310 posts categorized "NAC"

January 04, 2010

Illena Armstrong responds

Last year (OK it was just a week or so ago) I wrote a post about SC Magazine Labs and their recent coverage of an OEM’ed NAC product which they were heaping accolades on as if it was the greatest thing since sliced bread. Well OK, just one of the top 20 products of the last 20 years!

As I said in that article, I have a lot of respect for the SC Magazine and the folks that run it. Illena Armstrong and staff do a great job of turning out a great product month in and month out, year after year. They have tried to be a force of good in the security market. That is why it was particularly out of character for the Veri-NAC stuff. 

I also know that Illena and others at SC Mag read my blog. I figured it was just a matter of time until someone responded. Illena responded today with a comment on the follow on article to the original post. I think it is important enough to give it center field play. Here is her response in its entirety:

For the benefit of this blog's readers, I wanted to take a moment to provide some quick facts about SC Magazine's product reviews.
Our testing methodology is published each month in the Product Reviews section of our magazine. Additionally, on our website (www.scmagazineus.com) you can find even more documents about our Group Tests, such as our FAQs, How We Test, and a sample of our submission form that vendors must fill out in order to have their products considered for inclusion in any of our monthly tests. (Just check out the Product section's "About Reviews" link.)
As background on our regularly published reviews, typically following a two- to three-month lead time, we usually include at least two Group Tests in each edition that cover particular product categories of interest to our readers. Reviews, as described on our website and in the monthly magazine, are not bake-offs. Rather, ratings of products are achieved by testing individual solutions against our standard set of criteria. To expound further, we have a general set of criteria that we expect to be met in our reviews and, with each test, we send out submission forms that provide a little bit more explanation about the criteria for the particular class of products on test at that time. So, there are some specific criteria that are peculiar to both the category and product type, which change somewhat from product group to product group.
Now, we do not generally discuss those in great detail because that would allow a vendor to “prepare” a product to perform well in the review even if it is not as good a performer in a production environment. By noting general expectations, we offer a level playing field for all group review participants to ensure fairness. As well, a product under test should reflect what a buyer would experience.
As for the vendors included in each regular Group Test, we try to cover as many appropriate products as possible. With the start of each test, we review companies whose products we've already tested and research the space to add any other companies to the list whose products may fit the topic at hand. So, we contact all the vendors that might fit a particular category being tested and also consider those who approach us directly. Some vendors may choose not to participate because of product release dates. Others, after filling out submission forms, may not meet our criteria for that particular test. In short, there are various reasons why this vendor or that one may not make it into a particular Group Test. From our perspective, however, the more the merrier.
As for the annual Innovators issue, this is not a group review edition. We look at our potential innovators from a variety of angles. First, we look for innovative technology. This very often appears in small organizations, but not always. Second, we look for innovative marketing and business practices. A neat product is not worth much if it never gets into the marketplace. Peter's pretty clear about that in his product opener: “As in previous years, my formula for selection was a mix of technical and business innovation.” And, often these innovators have carved out a very specialized market space for themselves.
Overall, when you read the full Innovators issue – our third annual one – you should get the flavor of what we were looking for and what we are trying to accomplish in this yearly offering. We're calling out those players in the market who are demonstrating innovation in their overall company missions, their corporate and strategic planning, and the products they're offering. These vendors are chosen by us -- the editorial staff -- prior to even being notified of their selection. We then conduct interviews for this annual Innovators section to get the thoughts of the company’s visionaries, not to perform the review -- a fact that is explained in the introduction.
All our reviews are objective and well-researched. Indeed, our product reviews section, other special editorial sections and various features have won accolades from the Association of Business Publication Editors over the last couple years -- another fact we've touted both in the pages of our monthly edition and on our website.
I encourage all of you to hit the SC Magazine website for accurate information about how the content for our publication and its associated properties is gathered and published. And, if you have additional questions or comments about SC Magazine, its website, its other special publications, or its live and online events, you can contact me directly by emailing me at illena.armstrong@haymarketmedia.com or by calling me at (508)278-9768.
Thank you for your time.
Illena Armstrong
Editor-in-Chief
SC Magazine

I don’t doubt or dispute anything Illena says. However, I will stick by my original assertion. SC Magazine lab personnel were very well aware that this product is an OEM of another product. They thought it was a “big deal” for the company that developed the underlying product and were helping him out. By the authors own admission, he “stopped the presses'” to add this product as an honorable mention for innovation. At the very least they had an obligation to state it was an OEM. Also explain how an OEM’ed product would result in tremendous innovation, let alone being one of the top 20 products of the last 20 years.

