One of the hottest trends in networking this year is the full-scale emergence of Network Access Control, more commonly referred to by its acronym NAC.
Though Cisco originally coined the term NAC, nearly every networking vendor claims to have some type of NAC solution today. Microsoft is also working on a NAC solution called NAP (Network Access Protection).
Sitting at the crossroads of the various NAC approaches is security vendor StillSecure. The six-year-old company provides NACs that work with competing architectures, including Cisco’s NAC as well as Trusted Computing’s Trusted Network Connect (TNC), the standard Juniper Networks and others are pushing.
Despite a patchwork of standards in the industry, StillSecure’s CTO Mitchell Ashley believes that the time for NAC is now. He chatted with Internetnews.com recently about why.
Q: What is the biggest myth out there about what NAC is or isn’t?
One of the biggest myths about NAC is that everyone claims their product
does NAC. It’s the hot space in security and networking and a lot of
vendors are attracted to that and try and position their product as being
NAC.
Fundamentally NAC is about a couple of things. Number one is taking some
type of policy and enforcing it on any device that connects to the network.
Then, while they are on the network, [it’s about] making sure they don’t do any damage to the network.
So there are security and compliance aspects to it. There is also a control aspect, of being able to take people on and off the network.
NAC is so broad because there are so many vendor technologies that encompass
the scope of NAC. Switch vendors, endpoint vendors, operating system vendors,
access technologies — all those things fold together into an overall NAC
ecosystem. They all have to work together for a full NAC solution to work.
So what happens in the marketplace is vendors approach it as ‘I have a NAC
capability’ and they present it as a NAC solution when really it’s just a
part of a solution.
Q: At the Black Hat security conference this past August, a security researcher alleged that DHCP-based approaches to NAC are insecure. Is he right?
DHCP [Dynamic Host Configuration Protocol, a protocol for assigning dynamic IP addresses to devices on a network] is a very viable option for deploying NAC, especially today.
I think that everyone recognizes that 802.1x [a standard for port-based security] is the most secure way to deploy NAC, since with port-level authentication you can literally control from the moment they connect to the port.
The problem is that most networks aren’t 802.1x capable yet.
Q: What are your biggest technology challenges as CTO of StillSecure?
The next best option is DHCP
Most users aren’t going to know what to do or the workaround or
flaws in DHCP. It’s a great strategy for starting out.
Q: Some argue that since there is no one big unifying standard for NAC, it’s not yet time to deploy. Is this your opinion too?
We are a supporter of standards; we are a supporter of industry standards
like TNC.
We also recognize that vendors are going to create proprietary architectures, [such as] Cisco and Microsoft.
Our position is that, rather than making a bet on which one will be the
winner, we work with existing standards today like 802.1x and with
proprietary solutions.
I think what I’m most taken by is the speed of change in the security
marketplace. There is heightened awareness around security, many new initiatives
and also the visibility of security all the way up to the boardroom.
When we started in 2000 security was still a backroom function.
It started to slip out into the network and system administration world
because more and more people had to start performing security functions.
Another thing which isn’t what we expected is the pace at which security is
being embedded into the network. I think we’ll see in the future that more
and more security is put onto the switch and embedded into the router and
into the fabric of the network. There still will be standalone appliances
and applications but I think we’ll see more of those things happening as
adjunct processors to the switch or as code living on the switch.
Q: StillSecure is a relatively small vendor. How can you compete against Cisco and Juniper with their large, established channels?
The large vendors are juggernauts and clearly they have massive power and
are a force in the industry. What we can do best is continue to demonstrate
that we can solve network security problems today.
Customers are asking: Should I wait another 18 months until Cisco and Microsoft play well together, until NAC is fully baked, or until more TNC vendors show compatibility?
I think a lot of enterprises don’t want to wait. They want to do something
now and they are looking for solutions.
The best thing we can do is to continue to demonstrate that you can do NAC
now without serious overhaul and also lead a path toward new standards and
new industry initiatives.
Q: Is the time for NAC now or in five years?
Customers are telling me it’s time now; they are looking for solutions today. We have very few situations where we are being interviewed for someone’s plans in five years.