NAC Interoperability - Man or Myth?
Sean Michael Kerner at Internetnews.com is the latest in a long line of journalists to ask if NAC interoperability is a myth and to ask when, if ever, it will be achieved. Lately, whenever I hear this I am reminded of one of my favorite movies from when I was a child. In my house during Easter/Passover time, a highlight for me was when our family would gather around the TV and watch Charlton Heston in The 10 Commandments. They just don't make movies like that anymore. Anyway, there is a line when Sethi, Pharaoh of Egypt, tells Yul Brynner, who is Ramses, the future Pharaoh, to find out the truth about the prophesied deliverer of the Hebrews. Sethi tells Ramses that if the deliverer is a myth, bring him the myth in a bottle, but if he is a man, bring him in chains. Of course Ramses returns with an empty bottle, for the Hebrew deliverer is no myth. Instead he has Charlton Heston as Moses in chains.
Well, here is my empty bottle about the myth of interoperability of NAC. The bottle is empty because NAC interoperability is no myth and is very much real. The problem is that most people are waiting for that golden moment when the Sun aligns, the angels sing and interoperability is proclaimed throughout the land. What does interoperability really mean? Does it mean that one NAC solution is going to work with another and that they are interchangeable? I don't think so. Interoperability means to me that all of the moving parts involved in NAC work together across different vendors. My friends, we have that now. Call off the hunt for the myth; the reality is here. What NAC interoperability means is: can your NAC controller work with switches from different vendors to test and enforce access control? What NAC interoperability means is: can NAC systems use a soon-to-be-ubiquitous agent, such as the Microsoft NAP agent? If so, we have that today with any TCG-compliant NAC. Can NAC systems use just about any DHCP or RADIUS server? Yes. SNMP or 802.1X? Check. Default supplicants? Yes again. Guys, the systems and tools used to install NAC, the switches, VLANs, ACLs, RADIUS, AD and DHCP servers, all work together today. Cisco works with NAP, TCG works with NAP, NAP works with everything else. Stop waiting for the mythical deliverer; the NAC promised land is right here before your eyes. It is not just a StillSecure thing either. Take a look at any of the leading NAC solutions, with the exception of Cisco, and you will see a high level of interoperability with the network infrastructure components that NAC needs to function.
Cisco is another story. My personal belief is that they give lip service to wanting to be interoperable, but frankly they would rather see hell freeze over. With their dominant position in the network market, they want their stuff to work best on their own gear. They want to use that as a reason to use only their equipment and lock you into the Cisco monoculture. Every other NAC vendor will work with a wide range of network switches and gear. So it is in Cisco's interests to sow myths and misconceptions, and to drag their feet in working with other solutions. But other NAC solutions work just fine on Cisco gear. Make no mistake about it. NAC is interoperable right now!