Illena, I seriously have the utmost respect for you and all the folks at SC Magazine. But having this product featured in 4 consecutive issues without some more disclosure around it should have raised some serious flags in your process.

Posted at 03:38 PM in NAC, SC Magazine | | TrackBack (0)

December 23, 2009

The Praetorian Prefect tries to ride to the rescue and a blog fight ensues

Its been a while since I have done one of these, but lets see if I still have it. It seems Daniel Kennedy, the Praetorian Prefect (sounds like a WWE character doesn’t it? Should I be Hulk Hogan) has come to the defense of Peter Stephenson in my NAC Twilight Zone post from earlier today. The Prefect writes a rather long comment with his opinion in this matter. I could have continued this little blog tussle in the side ring of the comments section. But it is long enough, I have enough to say and damn it, its the holiday season. Lets take it to the center ring and get reaaddyy to ruumble!

To start it off here are the Prefects comments in their entirety:

Knowing Peter Stephenson, I haven't found him to be biased. I can base that on the fact that many vendors whose products are reviewed don't like his and his son's findings very much (usually a good sign of someone who's not 'in the bag'). They also have taken the time to explain their lab setup, methodology, and link the results back to both. Sounds like StillSecure might be on that list.
You've "watched a budding relationship"? Senior people at security product companies are supposed to form relationships with trade magazines, and especially those who test their products. People who don't are boneheads who shouldn't be in sales. But you talk around this fact to suggest that the reviews of the lab are biased because of this relationship. That's a bold piece of conjecture without better proof.
It looks and sounds like a pretty honest and up front operation. You get the results they found based on the environment they have and the inputs they are looking for. If they don't match the inputs you want to use for a buy decision, their findings probably won't be helpful to you. Still, the reviews are basically free, I understand what they're doing, I know their competency level, and thus this is helpful in determining players to look at in each space. Better than a quadrant anyhow.
Regarding this product, you have two entries, one from October that is the actual review, and this bizarre stub of a page in November that contains none of the regular review ratings. Sounds like a plain old clerical mistake. Picking it for the award? A little bizarre, but clearly it was fresh in everyone's mind over there (and no surprise that the most recently released product has features other products haven't had over the years). Its a little strange, but a far cry from then moving to claim that the Stephensons are publishing biased reviews.
Aren't you the guy who tackled me at a security conference because I picked up a StillSecure T-shirt?

OK, lets take this apart with my 10 reasons why Constantine was right to dissolve the Praetorian Guards:

1. Good Daniel, you know Peter too and have not found him to be biased. Has he reviewed any of your products? Have you been involved in any reviews he has done? Have you ever done any business with Peter? Was this when he worked in the lab at Norwich University or after he left and started doing consulting?

2. You are basing the fact that he must not be biased because you have heard vendors complain about his findings. Well that sounds downright scientific to me! Maybe they are bitching because they have a reason to? Maybe the fact that the testing there is a bit “out of the ordinary” yields the results that we see. Take a look at what products they choose for awards and consistently SC Mag product reviews like to choose winners “off the beaten path”.

3. They take the time to explain the methodology and lab set up you say?  Daniel what if I told you I have won best buy awards from SC Magazine lab doing a phone demo of my product and power point slides? They never actually touched the product. Would you think it was such a good set up then?  Before you run off at the mouth, you should make sure you have the facts straight.

4. StillSecure is on the list of disgruntled vendors. Wrong again my Praetorian friend. In fact StillSecure has done extremely well on SC Magazine reviews.  Just about all of our products have taken 5 stars, best buys and been finalist in reader choice awards at SC Magazine. Most recently in September I believe, our MSSP service took a best buy.  So you are very wrong on that front.  Not to mention that I don’t work at StillSecure any more. So any ax to grind from the StillSecure front is moot.

5. The relationship between Peter and a CEO of a company.  Daniel ask around the community, they will tell you I can schmooze with the best of them.  I was not referring to that type of relationship building. But I don’t want to get sued either. Yes I was vague. I am going to remain vague.  But I have my own good reasons to say what I did. The important thing is that relationship should not carry over to an OEM client without disclosure. 

