Tick. NAC? Doh!
Thomas Ptacek | May 15th, 2006 | Filed Under: Defenses, Industry Punditry
I like Mike Fratto, and not just because he gave my last product a glowing review in Secure Enterprise. I’m also paying a lot more attention lately to Dark Reading, a trade rag where the authors seem to have well-informed strong opinions.
Fratto writes about NAC this week: “What is the business case for NAC? Seriously, what is it?” Here are four things he claims it isn’t, and a Matasano response:
Doesn’t really reduce helpdesk overhead. We agree. To this point we’ll inject a cynical (i.e., true) addendum: most undetected desktop integrity problems do not incur direct costs. Or didn’t, before you deployed NAC.
Doesn’t quantifiably impact risk. We disagree. Fratto’s argument orbits around the assertion that enterprises haven’t quantified their own internal assets. So how can they assess risk? Easy: “internal asset value = huge”. How about “multiple percentage points of SG&A” to start with?
Compliance is overblown. We’re ambivalent. For large enterprises, HIPAA is notoriously toothless, and we hear reports of enterprises simply setting aside budget to pay fines (we’ve also worked with enterprises who take it seriously). SOX, on the other hand, really does command attention. Perhaps not for long. But we’ll also note that the PCAOB has been making these noises for over a year, with no real impact.
Doesn’t address the real cause of data leakage. We agree. Strongly. The NAC solution to data theft is message-ware and nothing more (NAC-in-a-box Product Manager: “gotta suppress deployment of Vontu, Vericept, and Reconnex!”). Infected desktops don’t steal credit card dossiers. People do.
With the (incessant) caveat that we are biased on this issue (our product is the anti-NAC), here is the Matasano Anti-NAC 3:
NAC boils the ocean. How do you evade a NAC deployment on a single floor in a campus? Unplug, walk upstairs, and plug in to the conference room jack.
“But you should have NAC deployed there too!”, says the Consentry SE. Exactly our point. Until you’ve dug up and forklifted out every distribution-layer switch you already had and replaced them with a shiny new NAC device, NAC does nothing to stop a determined attacker.
NAC is authorization-agnostic. The overwhelming majority of NAC installations will be used for exactly one thing: to ensure that laptops are up-to-date with patches and signatures. But enterprises are going to suffer greater losses due to data theft and incident response than they will to malware outbreaks in 2006.
Rothman has been saying this for weeks. But he calls “authorization” “NAC stage 2”, which is a lot like saying that the hydrogen economy is just “gas station, stage 2”. NAC is what it is. Devices are designed to address the 80% use-case well. If “stage 2” requires redeployment, and enterprises need “stage 2”, “stage 1” was a mistake.
NAC re-fights the last war. It completes the perimeter, and in this sense is the IT-sec equivalent of building a big wall around Mexico. Perimeters work (really) when they are tight and manageable, when policy is near black-and-white. It’s not an accident that they solved one problem nicely (the NYTimes being defaced every week) while failing badly at another (desktop security, a continuing debacle).
I mean, really: filters and antivirus. Add a bit of signature-based IPS just to keep things fun and unpredictable. If this was the answer, why haven’t smart enterprises done this on their own already?
dre
May 18th, 2006 5:32 pm
fratto is just so scared of the costs of nac technology, he doesn’t see forward to the ideas behind nac.
ever thought about throttling vs. quarantine? you can get on my network if you are unpatched, but not at 10GbE. you can send mail from my mailserver, but not at >30Kpps. nac “products” don’t take this into account today, but they could if implemented a little differently.
nac as a solution is just another tool in the toolbox. it works better for some companies than hips/nips (and believe me, as a heterosexual male i’m down with hips and nips). and nac certainly does more than personal firewalls and rfc2827/3704 filtering, it’s almost a natural progression/extension to both concepts.
every vendor is pushing the “compliance” catch phrase, so nearly any “security” product these days is overblown. cisco purchased perfigo cleanmachines and spun it into the NAC appliance as Cisco Clean Access (CCA) which they say is a compliance product. people in the know realize this instant marketing scam to be what it is. but that doesn’t make the technology bad (it just sets the price point higher).
nac done right would look at all network elements (ip phones, printers, pdas) at the access layer (802.1x, vpn)… and put each device into its appropriate bucket depending on its patch/firmware level(s) for itself and running applications.
the problem is that cisco sees nac as a network-wide GPO. i see nac as a perimeter-defense (like you said), and an important one at that.
rfc1958 (and others) state that “3.9 Be strict when sending and tolerant when receiving”. i think nac is an evolution of this paradigm for network design today.
i would rather spend a lot of time fixing applications, educating operating system and firmware vendors, etc. but let’s face it - operators need tools like nac to protect themselves in the interim.
nac can provide both protection and removal of threats. one attacker may be thwarted by nac, even if he/she happens to get access to the only nac-enabled network/machine on the network. or he/she might be more easily tracked and discovered.
finally, to put us all at ease about the costs, some people http://www.nanog.org/mtg-0402/gauthier.html have implemented nac without spending tons of money.
csa is a good start. CSA-STARTER-K9 http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_data_sheet09186a00801eb725.html costs about $2k including support (10 users + server).
nac is a bit more expensive, with a minimum of 100 users http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_data_sheet09186a00801eb725.html but CCA-MGR-LT-K9 (the manager) + CCA-SVR-100-K9 (the server) costs just under $6k. if your routers, switches, asa firewalls, and vpn concentrators have code as recent as 2004 - you will get support for nac built-in. and it integrates well with eset and panda software AV solutions.
nips on the other hand - is seriously expensive and a huge bottleneck. you can put nac all over your network. you can only put a cisco ips 4215 on one fastethernet link, and it “might” keep up with your traffic. yes, snort-inline may be cheaper, but a cisco ips 4215 is going to set you back at least $5k. and tippingpoint isn’t any cheaper.
if you’re prioritizing infrastructure/operations projects for building security into the network, consider nac based on my counterpoints. we’re going to see a lot more of it in the future, and hopefully for the right reasons.
Joel Snyder
June 10th, 2006 1:34 pm
Here’s another (mine, actually) column discussing some of the down sides of NAC. I think the jury’s out, but wanted to get some “devil’s advocate” positions out on the table early in order to push on a healthy debate.
Rather than sum it up, I’ll just post a pointer:
http://www.networkworld.com/columnists/2006/061206snyder.html