Shimel's New Rules on NAC
One of my favorite shows on TV is Real Time with Bill Maher and one of my favorite segments on the show is Bill's "New Rules". So let me take a page from Bill. I give you Shimel's New Rules on NAC:
1. Blame Gartner for screwing it up if you like, but Network Admission Control is now just about synonymous with Network Access Control. They both add up to NAC. Unless we want to start calling it NA&AC (network admission & access control). That means all of you who bitch and moan about having to include admission control as part of access control, get over it. Stop belittling it just because it happens to be the aspect of NAC you are weakest in. Also, stop blaming Cisco, Microsoft and the TCG for holding up the NAC market because they only have admission control. They were here first compared to most of you whining. You jumped on their bandwagon, not they on yours.
2. NAC is not going to stop the most determined hacker, but a dirty machine is more likely to cause trouble than a clean machine (no pun intended to Cisco/Perfigo's Clean Machines). So in response to Mike Fratto, no matter what machine he is on, a Jordan Wiens is going to break into your network. NAC is more concerned with the casual offender than the determined hacker. The profile and health of a device entering the network is as important as who is on that device. Dirty bits make for trouble.
3. NAC is evolving beyond pre-connect posture checks and IDS and NBAD type post-connect analysis. NAC is becoming an umbrella for a wide range of technologies that deal with network admission and access. Pre-connect health and posture checks, identity-based access control, post-connect behavior analysis, remediation and more all touch on NAC. NAC is an ecosystem, not a single product. It includes and touches on the endpoint agent, the network switches, RADIUS, DHCP, DNS, VLANs, ACLs, and all of the rest.
4. For those NAC vendors who only do pre-connect type posture checks, stop the BS and stop calling your recurring pre-connect check a post-connect NAC solution. You only add to the confusion.
5. In the end NAC is going to be a feature, not a product. NAC will be built into the network and the endpoint. Those NAC vendors who don't fit that model, go find another bandwagon to hop on. Of course there will be those who use the dumb pipes versus smart overlay argument. They are not going to integrate into the network, they will attempt to bolt on to it. I think they are going to be losers.
6. 802.1X is going to rule. Most people agree that eventually the benefits of 802.1X go beyond NAC and it will become a dominant standard in networking. However, there are enough NAC vendors out there who are frankly scared sh*^less by it and who spread FUD about its complexity. Yes it is hard to use, but so were computers at one time. This too will change.
7. NAC is not all about the quarantine! Too many NAC vendors and users get hung up on having the power to deny access. Quarantine is the bogeyman of NAC. I think we need to publish a best practices on NAC deployment (I smell a white paper here) that calls for rolling out NAC in phases. Not just in phases of what parts of the network are deployed (remote, LAN, WAN, etc.), but in what NAC does. First should be an interrogation phase where you find out who is coming on the network and what they look like and where they go. Next you can start layering in remediation and then VLAN assignment. Then I would add manual quarantine, where a real live person is making the call to quarantine someone. Only after all of this is in place, would I enable automatic quarantine.
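To make the phased rollout in rule 7 concrete, here is a small policy-engine model added for this post (it is not any vendor's product and not the author's code). The posture records, the role-to-VLAN table and the VLAN names are constructed for illustration; the point is that the same posture data produces "observe", then "remediate", then "steer", then "flag for a human", and only in the last phase an automatic deny.

```python
"""Phased NAC enforcement model (illustrative; all data below is constructed).

Phases follow the rollout order in rule 7: observe first, then remediate,
then assign VLANs, then quarantine with a human in the loop, and only
last let the engine quarantine on its own.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Phase(IntEnum):
    INTERROGATE = 1        # who/what/where; no enforcement at all
    REMEDIATE = 2          # point unhealthy hosts at a fix, still no denial
    VLAN_ASSIGN = 3        # steer by role and health
    MANUAL_QUARANTINE = 4  # flag for an operator; deny only on their call
    AUTO_QUARANTINE = 5    # engine denies unhealthy hosts itself


@dataclass
class Endpoint:
    mac: str
    user: str
    role: str            # assumed roles: "employee", "contractor", "guest"
    av_current: bool     # antivirus signatures up to date
    patched: bool        # OS patch level acceptable
    switch_port: str


@dataclass
class Decision:
    mac: str
    healthy: bool
    action: str          # "allow", "remediate", "review" or "deny"
    vlan: str            # "unchanged" until the VLAN phase is reached
    notes: list = field(default_factory=list)


# Assumed mapping of user role to production VLAN name.
ROLE_VLAN = {"employee": "corp", "contractor": "restricted", "guest": "guest"}


def posture_findings(ep: Endpoint) -> list:
    """Return the list of health problems found on the endpoint (empty = clean)."""
    findings = []
    if not ep.av_current:
        findings.append("antivirus signatures out of date")
    if not ep.patched:
        findings.append("missing OS patches")
    return findings


def evaluate(ep: Endpoint, phase: Phase, operator_quarantine=frozenset()) -> Decision:
    """Decide what to do with one endpoint given the current rollout phase.

    operator_quarantine: MACs a human has explicitly chosen to quarantine
    (only honoured in the manual-quarantine phase).
    """
    findings = posture_findings(ep)
    healthy = not findings
    d = Decision(mac=ep.mac, healthy=healthy, action="allow",
                 vlan="unchanged", notes=list(findings))

    # Phase 1: just learn who is on the wire, what they look like, where they plug in.
    d.notes.append(f"user={ep.user} role={ep.role} port={ep.switch_port}")
    if phase == Phase.INTERROGATE:
        return d

    # Phase 2 and later: unhealthy hosts are pointed at remediation, never denied here.
    if not healthy:
        d.action = "remediate"
    if phase == Phase.REMEDIATE:
        return d

    # Phase 3 and later: steer by role; unhealthy hosts land in a remediation VLAN.
    d.vlan = "remediation" if not healthy else ROLE_VLAN.get(ep.role, "guest")
    if phase == Phase.VLAN_ASSIGN:
        return d

    # Phase 4: a real live person, not the engine, makes the quarantine call.
    if phase == Phase.MANUAL_QUARANTINE:
        if ep.mac in operator_quarantine:
            d.action, d.vlan = "deny", "quarantine"
        elif not healthy:
            d.action = "review"   # stays in remediation VLAN, flagged for an operator
        return d

    # Phase 5: the engine quarantines unhealthy hosts on its own.
    if not healthy:
        d.action, d.vlan = "deny", "quarantine"
    return d


# Constructed sample population: two clean hosts, two with posture problems.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:aa:00:01", "alice", "employee", True, True, "Gi1/0/1"),
    Endpoint("00:11:22:aa:00:02", "bob", "employee", False, True, "Gi1/0/2"),
    Endpoint("00:11:22:aa:00:03", "carol", "contractor", True, False, "Gi1/0/3"),
    Endpoint("00:11:22:aa:00:04", "guest-7", "guest", True, True, "Gi1/0/4"),
]


def rollout_report(endpoints) -> dict:
    """Count automatic denies per phase: zero until the very last phase."""
    return {phase: sum(evaluate(ep, phase).action == "deny" for ep in endpoints)
            for phase in Phase}


if __name__ == "__main__":
    for phase, denies in rollout_report(SAMPLE_ENDPOINTS).items():
        print(f"{phase.name:18s} automatic denies: {denies}")
```

Running the report over the sample population shows no host being denied in the first four phases even though two of them are unhealthy; they are observed, pointed at remediation, steered into a remediation VLAN and flagged for review. Only the final phase turns the engine's own judgement into a deny, which is exactly the point of holding automatic quarantine back until the earlier phases are trusted.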
8. We have got to stop the Tower of Babel thing. Between the media, NAC vendors and NAC customers, we all sound like we are speaking gibberish to each other. Everyone has their own definitions and value of what is important and not important. We need to do some translation here. A Star Trek-like universal NAC translator would help us all be clear about what it is we actually want done and what our products do. In the absence of the Federation sending something back from the future for us to use, we need some sort of standards body or industry group to do this. Not sure how, but it is needed.
9. Do you really think you are going to buck Microsoft? Those NAC vendors who are sticking their head in the sand on the impact NAP is having and will have on this market are fools. Anytime Microsoft is in a market, you better have a damn good story about how you play nice with it or you are headed to be the next Lotus 1-2-3 or WordPerfect.
and finally
10. Don't believe the hype! NAC was so over-hyped that there was never any doubt that it could not live up to its billing. It was never going to be "the security thing" nor was it meant as a silver bullet. It is just another security layer. On the other hand don't believe the hype about its demise and failure either. Like I tell my little league sports teams, you're never as good as you appear to be in your best game and you're never as bad as you are in your worst game. The same is true for the future of NAC!