254 posts categorized "NAC"

July 24, 2008

In the great NAC debate, Snyder KOs Stiennon in the first round!

Just got done reading the transcript of yesterday's great NAC debate between Joel Snyder and Richard Stiennon. As I predicted Snyder scored a knockout early on and it was mostly over from that point on. The knockout came earlier than I expected though, right off the first question. Each combatant was asked to define NAC and that was when it happened. Richard brought an EPAC (end point access control) to a NAC fight. That was akin to him bringing a rubber knife to a gun fight. A quick bullet between the eyes by Snyder and it was almost painlessly over for Richard.

I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control.  It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model.  NAC is just another layer in that model.  Richard’s comments deriding the .edu and .mil markets were also laughable.  Richard, have you ever heard the term military grade?  Are you seriously trying to say that enterprises take security more seriously than the military does?  Come on now Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard. He made Richard stay focused on the question at hand, did not let him wander and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change. Except, I don't think Richard will be in any more of these bouts. Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas?

July 21, 2008

When is 4 out of 5 stars not 4 out of 5 stars or do I have a car for you!

After my “used car salesman of NAC” series I was going to give Ray and the gang a break. But the depths they sink to just never cease to amaze me! Today I received a Google alert on NAC with a link to a press release announcing the NAC used car sales guys continuing to deliver best in class security management solutions, yada, yada, yada. The basis for this claim was that “SC Magazine awarded ForeScout’s CounterACT a four-out-of-five star rating, lauding the product’s ability to ‘function like a firewall, an IPS and a NAC device all rolled into one’.” They wrapped some customer quote (that had nothing to do with the SC Magazine story) around it and voila! Can they put you in this car today?

So why do I call this out? No, no sour grapes here.  Actually StillSecure Safe Access received the same 4 out of 5 stars and when we dig into the rating here are some interesting facts:

[SC Magazine star-rating screenshots for ForeScout CounterACT and StillSecure Safe Access]

In actuality, our friends the used car salesmen only received a 2 star rating in ease of use, a 2 star rating in documentation and a 3 star rating in support. In contrast StillSecure Safe Access received 5 stars across the board, except for a 4 star grade in documentation. How both products finish up with a 4 star rating overall based upon this is frankly baffling to me. I think it has more to do with the reviewer not wanting to spank any of the products too badly. I have already asked for a clarification and will let you know what I find out. But being a slick marketing machine, I thought it the height of chutzpah that they would put out a release around this, considering the Best Buy and Editor's Choice were two different products. But I guess that is why they did not have a quote or a link to the actual review. The review starts out with this memorable quote, “The ForeScout CounterACT was the device which took the most time to install and configure.” Later on the reviewers had this to say, “The second part of the configuration was far more difficult. The initial screens for the GUI made us feel lost and we immediately began looking for the documentation CD.” Now does that sound like a review to be touting? Only those master car salesmen would seek to put out a press release trumpeting the results of this review. They are counting on wrapping enough other quotes (and frankly who knows about those) around it so that no one will bother to dig into the facts here. Hey, that's what you guys pay me for, telling it like it is!

Companies getting the knack of NAC

For too long we have heard the NAC knockers bad mouthing the benefits of NAC and bemoaning its lack of adoption. I have always believed that much of this was marketing spin and that companies were finding NAC highly useful. Typical hype cycle kind of stuff. At the end of the day though nothing speaks like real world references by customers stepping up and publicly saying they use the product. Of course, those of us in the security industry know that this is probably one of the hardest things to do. No one wants to stand up and say what they use for security. This could give information to the bad guys and attract attention that many companies would rather not have. At StillSecure this has always been a double-edged sword for us. With many DoD networks using the product, we have not really been able to talk a lot about the great job our NAC product does on some of the most sensitive, mission critical networks in the world. By the same token, usually we don't announce or publicize many of the infrastructure providers who we partner with and who sell a re-branded version of our NAC product.

Recently several NAC customers have been stepping up and talking about how they use NAC and why. Last week there was a good article on Estee Lauder using NAC first for guest access control and most recently an expansion of their NAC deployment to help with PCI compliance.  This week in an article with the usual left-handed compliments, Tim Greene in between quotes by the so called analyst experts, talks about several NAC companies rolling out NAC.  One is American Bancard, another StillSecure customer who uses NAC to help with PCI and keep their network secure. The article talks about several other companies using NAC solutions from other vendors as well, which is also very encouraging.  Of course the companies I have spoken about I know for a fact are using NAC.  With some of the competition, you cannot always be sure as I have written about in the past.

In any event, I think it is important that we are starting to see some real public references for NAC deployments. Nothing proves the point of a product's value more than real live customers stepping up and talking about it!

July 17, 2008

Just so you know it is not me

I know many of you think I am like a Pavlovian dog the way I respond to Richard Stiennon's anti-NAC vitriol. After my last article, I really decided to just lay off Richard. But just to show you that it is not me, I wanted to point out Richard's recent attack on Grant Hartline, CTO of Mirage Networks. Grant blogs and put up an article regarding the latest exchange between Richard and me. Both Richard and I commented. Check out Richard's expletive-laced reply that I think shows just how unhinged he has become on this subject. Richard rambles and stumbles taking shots at anyone he can. I am telling you, he is really losing it.

In the meantime based on this, I am going to change my prediction on the great debate and say Joel Snyder in 2!


July 15, 2008

AEP left high and dry moves to ID access control

AEP had been a victim of the NAC fallout. They made a bad bet on an OEM partner to provide them with NAC technology. When that NAC vendor went belly up, so did AEP's NAC product as a result. Now Tim Greene reports that AEP has come out with a new device that, while not strictly a NAC product, does more identity access control and does not seem to do any admission control.

AEP, which makes an SSL VPN type of appliance, has a new appliance that delivers an agent to an endpoint and authenticates the user. It then, according to the article, inserts an identifier in the payload of every packet that shows where and who that packet is from, which then allows it to either pass or not pass through, only to its allowed base. I don't know, that seems a bit of a chokepoint/bottleneck to me, but I don't know enough about it, only what I read in the article.

The appliance is not cheap with a price tag of over 50k for just 99 users. It seems like an awful lot of money for what it does. An important lesson I think on picking the right OEM partner. Pick the wrong one and your product goes down as collateral damage to the OEM partner's demise.

July 10, 2008

You want the truth, you can't handle the truth!

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco's network admission control, circa Dec '03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard's latest NAC knock comes on a comment to an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (let's face it, with Richard you can take the man out of the analyst job, but you can't take the analyst out of the man), takes exception to Hoff's “whining” (Richard's words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts is to prove them wrong. Great Richard, you try to prove them wrong, when because of what they report you don't have a market, can't get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC déjà vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth.  Richard the fact is that the edu market is not the only viable market for NAC.  In fact, one of the biggest customers of NAC is the DoD.  That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can’t handle the truth!  You sleep securely under the blanket of protection that NAC provides.  If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don’t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard.  Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions?  Why has Microsoft put such a big push on NAP?  Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that).  Richard we are still signing new major OEM partners.  I am afraid you are the one sadly out of touch on this one Richard.  Just as you are out of touch in missing Hoff’s point in his article.

As to Hoff's article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendor's word as gospel. I have seen research reports from analysts big and small that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors, if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next, analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live “pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy.  But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.


July 02, 2008

The many faces of NAC

For a long time I have been writing and speaking about the many ways that NAC can help with securing your endpoints and your network. Yesterday, Tim Greene lays out some good reasons for NAC and the many ways it can help.  However, he couches it in terms of NAC as a personal firewall.  I am not sure I agree with that one at all.  Personal firewalls are usually thought of as host based security on the endpoint.  While NAC certainly has an aspect of that, NAC is inherently about networks as well.

I am reminded by this article of Senforce. They had one of the best personal firewalls in the market and were often called a NAC solution. But when you spoke to Nolan Rosen and the folks at Senforce, they would tell you that they were not a NAC solution, but needed a network based NAC component to complement their product. That was the basis of a partnership we had with them. In any event, I think we are seeing NAC used for a variety of uses and we will continue to see it evolve in the market.


June 27, 2008

Maybe the NAC used car salesman can claim them as a customer too? In NAC quality counts!

Dark Reading had a good article today talking about GuideWorks, the TV Guide/Comcast joint venture's 2 year odyssey with NAC, which finds them finally starting to see some good results. I immediately went to the website of the NAC used car salesman to see if they claimed them as a NAC customer too, but didn't see anything yet. But with those guys you never know.

Seriously though folks, this story is a classic NAC story. GuideWorks had guests and unmanaged users visiting their offices all the time. When they would ask to plug in they were told sorry, wait till you get back to your hotel. Over time this answer became unacceptable and they realized they needed a way to give these people a way to get on the net and get their email while keeping their network secure. This very same need drives many initial NAC deployments.

Like many other NAC customers they wanted something easy, not add major overhead or network changes and easy to administer. Again straight out of the NAC playbook. In the Summer of '06 they began a pilot of the Tipping Point NAC product which is based on the old Roving Planet technology. Now Roving Planet was more of a wireless security company, but near the end they rebranded themselves as NAC and Tipping Point uses that with their IPS devices to enforce. Best of all for GuideWorks the price was sub 10k.

Here is where the other side of NAC comes in. This is what the article says:

While NAC tools are often advertised as plug-and-play, GuideWorks found that the NAC setup required a high level of networking expertise. Fortunately, the Inglewood site had plenty of technical expertise because that’s where many of the company’s developers are stationed. In addition, GuideWorks put one of its front-desk employees in charge of setting up new accounts. But because her technical background was limited, the company had to walk her through a learning curve.

Now the company is planning to deploy the system at its Radnor office, which will be a bit more challenging since there’s less technical expertise there, and that office gets a greater number of visitors. So GuideWorks has been on the search for employees to support the NAC system there. The company expects to have NAC up and running there by the end of the summer.

So 2 years after trial they are rolled out in one office and have to hire employees to support the NAC system at the next office. This was a problem with many of the failed NAC companies over the last few years and I think the problem with this Tipping Point solution. Just providing guest access should not be that hard! Yes the StillSecure Safe Access solution would have been much easier and faster to implement, but to be fair, any of the leading NAC solutions would have been up and running easier as well.

While this article was supposed to serve as reference and case study for the Tipping Point NAC solution, it is far from inspiring. If I were a customer looking into NAC, I don't think this would make me run out and look at the Tipping Point solution. Moral of the story is, just because you made a good IPS doesn't mean you have a very good NAC product. When it comes to something like NAC, quality counts and buying a 2nd tier solution can cost you in time to implementation and total cost of ownership.


June 23, 2008

Stay Current? - I don't think so

A Google alert caught my eye today about an article entitled "The Essential Guide to NAC", in ITSecurity.com. It is by John Edwards and dated June 23, 2008. It was pretty much the usual about NAC. In line, out of band, agent based and agentless, yada, yada, yada. At the end of the article was a list of "market leaders" including Vernier Networks and a few other smaller NAC vendors. Now as we all know Vernier ain't Vernier no more and is not really in the NAC business. I would not hold it against John Edwards or ITSecurity.com except at the head of the article it said, "Stay Current, Features - The Essential Guide to NAC".

Not exactly what I would call keeping current, would you?


June 16, 2008

The used car salesmen of NAC and the BNBB

Few occupations have such a low reputation as used car salespeople. Well OK, maybe lawyers ;-). For the most part though used car sales people are not really as bad as they are made out to be or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large lemon laws, consumer protection rules and truth in advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation. Who doesn't hear or read an ad today for cars without the "fine print" being mentioned?

In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB). Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in. The same way the used car salesmen of the world have been rehabilitated, let's do the same with NAC marketing!

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors. The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center. It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer. The press release has quotes from the CIO of LVHHC. The second press release and case study is from NAC vendor X. It also claims that LVHHC uses this company's product for NAC throughout the entire organization. They also have a quote from someone at the organization (OK, not the CIO, but someone). Who to believe? Does LVHHC have two NAC solutions? I doubt it. What to do?

Well we can look at a little history. For instance, which of these two NAC companies claimed they did not use Nessus in their NAC product and then it turned out they did? What company took the infamous TCP reset and tried to peddle it as a "virtual firewall"? Of course there was the time they took out Google AdWords on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So let's give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little too quick to pull the trigger here. Let's give them a chance to go back and check with their sources and see if they have the facts straight. If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, let's give them a chance to retract or correct the press release and case study. At that point the BNBB would close this file without any prejudice. Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this? Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness. Let's give them a month.

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com

June 14, 2008

If Rohati is King Arthur, what does that make Stiennon ...

Sir Lancelot or Guinevere? Hey, don't laugh, it could happen to you. In the meantime what has Richard so hot and bothered that he is ascribing mythical qualities to Rohati? It seems they are using a layer 4 to 7 firewall to control access to applications. They call it network based entitlement control. I wonder how they stack up to Palo Alto Networks and some of the other next gen application aware, access control firewall products. From what I understand Nevis Networks and ConSentry can do similar things with the firewalls in their secure switches.

Nevertheless Rohati has gotten some good press, albeit with most coverage carping on the fact that they are founded by former Cisco employees (there are enough former Cisco employees to found many companies I would think). I do think that application aware access control is of tremendous value and this technology will find its way into many technologies. It is a logical extension of identity based access control. 

As usual though Richard can't resist taking a few cheap shots at NAC vendors. In Richard's idyllic view of Camelot, somehow performing pre-connect health or integrity tests is the devil's own work. Richard will just admit that these tests have value and people want them. They do not preclude doing the rest of the job of access control that Richard seems to approve of though. Alas, Richard and I have danced this dance before and I am not going to get into why it is important. In fact, here is a new tack for you Richard: it is not important. If you are not going to be convinced, forget about them. Look beyond admission control tests at what NAC vendors offer around access control and you may find a similar type of technology to Rohati in the near future.

Until then though, Richard, let me paraphrase Merlin from the movie Camelot: "Never be too disturbed if you don't understand what a former analyst is thinking. They don't do it very often".


Mr Bump has a problem with me being frustrated by loving customers

So my friend Mr Bump has a problem with my post on vendor frustrations with customers. For those who don't know Mr Bump, he writes about "NAC in the real world", originally about his deployment of Nevis Networks product. At first I thought Mr Bump was a pseudonym for Dom Wilde over at Nevis, but over time I actually like some of what Mr Bump writes and he contributes to the security blogosphere in a positive way. I just like to give him crap about his choice of NAC vendors, but it is all in good fun. Plus I actually like and respect Dom Wilde and that kind of unscrupulous behavior is not his thing.  There is another NAC vendor who plays fast and loose like that though and I will be writing more about that this week, so stay tuned.

Mr Bump responds to each of my three points, but before I get to that, let me clear up a few things. First of all Mr Bump says that this is his problem with 90% of all "sales" people. Mr Bump, you obviously have some issues with sales people. Were they mean to you when you were young? Did your Mom like the salesperson sibling better? Do you secretly dream of being a sales person? Just kidding, but seriously, I did not write my article from the point of view of a sales person. Sorry you confused me with one, though as I have said before we all sell everyday, whether we admit it or not. I was writing from the point of view of a business owner, trying to build a solid business one customer at a time. I am not concerned with short term commissions, but building out a solid customer base. This way I can sell the business for a huge profit and you can call me a slimy entrepreneur ;-).

Also, I can complain as a customer, that is my right. Equally so it is my right to complain about customers as well. I guess I can complain about anything I want on my own blog, not sure why that should bother you. Think of it this way. We all wear different masks in different roles in our lives. Sometimes we wear the Daddy mask, sometimes the boss, sometimes the employee, etc, etc. Being one in one situation, does not preclude you from being another in another situation.

Now, on to the show. Mr Bump doubts my sincerity about being upset when a new guy comes into a customer replacing the guy who bought the product and we have to start all over with them. He says I am kidding him. I made my sale and collected my commission and am on my way. Well Mr Bump, I suggest that if that is the kind of security vendors you deal with, find new ones! Any good business person can tell you that one unhappy customer is worth 10 happy ones. It is about building long term customers. That is how you build a business, not about being bandits who come in, rape and pillage, collect the commission and move on. I have known sales people who have sold to the same people over and over again, because they do care for more than the short term commission. I am sorry you can't believe it and you can't see how it frustrates a vendor. But sometimes we will work with a person for months or even years and build a deep relationship. As part of the game, they move on, I get it and that is the way it is. But it is very frustrating starting from square one with the new guy who may have a pre-conceived prejudice.

Next Mr Bump finds it unbelievable that I would care if a product implementation got delayed. Again, this speaks wonders to the kind of security vendors he deals with. It is not about if my resources are committed at all. Mr Bump I can't wait to get you up and running so you can tell your friends and others about what a great product and company you deal with and we can continue building the business. Also, believe it or not I care that all of a sudden a maintenance fee comes up because the time starts running from the date of sale and the customer hasn't even used the product yet. Shelfware is a failure for a vendor. Delaying implementation is the first step to shelfware. Please Mr Bump spare me your "in the trenches and grenades" story. Most hard working people at security vendors or anywhere else for that matter are not sitting around playing foosball either! We all deal with emergencies and priorities. I am keenly aware of the security and network admins job pressures and have tried to build a company that actually makes your life easier. Again, I can only assume you are dealing with quite a bunch of vendors if you feel this way.

Lastly Mr Bump almost agrees with me about using the product in unintended ways. Mr Bump, I can put you in touch with people who have done this. You have to remember that unlike your NAC vendor, our stuff is built on off the shelf hardware with an open, standards based OS and database, etc. People who are comfortable around a command line and Linux like to play. We don't mind, just realize how hard that makes our support obligations though and don't expect us to fix what you "developed".

So I hope that clears that up. Like I said in my comment on your blog, too bad you didn't pick a better NAC solution you might have a different opinion of security vendors and maybe even sales people ;-)

June 11, 2008

Vulnerability in SNMP 3

Dennis Fisher blogs over at SearchSecurity.com about a new critical flaw found in SNMPv3. I have blogged before how some NAC vendors that utilize SNMP have tried to fool unknowing sys admins that SNMP stands for security network management protocol, instead of simple NMP.

The SNMP zealots have always tried to counter the "SNMP is not secure" arguments by pointing to v3 as a very secure method, and now this flaw is found. How many more will be found? In any event, glad they found and fixed this. Now if they could just find someone using SNMPv3 it would be great!

May 22, 2008

Sophos feeds Tim Greene a line of bull on virtual NAC

I saw Tim Greene's column this morning entitled "Sophos NAC client adapts to virtual environments" and was curious to see if Sophos had taken a similar tack to what we did here at StillSecure in securing multiple virtual machines on the same physical machine. After reading the article though I have to say that Richard Jacobs, CTO of Sophos, fed Tim Greene a line of bull.

First of all let's start with the obvious. Sophos' whole solution around virtual environments and NAC is nothing more than vaporware! Here is how the article leaves off in discussing this "solution" that Jacobs talks about: "Jacobs says the company doesn't have a name yet for this enforcement agent, nor does it have a date when it will become available as a product. Stay tuned." So what exactly are we talking about?

Beyond that though, a closer examination of what Jacobs says is the obstacle in providing NAC to virtual environments is bull. Jacobs says the problem is "that in virtual environments, a physical machine that hosts virtual machines already has access to the network". Therefore according to Jacobs, "The switch port that the host machine connects to cannot be used as a NAC policy enforcement point because the host machine’s status would determine the NAC policy for itself and for all the virtual machines running on it." He continues with, "That single policy would then have to apply to all the virtual machines running on the host, regardless of the status of the individual virtual machines, he says. A non-compliant virtual machine that tries to come onto the network could change the NAC status of the host, and enforcing that new status would block all the other virtual machines, even if they are compliant."

Maybe what Jacobs should have said was that if your NAC is so limited that it will only work by allowing one device per port, with no ability to distinguish devices, OSs, etc. beyond that rudimentary one-to-one equation, you are stuck waiting for Sophos to develop something that may work, who knows when. What about the case where someone plugs a computer into the back of a VoIP phone? They are both going through one port on the switch. Does that mean Sophos can't handle that either? That is trouble if you are a Sophos customer. But there is a better way!

What if you have the ability to distinguish access to the network based upon MAC address? My understanding is that each virtual OS in a virtual environment will have its own unique MAC address. So if you assign policy, test and quarantine based upon multiple factors such as IP, domain, MAC address, NetBIOS, etc., you do have the capability to test and allow one OS while denying another OS, all while they are running on the same physical machine. In fact, that is just what we do with Safe Access!

I have seen it in action here at our offices in Colorado myself. If you log on with a Macintosh, you get checked as a Mac and are allowed on or not depending on whether you passed the assigned policy test. When you fire up Windows on that Mac, you are tested again and can be denied access while your Mac is allowed on. Vice versa, you can get on the network with your Windows virtual OS even though your Mac OS was denied, all, mind you, while you are running on a Macintosh physical box.
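To make the distinction concrete, here is an added example (not Safe Access code, and nothing from Sophos; the policy table, port name, MAC addresses and endpoints are all constructed) that evaluates the same two endpoints, a Mac host and a Windows VM sharing one switch port, first under port-keyed enforcement and then under MAC-keyed enforcement:

```python
"""
NAC enforcement keyed by endpoint identity (MAC address plus OS fingerprint)
rather than by switch port. Added illustration only: not StillSecure Safe
Access code. Policies, endpoints and port names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Endpoint:
    mac: str             # per-NIC identity; each VM's virtual NIC has its own
    ip: str
    os: str              # OS family from fingerprinting ("macos", "windows", ...)
    port: str            # physical switch port the frames arrive on
    av_running: bool
    patches_current: bool


# Per-OS policy: the checks that must all pass before access is granted.
POLICIES: Dict[str, Set[str]] = {
    "macos":   {"av_running"},
    "windows": {"av_running", "patches_current"},
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-1C-42-...' and '001c42...'
    resolve to the same policy record."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate(ep: Endpoint) -> str:
    """Decide 'allow' or 'quarantine' for one endpoint from its own posture."""
    required = POLICIES.get(ep.os)
    if required is None:
        return "quarantine"      # unrecognised OS: fail closed
    return "allow" if all(getattr(ep, check) for check in required) else "quarantine"


def port_keyed(endpoints: List[Endpoint]) -> Dict[str, str]:
    """Port-granular enforcement: one verdict per port, so a failing VM drags
    the host and every sibling VM into quarantine (the limitation described
    in the article)."""
    by_port: Dict[str, List[Endpoint]] = {}
    for ep in endpoints:
        by_port.setdefault(ep.port, []).append(ep)
    verdicts: Dict[str, str] = {}
    for members in by_port.values():
        port_verdict = "allow" if all(evaluate(m) == "allow" for m in members) else "quarantine"
        for m in members:
            verdicts[normalize_mac(m.mac)] = port_verdict
    return verdicts


def mac_keyed(endpoints: List[Endpoint]) -> Dict[str, str]:
    """Endpoint-granular enforcement: each MAC is judged on its own posture,
    even when several share a physical port."""
    return {normalize_mac(ep.mac): evaluate(ep) for ep in endpoints}


# Constructed sample: a Mac host (AV running) and a Windows VM on it that is
# missing patches, both seen behind switch port Gi1/0/7.
SAMPLE = [
    Endpoint("00:1C:42:00:00:01", "10.0.5.21", "macos",   "Gi1/0/7", True, True),
    Endpoint("00-1c-42-00-00-02", "10.0.5.22", "windows", "Gi1/0/7", True, False),
]

if __name__ == "__main__":
    print("port-keyed:", port_keyed(SAMPLE))   # both quarantined
    print("mac-keyed: ", mac_keyed(SAMPLE))    # Mac allowed, VM quarantined
```

A MAC address here is an identifier, not authentication: it is what lets the enforcement point tell two endpoints on one port apart, and the list of additional factors above (IP, domain, NetBIOS) is there because no single attribute should decide access on its own. An OS the policy table does not know about fails closed rather than open.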

The moral of the story is don't underestimate that someone else has a better mousetrap than you do. Also, if you are going to spout off thinking everyone is as limited as you are, at least have the goods and don't be pushing vaporware!

MSSP and NAC - true love or lust?

A recent addition to the Security Bloggers Network (over 50,000 combined subscribers strong now!) is the Mirage blog from Grant Hartline, CTO of Mirage Networks. Mirage is sometimes a competitor of StillSecure in the NAC marketplace (actually we don't run into them very often), but I was happy to see them join the SBN. I have certainly taken shots at them in the past and am glad they are using the blogging medium to put their own point of view out there. Networks like the SBN are strongest when multiple and different points of view are represented. Anyway, Grant has been blogging up a bit over there with some good stuff, especially about post-connect, NAP, Interop and Joel Snyder. Grant's most recent article is called MSSP and NAC - True Love.

For the most part I agree with Grant that NAC is a natural for the managed services space. However, I think for the MSSP (managed security services provider) market specifically it may be beyond their current offering levels. Most MSSP offerings today are focused at the perimeter. They have grown from managed firewall to managed IDS/IPS, managed anti-spam and managed content filtering. Now managed UTM is all the rage. However, all of these technologies are perimeter based. If I am not mistaken, Mirage's early experience offering a managed service was with AT&T, offering it as a behavior-based type of intrusion prevention and worm detection. I think moving into the internal network with a more traditional NAC offering might be beyond the current scope of most pure MSSPs. However, managed service providers who are already providing desktop management and full network management, like an EDS, IBM or HP, are indeed natural candidates to provide a managed NAC service. I think we will be seeing much more managed NAC from these types of providers in the future, but it will be a while until the pure-play MSSPs have managed NAC.

May 20, 2008

Are current vulnerability and compliance testing tools like answering the phone at 3am?

I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week. The requirements for this customer were not unusual. They wanted to test for conventional CVE-type vulnerabilities. Additionally, they wanted to test for configuration compliance: hotfixes, patch level, AV, etc. This direction is where a lot of the traditional vulnerability management solutions have been heading. Whether by adding a separate compliance module or by audit and local check capability, most of the traditional vulnerability scanning solutions offer some coverage in this area. However, in speaking to this potential customer and in thinking about their needs, an inherent problem with this solution is that it is only as good as the devices that are available on the network when the scan takes place.

In traditional vulnerability scanning, when the scan takes place was not as much of an issue. Usually you are scanning servers and other devices that are on the network 24/7. In fact, doing the scans during off hours was usually preferred. Too many of the network-based vulnerability scanners took up too much bandwidth and other resources to run during the prime-time hours of the day. In compliance scanning though, you need the status of laptops, desktops and other devices that may not be connected to the network 24/7. Therefore it is important to reach and test these devices when they are on the network. That is the rub. How do you really make sure the devices connecting to your network are compliant if you are only testing them at a point in time when they usually would not be on?

This problem reminded me of the Clinton-Obama flap over who answers the phone at the White House at 3am. That is an important question for who is president, but for compliance, answering the phone when someone is there to talk to is more important. I think this is where NAC provides an advantage. By utilizing NAC to detect devices coming on the network and then using a low-impact NAC/compliance test as well as traditional vulnerability scanning, you get a picture of vulnerability posture and compliance status as of the last time they accessed the network. You can still do follow-on tests at any time you desire, but at least when a device is logging on you are sure of a test.

Will NAC supplement vulnerability testing in this manner? I think so. Many customers we have spoken to about this like the idea of "scan on connect," and we have already enabled our own NAC product, Safe Access, and our vulnerability management platform, VAM, to do this. What do you think?
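As an added illustration of the coverage gap described above (this is not Safe Access or VAM code; the inventory, online hours and connect events are all constructed), the following compares a 3am scheduled compliance scan with a connect-triggered assessment of the same four devices, and then flags devices whose last result has gone stale, which is the follow-on check you still want even with scan on connect:

```python
"""
Fixed-time compliance scanning versus "scan on connect": which endpoints
actually get assessed. Added illustration only: not StillSecure Safe Access
or VAM code. Every device, schedule and event below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Result = Tuple[str, Optional[int]]   # (status, hour of the assessment or None)


@dataclass(frozen=True)
class Device:
    name: str
    online: range        # hours of the day (0-23) the device is on the network
    av_current: bool     # the compliance attribute being tested


def posture(d: Device) -> str:
    return "compliant" if d.av_current else "noncompliant"


def scheduled_scan(devices: List[Device], scan_hour: int) -> Dict[str, Result]:
    """Off-hours scan: only devices reachable at scan_hour get a result."""
    return {d.name: (posture(d), scan_hour) if scan_hour in d.online else ("untested", None)
            for d in devices}


def scan_on_connect(devices: List[Device], connects: List[Tuple[int, str]]) -> Dict[str, Result]:
    """Event-driven assessment: test a device each time it connects, keeping
    the status as of its most recent connection. Devices that never connect
    stay untested."""
    by_name = {d.name: d for d in devices}
    results: Dict[str, Result] = {d.name: ("untested", None) for d in devices}
    for hour, name in sorted(connects):
        d = by_name.get(name)
        if d is None:
            continue             # not in inventory: a discovery event, nothing to test against
        results[name] = (posture(d), hour)
    return results


def coverage(results: Dict[str, Result]) -> float:
    """Fraction of the inventory that has a real (non-'untested') result."""
    if not results:
        return 0.0
    tested = sum(1 for status, _ in results.values() if status != "untested")
    return tested / len(results)


def stale(results: Dict[str, Result], now_hour: int, max_age: int) -> List[str]:
    """Devices whose last assessment is older than max_age hours (or missing):
    candidates for the follow-on test."""
    return sorted(name for name, (_, hour) in results.items()
                  if hour is None or now_hour - hour > max_age)


# Constructed inventory: servers up 24/7, laptops only during the working day.
INVENTORY = [
    Device("web01",      range(0, 24), True),
    Device("db01",       range(0, 24), False),
    Device("laptop-ann", range(8, 18), True),
    Device("laptop-bob", range(9, 17), False),
]

# Constructed connect events as (hour, device name).
CONNECTS = [(8, "laptop-ann"), (9, "laptop-bob"), (0, "web01"), (0, "db01"), (13, "laptop-ann")]

if __name__ == "__main__":
    night = scheduled_scan(INVENTORY, 3)
    print("3am scan:", night, "coverage", coverage(night))          # laptops untested
    live = scan_on_connect(INVENTORY, CONNECTS)
    print("on connect:", live, "coverage", coverage(live))          # everything tested
    print("stale at 18:00 (>8h):", stale(live, 18, 8))
```

The scheduled scan covers only the always-on servers, while the connect-triggered run reaches every device that showed up during the day; the stale check is what turns "status as of last connection" into a list of devices that need the follow-on test.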

May 05, 2008

Frost and Sullivan agrees that NAC has begun the climb to enlightenment

Frost & Sullivan is the latest analyst firm to note that NAC is coming on through to the other side. They say, "As common misperceptions are dispelled and NAC gains acceptance as a key part of network security, these technologies become the center of a highly competitive and lucrative market ..". They have released a new report according to this article in Trading Markets. The report further states, "NAC has made its mark in the market to such an extent that more participants have entered the NAC space. In the near future, this growth phase of the market will get a strong boost from the entry of major participants."  The report goes on to say, "NAC has proved its worth as an enterprise security product that can effectively enforce security policies. Now that many third-party product evaluations and customer reviews are available, customers can make well-informed decisions and purchase a superior NAC product. This also expects to help drive the market."

OK, enough quotes from the article.  My point is that despite the ramblings of the naysayers like my friend Stiennon, there is a gathering storm of evidence and commentary showing NAC is real, it works and it is valuable.

May 02, 2008

Stiennon says NAC is dead - I must be in heaven!

That gadfly of the security world, Richard Stiennon, says NAC is dead. In fact he says NAC actually never was and never will be. Of course, this is the same Richard Stiennon who said IDS was dead so many years ago. If NAC is only half as alive as IDS has been, I would be very happy. Why do I call Richard a gadfly? Because Richard's MO is trying to find what the next hot thing is and to jump on it; then another hot thing comes by, he runs to that, and so on and so on. He thought anti-spyware was big and joined Webroot; after a relatively short time there he left. He then took a whirl at his own analyst firm, when a few others were forging a new breed of analyst firm, and after a short time doing that moved on again. He then was CMO at Fortinet and again after a short time left there too. Now he is the CEO of an MSSP (hey, I hear SaaS is the next big thing); how long this will keep his attention, or the powers that be keep him on, is anybody's guess. But if past track record is any indication, Richard will hop on the next big thing sometime next year. I mention this because fundamentally I think Richard's attention span or maturation horizon is why he does not see that NAC is marching on.

As you can probably guess I strongly disagree with Richard's opinion on this one. However, to understand why, some clarification is necessary:

1. Richard is mixing metaphors with Network Admission Control and Network Access Control. Both are NAC. Admission control was coined by Cisco, access control was first used by Gartner I believe. Richard seems to indicate that admission control is bad, access control or at least some definitions of it are OK. More importantly, Richard uses admission control as a code word for pre-connect health checks, access control for identity based and post-connect control. I think both are very important and as I have said many times a good NAC solution needs all of these.

2. NAC vendors being depressed, etc. Yes Richard, some NAC vendors not making it are depressed and having layoffs and hard times. That is the way of capitalism and competitive markets, I am afraid. There are winners and losers. I would bet that even in the $500 million/year UTM market that you spent a whole year in, there are some vendors who are just not making it and would be classified as depressed.

3. Gartner says several NAC vendors are getting traction. They recently released a marketscope on NAC and sorry Richard, but StillSecure is one of the few out of 17 vendors which was given a positive rating, the highest rating Gartner gave. BTW Richard in that same marketscope your "buddies at Gartner" estimated the NAC market at $225m for 2007 and expect 100 percent growth in 2008. In case your calculator is not handy Richard, that should put NAC around the $450m mark in 2008. Not that different than the number for the UTM space that you use in your article. Hopefully that will allow you to put your "magnifying spectacles" away, unless there is something else that you would want to make look bigger than it is.

4. NAC being created by Cisco in 2003 to solve the worm problem. Richard, perhaps that is why Cisco did NAC. BTW, they announced in like November or December, 2003. We released Safe Access in April 2004. It was under development for at least 12 months before that. We did not call it NAC of course; our working title was endpoint policy compliance. Richard, today Safe Access solves that same problem, endpoint policy compliance. We have not deviated from our original plans around this from day one. It is purpose-built to solve a problem that customer after customer told us they wanted a solution for. Maybe that is why we have had success with the product.

We did not jump on the latest, hottest thing bandwagon. In fact I have found that companies and people who jump on the latest big thing, inevitably fail. You cannot time the stock market or the technology market. The NAC market is a perfect example of this. Companies who have taken products that were not successful in another incarnation and morphed them into a NAC product are the companies that are failing. Maybe I am more of an EF Hutton type than you are Richard, but I believe in building a company the old fashioned way. Find a problem that customers are willing to pay for a solution for. Then build that solution and bring it to market and work hard making it the best it can be. If you did your research right and you built the right product, the market will come to you. It may take longer than you think, but if you keep at it, cream always rises to the top and quality always wins. You cannot win running to the next big thing, see through what you start to the finish. Richard if you want to consider that some free advice, take it!

5. NAC is only for the .edu market. Again Richard, take some time to dig in here. Yes, the edu market is a big adopter of NAC. But let me give you some other examples. Any network that will have a large number of unmanaged visitors or guests is going to be fertile ground for NAC. That includes the government sector, where many users are contractors or visitors. I know you have much disdain for the federal government's IT security practices, Richard, but if you spend a little time (there is that phrase again) digging in to what they are doing, you will see that NAC does indeed solve a real security problem for them, and that is why we have had a great deal of success in the government vertical.

Richard no one ever claimed that NAC is a reason to avoid other security tools. Just the opposite, NAC should work with and leverage your existing network infrastructure and security technologies.

6. NAC does not tie you down to one vendor's ecosystem if you don't want it to. The TCG/NAP interoperability and now the new IETF standards are bringing one standard to NAC. It does not tie you down, but frankly, in case you haven't noticed with all of the moving around, Microsoft already has you pretty tied to one vendor's ecosystem and frankly Cisco has you pretty tied to another. Don't be so naive, Richard.

BTW, I notice you like what ConSentry and Nevis do without quarantine. While neither of those companies is apparently setting the world on fire as secure switches, you should check out our white paper on a phased approach to NAC that talks about NAC being more than quarantine. You can get it here.

Author's note: BTW Richard, while I am chief blogger here at StillSecure, my official title is chief strategy officer and I have been working here for about 7 years now.

Is NAC clawing its way up the "slope of enlightenment"?

It's no secret that over the past year it has been quite fashionable to bash NAC. It has not lived up to the hype. It is not the promised silver bullet. Some companies in the market went belly up. Yes, yes and true. But as I have said all along, this was, I think, just the natural evolution of a technology as it matures. There was no way it could live up to the over-hype that it was saddled with. Those who spoke about it realistically always said it was not the next "great white hope" of security, just another arrow in the quiver. However, the reason that people got excited about NAC was that at a rather simple level it was very easy to describe the problem it was trying to solve. As it turns out, solving that simple problem takes a rather complex solution, no matter how you slice it.

In the end though, what we have seen in the NAC market is a textbook hype cycle. The technology triggers for NAC were unseen-before numbers of guests having legitimate reasons to access the network; the spread of malware not through downloading via the Internet, but by introduction via devices logging on; and the need, for compliance or otherwise, to enforce access policies with the network technologies to make it happen. With Cisco announcing their Network Admission Control program in December, 2003 and Microsoft announcing NAP that summer (interesting that it would be years before either one was actually available), NAC buzz went through a big bang expansion to the very height of inflated expectations. What goes up must come down, and NAC certainly has been dragged into the trough of disillusionment. However, the inherent appeal of the problems it can solve continues to drive customers and interest. Now we are seeing real signs of NAC emerging onto the slope of enlightenment on the way to the plateau of productivity.

What has got me so optimistic?  It is a variety of things.  Let me list them:

1. Network Computing's 3rd annual NAC survey, which, while it shows demand for NAC is down from past years, shows it is still substantial and appears to be deeper if not as wide. It also has several other metrics showing people are being more realistic in what they want to accomplish with NAC and have more confidence that it will work.

2. Forrester's new report that shows that customers think NAC is mature enough to be ready for more wide scale deployments. Remember this is the same Forrester who said that NAC as we know it would fail last year. Has NAC changed so much in a year or has Forrester?

3. That Ebenezer Scrooge of NAC, Mike Rothman, actually admits that maybe we are seeing some progress with less inflated expectations with NAC. What could be next, the NAC Grinch, Richard Stiennon admitting it might be OK as well. Here is my prediction: When Rich's new MSSP can make money offering a managed NAC service, Richard will jump on the NAC bandwagon with bells on.

4. My own observations at Interop, RSA, SANS and other events where I spoke to real live potential customers.  I have personally seen a marked upturn in the amount of real NAC projects that we see coming into both our partners and our sales pipelines. I assume that other NAC products are seeing the same pick up.

All of this is very gratifying to see after the bashing NAC has taken.  Now it is onwards and upwards to the plateau of productivity.   See you there!

April 11, 2008

Milton Security Group takes over Vernier EdgeWall 7000 support - Who is Milton Security?

From this press release it looks like the newly named Autonomic Networks (formerly Vernier) has found a sucker (strike that, an entity) to take over ongoing support and perhaps development of the EdgeWall 7000 line of appliances (what about the other EdgeWall models?). Before we go any further, one might say that unlike Lockdown, at least they are getting someone to support the customers. But before we go there, maybe we should ask, who or what is Milton Security Group? I am afraid when we peel the layers of this onion we find more of the same old, same old from the folks at Vernier.

I went to the Milton Security web site and it looks like the paint is still wet. They are in protection, compliance and reporting, but I am afraid the links are not yet working to dive in much beyond that. When you go to the company page you get this:

About Milton Security Group LLC

Success in the 21st century is defined by your agility in a changing time. This includes adapting to the needs of your employees, contractors, outsource providers on the workforce side and the changing landscape of how to provide the right access to each one of these groups. Your current infrastructure may be limited in its ability to change as well. Real time auditing and control is required in this age, The Age of Compliance(T).

Milton Security Group LLC is a security company with a consulting practice. The Principals and Staff at Milton Security are dedicated individuals with many years of experience with diverse organizations from small businesses to government agencies. Combined with this and our unique range of experience and knowledge, Milton Security serves only one purpose, helping our customers succeed.

OK, not really too much there. They are a security company with a consulting practice. I did a little more digging. They have two job openings posted, one for a Sr Systems Engineer for the current and next generation of MSG NAC products. I guess this is the guy who will continue on the development of the Vernier line.

But you guys don't pay me what you do to stop there do you? I did some more digging. Seems that Milton Security is the brainchild of its founder and CEO, James McMurray. I did some more digging and it seems James is the former head of the SE group at Vernier, what a surprise! Looks like he was able to get them to let him take over the IP and run with it. I bet he and his friends paid little if anything for this.

People, let's get real here. I applaud James for biting this off and wish he and his band of merry men the best of luck. But is this fair to the people who spent all that money on the Vernier boxes? At best Milton will be pressed to keep up with the Snort and Nessus signatures the Vernier boxes use. I guess being this small, without VC money behind them, they might be just better off using the Tenable and Sourcefire signatures and hope that those guys figure they are too small to sue.

If you are a Vernier customer you have to be checking your underwear. I mean do you want Milton-Bradley supporting your NAC system? This isn't board games we are talking about here. There are too many replacement and trade up offers from StillSecure and other NAC vendors for you to want to be a guinea pig in yet another experiment from the folks at Vernier. How many times do you have to get burned before you learn? You deserve better!

April 09, 2008

The Federal government is a leader in NAC adoption

I had to comment on an article in GCN by William Jackson on network access control. William, I am sure with the best of intentions, set out to do an article on the different types of NAC that are available and their continued adoption rates. However, he made the mistake of positioning his article on the federal government's NAC adoption evolution based upon just speaking to Greg Stock over at Mirage Networks and some of the folks at Enterasys. Neither company has any real NAC presence in the federal government. So of course the perspective would be that the federal government has not been an early adopter of NAC. You know what they say: when you are a hammer, everything looks like a nail. The fact that Stock even brings up a NAC managed service as a potential option for the federal space screams that we are talking about someone who knows nothing about the federal space.

So let me add a voice of experience and some truth here. The federal government has not only been an early adopter of NAC, but it has been a leader in driving NAC standards and functionality. Go talk to the DoD and the armed forces about what they have been doing around NAC. Go talk to DISA about NAC deployments. Speak to Homeland Security, FCC, Transportation, USDA or any number of other federal agencies who have been looking at and using NAC for years already and then try to tell me that the Feds are lagging on NAC adoption. Go ask Cisco how much NAC they have sold into the federal space.

I wish Mr. Jackson would do a little more digging besides talking to vendors with little or no presence in the federal market and in some cases even less experience in it. GCN readers deserve better!

Safe Access wins SC Magazine Award Reader Trust Award, again!

One of my favorite activities of RSA week is getting dressed in a tuxedo and attending the SC Magazine award show. As I have written before, I like the SC Magazine awards because it is one set of awards that I don't think you can buy. It is actually based on user votes. This year, for the 3rd time in 3 years, our Safe Access NAC product was a finalist in the Best Endpoint Security Solution category. We won in 2006. This year we came back and won again!

This year, with everyone throwing dirt on NAC it was especially sweet to win this award against the many other competitors. It is a great testament to all of the hard work that many people at StillSecure have put in to making Safe Access the best product in the NAC market.  I also want to thank the many people that voted for Safe Access as well. 

NAC is alive and well at StillSecure.  Thanks to Ilena Armstrong and the rest of the SC Mag crew for putting on another great awards show this year.

March 31, 2008

Does this sound familiar?

ForeScout Technologies Expands Buyback Program for Customers Looking to Replace Network Access Control Solutions

CUPERTINO, Calif., March 31 /PRNewswire/ -- ForeScout Technologies, the leading provider of clientless network access control (NAC) for Fortune 500 enterprises and government organizations, today announced an expansion of its Lockdown Networks buyback program to cover any qualified NAC product from competing vendors including Bradford Networks, Cisco, ConSentry Networks, Juniper Networks, StillSecure, Vernier Networks, and others. This comes after a week of partner requests to apply credit to other NAC products which have not satisfied customer needs in order to migrate to ForeScout's ....


Compared to this:

StillSecure Offers Vernier Networks' Customers Dollar-for-Dollar competitive Upgrade on NAC,
Competitive Upgrade Program Available to All NAC Customers Seeking a Stable NAC Vendor

(Superior, Colo. – January 11, 2008) – StillSecure®, provider of secure network infrastructure software, today announced a Competitive Upgrade program for NAC users that allows customers using products from Vernier Networks and others to easily migrate to StillSecure Safe Access®. The program offers a dollar-for-dollar trade-in up to $100,000 for previously purchased NAC software. Participating companies receive credit for every dollar spent on their current NAC solution, which is automatically applied to their purchase of the Safe Access NAC solution.

Notice the dates. Hey, you know what they say: Imitation is the sincerest form of flattery!

March 27, 2008

If it quacks like a duck, walks like a duck, it must be NAP

I had an interesting meeting with Microsoft on NAP the other day. While I think you would have to be pretty delusional not to realize that eventually NAP will dominate pre-connect health checks of devices, I was surprised at the "Microsoft-ese" they still speak around NAP. First of all, they insist that NAP is not a product or even, in deference to my friend Hoff, a feature. Instead NAP is a platform, implying that other products will run on top of it. Next they again reiterated what we have heard before, that NAP is not a security tool, but just a real estate play: enabling devices to be up to spec.

My take on this is I don't know if the Microsoft folks are being disingenuous regarding these two points or whether they are just that naive. My gut tells me that Microsoft is usually not naive. Yes, third-party vendors can show that they can add more tests than NAP will have. Yes, you can use SHVs and SHAs, but how much are people really going to value them? You can take the information it generates and do some reporting around it. But let's be clear, the NAP "platform" is most certainly going to be used as a product.

It will be used as a product, and it will be a security product at that. Configuration management could be said to be borderline security by some. But when you add the ability to deny access to those not up to snuff on configuration, I think you have clearly crossed the line into security. I think Microsoft would come off better saying that NAP is not meant to keep out the determined hacker, but saying it is not a security tool just doesn't ring well.

So what is the rest of the NAC vendor world to do? Should we all pack up and follow Vernier and Lockdown to the next cool thing? No, not at all. I think there are exciting opportunities at hand with NAP. Yes, it is a security product, but it also is an enabler for more NAC features. The successful NAC vendor has to figure out what those are and capitalize on them. Also, NAP is all about health checks. Post-connect, identity-based NAC and other NAC features can be used here to enhance the health checks. Overall NAP will drive the NAC market to move beyond just health checks, and that will be a good thing for the NAC market and customers. But guys, let's be real, it is a security product!

March 23, 2008

Blogging for the sake of blogging

So I guess all of this back and forth on the NAC market and Lockdown has some people getting a little emotional. First, founder #4 (I wasn't even aware there was a founder #4) of Lockdown, Daevid comments on my last post taking me to task for having the audacity to moderate my comments, even after I require people to put in their name and email address in order to comment. I think Daevid is under the impression that I wouldn't publish comments critical of me and that this is cowardly of me. He thinks that this somehow gives me the courage to speak my mind.

Wow. First of all, I guess Daevid has never had a blog before, so is not aware of the blog spam problem that forced many of us bloggers to install moderated comments. As I am sure most of you are aware, but for Daevid's benefit, I don't censor any comments to my blog; in fact I encourage them. I just won't allow spammers to use my blog. It has nothing to do with my courage or cowardice; it has more to do with the fact that I think blogs should be two-way conversations. It makes blogging fun. It goes to blogging for the sake of blogging, something I am not sure Daevid quite understands. I do understand that this is a difficult time for Daevid. No one likes to see something they helped start not be successful. I am sure he thinks that I was not sensitive enough to the situation there. But anyone who has read my blog for a period of time knows that my views on Lockdown Networks have been pretty consistent for a long time. I am sorry if that ruffles his feathers, but I do blog for the sake of blogging and say what I think. One thing though: if I say something, I always have the courage to say I said it and put my name to it. Whether to your face or on this blog, I am pretty straightforward and don't hide behind anything.

Now, that leads me to a comment I read on another blog involved here. A really brave guy who signs himself in as James Kirk leaves a comment and urges another vendor/blogger on NAC to "try and be as neutral to the industry as possible" and not be a new blogger "that blogs for the sake of blogging". He goes on to say some other things that my own paranoia makes me pretty sure he is talking about me. The neutral thing though is a bit naive, don't you think? If someone is blogging on a company blog, don't you think they are going to try and put their company in the best light and not be just neutral? Come on Kirk, you should have learned that in your first day at Starfleet Academy. You as the reader should be the arbiter of what is true, partially true or false. But the naivety of that comment pales in comparison to the second quote. Don't blog for the sake of blogging. James Kirk, to quote one of your friends, that is not logical. Why else should you blog, but for the sake of blogging? Bloggers blog because they want to hear themselves and they want the world to hear them as well. Blogging is singularly an ego-driven sport. Your total lack of understanding of this fact makes it clear why you did not have the courage to use your real name. You just don't get it. James Kirk, maybe you should stick to fighting Romulans and leave the blogging to us.

March 21, 2008

Babies and bath water

So the security blogging world welcomes a new contributor in Chris B over at Napera Networks. The Napera blog joined the Security Bloggers Network a short time ago with the public unveiling of the company. Chris's first article is called NAC is dead, long live NAC. Evidently Chris was at one time working over at Lockdown Networks and brings his own unique views on what went wrong at Lockdown.

Chris makes some good points about the Lockdown shutdown. One in particular that I think we should all realize is that Lockdown's failure is not a failure of NAC technology, but rather a failure of Lockdown's execution. NAC still solves problems that customers have. Done right, NAC is valuable and will find its place in the security world. Over the past few days there have been more people jumping on the "NAC sucks" bandwagon than there were vendors coming out with NAC solutions just a few short years ago. I read with disbelief Eric Ogren's piece in ComputerWorld the other day about him never being a believer in NAC. I don't remember him saying that when we were briefing him a few years ago. But maybe he was getting paid to cover NAC then, I don't know. But it is certainly fashionable to throw dirt on NAC now and there are plenty of people only too happy to do so. Frankly, part of me wants to say sure, go ahead, throw dirt. It will be that much sweeter to show the naysayers wrong. Actually selling the solution, we see the real market for NAC and remain jazzed. For us it is about execution.

What I fear is that we are throwing out babies with the bath water here with all of the NAC bashing. Yes, there are companies in this space that frankly don't have the technology or the team to make it. Lockdown is a perfect example. But there are others who have actually built a better mousetrap and the market (the ultimate decision maker) is rewarding them. If the media and analysts just keep bashing NAC, it becomes almost a self-fulfilling prophecy. No matter how good the technology or the team, it is like spitting into the wind. I saw this happen with the dot com bubble first hand. Many companies that were doing great things were killed off in the great extinction of the dot coms. It took years for the market to come back. In the case of NAC, not only would the better NAC companies and technologies be the ones to suffer, but the networks they can protect would suffer too. NAC is attractive because it solves a real problem that people have. In spite of what Paul Roberts at 451 or Amrit say, there are no existing tools that solve that problem for them as well.

My only issue with Chris is that he confuses the problem Lockdown was solving with the way they were solving it. Yes, using the network, including switches, is a great way to control access. However, Lockdown's technology of testing these devices with Nessus vulnerability scans was suspect for the NAC mission. But more than that, SNMP is never going to scale for NAC. It is not secure, but more importantly you just can't wire and script every model and version of switch out there. Ultimately much of Lockdown's problems revolved around that. Inherently Lockdown had the wrong solution to the right problem, on top of some of the other focus issues that Chris talks about.

All in all though, Lockdown's failure should stop being used as a blunt instrument by the NAC naysayers to bludgeon the NAC vendors who are executing and solving customers' problems!

Stiennon wants to know - it is all about execution

As some of you may know Richard Stiennon and I have had our disagreements over the years around NAC.  But say what you want about Rich, at least he had the stones to ask what many of you would probably like to ask but wouldn't. Here is Rich's comment and my reply:

Posted by Stiennon: OK, so one well regarded security company turns out not to be that successful after all. As you point out Allen, from the press releases everything seemed like it was going great for Lockdown. As you know I think NAC is a waste of time (the health checking part, not the access control part). And of course I am going to say that companies founded on purely bad concepts like admission control are going to fail and Lockdown is a great example. So here is the question, thou supporter of NAC. How are we to know whether or not StillSecure is on the brink of shuttering its doors as well? How can you assure us that NAC is such a great concept that customers are beating down your doors to get some of that magic? Just wondering..... -Stiennon

Richard, first of all thanks for the opportunity to respond. Secondly, you would think after all this time you would know that my name is spelled Alan.  With that out of the way, let's dive in here.

First of all, on your characterization of NAC being all about health checking: Richard, NAC grew beyond that a long time ago and I don't see much sense in us wasting time on that one.  But for the record, maybe you should let Microsoft, Symantec, McAfee and all the rest of the host based health checkers in on your revelation.

Next Richard, who said Lockdown was a well regarded security company and that it was founded on a pure concept of admission control?  You know what happens when you ass-u-me Richard, don't you?  I have been out here hammering on a lot of these companies that I don't think have real solutions.  There has been a ton of smoke and mirror games from marketing people (you wouldn't know about any of that would you Richard?).  When I called these companies on the BS, too many people said I was just being biased against them.

You don't see StillSecure putting out those kinds of releases. Fact is, Lockdown, with all due respect to the folks there, was set up from the beginning to be a quick flip.  It was as speculative an endeavor as some of the condo owners who are left holding the bag down here in South Florida.  They were going to do something around vulnerability management and flip this quick.  Richard, I have been there.  When you dress up a pig for market, oftentimes you end up with a dressed up pig. No amount of lipstick is going to help. On the other hand, we just keep executing.  At the end of the day Richard, companies who succeed are companies that execute.  You have certainly been at your share of companies and should know