
August 21, 2009

Knock NAC, Knack for NAC, Who gives a NAC?

I’ll tell ya, nothing like a NAC vendor going out of business to get the press to pay attention to NAC again. After NAC had cruised under the radar for a while, allowing successful NAC vendors and users to actually get something done, ConSentry going under has brought the pundits out of the woodwork. I wanted to just quickly comment on two articles/posts I came across today:

1. Pescatore on Knack for NAC – If you are in the security business you know Pescatore means John Pescatore, the dean over at Gartner. If you are not, you may think I am speaking about some seafood item on an Italian menu. Anyway, Lawrence Orans is the NAC point guy for the G-men, but John had an article up on the Gartner blog that I thought made some good points.

    • Gartner’s definition of Network Access Control as a process has three elements:
        1. Noticing whenever something connects to your network and determining whether it is one of your devices or not, and whether it is one of your users or not.
        2. Determining the security status of the device connecting to your network.
        3. Given (1) and (2) deciding what to do.
    • That despite the overhype, there have been a number of success stories recently that “have taken phased approaches to NAC by first implementing (1) above to support guest networking and allowing unmanaged IT on the network. Once that is stable, turn on baselining - but still no quarantining. Once that is stable, start looking into (3) - what sort of network controls should be placed on vulnerable (missing patches) devices vs. dangerous (infected with malware) devices?” The distinction between vulnerable devices and dangerous devices is a good way of looking at the classes of devices coming on. Too often it is rogue versus managed or guest. What is truly dangerous versus what is merely out of policy is a better way of looking at it.
    • Guest networking is the back door into many NAC deployments: customers did not go looking for NAC, but in solving the guest network problem they wound up with NAC. As a result, according to Pescatore, the market had some very hefty growth despite the economy.
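To make the three elements and the phased rollout concrete, here is a small policy evaluator (an added example, not code from the original post or from Gartner; the phase names, VLAN labels and sample device records are constructed for illustration):

```python
from dataclasses import dataclass
from enum import Enum

class Phase(Enum):
    IDENTIFY = 1   # element (1) only: notice the connection, decide ours / not ours
    BASELINE = 2   # add element (2): assess posture, but log only, no quarantine
    ENFORCE = 3    # element (3): act on what (1) and (2) found

@dataclass(frozen=True)
class Connection:
    mac: str
    managed_device: bool    # is it one of our devices?
    known_user: bool        # is it one of our users?
    missing_patches: bool   # the "vulnerable" case
    malware_detected: bool  # the "dangerous" case

def decide(conn: Connection, phase: Phase) -> tuple[str, str]:
    """Return (action, reason) for one connection under the given rollout phase."""
    # (1) Identity first: unknown device AND unknown user -> guest network in every phase.
    if not conn.managed_device and not conn.known_user:
        return "guest_vlan", "unmanaged device, unknown user"
    if phase is Phase.IDENTIFY:
        return "allow", "identity known; posture not yet assessed"
    # (2) Posture: dangerous outranks vulnerable, which outranks clean.
    posture = "dangerous" if conn.malware_detected else ("vulnerable" if conn.missing_patches else "clean")
    if phase is Phase.BASELINE:
        return "log_only", f"posture={posture}; no quarantining in the baseline phase"
    # (3) Enforcement: different network controls for vulnerable vs. dangerous devices.
    if posture == "dangerous":
        return "quarantine", "malware detected"
    if posture == "vulnerable":
        return "patch_vlan", "missing patches; limited to remediation servers"
    return "allow", "managed and compliant"

def tally(conns, phase: Phase) -> dict:
    """Count actions over a batch, e.g. to see what enforcement would do before turning it on."""
    counts: dict = {}
    for c in conns:
        action, _ = decide(c, phase)
        counts[action] = counts.get(action, 0) + 1
    return counts

SAMPLE = [  # constructed sample connections, not real MAC addresses
    Connection("00:11:22:33:44:01", True, True, False, False),   # clean managed laptop
    Connection("00:11:22:33:44:02", True, True, True, False),    # managed, missing patches
    Connection("00:11:22:33:44:03", True, True, True, True),     # managed, infected
    Connection("00:11:22:33:44:04", False, False, False, False), # visitor's device
]
```

Running `tally(SAMPLE, Phase.BASELINE)` before `Phase.ENFORCE` is the "once that is stable" check: it shows how many devices would be quarantined or restricted without actually cutting anyone off.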

2. Randy George at Information Week (is he Boy’s cousin or something? What is it with me and making fun of names today? I feel like Chris Berman on ESPN: he could go all the way!) on ConSentry going belly up being an ominous signal for system-level protection technologies. Sorry Randy, you got it all wrong. Randy’s mistake is classic: when you start with erroneous assumptions, you are going to come to erroneous conclusions (you know what happens when you assume). First, let’s look at his mistaken assumptions.

“After $80M invested by its VC partners, over $9M of which was received earlier this year in order to fund future growth, an innovator in the Network Access Control space, ConSentry Networks, closed its doors for good today.”

Randy, here is the deal. Yes, ConSentry burned through 80 million. But 71m or so was spent in an orgy of marketing and chip and hardware development during the NAC wars. ConSentry was locked in a battle with Vernier and Nevis, when the real enemy was Cisco. It was common knowledge that the only viable exit for any of the inline guys was to get bought by a switch vendor. To compete in the switch market as an independent would require hundreds of millions of dollars, not 70! By the time they raised the last 9m they were on life support. That 9m was a recap that crammed the original investors out. It gave ConSentry a short leash to remake itself as a switch vendor, not a NAC vendor. Without some quick success in the switch market they would not be able to raise the additional dollars they would need to compete. That was the “funding future growth”. You may know how to test stuff in the lab, but you need a little help sifting through the PR speak.

Next, ConSentry had not claimed to be a NAC vendor in a long time. They had been running away from the NAC moniker for years. The only ones who thought of them as an innovator or leader in this market were people at your magazine. They had less than 100 customers, I believe. Again, don’t believe the hype.

Finally, your biggest mistaken assumption of all. I just don’t get the argument that because data protection and system protection are both hard and expensive, companies won’t do both and so are choosing data protection. Faulty logic. We could say the same thing about host-based protection versus network-based protection. Do you see UTM, firewalls, IDS/IPS and network vulnerability scans going away in favor of HIPS, personal firewalls and endpoint security? Can you say layered security? They are not mutually exclusive. As long as there is a problem that needs to be solved there will be system-based protection. NAC is not black and white, and neither are the real-world choices that security professionals make. You can create a science experiment where you have to pick one or the other, but you need both!

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
