
November 15, 2007

Tell me your dirty little secret

Tim Greene has an article up called "NAC's dirty little secrets revealed by early adopters". Unfortunately I think Tim reveals the wrong dirty little secret. The point of Tim's article is that though the supposed main reason for NAC technology was endpoint checking (he means pre-admission health or posture checks), many early adopters are not bothering to test the posture or health of devices at all. Tim uses as an example the Massachusetts Department of Housing and Community Development. They bought the Mirage (ahem) NAC appliances. Tim notes that they are using the Mirage gear to keep unauthorized users off the network and secondly to monitor behavior once authorized users are on the network. Of course he doesn't mention that they are enforcing post-connect behavior by ARP twiddling, which in and of itself should disqualify it as a serious security method (I think TCP reset is probably even better than that).

Here is the Shimel view of it though. The dirty little secret here is not what this customer is doing. In fact this customer's goals are great and worthy, but NAC it ain't. The real dirty little secret is that the Mirage appliance is not a NAC appliance at all. Go ask the co-founders of Mirage if that is what this technology is supposed to do. Ask any of Mirage's early partners or OEMs. The Mirage appliance is a behavior-based threat detection tool. The 2nd generation of management of the company jumped on the NAC bandwagon. They grafted on some half-baked pre-admission tests (is it any wonder that their customers don't use them?) and called their threat detection tool NAC to get in on the NAC gold rush. So Tim, the secret is not what customers are using this gear for. The secret is that this type of solution is not NAC and calling it NAC is a joke. All they are doing is whitelisting and behavior-based IPS. When people in the media give this credence by calling it NAC, it adds to the confusion of what NAC is in the marketplace.

Tim points out in some other examples that people are going slow with their NAC deployments, gathering information on users for an extended period of time before moving to quarantine or enforcement. There is no secret about that either. As a best practice, we recommend that all of our NAC customers spend some time in a "monitor only" mode. This allows you to gather the information you will need to properly set policies. Just flipping a switch and quarantining devices is a recipe for trouble. Anyone who has been in the trenches of deploying NAC will tell you this.

So Tim, the real dirty little secret is that many customers have problems that they are solving with technology, and we as an industry slap a NAC name on it. But it should take more than a name to make it NAC.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
