Like Mike Rothman says today, this has been the week of NAC, so I figure I would pile on as well. I am not an expert on NAC by any means, so forgive me and correct me where I need it. But in talking to Alan Shimel and his StillSecure crew this week and with all the bloggers putting out some great information, I have learned more about NAC this week than I have in the last year. BTW, a bunch of my blogging buddies and Richard Stiennon got together last night on the Security Roundtable Podcast (hasn’t been posted yet) to discuss NAC, so I am really excited about listening when it gets posted.
Anyway, to my gripe of the day. I had a NAC vendor out today to discuss their product. They have gone totally with the inline strategy for their solution, and it seems like a good product. But it has weaknesses (obviously every one of them has strengths and weaknesses). Some of what I saw was poor ongoing posture checking, so-so unmanaged-client checking, opening of ports to allow authentication, and no remediation after quarantining. And they partner with other vendors to do some of the stuff above. That’s not in-and-of-itself a problem, but I just didn’t like the way they threw it all together. To be fair, they had one feature that I REALLY liked, and that was the ability to do auditing and reporting on client file access without (so it seems) the need to turn on auditing on your servers (basically, they go to level 7 and report from there – if it works, it would be great to have because it means less CPU cycles, less disk space, and less configuration on servers – anyone else do this guys?).
I have looked at a few other vendors out there as well, and as I parenthetically said above, they all have weaknesses and strengths. Many times, it really depends on your infrastructure and what you need. And it may take more than one vendor to get done what you need. Though management starts sucking bad, right now this may be the only choice we have to get a complete solution (go see Alan’s point in his post about cobbling together a bunch of security vendors for a NAC solution - I hope he is right that this will start going away).
As a quick aside, I am going to compliment StillSecure, and it is not because Alan had me on his podcast (well, maybe a little bit). StillSecure’s Safe Access, thus far, seems to have the most complete solution out there (Alan, send the check to my personal address please). Now, back to our regularly scheduled program…
But one weakness or missing part or whatever you want to call it that I see across the board is the remediation of the vulnerabilities for the endpoint. What I mean by that is that I have not seen one of the NAC solutions that includes a remediation solution. They either partner with someone (which also seems to be going away somewhat), or they leave it up to the “discretion of the administrator.” So please answer this question for me, oh you Alans and Mitchells of the NAC world: wattup wit dat?
I mean, I just don’t get it. I am not speaking for the rest of the security managers out there, but I know that it just makes sense to me for someone who is going to offer quarantining to offer remediation as well. Is it because no one has made it that far? Is it because the market is not asking for it? Is it because there are options available, so you just don’t want to spend the dollars to do it? And if you are going to partner with someone for it, INTEGRATE IT. Don’t make me manage another solution. Tie the dang things together, and make it work. Remember my busy security manager post? We need help! Give us a solution that works from A to Z. Not A to W, then BigFix can handle X, Y, and Z (now I’ve said my ABC’s, next time won’t you… sorry, too much Sesame Street – I have small children).
[As I was writing this, I wanted to make sure I wasn't smoking crack, so I looked closer at SafeAccess and noticed that it mentions tying together patch management with SafeAccess, and I think this happens through VAM, but I am not sure. I invite Alan or another StillSecure employee to clarify this.]
Vet

I think remediation is a pretty tall order in terms of technology and producing it within a NAC solution. The partnering route is probably a good idea (as long as the integration really does work) because it leaves the patching experts to do their thing and the NAC experts to do their thing. That is not to say that perhaps we might see some consolidation of some sort in that area (i.e. patch management company acquiring a NAC company or a NAC company OEMing a patch tool). There are some great solutions on either front so it would be hard to justify writing a new tool from scratch to complement the other.
Michael – sorry if this is a long one and I will fully respond on my blog. First of all, thanks for the kind words about StillSecure and me. We think SafeAccess is a great product and one of the most full-featured in the NAC market. I of course would be interested in who you spoke to today but understand you not naming names. On the remediation front, I agree with you. Self-remediation frankly stinks and is not a great solution for non-IT users. Currently Safe Access itself has a full set of APIs that allow it to work with many 3rd party patch managers including Citadel Hercules, Big Fix, MS SMS, etc. However, we are looking at some very interesting alternatives as well. That is as much as I can go into here, but suffice to say we agree with you and are doing something about it. BTW, the integration with patching is pretty tight in Safe Access.