NAC Fight - Five Rounds and Counting
A blog fight! A blog fight!
No surprise Alan Shimel’s involved, and this time he’s taken on Dominic Wilde at Nevis. It started with Dominic’s post responding to Mike Fratto’s blog on the limits of NAC. I took issue with some of Mike’s blog too and left a comment.
Then Alan took Dominic to task, Dominic responded, Alan replied, Dominic replied, and Alan replied again, promising it’s his last post on the topic.
So what’s to gain from jumping into the fray, with emotions running so high and allegations flying back and forth? I think both guys have gotten a bit lost in the weeds, whining at each other about various details, but the overall nature of the debate sits close to my heart. At the highest level, Dom is arguing that pre-connect or pre-admission checks are insufficient and Alan’s arguing, well, a bunch of stuff but essentially he gets mad whenever anyone says pre-admission isn’t enough.
So let me start by saying pre-admission, of whatever quality, isn’t enough – for a lot of customers. If it were all anybody wanted, we wouldn’t have well over 100 customers. (Now I have to tease my friends at Nevis and say “come on – not a SINGLE customer announcement all year? What’s up with that?”) Of course, pre-admission is enough for some, or Still Secure wouldn’t have any customers. (And actually, Alan, I couldn’t find any customer announcements for this year on the Still Secure site either.)
Clearly I agree with Dom’s overall premise that for many enterprises, pre-admission checks aren’t enough – they need post-admission control. And by post-admission, I don’t mean just running pre-admission checks over and over again, as a lot of people want to define it. I mean something very different – truly controlling what users can do after they’re admitted onto the LAN. This level of access control involves understanding who the user is and limiting the applications and resources that user can access based on role, location, time of day, and other aspects of who the user is.
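The distinction drawn above, between re-running admission checks and actually controlling what an admitted user can reach, is easiest to see as a policy engine that re-evaluates every access against who the user is, where they are and when they are asking. The following is an added illustration, not ConSentry or Nevis code; the roles, applications, locations and time windows are constructed sample values, and the rule format is an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple

# A rule grants a role access to a set of applications, optionally
# restricted to certain locations and a daily time window.
@dataclass(frozen=True)
class Rule:
    role: str
    apps: FrozenSet[str]
    locations: Optional[FrozenSet[str]] = None  # None = any location
    window: Optional[Tuple[time, time]] = None  # None = any time of day

# What the enforcement point knows about an admitted session.
@dataclass(frozen=True)
class Session:
    user: str
    role: str
    location: str

# Constructed sample policy (hypothetical roles and applications).
POLICY: List[Rule] = [
    Rule("finance", frozenset({"erp", "intranet"}),
         locations=frozenset({"hq"}), window=(time(7, 0), time(19, 0))),
    Rule("finance", frozenset({"email"})),  # email from anywhere, any time
    Rule("contractor", frozenset({"ticketing"}),
         locations=frozenset({"hq", "branch"}), window=(time(8, 0), time(18, 0))),
    Rule("employee", frozenset({"email", "intranet"})),
]


def in_window(now: time, window: Optional[Tuple[time, time]]) -> bool:
    """True if `now` falls inside the window; handles overnight windows."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # e.g. 22:00-06:00 wraps midnight


def decide(session: Session, app: str, now: time,
           policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Evaluate one access attempt. Default deny: no matching rule, no access."""
    for rule in policy:
        if rule.role != session.role or app not in rule.apps:
            continue
        if rule.locations is not None and session.location not in rule.locations:
            continue
        if not in_window(now, rule.window):
            continue
        return ("allow", f"role={rule.role} app={app} matched rule")
    return ("deny", f"no rule grants {app} to role={session.role} "
                    f"at {session.location} {now.strftime('%H:%M')}")


def enforce(session: Session, attempts: List[Tuple[str, time]]) -> List[str]:
    """Post-admission control: every flow is judged, not just the first one."""
    return [decide(session, app, when)[0] for app, when in attempts]


if __name__ == "__main__":
    alice = Session("alice", "finance", "hq")
    for app, when in [("erp", time(10, 0)), ("erp", time(22, 0)), ("email", time(22, 0))]:
        print(app, when, decide(alice, app, when))
```

The point of `enforce` is that the session having been admitted earns nothing by itself: the same user is allowed the ERP application at 10:00 from headquarters and refused it at 22:00 or from a branch office, because the check runs per access and not once at the door.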
This debate between Alan and Dom went down a few other paths I’d like to touch on as well.
Dominic – next time you steal my line, at least give me my props! Probably all nine people reading this blog fight were at the New York event and heard me draw the analogy between doing vs. teaching to talk about being inline.
Both of you – you talk about architecture, debating inline vs. out of band, as if the customers are thinking that way from the start. They're not, and they shouldn't be. They're thinking about what business problems they’re trying to solve. When they lay out their requirements, and match it up against product features, only then will architecture trends start to emerge. It so happens that if they need to actually control what people can do on the LAN, they need an inline device. The customers who need identity-based control get it – they understand that to do that, the device actually has to first see and then be intelligent about doing enforcement on all the traffic going through it. But the discussion doesn’t start with architecture religion – it starts with the enterprise’s needs.
Alan – your questions on the quality of the switch miss the point. Switching’s commoditized, for one, and second, anyone looking at a secure switch cares first and foremost about the security capabilities. Cisco, for all its switch dominance, can’t hold a candle to us on security features in its switches. Certainly we have the enterprise-class features needed to sell or we wouldn't be successfully selling it, but a purchase driven by security does change the decision focus.
For the last two quarters in a row, we’ve sold more switches than appliances, and the way this quarter’s shaping up, it looks like that'll happen again. It’s never about rip and replace – we offer both appliances and switches so enterprises can choose the platform that suits them best. But let me tell you, it’s really nice when an enterprise can take advantage of an existing, and substantial, budget item already earmarked for a switch upgrade and use that money to also get security and identity-based control built right in. It's that kind of pragmatism that shows me this stuff ends up in the infrastructure.
Both of you – way overblown on the IPS thing. Maybe Nevis uses Snort, maybe not – but regardless, it’s not the point. Enterprises will still use separate IDS/IPS devices – no one should act like even best of NAC devices will change that. But I heartily believe that if you’re sitting inline anyway, seeing all the traffic coming from the user edge of the network, and you can build in some smarts to do anomaly detection and help pinpoint network problems, you’re providing good value. And keep in mind anomalies take a lot of forms. For one of our customers, the ConSentry algorithms tripped alerts on an application built in-house. It certainly wasn’t malware, but it showed them where a piece of the code was written badly and was sending people off to the Internet for data they had in house. Not IPS, clearly, but still useful.
Alan – your rant on ASICs seems off too. Of course we at Nevis and ConSentry would be proud of our custom silicon – it’s the secret sauce for doing what we do. Even if merchant silicon is improving, we’re still way ahead of what you can buy, and owning those goods is incredibly valuable. Line rate, 10 Gbps packet inspection, including full L7 so I can show you the filename a user just accessed over Windows or the URL they just clicked on – that’s truly where we get the customer “a-ha!” moments. And you just can’t get there with off-the-shelf silicon. Secret sauce is always worth crooning about, especially when it's actually why you win.
You’re right Alan – your blog is your domain, and you are master of that domain. But I have to admit – I’m pining a bit for the old days when you blogged on stuff beyond picking on your competitors and trumpeting about Still Secure products. And riding your coattails? Come on - he's engaging in a debate that you started.
And just for the record, I’m siding with Dom here, but I can assure you I’m not playing the Olivia Newton-John role. I'm afraid neither my figure nor my voice would cut it.
mmclean-at-ConSentry-dot-com
Alan is one of those kids that you sat next to in your AE (advanced education) middle school or high school classes that no one ever listened to. His parents bought him into the classes to make him feel important and this is exactly what his VCs are doing for him now. He likes to hear himself talk and makes these mafia NYC-based comments as if people are really listening (just like high school). He tramples around adding lame slogans and images to these third grade blog wars in an annoying attempt to market his company and products. So what have I done? I've unsubscribed from his RSS feeds and podcasts so I can continue to absorb information that is worthwhile.
Posted by: Anonymous | August 07, 2007 at 04:58 AM
I have to take issue with the last comment. While I may disagree with what Alan says from time to time, I would never personally attack him. Michelle, you're right on the money with this post. Keep 'em coming.
Posted by: Anonymous | August 07, 2007 at 08:57 AM
To the first anon, you may not like Alan and his POV, but at least be brave enough not to hide behind the anon mask if you want to do some slamming. Otherwise you are nothing but a troll.
Michael
Posted by: Michael R. Farnum | August 07, 2007 at 07:53 PM
I am not sure where you get that ConSentry has over 100 customers when this year so far rumours are that you got only 3 customers.
Posted by: mike smith | August 25, 2007 at 12:32 PM