
November 14, 2007

A funny thing happened on the way to the guest VLAN

Another eWeek article I read yesterday was by Brian Prince, about Cisco's new Network Admission Control Guest Server (that sounds so new that not even a marketing person has gotten hold of its name yet). Mitchell blogged on this one too (now that he is doing his own thing, it is easier for him and me to blog on the same stuff). Mitchell liked the idea of allowing designated users to set up guest access for visitors, but he questions who will be given this responsibility in many organizations and whether they recognize that it literally is the keys to the kingdom. Mitchell also brings up a good point: the article, at least, doesn't say anything about whether these guests' machines are checked for policy compliance or anything like that. It is just a guest account set up on a portal that allows a user to move on to a guest VLAN or segment. Their usage and presence on the network is noted, so that there is a trail of their presence.

So here is the Shimel view on this. While I think the guest server has some limited benefit from an auditing and reporting perspective, I don't think it is what the market wants. Increasingly, what I hear from customers about guest access is that all they want is this:

1. Distinguish a guest user from an employee/managed user.
2. Test the managed user/employee and, if they pass, give them their regular access.
3. Move the guest into a "dirty" guest VLAN that has web and email access and little else.
4. They don't want to test the guest, as long as he is kept off the "real" network, and they don't care about what he does to other guests.

Frankly, they view the guest VLAN as almost outside their own network. If they can accurately identify guests, they have no desire to authenticate them, test them or anything else. They just want to move them to the guest VLAN and forget them. To me, what the customer wants is simple whitelisting/blacklisting. Frankly, this was a hard lesson learned by us here. We kept banging our heads on the brick wall of insisting that they check the guest's device too. But people don't want that additional effort. So, as usual, the market wins, and we have made it easier than ever to set up guest VLAN access for our NAC product. I am not sure I would call this out as a separate server, though. Clearly this is just a feature. But I guess from Cisco's perspective it is another SKU they add to the quote, with another dollar amount in the column.
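The four-step flow and the whitelist/blacklist idea above, sketched as an admission decision with an audit trail. This is an added example, not code from Cisco's product or from the author's NAC product. The VLAN numbers, class and function names are assumptions, as are the use of MAC addresses as the identifier and the remediation VLAN for a managed device that fails its test.

```python
import re
from dataclasses import dataclass, field

# Assumed values for illustration; the post names no VLAN IDs.
EMPLOYEE_VLAN, GUEST_VLAN, REMEDIATION_VLAN = 10, 99, 666

def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass
class AdmissionPolicy:
    managed: set = field(default_factory=set)  # whitelist of managed devices
    blocked: set = field(default_factory=set)  # blacklist, checked first
    audit: list = field(default_factory=list)  # trail of every decision

    def add_managed(self, mac):
        self.managed.add(normalize_mac(mac))

    def add_blocked(self, mac):
        self.blocked.add(normalize_mac(mac))

    def admit(self, mac, posture_check=None):
        """Return the VLAN for a device, or None if it is denied.

        posture_check is a callable run only for managed devices;
        guests are never tested, matching step 4 of the list.
        """
        key = normalize_mac(mac)
        if key in self.blocked:
            vlan, why = None, "blacklisted"
        elif key in self.managed:
            # Fail closed: a managed device with no test result gets
            # remediation (an assumption, the post does not cover failure).
            passed = bool(posture_check(key)) if posture_check else False
            vlan = EMPLOYEE_VLAN if passed else REMEDIATION_VLAN
            why = "managed, passed" if passed else "managed, failed"
        else:
            vlan, why = GUEST_VLAN, "guest, untested"
        self.audit.append((key, vlan, why))
        return vlan
```

Normalizing the address before lookup matters because the same device can be reported in colon, hyphen or dotted notation, and a mismatch would silently drop a managed machine into the guest VLAN.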

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
