Oh NAC, We Hardly Knew Ye...

...before ye were corrupted by the Forces of Evil(tm).

An acquaintance of mine just returned from Interop with a drawerful of information which he showed to me. Having spent 18 months doing NAC deployments around the country and overseas, I was bummed at the direction many of the security^H^H^H^H^H^H^H^Hsoftware companies are taking this technology.

Let me clarify NAC (Network Access Control) for you. NAC is:
-Verifying the security posture of a system and the identification of a user to allow the user to use the system to gain access to the appropriate network, such as the enterprise, management or guest network. (Authorization may then allow the user to access resources on said network).

NAC is not:
-Anti-Virus (A/V)
-Anti-Spyware (A/S)
-Endpoint (personal) firewall (E/F)
-Posture/profile control (blocking USB devices, for example)
-A patching system

Once upon a time, NAC was a tool independent of the desktop security posture components (A/V, A/S, E/F, etc...) used to verify the functionality of these tools. A NAC posture server would communicate with the endpoint to test the endpoint to ensure that all of the requisite components were in place.

Now we have the SAK (Swiss Army Knife) "security" companies who make entire suites of products entering the NAC game. I have no problem with this.

I *do* have a problem with them verifying the integrity of their own suite.

Here's why: one common thread to most of the NAC installations I did was that the A/V tools consistently give false positives on their own deployment to the tune of 5% to 10% of the time. Translated, this means that for every 100 computers in an enterprise, 5 to 10 of them report as having A/V, BUT DO NOT HAVE A FUNCTIONAL A/V SOLUTION IN PLACE. This may be for a number of reasons, but my point is that if McAfee (in one example) has just mis-reported 800+ computers in an enterprise of 10,000 as having anti-virus when it is NOT installed and running, then I do NOT want to use McAfee as a tool to verify my security posture!

I want a tool unrelated to the system's security posture to verify everything else.

Don't get me wrong: McAfee having an 8% false positive rate does not put the "suck" label on them. To the contrary, it puts the "typical" label on them! Symantec and Trend fared no better. Additionally, tests we ran on the success of MS SMS changes fared slightly poorer. In cases where SMS was used to push out an application, we typically had a 10-20% failure rate, and many of the failures reported as false positives.

Don't let the SAKs influence you. Simply adding a NAC component to a suite you already have deployed is shortsighted thinking (or it's "shut up the auditor" thinking...been there...done that). Do it right, and let NAC stand alone. Think of it as the programmatic equivalent of separation of duties.
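The separation of duties argued for above can be made concrete with a small reconciliation script. This is an added example, not code from the original post or from any NAC product: it compares what a security suite's console claims against what an independent posture probe observed, and bases the network assignment on the probe alone. The host names, the `Probe` fields, the signature-age threshold and the `quarantine` network name are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_SIG_AGE_DAYS = 7  # assumed policy threshold, not from the post

@dataclass(frozen=True)
class Probe:
    """What the independent posture server observed (hypothetical fields)."""
    av_installed: bool
    av_running: bool
    sig_age_days: int

def av_functional(p: Probe) -> bool:
    # "Installed and running" is the post's bar; signature age is an added assumption.
    return p.av_installed and p.av_running and p.sig_age_days <= MAX_SIG_AGE_DAYS

def reconcile(suite: dict[str, bool], probes: dict[str, Probe]):
    """Return (false_positives, unverified, rate) for hosts the suite claims are protected."""
    claimed = sorted(h for h, ok in suite.items() if ok)
    # Suite says healthy but no independent observation exists yet.
    unverified = [h for h in claimed if h not in probes]
    # Suite says healthy and the independent probe disagrees.
    false_pos = [h for h in claimed if h in probes and not av_functional(probes[h])]
    checked = len(claimed) - len(unverified)
    rate = len(false_pos) / checked if checked else 0.0
    return false_pos, unverified, rate

def admit(host: str, probes: dict[str, Probe]) -> str:
    """Network assignment from the independent probe only; the suite's claim is never consulted."""
    probe = probes.get(host)
    if probe is not None and av_functional(probe):
        return "enterprise"
    return "quarantine"  # assumed name for a restricted remediation network

# Constructed sample data: the suite console's view versus the independent probe's view.
SUITE_REPORT = {"ws-01": True, "ws-02": True, "ws-03": True, "ws-04": True, "ws-05": False}
PROBES = {
    "ws-01": Probe(True, True, 1),
    "ws-02": Probe(True, False, 2),    # installed, but the scanner process is dead
    "ws-03": Probe(True, True, 30),    # running, but signatures are a month old
    "ws-05": Probe(False, False, 0),   # suite and probe agree: no A/V
}

if __name__ == "__main__":
    fp, unv, rate = reconcile(SUITE_REPORT, PROBES)
    print(f"false positives: {fp}  unverified: {unv}  rate: {rate:.0%}")
    for host in sorted(SUITE_REPORT):
        print(host, "->", admit(host, PROBES))
```

A host the suite vouches for but the probe has never seen (`ws-04` here) is treated as unverified and kept off the enterprise network, rather than being admitted on the suite's word.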