6. Better than a quadrant you say. Perhaps. But Daniel that assumes the tests are what you think they are. Yes, they should be taken with a grain of salt and as I said most people think all magazine reviews (not just SC Mag) are bought and paid for anyway.

7. Daniel you say I have two entries? Go read the post again and click all the links. There is a full review in the NAC group test for October.  There is a separate “product review” in November (yes that is bizzare, but BlackBox didn’t have the product up on the website in time for the October issue). Then there is the special mention for Innovation of the year in December. (would you give an OEM of an existing product an award for innovation?) Finally there is today’s press release from BlacBox itself that Veri-NAC has been picked as one of the 20 top security products of the last 20 years by your friend at SC. A little strange? More than just a little Daniel.  So Romans were good in math, how do you get 2? By my math it is 4 times in the last 4 months.

8. I am not saying they are biased reviews, they are pushing this product in an unusual way and it begs the question of why.

9. Did I tackle you at a security conference for taking a StillSecure t-shirt? Usually if I tackle you, you stay down, so I am not sure. Maybe I didn’t get a clean shot in. But I always liked to think t-shirts were for customers and not adult trick or treaters. Which one were you?

10. (Just because I need a 10 for my top 10 list). Don’t come on my blog spouting off without the facts to back them up.  Have a happy holiday.

Posted at 09:32 PM in NAC, SC Magazine, Weblogs | | TrackBack (0)

Reality check please! You are about to enter the NAC Twilight Zone

nac twilight zone You know I am big fan of the people at SC Magazine. From Illena Armstrong on down I really like the folks from Haymarket. Also, over the years at StillSecure, the magazine has been very kind. StillSecure has won its share of awards and bake offs from the folks at SC Magazine. I have Dan Kaplan as one of the judges for the Security Bloggers Awards. But especially now that I am not affiliated with a vendor, I have to call them as I see them.

Peter Stephenson and his son Mike basically run the lab for product reviews and group reviews over at SC. Over the years to say they have made some unorthodox choices is a great understatement. While it is good to see some new names rather than the usual suspects, it also calls into question the creditability of the judges.

That is a bad thing.  Most people already look at most product reviews as bought and paid for by vendors. There is a portion of the security world who think of SC Magazine as the “People" magazine of security (yes I have actually heard that from more than one person). I thought I knew better. I know the people there and know they try their best to put out a great magazine, month in and month out.

But I just am compelled to call this out. Hey I wouldn’t be ashimmy otherwise. Rothman is already saying that I am going soft. So there is a real creditability problem at SC Magazine labs. It is around NAC.

Over the years I have watched a budding relationship between the lab director at SC Mag, Peter and the CEO of NetClarity. For those of you who don’t know, Net Clarity is the maker of a NAC product that is aimed at the lower end of the market. The CEO there does a good job of smoke and mirrors and marketing, but like most NAC vendors I doubt they are doing much in revenue.

Interestingly though every time Net Clarity would be reviewed by SC Mag they would always get a stellar review and either a best buy or what ever the highest rating was. Hey, I get it – they like the product there and the CEO and Peter are buddies. That is the way of the world.

Interestingly, another player entered the NAC world (at least at SC Magazine, because it was unseen anywhere else) back around October.  All of a sudden an SC Mag group test of NAC had no Net Clarity, the usual winner for SC Mag. Instead the recommended product was a product called Veri-NAC by BlackBox.

Now I know the NAC market pretty well. I had never heard of the product. A Google search turned up nothing at the time. Even more interesting was that there was nothing on the Black Box site about the product either. I think you would have to agree, its pretty strange for a supposed best in class winner at a major magazine review to be totally unknown even by its own vendor.

So being the journalistic blogger I am, I did a little digging. That is when I came across some interesting information. The picture of the BlackBox NAC product and description was a dead ringer for another NAC product I knew. Which one? Bingo, you got it – Net Clarity! It seems BlackBox is an OEM of Net Clarity. Now, no one has confirmed this officially to me, but you can take it to the bank. Unless by now they have bought Net Clarity outright and it has not been announced yet.

