ray says is that, hey, with my limited agentless capability I can't fully test you, but it's OK, I can let you on and still continue to "test and monitor" you to make sure you don't infect us. Classic post-connect, and again similar to how our Safe Access product works with our Strata Guard PC (post-connect). However, that is not an excuse or reason not to do a full test before access is granted, and that is where Ray and I disagree.
Finally, Ray says that out-of-band is far superior to inline. Again, sometimes it is, but sometimes it isn't. There are times when inline is the better architectural choice. That is why, Ray, I think the thing you leave out of your article is flexibility. A truly great NAC solution has to be flexible enough to offer both agentless and agent-based solutions, full pre-connect and post-connect functionality, and the ability to be inline, out of band, or whatever is going to make sense for the myriad of network designs we see in the real world.
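To make the argument concrete, here is a small Python model of the flexible decision flow described above: try agentless first (only possible when you hold credentials), fall back to a dissolvable or persistent agent, and only when nothing can test the device choose between a guest VLAN with post-connect monitoring and blocking. This is an added illustration, not code from Safe Access, Forescout or any other product; the device attributes, VLAN names and posture checks are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: a device presenting itself to the NAC for access.
@dataclass
class Device:
    name: str
    has_admin_credentials: bool      # agentless RPC testing needs a login on the box
    accepts_dissolvable_agent: bool  # will it run a one-shot, non-persistent agent?
    has_persistent_agent: bool       # is a permanent agent already installed?
    posture: dict                    # what an assessment would see (assumed attributes)

@dataclass
class Decision:
    method: str                      # assessment path that worked, or "none"
    vlan: str
    post_connect_monitoring: bool    # keep watching after access is granted?

GUEST, PRODUCTION, REMEDIATION, BLOCKED = "guest", "production", "remediation", "blocked"

# Assumed posture policy; a real deployment would check far more than this.
REQUIRED_POSTURE = {"av_running": True, "patches_current": True}

def pick_method(device: Device) -> str:
    """Least intrusive first: agentless only works when we hold credentials."""
    if device.has_admin_credentials:
        return "agentless-rpc"
    if device.accepts_dissolvable_agent:
        return "dissolvable-agent"
    if device.has_persistent_agent:
        return "persistent-agent"
    return "none"

def is_compliant(posture: dict) -> bool:
    return all(posture.get(k) == v for k, v in REQUIRED_POSTURE.items())

def decide_access(device: Device, untested_to_guest: bool = True) -> Decision:
    """Pre-connect decision; post-connect monitoring complements it, never replaces it."""
    method = pick_method(device)
    if method == "none":
        # Untestable device: park it on the guest VLAN and watch it, or block it outright.
        return Decision(method, GUEST if untested_to_guest else BLOCKED, untested_to_guest)
    if is_compliant(device.posture):
        return Decision(method, PRODUCTION, True)
    return Decision(method, REMEDIATION, True)
```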