En Garde!

Tim Greene's column on the relationship between NAC and VoIP and Alan Shimel's blog response both took a fairly narrow view of how NAC can help protect VoIP systems. The perspective in both cases is limited to a more admission-focused definition of NAC.

Tim talks about how endpoint scans could catch an infected system and in turn prevent that system from infecting the VoIP systems. Alan responds saying NAC really can't do much to help VoIP at all and saying so just adds to the over-hyping of NAC.

I disagree with both, because they've overlooked a key way that NAC can extend protection to VoIP systems. If by NAC one means not just admission control but also network access control, and if that access control can include policies that limit which devices can communicate with which other devices, then NAC can help substantially in protecting VoIP systems.

Think about a system that first is able to identify VoIP components - either via MAC address whitelisting or via reverse DNS lookup and using device names. Then think about policies that say VoIP phones can communicate only with the call manager and vice versa. You take just that simple combination and you've already got fairly robust protection right out of the gate. A desktop spewing a worm won't infect a VoIP phone or the call manager, whether or not an endpoint scan catches that worm, because that endpoint is not a device that's authorized to communicate with either the VoIP phones or the call manager. Similarly, a desktop trying to launch a DoS attack on the call manager will fail, because again, that's not a device that's allowed to send traffic to the call manager. Emerging SPIT (spam over IP telephony) attacks would also fail, since direct communications from VoIP phone to VoIP phone would also be against policy and therefore blocked.

Then imagine extending those controls with specific protocol support - so the policy would say that only the SIP, H.323, or Cisco Skinny protocols should ever emanate from a device known to be a VoIP phone. Same with a call manager. Now any data-based attack, from any device, will not be able to take down the call manager or the VoIP phones.

So really, NAC can do much more than just accidentally help protect VoIP systems. It's all in how you define it - and defined as network access control, with strong post-admission capabilities, NAC can get you there.

--Michelle McLean
mmclean-at-consentry-dot-com

Fortunately or unfortunately, I have another job at ConSentry aside from blogging, so I don't get to do it as frequently as I'd like. But the discussion that started, for the umpteenth time, a few days back on where the value is in NAC is just too important to leave with mis-information. So I'm responding to Alan's (is that better, Alan? ;)) comments here in more detail.

Let's be clear about one thing first - yes, ConSentry is really strong in post-admission. No, that's not why I think post-admission is the key to doing access control right. Let's think about typical business problems today:

The offshore development office where you've got no oversight over your "employees"
The contractors who have to be on your LAN but should only go to certain servers
The medical devices, robots, printers, and VoIP phones that need protection but can't host an agent
The stored data with no app-level control, like the research docs the DuPont guy stole
The credit card data that you have to not only restrict access to but document that control

None of these is solved with pre-admission control - not one. It's all about limiting what people can do AFTER they're on the LAN.

Admission control has limited value. And in case I haven't been clear in my opinion here, let me just say that I think admission control has limited value. It's not worthless - it just doesn't buy you much. And I believe that for reasons well beyond the fact that I work at ConSentry.

To be clear, ConSentry "gets it" that you need pre-admission control as a piece of the overall security solution. We just don't think that delivering our own installed endpoint agent is what customers want. Let's look at the strategy:

For unmanaged machines, no installed agent - you don't own the device, you're not installing software on it. Enter the ConSentry dissolvable agent. And yes, Alan, we OEM it from Check Point. Looks at OS, looks at AV, checks for adware/malware/spyware, looks at Registry settings, etc. Way more than "do you have AV software installed?" which is where a lot of dissolvable agents stop.

For managed machines, you need a permanent agent. We're smoking something if we believe you'll buy one from ConSentry. If Cisco's not winning at that game, why the heck would we think we could? Enterprises don't want to install yet another agent just to do NAC. They'll wait for MS NAP or they'll get the latest Sygate/McAfee/Trend version - something that's ALREADY on their desktop will do it. The managed PC is the desktop team's problem, and they're going to use software that's already on the desktop for NAC. That's where I think Amrit and Stiennon are really coming from - why would you go through all that trouble and expense of installing new software on the PC just for NAC? The endpoint software guys know they need to get there - hence the Symantec acquisitions of Sygate and Altiris.

So ConSentry's strategy - go figure - is why fight the customer. We'll work with NAP and Sygate and McAfee and Trend and any of the endpoint guys our customers ask us to. We're already working with regional endpoint guys in Europe and Japan, too - we call this Universal Endpoint Interoperability. We excel at post-admission control, but we know you need endpoint checking too, so we'll leverage whatever you've already got on the desktop to do it. And we'll give you a dissolvable agent to check the desktops you don't own.

As for advocating for out of band vs. inline, it's like the old saying - if you can do, do. If you can't, teach. Now that's actually heretical in my book since both my parents were teachers, but seriously, if you have the horsepower to be inline, and you're focused on security, you sit inline - full stop. It's always more secure to be inline. Those who advocate out of band simply CAN'T sit inline.

Alan's right - it's all about identity-based control. But out-of-band approaches cannot provide identity-based control. Taking feeds from an IDS does not equate to identity-based control. VLANs and ACLs do not equate to identity-based control. What do you do for the simple case, say the CIO? She's an exec and she's in IT - she needs overlapping sets of permissions. Are you going to build a VLAN of one for her, and then for every other person with a unique set of access rights? It just doesn't work. Plus, all this VLAN and ACL stuff is happening at L3 and L4, and what you really need is L7 - really understanding the app involved and applying access rights with that parameter as well.