In any event, someone’s hands are in the cookie jar here! Hey you want to give the award to your buddies OEM partner, that is fine. At least have the creditability to say that it is an OEM of a proven product we have reviewed before. Don’t try to put one over on anyone here.

Frankly I confronted the lab reviewers about this but let it go because I was leaving StillSecure anyway. But I have seen some things that compel me to bring this to the full light of day.

One month after the October award review, the SC Mag lab reviews the same product again! Have you ever heard of a magazine reviewing a product two months in a row. Could it be that BlackBox screwed up the launch of the Net Clarity OEM product by not having it on the web site yet and so SC Mag labs reviewed it again, so that this time people could actually go to the web site of BlackBox and buy the damned thing? I don’t know, its pure speculation on my part. But it sounds logical.

But wait there is more! SC Magazine ran a special for security innovator of the year in early December. Who do you think the lab manager asked to be added for a special mention? You got it Veri-NAC by BlackBox! Now that sounds like innovation to me. What about you?

The tangled web gets even stickier . SC Magazine recently celebrated their 20th anniversary (congrats guys). The lab folks have come up with a list of the 20 Most Influential Security IT Security products over the last 20 years. Who do you think made the list? That’s right, blow me down, but BlackBox’s Veri-NAC is one of the top 20 over the last 20 years.

Are you kidding me? A NAC product? An OEM of another NAC product that is not generally rated at the top of its class by many?  I don’t know about you, but it is time for a reality check here. Is Peter Stephenson imitating Rod Serling and am I in the NAC Twilight Zone? 

Guys you want the security industry to take you seriously, you need to get serious. This kind of stuff needs to be taken to the curb with the rest of the trash!

Let me also end with I don’t work at StillSecure. I don’t care if you pick their NAC or any of their products. I really don’t care what NAC you pick. Frankly I really don’t care much about NAC these days. But this kind of stuff just won’t fly. You might as well come out with your own Silicon Valley Reporter awards.

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 01:15 PM in NAC, SC Magazine | | TrackBack (0)

December 15, 2009

An Incite-ful Tuesday: Playing catch up

It happens to me every year at this time. I want to enjoy the holidays with the kids. Friends are having parties, lines are long at the stores and it seems like I can never get to everything on my list.  On top of this I am hard at work putting everything together for the new venture. I almost forgot what its like to get the website together, power points, business cards and the thousand other little things in that make it real.  Luckily I have some great folks I am working with and I don’t have to carry the load myself. In the meantime I have like 6 or 7 tabs open on the browser (in Chrome as I am really liking it better than Firefox right now) on topics I want to comment on. So will do a Rothman and lump them together here.

Anyway, I am sure you are all busy with your holiday plans and activities as well.  It may seem like nothing ever gets finished and there is always so much more to do. But take a moment, look around and realize what the season is all about. Be grateful for what you have, it is probably more than most in this world have. Enjoy!

1. US, Russia and UN in SALT-START treaty negotiations on limiting cyberwarfare.  I am old to enough to remember first President Nixon and then many others signing treaties with the former Soviet Union limiting the number of nuclear missiles we had aimed at each other.  I remember always thinking phew, now each side only has enough to destroy the world 20, 10 or even 5 times over.  But bothering me was the fact that it would only take one time to destroy the world. I still remember shelter drills where we would have to either crouch down under our desks or go into the school basement in case we were attacked.  Like hiding under one of those crappy little desks at school was going to save us from a nuclear holocaust! Anyway, I was reminded of all this reading an article in the NY Times detailing that the US has joined the rest of the world, but especially Russia in discussing limiting cyberwar weapons.  My only question is you can supposedly count missiles, how are going to count logic bombs? But I am sure there are smart people working on all of this and will be watching what comes out of it.

2. Security is a people thing! One of the lessons I have certainly learned about security is that you can have the greatest technology in the world. You can have the latest new security gizmos and appliances, layered in one after the next. But if you don’t have the right people in place, empowered with the resources and authority they require, it just don’t mean a thing. Max Huang, CEO of O2Security says the same thing in this opinion piece over at SC Magazine. Good to see a vendor guy coming to the same conclusions.

