
February 26, 2007

NAC is alive and well, thank you Eric

Eric Ogren has a short post up on his ComputerWorld blog about the OEM deal between ConSentry and Alcatel-Lucent.  Before I address Eric's comments, let me congratulate Michelle McLean, Dan Leary, Sam, Mario and all of the rest of the ConSentry gang.  I hope this is a successful OEM partnership for both you and the A-L group.  Also, I agree with Eric about the "rising tide lifts all boats" theory. However, I view this a little differently than Eric (of course I do) and let me explain.

First off, this deal is more about what is probably the last of the 7 dwarfs who compete with Cisco in the switch vendor market choosing a NAC.  I don't use the 7 dwarfs moniker as a derogatory term either. These 7 dwarfs would actually dwarf most other companies. They are only small in terms of their market share compared to Cisco.  Companies like HP ProCurve, Nortel, Foundry Networks, Extreme Networks, Enterasys, etc.  Unlike the naysayers on NAC (you know who you are), the fact that every single switch vendor has moved within the year to acquire, partner or develop their own NAC solution is itself a testament to the impact NAC is having on the market.

Where I also think Eric is wrong, and it goes to a point Michelle made on her blog last week regarding my discussions with Amrit, is over the value of so-called pre-admission NAC. Guys, let's be clear about this: network admission/access control in the form of pre-admission checks is what the hullabaloo about NAC is all about. Any NAC solution needs pre-admission testing as table stakes to play in the NAC game. Without it, pure post-admission NAC would just be IPS. Let's face it, when you look at what ConSentry, Vernier, Nevis and even we are doing around post-connect NAC, it is IDS/IPS mixed with identity-based controls. Do not underestimate the importance of the pre-admission test. Frankly, companies that do are usually the ones that either don't have their own pre-admission testing and so partner for it, or are weak in that area of NAC. When you can perform deep testing with hundreds of tests like a Safe Access can, the value is very apparent to users, and frankly you don't need to forklift your network to do so. Eric has always been partial to the IDS/IPS crowd doing post-admission testing though.

The real answer is what we call complete NAC. In today's maturing NAC market, you can't be just a pre- or post-connect NAC solution anymore. What I see coming down fast though is that you can't just have a checkbox for pre- or post-admission testing either. You can't have just a hotfix and anti-virus pre-admission NAC and expect people to jump up and down with excitement. You can't have just IDS/IPS and a firewall. You need true quarantine capability, not just blocking. You need the ability to designate access levels and permissions based upon identity. Having one of these three will render you a loser. Having two of the three will allow you to play for a little while in this market, but not for long. You are going to need all three by end of year. And you better have them working well, not just checkbox functionality. And this is just the tip of the iceberg for what complete NAC will need.

My paper on complete NAC is almost done and as soon as it is, Amrit and I hopefully will have a definitive dialog on NAC. Until then, to Eric and the rest of the naysayers, don't let your views on the success of NAC be judged by the unrealistic, over-hyped expectations that some in the market have heaped upon it. It is not the end-all and be-all in security, but it is an important arrow in the quiver of IT security. The best news of all is that with all of the competition, the NAC market is evolving and functionality is maturing at a greatly accelerated rate. Rather than being full of hot air or a disappointment, those with realistic expectations of NAC's penetration in the market are very pleased with the progress. With NAC, he who laughs last will laugh best.

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
