February 20, 2007

Nothing the matter with NAC that a "Big Fix" could not cure

First it was Rothman on NAC, and now it appears that post emboldened Amrit to throw his two cents in with his "current failed state of NAC". First off, reading Amrit's rants on this stuff, I am tempted to look for the typical Gartner footnotes at the bottom. He still writes a nice analyst report, but things are a little different over on this side of the rainbow (hey, I couldn't resist a Wizard of Oz reference). Yes, NAC is overhyped, as is most every new technology that comes down the yellow brick road. Amrit, you know the hype cycle better than most. Here is my Shimel theorem to the peak of inflated expectations from the Gartner hype cycle. The inflated expectations of any new security technology are directly proportional to how appealing it is to the market.

Guys, let's face it, the reason Cisco, Microsoft and 128 or so other vendors have come out with NAC solutions is that people get NAC and it appeals to them. The idea of finding devices that are not compliant, do not conform to access policies or are doing something wrong, and quarantining them, fixing them or doing something about them is very appealing. People get it. I have seen this first hand for almost 3 years now that we are selling NAC. People understand it. Many security solutions are so complicated to explain that people have a harder time grasping the benefit.

Another key driver in NAC-appeal is that unmanaged devices, remote users and other types of visitors and guests have overrun our networks. Amrit, that is why "a program of continuous policy enforcement of managed systems" doesn't do it for people looking for NAC. Yes, the managed systems are a threat, but it is the unmanaged systems that keep them up at night. Another thing is that quarantining devices is not the be-all and end-all of NAC. It is merely a way station to place a non-compliant device for a couple of things to happen. First off, most NAC solutions have some methods (some better than others) of remediation in place. Second, some NAC solutions, rather than quarantine, can place devices in restricted-use VLANs based upon their non-compliant posture. I don't think any NAC vendor wants to just place devices in a dead-end quarantine segment and leave the device there.

Finally, yes, there will always be new, smarter attacks the bad guys use. Yes, forklifting a network is an expensive proposition if you are just doing it for NAC. However, people do upgrade their networks eventually, and today's NAC solutions will continue to evolve and get smarter and easier to use as well. They will evolve new detection methods for newer, smarter attacks. They will also merge all of the different types of NAC (pre, post and ID based) into one generally accepted NAC functionality. Amrit, it is the natural way of things: through the trough of disillusionment comes the plateau of productivity.

Listed below are links to weblogs that reference Nothing the matter with NAC that a "Big Fix" could not cure:

» NAC - What's in a Name? from En Garde!
As I read the raging debate this week between Amrit (Williams at BigFix) and Alan (Shimel at StillSecure) about the value of NAC, it struck me how much we can get caught up on semantics. It also seemed that the [Read More]

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
