More on dirty little NAC secrets
I want to return to the "dirty little secrets of NAC" theme. I love it when a johnny-come-lately tries to revise history to fit their own private Idaho. When last we left this story we were talking about how Tim Greene said that there was a dirty little secret among some early adopters of NAC: they were not using the pre-connect health checks. I said there are more dirty secrets than that and laid some of them out. Now along comes one, Seth Goldhammer, Director of Product Management, NAC for TippingPoint. Here is what Seth has to say in a comment on Greene's article:
Posture checking was never initial reason behind NAC
Submitted by Seth (not verified) on Thu, 11/15/2007 - 11:54am.

I believe posture checking is a valuable service, but would never have proposed that this is the initial and foremost reason behind Network Access Control deployments. As the name suggests, our customers have predominantly selected NAC products for identity-based access control.

This compartmentalizing of access becomes necessary as devices become more mobile within the enterprise, whether wired or wireless, and network administrators can no longer use port segmentation and ACLs tied to VLANs, since different types of users/devices could access the same port.

Keep in mind, Cisco purchased Perfigo in 2004 to launch a network access control product. This implies that a market was already forming, with several vendors helping to fulfill market requirements.

Posture checking, like identity, location, schedule, device-type, authentication method, etc. is just a criteria for developing a network access control policy. As networks and endpoints advance, other criteria will be added to policy creation as necessary.

Seth Goldhammer
Dir Product Management, NAC
TippingPoint
Of course Seth takes this approach; his product really doesn't do much of anything with posture checks on connect. Let's face it, TippingPoint has taken their existing IPS and uses it to block devices that are exhibiting bad behavior. On top of this, it is now known they bought a failed wireless security play called Roving Planet that had some identity-based controls, mashed that up with the IPS, and now they are a NAC player too! This is exactly the kind of nonsense that clouds the NAC market and makes people scratch their heads and say "what the heck is NAC anyway?"
Also, Seth, here is a news flash for you. Cisco did not enter the NAC market when they bought Perfigo in 2004. In fact their NAC framework was out and about well in advance of them buying Perfigo. I know, I was there. Not sure where you were at the time, but you have it all wrong.
Tim Greene is right. Pre-connect posture and health checks were what NAC was about. It is also what NAP is all about. The post-connect, behavior-based and identity-based stuff has been layered in. I think that stuff is valuable and part of an all-around NAC solution, but without the pre-connect posture or health check, you don't have NAC!
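To make the distinction concrete, here is an added toy NAC policy engine (illustration written for this post, not code from TippingPoint, Cisco, Microsoft NAP or any product named above). It orders the layers the way the argument does: a pre-connect posture gate runs first, an identity-based placement table decides the VLAN and ACL only for endpoints that pass, and a post-connect behavior event (an IPS-style alert) can revoke access afterwards. The endpoint attributes, posture thresholds, VLAN names and the sample endpoints are all constructed for the example.

```python
"""Toy NAC policy engine: pre-connect posture gate, identity-based placement,
post-connect revocation. Added illustration; not any vendor's product code."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Endpoint:
    """Attributes a NAC policy might see at connect time (constructed schema)."""
    user: str
    role: str                   # "employee", "contractor", "guest", "device"
    device_type: str            # "managed-laptop", "byod", "printer"
    auth_method: str            # "802.1X", "web-portal", "mac-bypass"
    av_signature_date: Optional[date]
    os_patch_level: int
    firewall_enabled: bool


@dataclass
class Decision:
    vlan: str
    acl: str
    reasons: list = field(default_factory=list)


QUARANTINE_VLAN = "vlan-quarantine"
REMEDIATION_ACL = "acl-remediation-only"

# Identity-based placement: (role, device_type, auth_method) -> (VLAN, ACL).
# Hypothetical policy table; the names are placeholders.
PLACEMENT = {
    ("employee", "managed-laptop", "802.1X"): ("vlan-corp", "acl-full"),
    ("employee", "byod", "802.1X"): ("vlan-byod", "acl-internet-and-mail"),
    ("contractor", "byod", "web-portal"): ("vlan-contractor", "acl-project-servers"),
    ("guest", "byod", "web-portal"): ("vlan-guest", "acl-internet-only"),
    ("device", "printer", "mac-bypass"): ("vlan-printers", "acl-print-only"),
}


def posture_check(ep, today, max_sig_age_days=7, min_patch_level=10):
    """Pre-connect health check. Returns the list of failed requirements
    (empty list means the endpoint is healthy enough to be placed)."""
    failures = []
    if ep.device_type == "printer":
        # Agentless device: this toy policy skips posture and relies on
        # identity placement alone (a hypothetical policy choice).
        return failures
    if ep.av_signature_date is None or (today - ep.av_signature_date).days > max_sig_age_days:
        failures.append("antivirus signatures stale or missing")
    if ep.os_patch_level < min_patch_level:
        failures.append(f"OS patch level {ep.os_patch_level} below required {min_patch_level}")
    if not ep.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def admit(ep, today):
    """Pre-connect gate first; identity-based placement only if posture passes."""
    failures = posture_check(ep, today)
    if failures:
        return Decision(QUARANTINE_VLAN, REMEDIATION_ACL, failures)
    key = (ep.role, ep.device_type, ep.auth_method)
    if key not in PLACEMENT:
        return Decision(QUARANTINE_VLAN, REMEDIATION_ACL, ["no matching identity policy"])
    vlan, acl = PLACEMENT[key]
    return Decision(vlan, acl, ["posture ok", f"placed by identity policy {key}"])


def post_connect_event(decision, event, revoke_at_severity=8):
    """Post-connect behavior layer: an IPS-style alert can move an already
    admitted endpoint into quarantine. 'event' is a constructed alert dict."""
    if event.get("severity", 0) >= revoke_at_severity:
        return Decision(QUARANTINE_VLAN, REMEDIATION_ACL,
                        decision.reasons + [f"revoked after alert: {event['signature']}"])
    return decision


def demo():
    """Run constructed sample endpoints through all three layers."""
    today = date(2007, 11, 15)
    samples = {
        "alice-managed": Endpoint("alice", "employee", "managed-laptop", "802.1X",
                                  date(2007, 11, 14), 12, True),
        "bob-stale-av": Endpoint("bob", "employee", "managed-laptop", "802.1X",
                                 date(2007, 10, 1), 12, True),
        "carol-guest": Endpoint("carol", "guest", "byod", "web-portal",
                                date(2007, 11, 15), 10, True),
        "printer-1": Endpoint("printer-1", "device", "printer", "mac-bypass",
                              None, 0, False),
    }
    results = {name: admit(ep, today) for name, ep in samples.items()}
    # Alice was admitted, then her laptop trips a high-severity IPS signature.
    results["alice-after-alert"] = post_connect_event(
        results["alice-managed"], {"signature": "worm-propagation", "severity": 9})
    return results


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18s} -> {d.vlan:16s} {d.acl:22s} {'; '.join(d.reasons)}")
```

The point of the ordering is the one made above: if `posture_check` is removed, everything else still runs, and every endpoint with a valid identity lands on a production VLAN regardless of its health. That is identity-based access control with behavior-based revocation, which is useful, but it is not a pre-connect health check.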