Setting the record straight on NAC
Sometimes when you try to explain something you can't help but muddy the waters. That is exactly what happened to Tim Greene in this article he wrote about endpoint based NAC in Network World. Hey, I am not knocking Tim though. I get some of my best material from his column. Anyway, in this week's adventure Tim is seeking to compare the pros and cons of endpoint based NAC to other types of NAC technologies. He has the same old regular guest stars featured, Rob Whitley of Forrester, Ofir Arkin and a couple of special guest star NAC customers. I am not going to regurgitate Tim's entire article. Instead, let's go to the videotape for the facts.
Here is the background. There are three types of NAC:
- Network or infrastructure based NAC - like Cisco, Juniper and StillSecure, it uses the network switches and infrastructure to detect devices coming on the network and to enforce policy on them.
- Endpoint based NAC - an agent on the endpoint does the heavy lifting: the testing and the enforcing.
- Appliance based NAC - sits on top of the network and usually uses some clever (or flaky) way of enforcing, like ARP poisoning, TCP resets and the like.
Also, whether the NAC system tests a device before or while it logs on, or just waits until it sees something bad, is another way of separating the real deal from the pretenders in NAC.
So with that as a background here is what Tim wrote and what I say:
NAC products that enforce policies via Dynamic Host Configuration Protocol (DHCP) proxy servers do nothing to stop machines that obtain static IP addresses and don't use DHCP to make their network connections. That makes significant portions of corporate networks invisible to the NAC access control products, says Ofir Arkin . . .
Come on Tim, that is so 2005. I don't even think Ofir is pushing that crap anymore. Yes, spoofed and static IPs are a challenge, but not a fatal one. There are many best practices to overcome this type of issue, not the least of which is an RDAC (remote device activity capture) or scan-on-connect module such as StillSecure Safe Access NAC has. Also, depending on your switch and DNS/DHCP vendor, you can handle this problem that way as well.
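The blind spot Ofir describes is that a DHCP-proxy NAC only ever sees clients that ask for a lease. The usual fix is exactly what an RDAC-style module does: compare what is actually active on the wire with the lease table and flag anything that never went through DHCP. Here is an added illustration of that check (my own example code, not StillSecure's product code), using constructed DHCP lease records and a constructed gateway ARP table; the record formats are assumptions chosen for the example.

```python
"""Find hosts active on the LAN that never obtained a DHCP lease.

A DHCP-proxy NAC assesses only clients that request a lease, so a host
with a static (or spoofed) address slips past it. Correlating the lease
table with what is actually seen on the wire (here: a gateway ARP table)
surfaces those blind spots. All sample data below is constructed.
"""
from dataclasses import dataclass

# Constructed sample: dhcpd-style lease records (ip, mac, hostname)
DHCP_LEASES = """\
10.1.5.20 00:11:22:33:44:55 laptop-alice
10.1.5.21 00:11:22:33:44:66 laptop-bob
10.1.5.22 00:11:22:33:44:77 printer-3f
"""

# Constructed sample: ARP table dump (ip, mac) as observed on the gateway
ARP_TABLE = """\
10.1.5.20 00:11:22:33:44:55
10.1.5.21 00:11:22:33:44:66
10.1.5.99 de:ad:be:ef:00:01
10.1.5.22 aa:bb:cc:dd:ee:ff
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_pairs(text):
    """Yield (ip, mac) from whitespace-separated lines, skipping blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1].lower()


def audit(arp_text, lease_text):
    """Return hosts seen in ARP that a DHCP-proxy NAC would never have assessed."""
    leases = {mac: ip for ip, mac in parse_pairs(lease_text)}   # mac -> leased ip
    leased_ips = {ip: mac for mac, ip in leases.items()}        # leased ip -> mac
    findings = []
    for ip, mac in parse_pairs(arp_text):
        if mac not in leases:
            # Never asked DHCP for anything: static config, or squatting on a leased IP.
            if ip in leased_ips:
                findings.append(Finding(ip, mac, "uses an IP leased to another MAC"))
            else:
                findings.append(Finding(ip, mac, "no DHCP lease (static or spoofed IP)"))
        elif leases[mac] != ip:
            findings.append(Finding(ip, mac, "lease holder now using a different IP"))
    return findings
```

Each finding is a device the DHCP-based enforcement point never evaluated, which is where a scan-on-connect or switch-level control has to take over.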
Next:
The major downside to endpoint-enforced NAC is largely theoretical so far and one that customers seem willing to overlook. The problem is that rootkits can take over machines to make them lie about their health. This underlying endpoint problem can be mitigated by software that monitors behavior of machines to determine if they are acting badly. And lying endpoints haven't actually proven a problem for many customers.
Tim, the "theoretical" problem of trusting an endpoint to report on itself is more real than that. Ask Richard Stiennon if you have any questions. In fact this is a reason why some people choose not to go endpoint based NAC. However, that is not the major downside to endpoint based NAC. The major downside is that there is no guest access solution. What do you do if the endpoint does not have the agent installed and you can't make them install the agent? Saying that you then need a second type of NAC is not elegant, as Rob Whitley says. In fact it is downright ugly. When you consider that guest or unmanaged access is the biggest driver in NAC, that pretty much sinks the endpoint based NAC approach.
And finally:
To deal with this problem, McAfee, for instance, is adding enforcement of NAC policies based on behavior via its IPS appliance and next year via a dedicated NAC appliance.
Guys, if the only defense you have is IPS, that is fine, but let's not say that is an effective NAC solution for guests. You are bound by what the IPS can detect, and it usually takes a lot of IPS boxes. Not a scalable model at all. Of course you could wait for McAfee to resurrect the Lockdown appliances. It didn't work before and it probably won't work now.
Now wouldn't it be great if there was one NAC solution that covered all of these bases from one management console? You bet. If you are looking for one that does that let me know or check out StillSecure Safe Access!