The Secret Origin of NACBy Rich
Once upon a time, an evil virus struck the land. But the people were prepared, and they stopped the virus before too many became sick… or so they thought. The virus really learned to hide, finding a home among wayward travelers outside the gates of the city. Weeks later these travelers returned home and unknowingly infected the cities. And weeks after that the next wave of travelers came to the cities, and more were infected. And then some scientists said, “Enough! No more will we let our cities become infected by these travelers. Now is the time to protect ourselves from the threats within!” The scientists created a new defense, called NAC, which would check the health of anyone before entering the city, and all was good. But NAC was new, and the first versions didn’t work as well as everyone would have liked. Then, two famous alchemists decided that they should control NAC. Rather than providing it to the people to use, they decided to tell everyone they would provide it. Eventually. And maybe it wouldn’t work quite as expected, but it would be good because it would be big. And then other alchemists decided that the people wanted NAC, but didn’t know what NAC was, so they removed the old labels from their elixirs and put on new NAC labels. And the people were confused. And they waited.
(Apologies for starting so many sentences with ‘and’, but you’ll get over it.)
I was listening to Alan and Mitchell’s StillSecure podcast the other day and, as usual, the subject of NAC came up. For those of you who don’t know, NAC stands for Network Admission Control or Network Access Control, depending on who you talk with. The technology was originally developed to provide pre-connect health checks when guests or mobile employees plugged into the office network. Alan was ranting on the dilution of the term, and as much as it pains me I have to agree with him.
When the SQL Slammer virus hit, most companies were well defended by blocking the port on their firewalls. Those companies then found themselves infected over the following weeks in waves, as mobile employees and contractors started coming back and plugging into the wall, behind the firewall. The concept of NAC was to prevent internal infections from systems physically connecting behind perimeter defenses. A computer would plug in and would then be scanned, or checked using an agent, before it was given an IP address or other network access. If the system wasn’t up to snuff, it could be quarantined off on a network segment outside the firewall (perhaps to download the missing security software), or simply denied access.
It’s a great idea, but like all great ideas a combination of big fish and bottom feeders wanted in. “NAC” kept getting expanded and integrated with everything from 802.1x for port-based authentication (only letting a computer get a usable IP address after a user is approved- a pretty good idea) to all sorts of real-time monitoring, quarantining, VLAN weirdness, and kitchen sinks. It’s a market that Cisco and Microsoft decided they want to control, and early on they started making waves without providing much in terms of functional product. It was a way for Cisco to get their endpoint agents onto desktops and to push clients to upgrade their networking hardware, since parts of their NAC don’t work if they aren’t built into the switch.
I like NAC, and if I had more than 6 computers on my network it’s the kind of thing I’d look at more closely. But I’d keep myself focused on the basics- protecting my network from malicious guest and mobile systems. I’d want a mix of agent and agentless (for managed and unmanged systems) and keep focused on pre- and post- connection health checks. I wouldn’t wait for the big vendors, knowing that in the long term they’ll own it all anyway, even if they have to buy it. Yes, Cisco has stuff now, but I hear it’s pretty complex to deploy.
NAC, like much of network security, will eventually be built into the network fabric. At best, we’ll have a separate security control plane for separation of duties. This is a hell of a long way out and not something that should affect your buying decisions today.
I’ll be the first to admit I have a lot more depth in data and application security than netsec, but I’ve watched for years as a great idea (NAC) has been pummeled by the market. I even did an interview on it over at SearchSecurity. It reminds me a lot of Data Loss Prevention/Content Monitoring and Protection (DLP/CMP). A good technology that provides immediate value, which quickly becomes far more confusing than needed as all sorts of people want in on the action.
If you want to protect yourself from potentially malicious systems plugging into your network (including remote access) take a look at NAC. If you want all the other bells and whistles you see running around out there you can look at them too, just don’t call them NAC.