3. NAC market shrinks to 37m in Q3. Jeff Wilson and his band of Infonetics have put out a new NAC report which I wrote about earlier. In this article in TMC Net they use Jeff’s numbers to report that the NAC market actually shrunk to about 37m last quarter. Of course you need to know what they define as the NAC market. Is it just appliances, is supporting gear included or agents? I think he is talking just appliances. In any event, I think that is widely optimistic. But even giving Jeff the benefit of the doubt, it pales in comparison to the wild numbers that were tossed around a few years ago by the analyst community on where NAC would be now.  But hey they weren’t the only ones wrong about NAC ;-)

4. Raising the barriers to resell your products – FAIL. I never understood this strategy. WatchGuard announced a new MSSP partner program in this report on the MSP mentor. Nothing special really, they are packaging the on premises appliances and remote management to the MSP partners to offer a turn key managed service for them to go to market with. Fortinet and others do the same thing.  But what Watchguard is saying is their special sauce is “is their 4-part certification process to become a partner, according to Chris McKie, director, global analysis and public relations, WatchGuard.” They are going to make partners go through 2 levels of technical certification. There sales teams have to be of a certain size and quality and WatchGuard’s support team has to approve the partner as well. 

I understand raising the bar and having skin in the game. But if you make it too hard for people to resell your products, guess what? That’s right, they won’t resell your products. I am not advocating that you have a Cisco situation with resellers cutting each others throats for a point or two, but when you are WatchGuard I would think you want to broaden the channel.

Anyway, that is it for today. I have a podcast scheduled for tonight with Mitchell and whole list of other stuff I have to get on to. Have a great day!

Posted at 09:59 AM in Current Affairs, General Background, General Security, Holidays, Mitchell Ashley, NAC, Security Incite, the security industry | | TrackBack (0)

November 24, 2009

The evolution of NAC

evolution_of_man Jeff Wilson over at Infonetics Research has always been one of the biggest supporters of NAC. It was early Infonetics reports that really helped fan the flames of the NAC craze. So while most of the world seems to have moved past NAC, Jeff and the Infonetics team are still beating the NAC drums.  Of course with companies going out of business and market numbers not growing as projected, you need to take a new angle if you are going to point to any kind of a rosy picture regarding NAC.  That is exactly what Jeff and team have done with their new whitepaper titled the “The Evolution of Network Access Control”. It is available for a free download if you still have any interest in NAC. 

Jeff points out how “modern NAC” products (all three of them) have moved beyond the original NAC mission to perform valuable tasks in today’s complex network environments. Frankly I think Jeff’s idea is right on, but I question whether today’s NAC solutions actually perform these tasks or is it more NAC hype.  In any event, the argument can be made that for many of these tasks there are other products that can perform these tasks better, cheaper and faster. NAC by definition can be complex, so without a clear cut mission worthy of the challenge of implementation it is a tough value prop.

infonetics

One interesting thing is what respondents to Infonetics gave as drivers for buying NAC. Guest Access was near the bottom but stopping propagation of threats was still at the top. That hasn’t changed since the beginning of NAC.  I am just not sure that is a big enough mission to drive NAC though.

Posted at 10:02 AM in NAC | | TrackBack (0)

November 04, 2009

Bradford Networks distances themselves from NAC

Bradford Networks fresh off of winning a best buy award in a NAC group test from SC Magazine, yesterday announced an ambitious new line up of solutions based on what they are calling their Adaptive Network Security (ANS) platform.  Network Sentry is the new line and here is what Bradford says it is all about:

    1. Protecting the network from unauthorized and at-risk users and devices;
    2. Ensuring that confidential network resources are protected;
    3. Eliminating endpoint vulnerability;
    4. Ensuring that security policies are established and enforced;
    5. Maximizing existing investments in security systems and network infrastructure;
    6. Provisioning, securing and managing user, device and guest access;
    7. Detecting and profiling managed and unmanaged devices; and
    8. Automating security actions and policy enforcement to unburden IT staff.

What you don’t see there is NAC or network access control though.  Many of these functions were already accomplished by their NAC Director and guest access NAC products.  But they are clearly choosing to distance themselves from the word NAC.  Hey, who can blame them? 

What remains to be seen is if Bradford has the breath and girth in the market to make this comprehensive vision actually pan out.  They have a great base in the edu market and this could be just the thing to move them beyond that.

Also some of the traditional knocks on Bradford’s NAC product seem to have been addressed in the new release. GUI, set-up and reports all claim to have been upgraded.  I haven’t spoken to anyone yet who has used it to say for sure. 

