
August 22, 2007

Buck up boy!

Nothing worse than seeing a grown man cry. So I found it somewhat embarrassing reading Jamey Heary's Network World Cisco Subnet blog decrying that Cisco NAC did not get a fair shake in the recent Network World NAC tests. Jamey has been authoring some very specific Cisco NAC stuff on this Network World blog for a while now. Some of it even has application beyond Cisco NAC specifically. However, I think this time he is coming off as a little whiny Cisco bigot. By way of full disclosure, though our own Safe Access product was rated well ahead of the Cisco product in this review, I was not thrilled with the testing methods and conclusions either. I don't think the author and tester really understand what NAC does; they seemed to confuse it with IPS meets vulnerability management. Consequently, NAC solutions that had deep roots in IPS and vulnerability scanning were favorably rated. The bottom line, though, is that the review was one person's opinion, and these things happen in reviews. They are a bit of a crap shoot and we have won more than our share. So you learn from what they say, take it with a grain of salt and move on.

Jamey, on the other hand, seeks to take the whole review process and its conclusions to task here and can't seem to get past it. So in his admittedly Cisco-biased view, what does he cite as evidence? Of course, like any good Cisco employee, he falls back on market share. Hell, if my company had a 70+% share of the networking market I would too, I guess. How, he argues, can Cisco NAC not be the best when it has a "commanding 47% market share in the cluttered NAC space"? Jamey, let me answer that for you. Cisco can sell a ham sandwich as a NAC solution and get 40% market share. When you are packaging it with all of those blue boxes and often giving it away if you buy enough switches, your market share is not that impressive. In fact, why wouldn't your NAC product have the same market share as you have in the equally crowded networking gear market? In fact, Jamey, here is a news flash for you. Ask any NAC vendor out there and they will tell you that much of their customer base is made up of customers who have already thrown out Cisco's NAC solution. There is just a sizable piece of the market that is going to buy anything Cisco pushes, regardless of quality. In fact, I tell my sales team that if the potential customer is a Cisco shop (most are) to make sure that they are even willing to look beyond just the Cisco solution. As in the old days with IBM, no one gets fired for buying Cisco.

However, once Jamey gets beyond the "we are Cisco and big" argument, he makes some good points. Jamey feels they weighted authentication less than security posture. While I am not as upset about this as Jamey, I do agree that the authors did not weigh authentication, because they felt it was sort of table stakes.

He says they were looking for "God Box" features with lots of widgets and not real world NAC. I think, Jamey, you are referring to the fact that the world has moved on from pure pre-connect testing to post-connect and behavior-based protection, which is now part of the NAC equation. I think Cisco has just put its head in the sand on this and has chosen to ignore this fact, but the market has not.

Jamey makes some other points of varying degrees of relevance, but in the interest of brevity I want to concentrate on this little tirade:

Third, let’s analyze the test bed topology itself. The only deployment method used in the test was inline deployment. Again, real world considerations were not taken into account here. The easiest path, not the most likely path, was taken. Most customers do not want to deploy NAC inline in a LAN environment due to performance and high-availability concerns among others. If given the choice almost all customers would choose an out-of-band solution for wired ports. The NW NAC test doesn’t mention OOB results because they were not tested, in fact they call out-of-band a controversial option. Huh?? If OOB options would have been tested I guarantee you that all of the 802.1x solutions would have performed less than admirably. Deploying 802.1x [maybe add “for wired”? it’s widely adopted for wireless] is riddled with issues on all sides, the client supplicant, the switches need to support it, guest access support, non-dot1x enabled client support, certificates, OS support, the list goes on and on. Can it be done, yes, but it is a huge undertaking with many caveats, the omission of this info from the test docs is telling. Cisco NAC Appliance should have gotten points just for its ability to deploy OOB without the need for 802.1x!

Jamey, this is where I call BS. First of all, the Cisco NAC framework itself uses 802.1x as a deployment method. Secondly, it is generally agreed that the 802.1x method of NAC is probably the most secure. Just because the Cisco NAC appliance is built on some old wireless security technology (Perfigo) that was not originally intended for NAC, was designed for the edu market, and is hence incapable of utilizing 802.1x, let's not throw the baby out with the bath water. Fact is, Cisco NAC appliance's OOB deployment method works best in a Cisco-only network, uses a proprietary Cisco version of SNMP, and is still not secure. It is equally as complicated and does not give you an equal level of security. Last I checked, Cisco was pretty high on 802.1x supplicants, as your sales force certainly makes a big deal out of the Meetinghouse stuff. Cisco NAC's OOB deployment options are not any more elegant or easier than any other OOB deployment, so let's put that back in the box.

In conclusion, Jamey, a couple of things. How does Cisco NAC appliance use Nessus? Are you asking your customers to violate the Tenable license terms by downloading NASL scripts into a non-registered version of Nessus in the NAC appliance? The review seemed to like vulnerability scanners; I thought they did not like the way Cisco did it, though. I would like your answer on that. Secondly, though again I don't agree with the reviewer, this is far from her first product review in general, as you say. Take a good look for her name and you will see this woman has been doing product reviews for some time. So get over it, move on and buck up boy!

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.