When you're a hammer, everything looks like a nail
Grant Hartline, CTO over at Mirage, has an article up on his blog called Pre-Admission NAC. In it Grant tries to give some advice about the "often controversial topic of pre-admission NAC policy". Grant says that at the start, and perhaps at the end too, you need to determine us vs. them (managed versus unmanaged) and the un-testable (IP phones, etc.). Then Grant says you can set tests for ongoing risks and gives a few examples.
Grant is right on if you are using the Mirage product, which has at best limited pre-connect testing. The real strength of the Mirage product (at least according to them) is in detecting malicious behavior after a device is on the network and ARP twiddling it (hey, don't make fun, they have patented ARP twiddling, raising it to a new level of I don't know what). However, because Grant uses this particular hammer to solve this problem, everything to him looks like the same nail. But if you had another tool that was capable of much more in the way of pre-connect testing, you might look at this problem very differently.
At StillSecure, our Safe Access NAC product can perform over 1800 tests in a matter of seconds as a device seeks to log on. Because of this, the spectrum of "nails" we can check is greatly expanded. Therefore, you are not forced by performance or time limits to settle for a minimal set of tests.
Now whether you think there is value in having so many more potential tests available is up to you as the NAC administrator. But like many things, getting the right result depends on using the right tools!