In any event seems like another vendor trying to move away from NAC. The problem is that many of those who have tried have already spent too much time and effort and didn’t seem to have the fuel necessary to achieve escape velocity. But with Bradford building on what they already have, lets hope it turns out different for them.  Good luck to them and we will have to keep watching.

Reblog this post [with Zemanta]

Posted at 08:32 AM in NAC | | TrackBack (0)

October 06, 2009

SSAATTY Podcast: Mirror Pond - The best Safe Access NAC ever!

Mirror pond
This is a special edition of the StillSecure, After all these years podcast. I am joined by John Curry, director of customer security at StillSecure to discuss the latest, greatest version of StillSecure's Safe Access NAC product code named Mirror Pond.  Mirror Pond has won rave reviews from customers, media and engineers alike.  John tells why and what you can do with Mirror Pond.

WARNING: Listening to this podcast could change your attitude on how, when and why you should use a NAC solution. Listen at your own risk.

If you have any questions about the podcast, please write to podcast@stillsecure.com. If you have any questions about Mirror Pond, NAC or other StillSecure products, check out the StillSecure web site.


Posted at 11:15 AM in NAC, podcasting, StillSecure stuff | | TrackBack (0)

September 04, 2009

Network Access Control for Dummies who like Juniper

nac for dummies At one time the “for Dummies” books were pretty cool. They had legitimate books that had simplified information on a range of topics.  Unfortunately the whole “for dummies” thing has been co-opted by marketing hucksters. Even in the infosec arena we have seen it happen. First it was Qualys coming out with Vulnerability Management for Dummies, now it is Network Access Control for Dummies by Juniper.  Hey I don’t blame them it is a great way to educate and steer customers to your point of view.  I guess what bothers me is that to the average user it is not clear that the book is written with a slant towards a particular vendor.

I have not read the entire book. I did read the first chapter which you can read here. The book appears to contain some good information. The thing is when you look at their descriptions and pros and cons of different types of NAC you can see the Juniper bias coming through.  Very 802.1x focused, but what do you expect from a Juniper NAC book?

Anyway my point is that if you really wanted a good NAC for Dummies book instead of having 3 authors from Juniper, a more non-biased or balanced group of authors would bring the book more creditability. My personal opinion is that NAC for Dummies is best done by using a managed service for NAC. NAC for Dummies is a bit of an oxymoron :-)

Related articles by Zemanta
Reblog this post [with Zemanta]

Posted at 08:59 AM in Books, NAC | | TrackBack (0)

August 25, 2009

When you're a hammer everything looks like a nail

One of my favorite sayings and I have Mike Rothman to thank for it.  It popped into my head this morning while reading a guest opinion piece in SC Magazine by Jon Green, VP of Aruba Networks (VP of what I don’t know). Once you get past Jon’s cutesy wireless and NAC = BFF stuff and read what he is talking about there are some good things there about how NAC can help a network.  But you need to remember what kind of hammer Jon is. 

Aruba is a company that makes and sell wireless gear and OEM’s Bradford Network NAC product.  They sell a lot of the OEM’ed NAC into the edu market. So of course what Jon says is based upon the experience Aruba has selling NAC. Therefore when Jon says retrofitting NAC onto wired networks is much harder then putting NAC into the wireless networks understand the perspective. You see the nail?  He says this is because the wireless networks are new and don’t need to be retrofitted. But what about if you are upgrading the wired network too? That does happen.  At the end of the day if you are using 802.1x whether it is wired or wireless, NAC is much easier to do, assuming you know your 802.1x. 

Here is my point though, what good is just putting NAC on your wireless network if the wired network is not protected? As the song goes “it just takes one bad apple”. In fact NAC’ing your wireless network while leaving the wired network open is like locking the door but leaving your windows open.  If you are going to use NAC you need a plan that will have all devices coming on your network being authenticated and secured.  Not just the ones that come on through the gear you sell.  Otherwise instead of BFF, it is just BFD!

One other thing Jon, not sure how many actual NAC deployments with remediation you have actually worked on, but let me know how many endpoints are patched and remediated in a just a few seconds. Maybe the testing takes a few seconds but remediation takes longer then that. Makes your piece sound a little too PR'sh.

