
August 06, 2007

More on the WonderNAC

So it appears my last blog post has Dominic hopping. This is the most animated I have seen him yet on his blog, but I am not sure he really wants to go here. After all, as he says, I seem to be the old pro at NAC and he the young upstart. Nevertheless, after calling BS on me, to which I responded, Dominic somehow thinks I am throwing FUD and seeks to teach me a thing or two. The student does not school the teacher that easily, my friend. So to humor all of you, here are my responses to Dominic's remarks:

DOM: Let me first say, "Those that can, do, those that can't, teach". Alan has spent a good number of column inches devoted to pontificating about our second rate this and that, how we have mashed up a bunch of old technology, and ends by giving me a history lesson in NAC. Alan, I bow down to your superior historical knowledge, but I'm not interested in being a history teacher, I'm interested in shaping the future. So you keep teaching history to the young 'uns, but try to avoid teaching subjects like "Other People's Technology Innovation 101" when you are not in possession of the facts. Our technology is neither old nor second rate, but if it lets you sleep better at night believing that, so be it.

Dominic, there is another old saying that those who do not learn from history are doomed to repeat it. Don't blame me because you don't have the facts straight. You can't shape the future if you don't know the past, Dominic. How is that for lesson one? As to "other people's technology", more on that in a moment. As to column inches, here is a freebie for you. Column inches on blogs are cheap. It's my blog; I can use as much as I want, I don't get charged by the inch. I hope you don't either.

DOM: At no point have I ever said that "pre-connect posture checks and such are useless". What I have said is that it's not a hard technology problem to solve. Look around, there are a myriad of vendors out there all claiming to do it, you and me included. Hell, there are even some organizations building it themselves from Open Source in their spare time. I'm a great believer in posture checks, I just think that it's one element of the solution.

OK, here is lesson #2 for you, Dom. There are posture checks and then there are posture checks. Though you never said they were useless, you said they are easy, everyone can do them, and the value they provide is dubious if you can inspect and find all malicious traffic anyway, negating the need for draconian quarantine. Well, Dom, that is right if the only pre-connect posture checks you perform are as simple as the ones Nevis and many other NAC vendors do before a client is on the network. Yes, you can check Windows hotfixes and anti-virus DAT files. And you are right, if that is all your pre-connect checks do, BFD. But Dom, let me do a little crowing about our own product. This is an area where StillSecure has consistently won customer deals and partnerships with some of the leading network players. Pre-connect testing can be so much more than rudimentary hotfix and DAT file checks. So here is a dose of your own medicine. Before talking about someone's technology, maybe you should have a closer look.

DOM: 1) Yes, I disagree with Alan and Mike Fratto on a couple of issues. It's called debate and it's healthy.

No problem here Dom, just don't get pissy when the debate gets heavy.

DOM: 2) We have plenty of customers, thank you very much. In fact I just spent an entire analyst inquiry day with Gartner and shared a lot of information with them on this topic. You really lose credibility when you have to resort to mud slinging about someone's business, especially when you're wrong.

You're right, Dominic, let me have another look and see where Gartner ranked you in their MarketScope based upon all of these great references. (Hint: I think Gartner only ranked a very few NAC vendors as positive, and I don't remember Nevis in there, but feel free to correct me if I am wrong. BTW, we were rated positive.)

DOM: 3) Yes we sit in-line, no that doesn't mean your network goes down if the appliance fails. Like any other in-line device we have high availability options, some of which are very innovative and won't cost you extra.

Dominic, just by how loudly you have repeatedly defended in-line architecture, I know that this is an issue which has come up repeatedly. You don't have to convince me, you have to convince the market on this one. Good luck!

DOM: 4) No our firewall is not based on IPtables, our IPS is not a bunch of 30 day old SNORT signatures and our switch is not a second rate Linksys or D-Link (we have customers who have selected us over Cisco so I think that speaks for itself).

Dominic, call me from Missouri, but I just don't think Cisco is losing many switch deals to Nevis. Yes, you may have found one here and there, but like my grandmother always said, "every pot has a cover". I am sure you found your share of covers. But let's get down to the meat. I was under the impression your firewall is based on iptables and you do run Snort. If you don't, say so, but don't say you don't and then let us find out you do, like another NAC vendor we know.

If you don't use Snort, what type of IPS do you use? Is it signature based? How many signatures in your library? Is it behavior based? Anomaly or protocol? Come on, Dom, rip off the covers and show this under the light of day. What is this oh-so-powerful IDS that you have developed? Has anyone else tested it? I think it is Snort based; if it is not, speak up, brother. Same thing for the firewall. Not iptables based, you say. Fine, what is it then? Is it stateful inspection? Is it an OEM of something we know? Has the firewall been third-party tested? Again, Dominic, I said what I think it is, you say no, prove it.

As to advanced switch functions, besides security what other advanced switch functions does your box do? Can you handle triple and quad play traffic? Other cutting edge switch technology?

DOM: 5) We have a team of 8 dedicated security research engineers in our Nevis Labs group who have been credited with finding 11 vulnerabilities in major OSes and applications in the past 6 months. So, we're not just enforcing patches to vulnerabilities in the pre-connect posture check, we're out there contributing to the security community as a whole by finding the vulnerabilities in the first place.

How wonderful, Dominic! So because you have found some vulnerabilities in major OSes and apps, your IPS is better? Your attack detection is better? Or does it just earn you a medal? Here is your medal for finding vulnerabilities, but that does not make you a better NAC.

DOM: 6) Don't even get me started on the FUD around performance. Let me simply state that the reason we spent 2 years building an ASIC is because we believe that performance is at the heart of the solution and how it relates to the real world problem. There are a host of patents filed and our innovation in this area is exceptional (even if I say so myself :-))

Dominic, there you go again. When the going gets tough, fall back on your ASICs. Is that a trait all of the secure switch NAC vendors use? Geez, maybe you should have spent 3 years developing your ASIC. If this is what you did in 2, I can only imagine what you could have done in 3. Seriously, Dominic, I have my own feelings on ASICs. As blades in servers and off-the-shelf hardware continue their inevitable march towards greater performance, your ASIC becomes a liability rather than an asset. But yes, you have a big honking chip there! Do you want another medal? The issue is that after that ASIC uses all of its horsepower on pattern matching, firewall and other security processes, what else can you do to maintain parity with other switches?

DOM: 7) You know what? I'm tired of responding to FUD. If someone wants to have a debate about architectural approaches to solving customer problems, please let me know.

Dominic, architecture is one thing, but don't pull the tiger's tail and not expect to get bitten.
