Archive for May, 2010

This one isn’t marketing’s fault, although they didn’t do much to help. We’re talking about NAC and its dismal market performance. So what happened, and should it be rescued? We’ll tackle this – piece by piece – over the next few weeks. Let’s start with the lack of standards.

The Trusted Computing Group’s Trusted Network Connect (TNC), an industry organization that crafts NAC architecture documents and standards, recently launched a certification program which allows participating vendors to get a hallmark guaranteeing that their products implement the TNC protocols correctly, and that their architecture is compatible with other certified products.

But of course, the certification program stirred some dissent among vendors, as has often happened in the group’s five-year history. TNC’s standards have rarely debuted without debate, often provocative and rancorous. Joel Snyder, of NetworkWorld, this week chronicled TNC’s controversies, as well as the stubborn issues that continue to plague NAC. NetworkWorld recently conducted head-to-head tests of 12 NAC products to boil down what’s ultimately gone wrong with NAC, which was once so hyped and is now often feared.

Despite the disputes surrounding the certification, Snyder rightly points out the necessity for having standards in place.

First, it represents the main path forward for interoperable NAC products. With enterprise networks hosting more non-Windows devices than ever before, the need to have a multi-vendor approach to NAC continues to gain in importance.

The second reason is that these architectures are designed by security and network experts who are more interested in solving problems than getting a product to market quickly. While there are always commercial interests in any modern standards development, network managers can look to TNC and IETF-based products with some confidence that the primary design goal was security.

Without standards in place, NAC will continue to be a complicated headache for customers, many of whom will ultimately reject the technology and convince themselves that naked WLAN – maybe a firewall or two thrown in for good measure – is sufficient. That is, until they’re faced with a security breach.

Is the TNC certification a path out of the garbage pile? Chime in and join the discussion.

What We’re Reading, Week of 5/24

Posted: May 27, 2010 in Highlights

NAC: What Went Wrong
IDG reporter Joel Snyder and his colleagues spent four months in the lab testing the 12 leading network access control (NAC) products, and identified six barriers that have impeded the deployment of NAC within enterprise networks. They also came to the conclusion that “There’s no such thing as ‘best of breed’ in NAC, because for the 12 vendors evaluated, there are nearly 12 different ‘breeds’ of NAC product”.

The AShimmy Blog…
How Cisco’s Infighting Put Customers Last and Almost Killed the NAC Market
Blogger Alan Shimmy offers his perspective on how Cisco was the worst / best thing that ever happened to NAC, and shares his opinions of Joel Snyder’s article, “Cisco’s NAC Goes Off Track, Customers Taken Aback”.  Continuing on Cisco’s NAC customer beat and the fact that the company tried to kill off NAC, Alan believes the customers are the ‘biggest losers’ because they are sitting on tens of thousands of dollars of NAC equipment.

Forward Thinking with Michael Miller…
Using the iPad As a Work Machine
Michael Miller of tests out the iPad for business applications, and shares both his likes and the limitations he found.  One point that particularly stuck out to us is the need for a VPN client—as he points out, Michael would rather use a notebook and be secure.

Insecure about Security…
The Future of Endpoint Security
In this post, analyst Jon Oltsik gives us his take on the future of endpoint security. Some experts believe that antivirus is dead and that there is a pressing need for new models, such as cloud security services, whitelisting, blacklisting, virtual desktops, etc. Oltsik disagrees, and thinks that endpoint security will undergo massive changes to address new threats and requirements. Check out Oltsik’s post to see how he envisions endpoint security in the future.

Accuvant Insight…
Perimeter Security – A Far Flung Fantasy?
Chris Morales, solutions engineer for Accuvant LABS, discusses the complications of managing security for an IT infrastructure, particularly now in our mobile environment. He was approached by a client and was asked what it means to lose the workstation, to leave workers to their own devices, to place the users on the outside of the ‘kingdom’. What are the security risks? What are the security savings? Chris ponders these points in his post.

Education Research Report Blog…
Teachers’ Use of Educational Technology in U.S. Public Schools: 2009
Jonathan Kantrowitz summarizes some of the data reported in the May 2010 report, Teachers’ Use of Educational Technology in U.S. Public Schools: 2009. He shares with us that teachers indicated that a system on the school or district network was available for entering or viewing grades (94 percent), attendance records (93 percent) and student assessment results (90 percent). Of the teachers with these systems available, the percent using it sometimes or often was 92 percent for grades, 90 percent for attendance records and 75 percent for student assessments. These statistics prove the importance VPN and security have within an educational setting.

There’s the nightmare scenario where your network is targeted by professional hackers in a distant country unleashing any number of bad things on your systems. But, really, any associate with some hacking skills and an active ID into the network can do serious damage.

Case in point: new details that have emerged about last year’s squelched July 4th cyberattack show the damage done by a guy ‘just playing around’ and presumably not disgruntled.

Jesse McGraw, 25, worked as a contract night shift security guard at a Dallas hospital. There, he accessed 14 different computers on several occasions and could even retrieve patient data. But his ambitions were even loftier than patient data theft. He wanted to show up a rival hacker group.

McGraw, the leader of an online hacker group, installed a program so he could remotely access the data. He planned to use the machines in a denial-of-service attack. This outrageous story took an even weirder turn when authorities learned McGraw had posted a YouTube video of himself sidestepping the computer’s security and then downloading the malware onto a nurse’s station – with the theme of Mission Impossible playing in the background.

Of course, the damage he did was even more far-reaching. According to a statement from the Justice Department:

He also impaired the integrity of some of the computer systems by removing security features, e.g., uninstalling anti-virus programs, which made the computer systems and related network more vulnerable to attack.

Each count McGraw faces carries a maximum 10-year prison term and up to a $250,000 fine. He will be sentenced by US District Judge Jane Boyle on Sept. 16, 2010, reports Infosecurity.

This is a glaring example of why strict provisioning is absolutely necessary to an organization – especially those involved in healthcare. In the McGraw case, the bad guy was an active employee. Now replicate this across the 10,000s of provisioned contractors, full and part-time employees, as well as partners that an average healthcare organization has to manage. Further, if HR handles provisioning requests manually from IT … Are you starting to see the issue? But implementing an effective solution to the problem is certainly a complicated process.

Who owns provisioning in an organization? Should it be a shared responsibility?

How common is it for organizations to provision employees at varying tiers?

What to do about users who need network access from time to time, such as contractors?

For IT, enterprise wireless to get more gnarly in next decade
Reporter Matt Hamblen discusses the major increase in wireless technologies being used within enterprises and how it will impact companies. He poses some important questions to consider: Are IT shops integrating wireless into their technology processes and systems? Will there be a need to create a new position, chief mobility officer? If this momentum continues, we think so. There needs to be a central point of management for all of the employees and devices.

Network Administrators Say ‘Securing Remote Access’ Is Their Top Priority
Staff at SecurityWeek report on a recent survey completed by more than 350 network administrators entitled “What Keeps Network Administrators Up At Night”, and 52% identify securing remote access as the number one concern. Remote access remains a major concern, especially as more employees telecommute and the variety of mobile devices expands and increases.

The Register…
Working remotely: What are the solutions?
Freeform Dynamics analyst Andrew Buss shares with us a variety of solutions for working remotely, and VPNs are on his remote access list. He goes on to say that VPNs are one of the oldest network security tools in use; however, many companies still do not implement them, which is rather shocking. Buss believes that VPNs are not as widespread because they have the reputation of being complex, which isn’t the case anymore with universal solutions, such as NCP.