Posted at 01:40 PM in NAC, SC Magazine | | TrackBack (0)

August 21, 2009

Knock NAC, Knack for NAC, Who gives a NAC?

I’ll tell ya, nothing like a NAC vendor going out of business to get the press to pay attention to NAC again. After cruising under the radar for a while allowing successful NAC vendors and users to actually get something done, ConSentry going under has brought the pundits out of the woodwork.  I wanted to just quickly comment on two articles/posts I came across today:

1. Pescatore on Knack for NAC – If you are in the security business you know Pescatore means John Pescatore the dean over at Gartner.  If you are not, you may think I am speaking about some seafood item on an Italian menu. Anyway, Lawrence Orans is the NAC point guy for the G-men, but John had an article up on the Gartner blog that I thought made some good points.

    • Gartner’s definition of Network Access Control as a process has three elements:
        1. Noticing whenever something connected to your network and determining if it was one of your devices or not, and if it was one of your users or not.
        2. Determing the security status of the device connecting to your network.
        3. Given (1) and (2) deciding what to do.
    • That despite the overhype there have been a number of success stories recently that “have taken phased approaches to NAC by first implementing (1) above to support guest networking and allowing unmanaged IT on the network. Once that is stable, turn on baselining - but still no quarantining. Once that is stable, start looking into (3) - what sort of network controls should be placed on vulnerable (missing patches) devices vs. dangerous (infected with malware) devices?” The distinction between vulnerable devices versus dangerous devices is a good way at looking at the classes of devices coming on.  Too often it is rogue versus managed or guest.  What is truly dangerous and what is just not in policy is a good way of looking at it.
    • Guest Networking is the back door into many NAC deployments where customers did not go looking for NAC but in solving the guest network problem wound up with NAC. As a result according to Pescatore the market had some very hefty growth despite the economy.

2. Randy George at Information Week (is he Boy’s cousin or something. What is it with me and making fun of names today? I feel like Chris Berman on ESPN – He could go all the way!) on ConSentry going belly up being an ominous signal for system level protection technologies. Sorry Randy you got it all wrong. Randy’s mistake is classic. When you start with erroneous assumptions, you are going to come to erroneous conclusions (you know what happens when you assume). First lets look at his mistaken assumptions.

“After $80M invested by its VC partners, over $9M of which was received earlier this year in order to fund future growth, an innovator in the Network Access Control space, ConSentry Networks, closed its doors for good today.”

Randy here is the deal. Yes ConSentry burned through 80 million. But 71m or so was spent in an orgy of marketing and chip and hardware development during the NAC wars. ConSentry was locked in a battle with Vernier and Nevis, when the real enemy was Cisco. It was common knowledge that the only viable exit for any of the inline guys was to get bought by a switch vendor.  To compete in the switch market as an independent would require hundreds of millions of dollars, not 70!  By the time they raised the last 9m they were on life support. That 9m was a recap that crammed the original investors out. It gave ConSentry a short leash to remake itself as a switch, not a NAC vendor. Without some quick success in the switch market they would not be able to raise the additional dollars they would need to compete. That was the “funding future growth”. You may know how to test stuff in the lab, but you need a little help sifting through the PR speak.

Next ConSentry had not claimed to be a NAC vendor in a long time. They had been running away from the NAC moniker for years. The only ones who thought of them as an innovator or leader in this market were people at your magazine. They had less than 100 customers I believe. Again don’t believe the hype.

Finally, your biggest mistaken assumption of all. I just don’t get that because both both data protection and system protection are both hard and expensive, companies won’t do both, so are choosing data protection.  Faulty logic.  We could say the same thing about host based protection versus network based protection. Do you see UTM, Firewall, IDS/IPS, network vulnerability scans going away in favor of HIPS, personal firewalls and endpoint security? Can you say layered security? They are not mutually exclusive. As long as there is a problem that needs to be solved there will be system based protection.  NAC is not black and white and neither are the real world choices that security professionals make.  You can create a science experiment where you have to pick one or the other, but you need both!

Reblog this post [with Zemanta]

Posted at 09:04 PM in NAC | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Lijit Search

MyBlog Log Community

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search

Blog Networks

  • Find the best blogs at Blogs.com.

Categories

Track my blog stats

Blog powered by TypePad
Member since 10/2005

About