Network Access Control Looking Like a Flub
March 21, 2008 by Greg Ferro · 5 Comments
While I am no expert on NAC I am deeply unimpressed by the whole technology. It looks like a whole bunch of trouble that is guaranteed to keep you up all night.
I see today that Lockdown Networks couldn’t get funding and are going out of business. This suggests to me that you should not go anywhere near NAC.
Notification
Lockdown Networks closes the door
If the Venture Capitalists think NAC is a bust, then the whole market space is looking like trouble.
I have looked briefly at NAC a couple of times and the software just looks very ugly. It adds layers and layers of software, wrapped around the Windows operating system. Years of experience of Windows suggest that this is not a good idea™.
I can accept that NAC for Windows XP might work, after all, the NAC people have have five years to work out the bugs. But with WinXP SP3 coming, and Microsoft not giving up on Vista and pushing out WinV SP1 I wouldn’t want to be looking after desktop and laptop fleet that had NAC. The NAC client software is sure to need updating.
As a network geek, it also need a lot of things to be available for it to work correctly. Indeed, it becomes a mission critical system as soon as you roll it out which is a distraction from the real business function.
Another concern as an outsider, is that the migration away from Windows to MAC and Linux looks to be gaining momentum and almost none of the NAC products work on these platforms.
View
NAC is an idea that has its place in ultra secure operations such as defense / military, but I don’t think it’s viable for real world applications.
Please rate this post:
Why Rate Posts?
(No Ratings Yet)
Loading ...
Knowledge, visibility and simplicity, in this order, are my guide for all design, deployment and operation. NAC helps to improve visibility, but makes it more complex. But visibility has higher priority then simplicity and NAC is therefore, by my definition, a good tool. The question is, what visibility do NAC deliver? It’s not about network visibility; NAC gives visibility to the people working with hosts. NAC have been promoted through the network channels, that’s why I believe NAC have failed to expand. Let’s see what’s happen when MS starts to push for NAP? What I have seen, NAP is not the best, but it will be presented to host people. I think this will increase all kinds of NAC/NAP knowledge and acceptance.
As I have done both Cisco’s NAC framework and Clean Access installations in real networks, the effect is the same. As soon as we reach the point where we add a ‘block-filter’, the number of server and client machine not known are more then expected. The security in NAC, as I see it, are that the host people suddenly will see *all* machines on the network and they can start incorporate them in IT-policies. Network people already know it’s more then the official numbers, by counting the great number of switch-port in use. But host people normally only ‘know’ the number by the SMS, AD-accounts, AV-tools . . which of course only show ‘known’ machines.
NAC gives the possibility to ‘see’ everything connected on the network, which have never been easy before. Every customer I visit tells me that they have ‘good’ knowledge of their connected machines, but all my NAC installation proves that’s not true.
I agree that the agent part is a pain, but that goes for all SW installed in any computer when the underlying OS is changed. But if the people working with the computers, not the network, handle NAC, I think it has a feature. Network people have to be involved, especially when NAC is deployed, but they should not be ‘in charge’ of NAC.
The problem I see is how to handle machines which should not be handle by NAC, like copy machines, IP managed air conditions, IP based keyboard/mouse/screen adapters … name it, you will have more then you ever believe and the number will grow. I have tried to combine NAC/802.1x/VLAN/MPLS to keep ‘strange’ machines out of NAC; it seems to work pretty well. But everything starts with deep knowledge in networking, system and applications. Knowledge is the key whatever technology used.
Best Regards
– Per Håkansson
SpeedApp AB
CCIE 2446
PS: Defense & military seems to be the people who have best control already, I think there are many other companies who needs NAC even more.
I disagree.
It is mumbojumbo to assert that NAC improves everything. It makes hosts and networks more complex thus delivering negative outcomes for business.
It stops users from adapting and adopting new ways of working, and thus causes companies to stagnate and ultimately fail. It is the ugliest face of security consulting gone too far.
If NAC is a viable technology that has real meaning then it must be introduced as part of the OS, and not as some sort crufty add on.
If you cannot see your network, hosts and servers with the tools we have today, then you are not using other technologies correctly.
NAC is not the answer, its a failure to ask the right question.
I see your point, but I have not seen any good tool that actually finds as many machines as the NAC box. If I run Nessus, as an example, I still cant see everything, because the people who adds stuff to the network ‘hide’ them behind host FW’s and NAT box. They have put them there because they ‘need’ it, but they also know it’s against the IT-policy in the company and therefore some of the machines are hidden. The NAC can be fooled too, but it’s not that easy.
NAC does not improve everything, but it will give the IT-department better knowledge of what machine they have connected to the network. This way they can start adding unknown machine to the security and IT policy used in the company.
The fact that people need to ‘hide’ something is the problem. People should want to approach IT to get support and help. In reality, IT security in big companies can be way out of control and prevent new services and processes.
Everyone in a company should be able to find ways to improve business performance and outcomes. If the only way to do that is to ‘hide’, then that is what happens.
The money spent on NAC should be spent on more servers, more skills, more people so that business units or projects do not feel that they have to these kind of things to get the job done.
Again, is NAC is the answer, what was the question ?
Greg,
We use Cisco CNR for DHCP and have custom coded some scripts for our own Homebrew NAC.
Here is what happens.
Every pc that comes into our shop has its HW specs, user and mac pounded into a database.
When a PC powers up, it requests a DHCP lease– using CNR, we authenticate that request against the DB. If it is legit we allow the request to proceed. If its not legit, it sends an email and calls another custom script to kill the port via SNMP.
We prevent static IP’s by using DHCP snooping combined with DAI on the switches.
This gets us what NAC does without requiring software agents all over the place.
Obviously, it’s much more complicated under the hood than what I’ve laid out in half a paragraph, but it gets you the general idea that folks are doing “rouge” device detection and mitigation, without buying into the NAC hype.
Mike