Comments on TaoSecurity Blog: NAC Is Fighting the Last War
Richard Bejtlich

Dustin (2006-12-24 13:14 -05:00):

This comment has been removed by a blog administrator.

Anonymous (2006-12-22 17:23 -05:00):

So, I think RS is somewhat correct and I also agree with you (Richard) and Chris to an extent - the chief value proposition now is control (access or application) and viruses/worms are no longer the primary driver. Part of the confusion comes from some of the mixed marketing messages from Cisco in the past. I will comment specifically on Cisco since I am more familiar with their approach. There has been a struggle between the NAC framework and the NAC appliances, and it looks like the NAC appliances (formerly Perfigo) are the new direction - and it is because of the control aspect. The CCA (Cisco Clean Access) appliances can enforce security policies such as where you can and cannot go and what network resources you can and cannot access - both in-band or out-of-band (requires 802.1x). As with most solutions, there are caveats depending on the mode, but it is a workable (not perfect) solution today for wired or wireless control of vendors, contractors, internal staff, etc. I agree that there are still some things that are very difficult to prevent (namely malicious internal users with the proper credentials that decide they want to do something bad), but that's where I think defense in depth has to be present.

Also, I always recommend customers go a step further and implement HIPS in the form of CSA (yes, I am biased because that is what I have used with good results. I am sure that someone can propose several alternate solutions that do similar things - I am open to learning new tricks if you want to share examples). Having that last step of host protection often makes all the difference in the world and stops the attacks at the last point of defense - the host. Cisco pitches CSA in the overall NAC story but does not require it - so it really depends on who is telling the story (doesn't it always?) The bottom line in my opinion is that there needs to be more consistency in the story and host defense above and beyond the access control offered by NAC. Once you get onto the endpoint, then you can start with the host-based application control - as long as you account for vulnerabilities in the host agent deployment scheme. Richard, you had another interesting post where you mentioned the differences between trusted and trustworthy systems - and I think that is why you need host-level defense and something to validate that host-level defense and be there if it fails (or violates policy).

Anonymous (2006-12-22 00:30 -05:00):

I think endpoint security policy enforcement is less about AV deployment and more about control.

In far-flung enterprises it can be difficult, almost impossible, to control what devices are accessing the LAN, causing perimeter erosion (and a strong perimeter is still important, no matter what the Jericho Forum thinks). Rogue wireless, unmanaged Internet connections, and unauthorized systems make this a challenge.

802.1x goes part of the way to controlling LAN access, but it really authenticates people, not systems.

IPSec domain isolation is fantastic for control, but has other drawbacks (difficult to support outside of Windows environments, encapsulation breaks QoS, network monitoring).

I see endpoint security policy enforcement as a means to improve control, until something better comes along.

- Chris

Anonymous (2006-12-21 23:41 -05:00):

Two NAC-related pieces which you may also find interesting are:
The pros and cons of NAC (http://www.networkworld.com/columnists/2006/061206snyder.html) and Analysis: Network Access Control (http://www.darkreading.com/document.asp?doc_id=107200)