23rd May 2012

You are here: Home / Blog / Opinion / Network Access Control looking like a flub

Network Access Control Looking Like a Flub

21st March 2008 By 5 Comments

While I am no expert on NAC I am deeply unimpressed by the whole technology. It looks like a whole bunch of trouble that is guaranteed to keep you up all night.

I see today that Lockdown Networks couldn’t get funding and are going out of business. This suggests to me that you should not go anywhere near NAC.

Notification

Lockdown Networks closes the door

If the Venture Capitalists think NAC is a bust, then the whole market space is looking like trouble.

I have looked briefly at NAC a couple of times and the software just looks very ugly. It adds layers and layers of software, wrapped around the Windows operating system. Years of experience of Windows suggest that this is not a good idea(tm).

I can accept that NAC for Windows XP might work, after all, the NAC people have have five years to work out the bugs. But with WinXP SP3 coming, and Microsoft not giving up on Vista and pushing out WinV SP1 I wouldn’t want to be looking after desktop and laptop fleet that had NAC. The NAC client software is sure to need updating.

As a network geek, it also need a lot of things to be available for it to work correctly. Indeed, it becomes a mission critical system as soon as you roll it out which is a distraction from the real business function.

Another concern as an outsider, is that the migration away from Windows to MAC and Linux looks to be gaining momentum and almost none of the NAC products work on these platforms.

View

NAC is an idea that has its place in ultra secure operations such as defense / military, but I don’t think it’s viable for real world applications.

This post is copyright of Thropos Ltd ©2008-2011 at Etherealmind.com - contact | email: greg.ferro@packetpushers.net - twitter: @etherealmind | All rights reserved
Filed Under: Opinion
About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in wide range of employers working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus

  • http://www.speedapp.se Per HÂkansson

    Knowledge, visibility and simplicity, in this order, are my guide for all design, deployment and operation. NAC helps to improve visibility, but makes it more complex. But visibility has higher priority then simplicity and NAC is therefore, by my definition, a good tool. The question is, what visibility do NAC deliver? It’s not about network visibility; NAC gives visibility to the people working with hosts. NAC have been promoted through the network channels, thatís why I believe NAC have failed to expand. Letís see whatís happen when MS starts to push for NAP? What I have seen, NAP is not the best, but it will be presented to host people. I think this will increase all kinds of NAC/NAP knowledge and acceptance.

    As I have done both Ciscoís NAC framework and Clean Access installations in real networks, the effect is the same. As soon as we reach the point where we add a ‘block-filter’, the number of server and client machine not known are more then expected. The security in NAC, as I see it, are that the host people suddenly will see *all* machines on the network and they can start incorporate them in IT-policies. Network people already know itís more then the official numbers, by counting the great number of switch-port in use. But host people normally only ‘know’ the number by the SMS, AD-accounts, AV-tools . . which of course only show ‘known’ machines.

    NAC gives the possibility to ‘see’ everything connected on the network, which have never been easy before. Every customer I visit tells me that they have ‘good’ knowledge of their connected machines, but all my NAC installation proves thatís not true.

    I agree that the agent part is a pain, but that goes for all SW installed in any computer when the underlying OS is changed. But if the people working with the computers, not the network, handle NAC, I think it has a feature. Network people have to be involved, especially when NAC is deployed, but they should not be ëin chargeí of NAC.

    The problem I see is how to handle machines which should not be handle by NAC, like copy machines, IP managed air conditions, IP based keyboard/mouse/screen adapters . . . name it, you will have more then you ever believe and the number will grow. I have tried to combine NAC/802.1x/VLAN/MPLS to keep ‘strange’ machines out of NAC; it seems to work pretty well. But everything starts with deep knowledge in networking, system and applications. Knowledge is the key whatever technology used.

    Best Regards
    - Per HÂkansson
    SpeedApp AB
    CCIE 2446

    PS: Defense & military seems to be the people who have best control already, I think there are many other companies who needs NAC even more.

  • http://etherealmind.com Greg Ferro

    I disagree.

    It is mumbojumbo to assert that NAC improves everything. It makes hosts and networks more complex thus delivering negative outcomes for business.

    It stops users from adapting and adopting new ways of working, and thus causes companies to stagnate and ultimately fail. It is the ugliest face of security consulting gone too far.

    If NAC is a viable technology that has real meaning then it must be introduced as part of the OS, and not as some sort crufty add on.

    If you cannot see your network, hosts and servers with the tools we have today, then you are not using other technologies correctly.

    NAC is not the answer, its a failure to ask the right question.

  • http://www.speedapp.se Per HÂkansson

    I see your point, but I have not seen any good tool that actually finds as many machines as the NAC box. If I run Nessus, as an example, I still cant see everything, because the people who adds stuff to the network ‘hide’ them behind host FW’s and NAT box. They have put them there because they ‘need’ it, but they also know it’s against the IT-policy in the company and therefore some of the machines are hidden. The NAC can be fooled too, but it’s not that easy.

    NAC does not improve everything, but it will give the IT-department better knowledge of what machine they have connected to the network. This way they can start adding unknown machine to the security and IT policy used in the company.

  • http://etherealmind.com Greg Ferro

    The fact that people need to ‘hide’ something is the problem. People should want to approach IT to get support and help. In reality, IT security in big companies can be way out of control and prevent new services and processes.

    Everyone in a company should be able to find ways to improve business performance and outcomes. If the only way to do that is to ‘hide’, then that is what happens.

    The money spent on NAC should be spent on more servers, more skills, more people so that business units or projects do not feel that they have to these kind of things to get the job done.

    Again, is NAC is the answer, what was the question ?

  • Mike B

    Greg,
    We use Cisco CNR for DHCP and have custom coded some scripts for our own Homebrew NAC.

    Here is what happens.

    Every pc that comes into our shop has its HW specs, user and mac pounded into a database.

    When a PC powers up, it requests a DHCP lease- using CNR, we authenticate that request against the DB. If it is legit we allow the request to proceed. If its not legit, it sends an email and calls another custom script to kill the port via SNMP.

    We prevent static IP’s by using DHCP snooping combined with DAI on the switches.

    This gets us what NAC does without requiring software agents all over the place.

    Obviously, it’s much more complicated under the hood than what I’ve laid out in half a paragraph, but it gets you the general idea that folks are doing “rouge” device detection and mitigation, without buying into the NAC hype.

    Mike