According to this story, a panel at the Infosec World Conference and Expo in Orlando raised some serious doubts about the current state of NAC. As a former InfoSec Manager, I understand the doubts about implementing a technology that isn't mature, but I really think some of these doubts about NAC are starting to give way as more and more people realize that the standard story told by the big grey behemoth (can't mention their name since I sell competing products) is not the only story to tell.
The problem is that the first NAC solution that so many people look at is from [big grey behemoth]. I think this is caused by two issues:
- [big grey behemoth] is the obvious choice for many people because they are comfortable with them and already use their switches / routers / firewalls
- There are TOO MANY choices out there. Everyone and their brother is jumping on the NAC bandwagon, and the sheer number of choices drives people back to the trusty [big grey behemoth] in the hope that [big grey behemoth] can make it simple.
But look at this quote from the story:
The common admission control architecture touted by [big grey behemoth] and Microsoft is dependent upon customers using [big grey behemoth] infrastructure and Windows machines.
When a security manager or network manager looks at these solutions, they just end up looking at a huge price tag and a lot of infrastructure changes that aren't necessary. There are many other vendors that offer NAC solutions that couldn't care less about your switch vendor. And many that are agentless couldn't care less about your desktop OS.
Here are some other issues I have with the panel:
One of the hold-ups to adoption is an internal conflict within organizations, Herbst said. Some people want to enforce a strict policy denying foreign PCs on the network, others want to allow foreign PCs from contractors and specialists to plug into the network, but they want a mechanism that will isolate them to conduct a health check of their systems. A third group wants to assure that nothing bad is being introduced into the network and that all PCs are checked to make sure that antivirus definitions are up to date.
"One of the reasons why we haven't deployed anything is because of these competing groups within the organization and we haven't decided yet which one is going to win out or which combinations we're going to deploy," Herbst said.
Ummmm, why is this any different from pre-NAC days? These types of debates were held way before NAC came around. Maybe some of the arguments were a little different because of the level of control possible with NAC, but access is access is access. I remember having arguments about whether my company was going to create a guest VLAN and assign different ports to it for visitors to plug into the switch. Basically, you have management make a business decision, and you implement. Get 'er done!
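The three positions the panel describes (deny foreign PCs outright, isolate them for a health check, or require fresh antivirus definitions on every PC) are not mutually exclusive; once management makes the business decision, they collapse into one admission policy with a few settings. The following is an added example, not code from the original post or from any NAC vendor, that expresses those three positions as one configurable policy. The endpoint posture fields, the VLAN names and the sample hosts are all constructed for illustration.

```python
"""Added example (not from the original post or any NAC product): the three
positions described by the panel, expressed as one configurable admission
policy instead of three competing projects.

Assumptions (all hypothetical, constructed for illustration):
- an endpoint is described by a few posture facts that either an agent or an
  agentless scan could supply;
- the decision is the name of the VLAN (or "deny") the port is assigned to.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    mac: str
    managed: bool                 # corporate asset known to inventory
    role: str                     # "employee", "contractor" or "visitor"
    av_defs_date: Optional[date]  # date of AV definitions; None = none found


@dataclass(frozen=True)
class Policy:
    allow_foreign: bool           # camp 1 says False, camp 2 says True
    foreign_vlan: Dict[str, str]  # camp 2: where each foreign role lands
    max_av_def_age_days: int      # camp 3: definitions older than this fail
    quarantine_vlan: str = "quarantine"
    production_vlan: str = "production"


def admit(ep: Endpoint, policy: Policy, today: date) -> Tuple[str, str]:
    """Return (vlan, reason). 'deny' means the port stays unauthorized."""
    if not ep.managed:
        # Camp 1: strict policy, no foreign PCs at all.
        if not policy.allow_foreign:
            return "deny", "unmanaged host and policy forbids foreign PCs"
        # Camp 2: foreign PCs are admitted but isolated, either for a health
        # check (contractors) or away from internal resources (visitors).
        vlan = policy.foreign_vlan.get(ep.role, policy.quarantine_vlan)
        return vlan, f"unmanaged {ep.role}, isolated to {vlan}"
    # Camp 3: even managed hosts must prove their AV definitions are fresh.
    if ep.av_defs_date is None:
        return policy.quarantine_vlan, "managed host with no AV definitions found"
    age = (today - ep.av_defs_date).days
    if age > policy.max_av_def_age_days:
        return policy.quarantine_vlan, f"AV definitions {age} days old"
    return policy.production_vlan, f"managed host, AV definitions {age} days old"


def evaluate(policy: Policy, endpoints: List[Endpoint],
             today: date) -> Dict[str, Tuple[str, str]]:
    """Apply one policy to a list of endpoints; keyed by MAC for logging."""
    return {ep.mac: admit(ep, policy, today) for ep in endpoints}


# Two of the business decisions management could make.
STRICT = Policy(allow_foreign=False, foreign_vlan={}, max_av_def_age_days=7)
COMBINED = Policy(
    allow_foreign=True,
    foreign_vlan={"contractor": "quarantine", "visitor": "guest"},
    max_av_def_age_days=7,
)

# Constructed sample endpoints (not real inventory data).
TODAY = date(2007, 3, 20)
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", True, "employee", TODAY - timedelta(days=2)),
    Endpoint("00:11:22:33:44:02", True, "employee", TODAY - timedelta(days=30)),
    Endpoint("00:11:22:33:44:03", True, "employee", None),
    Endpoint("00:11:22:33:44:04", False, "contractor", None),
    Endpoint("00:11:22:33:44:05", False, "visitor", None),
]

if __name__ == "__main__":
    for name, pol in (("strict", STRICT), ("combined", COMBINED)):
        print(f"--- policy: {name}")
        for mac, (vlan, reason) in evaluate(pol, SAMPLE_ENDPOINTS, TODAY).items():
            print(f"{mac} -> {vlan:11} ({reason})")
```

The reason string is returned alongside the VLAN so that every admission decision can be logged and audited; changing which camp "wins" is a matter of editing the `Policy` values, not re-architecting the enforcement point.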
The uncertainty and complexity of deploying NAC is likely causing most enterprises to defer deployment plans...
First, this quote is likely directed towards big enterprise environments. There are far more SMBs out there than Fortune whatever-numbers. Their environments are not typically that complicated, so this is not hard to do.
Second, there are solutions out there that are not that complicated, even for big enterprise networks. People just need to do a little more investigation.
While the technology appears promising, it still needs time to mature, the panelists said. There are still no established standards or best practices to follow.
I'm not sure what standards or best practices they want. The TNC is going down that path, and many of the NAC vendors are supporting the effort. Yet IPS and IDS are trusted technologies, and there is no single set of standards that IPS vendors adhere to for signature creation or other issues. An IPS can take down your network as hard as or harder than NAC. And best practices are best practices, no matter the technology. Yes, there are best practices on where to put an IPS or a firewall, but those are typically based on common sense and what you are trying to accomplish. The same rule applies with NAC.
Companies considering the technology need to conduct a standard risk assessment and figure out how much the project will cost to deploy NAC as well as ongoing support costs. When considering NAC products, companies should ask a vendor how much network reconfiguration needs to be conducted, whether infrastructure needs to be changed and whether the environment needs to be homogeneous, Maier said.
"Make sure the impact of the existing network infrastructure is clear," Maier said. "Lay out the architecture for the vendor before you accept an answer."
I don't have any issues with these statements other than that they make it sound like you only have to do this stuff before deploying NAC. An assessment just needs to be done, regardless of whether you are planning on implementing anything or not. How's that for a best practice? And when would you not "[m]ake sure the impact of the existing network infrastructure is clear"?
I'll say again, I wasn't at the conference, much less this panel discussion. But from the story, I think this panel really does a disservice to what I consider a fairly viable technology. I think more research needs to be done by the panelists, and I think the narrow scale of thought in the discussion should be broadened.