
July 30, 2007

If you have to be ashamed of what you do, don't do it!

As most of you know, I enjoy talking to many of my fellow vendors in the NAC world. One company I speak with frequently is Forescout. Ray W is their VP of marketing, and Ray and I enjoy catching up at trade shows, events, etc. Forescout was actually an IPS product for many years and I believe still sells some IPS. They tout their agentless NAC approach and claim that they will never have an agent. We have agentless NAC too. But as any person worth their salt in NAC will tell you, there are only so many ways you can do agentless NAC and some of them don't work all of the time. For this very reason, we offer a web-based perishable agent and a desktop agent testing method as well.

I always asked Ray and others at Forescout how they could do agentless testing all the time, as I know its limitations. I repeatedly asked Ray and the team if they were using Nessus. Using a vulnerability scanner like Nessus is one way of doing it, but that usually entails its own issues, which I have written about earlier. Chief among them is who is paying Ron Gula and company over at Tenable for the use of Nessus and the NASL scripts. This is where it gets goofy. Ray and company have sworn up and down to me that despite what I have heard they would never use Nessus and they know the legalities and limitations and have some other "secret sauce" they use. Hey, far be it from me to raise an eyebrow at their response, so I let it go at their word and left it at that.

Today Network World published a review of 13 NAC products (more about that later). In reading the review of Forescout, how do you think they check for things like Windows patches?  You guessed it.  Here is the quote: "Windows patch checks are available as a standard feature and rely on either Nessus (built-in) or Qualys (optional, via a plug-in) vulnerability assessment to identify which patches are missing from the system trying to gain access."

So here is my point: at the end of the day I don't care whether a vendor uses Nessus or not, it is their problem. I don't care whether they give their product away for free and then count those users as customers. Ron Gula and the Tenable crew can take care of their own licensing issues. What I do wonder about is, if you cannot at least be honest about what you do and use, is it because you are ashamed of it? Can you at least admit to yourself what you do and use? Why not tell people the truth? I really think that says it all. In the words of the immortal Ricky Ricardo (of I Love Lucy), "someone's got some splaining to do".

As to the review in Network World by Mandy Andress, it contains some great info on many leading NAC products. I personally was a little surprised that Mandy gave so much weight to NAC products conducting vulnerability scans (hence the Nessus and Forescout stuff). Me personally, I think vulnerability scanning is best left to vulnerability scanners. Had I known this beforehand I would have voted to not have Safe Access entered and considered using our VAM product, which is a true vulnerability scanner (and does use Nessus). But you live and learn with these things.

Author's note: The book cover referenced is from the book of the same title by Lewis M Andrews and can be seen at Amazon.com here.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
