Posts Tagged ‘NAC’

Between The Lines, The Security Threat When the Insider Gets Outside
InfoSecurity UK, Securing the Remote Working Environment
Insecure About Security, It’s Time To Re-Examine Endpoint Security
V3.co.uk, Facebook and Web Apps Threaten Network Security
ZDNet Australia, Security Q&A: The Father of Firewall

Enterprise Networking Planet, IPv6 Day is Coming (But Not Until June)
Gartner Blog, Security Search Shenanigans – Where is NAC on the Hype Cycle?
Insecure About Security, Nearly Half of Large Mid-Market and Enterprise Organizations Will Increase Networking Spending in 2011
InfoWorld, Security Admins: Prepare for Tomorrow’s Tech Trend Today

We continue our conversation with Jennifer Jabbusch, a network security engineer and founder of the blog Security UnCorked, who recently tweeted a thought-provoking comment, “NAC is a philosophy, not a technology.”

VPN Haus: What do you think caused NAC’s dismal market performance and why do you think it’s changing?

Jabbusch: The birth of “Franken-NACs.” I say this all the time. The industry created the confusion and the vendors have perpetuated it by creating homegrown products and labeling them ‘NAC’ so they can play in the market. Look at the NAC vendors – we have everything from switch manufacturers (such as Cisco, Juniper, HP, Enterasys) to software and application vendors (such as Symantec, McAfee). Very few vendors started off with a dedicated NAC solution (Bradford is one of those). In what other world do an antivirus vendor and a router manufacturer have the same product? None. It’s ludicrous. Everyone saw a market opportunity and took whatever product they had and turned it into a NAC. Well, they turned it into something they *call* NAC. Each vendor approaches NAC from a completely different angle, with a similar set of marketed features and completely diverse ways of accomplishing them. The market confused the public and the public threw their hands in the air and said “I give up.” The failed implementations have killed the market growth.

VPN Haus: How are vendors getting better at embracing NAC, rather than stirring up more confusion?

Jabbusch: Standards! Standards and common frameworks will be the saving grace of NAC, and vendors that embrace these standards are the ones bringing NAC out of that dismal market performance. By having common frameworks, the vendors can offer similar solutions with similar functionality under the hood and THAT will decrease the confusion in the market.

VPN Haus: What is the major misconception about NAC that you’d like to set straight?

Jabbusch: There’s not one best NAC. Different solutions work better in different environments. There are a few that are universally good across the board, a few that are perfect fits and many that will be horrible matches for any one environment. Consumers and vendors need to understand that so they can pick something that works.

For Part 1 of this series including more on why Jabbusch sees NAC as a philosophy, click here.

Jennifer Jabbusch, a network security engineer and founder of the blog Security UnCorked, recently tweeted a thought-provoking comment, “NAC is a philosophy, not a technology.” We recently caught up with Jabbusch to dig deeper into this fascinating idea. To get this discussion started off, Jabbusch defined philosophy for us (via Wiki).

Philosophy is the study of general and fundamental problems concerning matters such as existence, knowledge, values, reason, mind, and language. It is distinguished from other ways of addressing fundamental questions (such as mysticism, myth, or the arts) by its critical, generally systematic approach and its reliance on rational argument. The word “philosophy” comes from the Greek φιλοσοφία (philosophia), which literally means “love of wisdom”.

VPN Haus: You recently tweeted that NAC is a philosophy, not a technology. Can you explain what you meant by this?

Jabbusch: Sure! See the definition above. It’s pulled from Wiki, but gets the point across. Network access control is a philosophy in that it truly is the result of studying fundamental issues of networking and security. NAC attempts to address some pretty nebulous concepts of authenticated users, access rights, endpoint security and network connectivity. Whom do we allow to connect; when, where, how and for what purpose? Because NAC tries to address such a breadth of fundamental security issues in one ‘solution’, there’s really no clear-cut definition of what NAC should be doing. Instead most consumers of the technology have only a slight notion of what it could be doing. Hence, we have to approach NAC as a philosophy, not a product or technology.

VPN Haus: What does it take for someone to “get” the NAC philosophy? What is the biggest barrier in getting people to “get it”?

Jabbusch: Helping people understand NAC and “getting” the NAC philosophy is extremely difficult. It really requires you to take a step back and pull your thoughts out of the fray of marketing lingo and vendor verbiage. If you want to “get” NAC, you should understand what ends you’re seeking and by what means you can get there. What I mean by that is – what do YOU want or need from NAC? Do you want port security, endpoint scanning, user authentication, or everything? Which functions are most important to you and which are directly supporting other business goals? Do you need part of the functions for compliance or is it just a nice management add-on for the network team? Once you know what you need, you have to understand your current posture and environment, and then connect the dots to a solution.

Connecting the dots is the hard part and that’s really where the opportunity to “get it” comes into play. The ability to dissect the various vendor offerings and understand on a technical level how they’re accomplishing a feature (the means to the end) is how you “get it”. I realize I just said you need to understand specific technical pieces in order to get a philosophy, and I know that may sound backwards to many people. The complication is that NAC is NOT a product, it’s NOT a specific technology, so in order to understand the philosophy of NAC, you really have to understand all the possible pieces that are feeding into it. Once you “get it” you’ll have that enlightened feeling that will help you and your organization pick the right solution.

Stay tuned next week for more from Jennifer Jabbusch, including NAC misconceptions and its poor market performance.

In the second part of our series on NAC, let’s look more closely at the way the industry has tried (and, we think, failed) to solve the complexity around NAC. Rather than dealing with the complexities of NAC head-on, many vendors have stirred up confusion and conflict but, ultimately, delivered very few viable solutions.

NetworkWorld’s Joel Snyder taps into this frustration in his recent piece on NAC: What Went Wrong. He points out:

NAC’s three components are authentication, end-point security and access control, but vendors tend to deliver NAC products based on their particular strong suits. This means NAC products tend to focus on one of those three components, often ignoring the other two… The broad variation in products is also due to legitimate disagreement on the best way to reach the final goal. The problem with this lack of consensus is that it causes confusion in anyone who is interested in adding NAC capabilities to their network. For example, is authentication important or isn’t it?

At VPN Haus, we believe that endpoint policy enforcement is the most critical NAC function. The reason is that this gives the customer the flexibility to make remote access as easy as possible for the end-user, while still maintaining high security standards. Once the process gets too sticky for end-users, they often start scouring for ways around NAC. And ultimately, that’s just as dangerous as forgoing NAC altogether.

What are your thoughts? What’s the most important component of NAC?