Matasano Chargen: Tick. NAC? Doh!

  • dre · 3 years ago
    Fratto is just so scared of the costs of NAC technology that he doesn't see past them to the ideas behind NAC.

    Ever thought about throttling vs. quarantine? You can get on my network if you are unpatched, but not at 10GbE. You can send mail from my mail server, but not at >30Kpps. NAC "products" don't take this into account today, but they could if implemented a little differently.

    NAC as a solution is just another tool in the toolbox. It works better for some companies than HIPS/NIPS (and believe me, as a heterosexual male I'm down with hips and nips). And NAC certainly does more than personal firewalls and RFC 2827/3704 filtering; it's almost a natural progression/extension of both concepts.

    Every vendor is pushing the "compliance" catch phrase, so nearly any "security" product these days is overblown. Cisco purchased Perfigo CleanMachines and spun it into the NAC appliance as Cisco Clean Access (CCA), which they say is a compliance product. People in the know realize this instant marketing scam for what it is. But that doesn't make the technology bad (it just sets the price point higher).

    NAC done right would look at all network elements (IP phones, printers, PDAs) at the access layer (802.1X, VPN)... and put each device into its appropriate bucket depending on its patch/firmware level(s), for itself and for its running applications.

    The problem is that Cisco sees NAC as a network-wide GPO. I see NAC as a perimeter defense (like you said), and an important one at that.

    RFC 1958 (and others) states, in section 3.9, "Be strict when sending and tolerant when receiving". I think NAC is an evolution of this paradigm for network design today.

    I would rather spend a lot of time fixing applications, educating operating system and firmware vendors, etc., but let's face it: operators need tools like NAC to protect themselves in the interim.

    NAC can provide both protection and removal of threats. One attacker may be thwarted by NAC, even if he/she happens to get access to only one NAC-enabled network/machine on the network. Or he/she might be more easily tracked and discovered.

    Finally, to put us all at ease about the costs, some people (http://www.nanog.org/mtg-0402/gauthier.html) have implemented NAC without spending tons of money.

    CSA is a good start. CSA-STARTER-K9 (http://www.cisco.com/en/US/products/sw/secursw/...)
    costs about $2k including support (10 users + server).

    NAC is a bit more expensive, with a minimum of 100 users (http://www.cisco.com/en/US/products/sw/secursw/...),
    but CCA-MGR-LT-K9 (the manager) + CCA-SVR-100-K9 (the server) costs just under $6k. If your routers, switches, ASA firewalls, and VPN concentrators have code as recent as 2004, you will get support for NAC built in. And it integrates well with ESET and Panda Software AV solutions.

    NIPS, on the other hand, is seriously expensive and a huge bottleneck. You can put NAC all over your network. You can only put a Cisco IPS 4215 on one FastEthernet link, and it "might" keep up with your traffic. Yes, snort-inline may be cheaper, but a Cisco IPS 4215 is going to set you back at least $5k. And TippingPoint isn't any cheaper.

    If you're prioritizing infrastructure/operations projects for building security into the network, consider NAC based on my counterpoints. We're going to see a lot more of it in the future, and hopefully for the right reasons.
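    The "throttle vs. quarantine" idea and the "one bucket per device class and patch level" design in the comment above can be made concrete as a small posture policy. The code below is an added example for this thread, not part of either commenter's post and not any vendor's NAC schema; the device classes, patch-lag thresholds, VLAN names and rate caps are all assumptions chosen to illustrate the point. It adds the checks a practitioner would want that the comment only implies: agentless endpoints (phones, printers, PDAs) are judged by firmware inventory rather than a host agent, and a device with no posture data at all fails closed into quarantine instead of getting a free pass.

```python
"""Posture-based NAC policy with a throttle tier between full access and quarantine.

Added example (not from the original thread). Thresholds, VLAN names and
rate caps are assumptions; adjust to the site's own policy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed rate caps in Mbit/s: full line rate, a throttled tier, and a
# remediation-only trickle for quarantine.
FULL_RATE = 10_000
THROTTLED_RATE = 100
QUARANTINE_RATE = 1

# Device classes that cannot run a host agent; posture comes from firmware inventory.
AGENTLESS = {"ip-phone", "printer", "pda"}

# Assumed patch-lag thresholds (days behind current patch level).
THROTTLE_AFTER_DAYS = 7
QUARANTINE_AFTER_DAYS = 30


@dataclass(frozen=True)
class Posture:
    """One posture report for an endpoint seen at the access layer (constructed)."""
    mac: str
    device_class: str                  # "workstation", "ip-phone", "printer", "pda", "unknown"
    patch_lag_days: Optional[int]      # None = no agent report
    av_running: Optional[bool]         # None = no agent report
    firmware_known_good: Optional[bool]  # None = not in firmware inventory


@dataclass(frozen=True)
class Decision:
    bucket: str       # "full", "throttled", "quarantine"
    vlan: str
    rate_mbps: int
    reason: str


def decide(p: Posture) -> Decision:
    """Map a posture report to an access bucket. Unknown data fails closed."""
    if p.device_class == "unknown":
        return Decision("quarantine", "vlan-quarantine", QUARANTINE_RATE,
                        "unrecognised device class")

    if p.device_class in AGENTLESS:
        # No agent to ask; trust only a firmware inventory match. Not-in-inventory
        # is throttled rather than fully trusted, so a phone still rings but cannot
        # saturate a link.
        if p.firmware_known_good is True:
            return Decision("full", "vlan-prod", FULL_RATE, "firmware on approved list")
        if p.firmware_known_good is False:
            return Decision("quarantine", "vlan-quarantine", QUARANTINE_RATE,
                            "firmware known vulnerable")
        return Decision("throttled", "vlan-throttled", THROTTLED_RATE,
                        "firmware not in inventory")

    # Agent-capable host: missing posture is treated the same as bad posture.
    if p.patch_lag_days is None or p.av_running is None:
        return Decision("quarantine", "vlan-quarantine", QUARANTINE_RATE,
                        "no posture report from agent")
    if not p.av_running:
        return Decision("quarantine", "vlan-quarantine", QUARANTINE_RATE, "AV not running")
    if p.patch_lag_days > QUARANTINE_AFTER_DAYS:
        return Decision("quarantine", "vlan-quarantine", QUARANTINE_RATE,
                        f"{p.patch_lag_days} days unpatched")
    if p.patch_lag_days > THROTTLE_AFTER_DAYS:
        # The comment's middle ground: on the network, but not at line rate.
        return Decision("throttled", "vlan-throttled", THROTTLED_RATE,
                        f"{p.patch_lag_days} days unpatched, throttled pending remediation")
    return Decision("full", "vlan-prod", FULL_RATE, "compliant")


def apply_policy(reports: List[Posture]) -> Dict[str, Decision]:
    """Decide every report; keyed by MAC so the access switch can act per port/host."""
    return {p.mac: decide(p) for p in reports}


def bucket_counts(reports: List[Posture]) -> Dict[str, int]:
    counts: Dict[str, int] = {"full": 0, "throttled": 0, "quarantine": 0}
    for d in apply_policy(reports).values():
        counts[d.bucket] += 1
    return counts


# Constructed sample reports (not real devices).
SAMPLE_REPORTS = [
    Posture("00:11:22:33:44:01", "workstation", 2, True, None),     # compliant
    Posture("00:11:22:33:44:02", "workstation", 14, True, None),    # throttled
    Posture("00:11:22:33:44:03", "workstation", 45, True, None),    # quarantine
    Posture("00:11:22:33:44:04", "workstation", None, None, None),  # no agent data
    Posture("00:11:22:33:44:05", "ip-phone", None, None, True),     # approved firmware
    Posture("00:11:22:33:44:06", "printer", None, None, None),      # not inventoried
    Posture("00:11:22:33:44:07", "unknown", None, None, None),      # unclassified
]

if __name__ == "__main__":
    for mac, d in apply_policy(SAMPLE_REPORTS).items():
        print(f"{mac}  {d.bucket:10} {d.vlan:16} {d.rate_mbps:>6} Mbit/s  {d.reason}")
    print(bucket_counts(SAMPLE_REPORTS))
```

    The design choice worth noting is the fail-closed default: both "unknown device class" and "no agent report" land in quarantine, and an agentless device that is merely absent from the firmware inventory lands in the throttled tier rather than in full access. That is what keeps the throttle tier from becoming a loophole for a host that simply declines to report.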
  • Joel Snyder · 3 years ago
    Here's another column (mine, actually) discussing some of the downsides of NAC. I think the jury's out, but wanted to get some "devil's advocate" positions out on the table early in order to push for a healthy debate.

    Rather than sum it up, I'll just post a pointer:

    http://www.networkworld.com/columnists/2006/061...