Identity-based control is knowing all sorts of info about the user - name, addresses, location, role, group memberships - and mapping that to all sorts of info about what's happening at that moment - what server are you going to, what app are you running, what time of day is it - and applying policy to control access based on that entire universe of info.

I was an analyst and journalist for nine years, and as Rothman says, the instinct for skepticism simply doesn't get out of your blood. I didn't check my brain at the door in favor of a fresh batch of Kool-Aid when I joined ConSentry. I believe what I believe about the need for post-admission control not because it's all I have to hawk but because customers constantly affirm they need it. I'm fortunate to get a fair bit of time with customers, and many of them were trying to do this stuff with ACLs and VLANs, and it just wasn't working.

I'll readily admit to the "selective reality" problem, where given what your product's good at, you end up in front of customers with problems you can solve instead of those who can't use your technology. But that said, all you need to do is read the news today about what's getting companies into trouble and it's crystal clear it's all about controlling users after they're on the LAN. I believe that through and through, regardless of what ConSentry makes.

--Michelle McLean

mmclean-at-consentry-dot-com

Art Wittman's recent column in Network Computing on how "Security Drives Everything" highlights some of the findings in the latest NAC survey from the Network Computing/Current Analysis collaboration. Art comments that the healthcare industry, at least as embodied by Kaiser Permanente, has not embraced NAC because NAC can't help secure its medical devices.

Then Amrit, Shimel, and Stiennon are once again getting all worked up about the value of NAC. Amrit and Stiennon are boxing it into a corner saying it buys you minimal security and Shimel, understandably, is arguing the other side.

I have to say, I end up agreeing more with Amrit and Stiennon on this one - the way most NAC is positioned, especially Cisco's NAC and CCA/NAC Appliance, there isn't much value. Checking the integrity of a machine before admitting it, and verifying the user as authenticated, just doesn't buy you much. Is it a good best practice, and should it help define the access policy for your users? Yes. Does it set the bar for security? Far from it. That's why the Kaiser guy says NAC isn't for him - in that form, it can't support one of his most critical issues, which is to protect the medical devices on his LAN.

To meet Stiennon's Venn diagram take on what security should encompass, it must provide far more than pre-admission control. The big risk to organizations is what users can do after they're on the LAN, so network ACCESS control, in the broadest sense of what you should be allowed to access on the LAN, is key for businesses to protect their data.

It's also how the Kaiser guy can get his medical devices protected. Agent-based NAC won't help him at all. Instead, he needs a way to place that device into a "medical device" role and control what devices it can receive from and send to and what protocols it can run. That's how he can protect a CT scan machine from getting hit by a virus or other attack and protect against the machine or its port from being co-opted and used for evil.

IT needs to be thinking about network access control in its broadest form, and that really means having full control over all your users and devices, the whole time they're on the LAN.

Related to this broader definition, Rothman comments on Art's column and makes the point that too many IT folks see security as an after thought rather than fundamental to their business. He argues that to do things right, IT has to "talk business to the business people." Part of the challenge there is that the security products have to let IT implement controls using business logic. When all you have are VLANs and ACLs, it makes it pretty tough for IT to talk business.

Instead, they need tools that let them map those business policies much more intelligently into network enforcement practices. They also need infrastructure that embeds the security directly, rather than forcing IT to bolt on new features or use old dogs like VLANs and ACLs to perform new tricks like identity-based control. We talk about embedded security as Secure Switching - the ability to control every user and secure every port on the LAN. Whether it's an appliance, which is pragmatic for organizations not doing a switch refresh, or whether it's a secure switch if a company is upgrading their switches, the key is to have control capabilities embedded directly in the infrastructure.

That way, you're getting far more than NAC - which at the end of the day should simply be a feature on a switch. And you're not stuck with security as an after-thought - it's enabled in the infrastructure, supported by the tools to apply business logic so IT can finally talk business to the business people.

--Michelle McLean
mmclean-at-consentry-dot-com

Last week, Cisco had an announcement about an updated Supervisor 32 engine for its 6500 line of Catalyst switches. Understandably, this news fell under the radar of most security blogs and reports, but it's worth highlighting. The heart of this new Sup engine is the Programmable Intelligence Services Accelerator, promising L7 packet inspection and enforcement, and the focus is on getting this kind of intelligence in the wiring closet, as a blade in 6500s deployed at the LAN edge.

It's exciting to see Cisco drive this message around the need for security in the wiring closet, and for ConSentry, the timing couldn't be better. We rolled out our Secure Switching news today, and it's great to be in such good company as we drive that message. Of course, the Cisco module isn't out quite yet, and it'll max out at 2 Gbps, but we definitely get a boost from the Cisco messaging that this is the way IT should be building LANs. And it clearly broadens the message well beyond the well-worn Network Access Control path.

We also decided to have a little fun with our news and how we explain the impact on the wiring closet. If you get a second, check out our take on what this all means for enterprise networks.

--Michelle McLean
mmclean-at-consentry-dot-com