RealTime IT News

Mitchell Ashley, CTO, StillSecure

One of the hottest trends in networking this year is the full-scale emergence of Network Access Control, more commonly referred to by its acronym NAC.

Though Cisco originally coined the term NAC, nearly every networking vendor claims to have some type of NAC solution today. Microsoft is also working on a NAC solution called NAP (Network Access Protection).

Sitting at the crossroads of the various NAC approaches is security vendor StillSecure. The six-year-old company provides NACs that work with competing architectures, including Cisco's NAC as well as Trusted Computing's Trusted Network Connect (TNC), the standard Juniper Networks and others are pushing.

Despite a patchwork of standards in the industry, StillSecure's CTO Mitchell Ashley believes that the time for NAC is now. He chatted with Internetnews.com recently about why.

Q: What is the biggest myth out there about what NAC is or isn't?

One of the biggest myths about NAC is that everyone claims their product does NAC. It's the hot space in security and networking and a lot of vendors are attracted to that and try and position their product as being NAC.

Fundamentally NAC is about a couple of things. Number one is taking some type of policy and enforcing it on any device that connects to the network. Then, while they are on the network, [it's about] making sure they don't do any damage to the network.

So there are security and compliance aspects to it. There is also a control aspect, of being able to take people on and off the network.

NAC is so broad because there are so many vendor technologies that encompass the scope of NAC. Switch vendors, endpoint vendors, operating system vendors, access technologies -- all those things fold together into an overall NAC ecosystem. They all have to work together for a full NAC solution to work.

So what happens in the marketplace is vendors approach it as 'I have a NAC capability' and they present it as a NAC solution when really it's just a part of a solution.

Q: At the Black Hat security conference this past August, a security researcher alleged that DHCP-based approaches to NAC are insecure. Is he right?

DHCP [Dynamic Host Configuration Protocol, a protocol for assigning dynamic IP addresses to devices on a network] is a very viable option for deploying NAC, especially today.

I think that everyone recognizes that 802.1x [a standard for port-based security] is the most secure way to deploy NAC, since with port level authentication you can literally control from the moment they connect to the port.

The problem is that most networks aren't 802.1x capable yet.

The next best option is DHCP. There are some ways to get around DHCP. But I think that what most people are concerned with is not just keeping the hacker out. They are more concerned about a Blaster-type scenario where someone is away from the network and yet still needs security patching.

Most users aren't going to know what to do or the workaround or flaws in DHCP. It's a great strategy for starting out.

Q: Some argue that since there is no one big unifying standard for NAC, it's not yet time to deploy. Is this your opinion too?

We are a supporter of standards; we are a supporter of industry standards like TNC.

We also recognize that vendors are going to create proprietary architectures, [such as] Cisco and Microsoft.

Our position is that, rather than making a bet on which one will be the winner, we work with existing standards today like 802.1x and with proprietary solutions.

Q: What are your biggest technology challenges as CTO of StillSecure?

I think what I'm most taken by is the speed of change in the security marketplace. There is heightened awareness around security, many new initiatives and also the visibility of security all the way up to the boardroom.

When we started in 2000, security was still a backroom function.

It started to slip out into the network and system administration world because more and more people had to start performing security functions.

Another thing which isn't what we expected is the pace at which security is being embedded into the network. I think we'll see in the future that more and more security is put onto the switch and embedded into the router and into the fabric of the network. There still will be standalone appliances and applications but I think we'll see more of those things happening as adjunct processors to the switch or as code living on the switch.

Q: StillSecure is a relatively small vendor. How can you compete against Cisco and Juniper with their large, established channels?

The large vendors are juggernauts and clearly they have massive power and are a force in the industry. What we can do best is continue to demonstrate that we can solve network security problems today.

Customers are asking: Should I wait another 18 months until Cisco and Microsoft play well together, until NAC is fully baked, or until more TNC vendors show compatibility?

I think a lot of enterprises don't want to wait. They want to do something now and they are looking for solutions.

The best thing we can do is to continue to demonstrate that you can do NAC now without serious overhaul and also lead a path toward new standards and new industry initiatives.

Q: Is the time for NAC now or in five years?

Customers are telling me it's time now; they are looking for solutions today. We have very few situations where we are being interviewed for someone's plans in five years.