Like Mike Rothman says today, this has been the week of NAC, so I figure I would pile on as well. I am not an expert on NAC by any means, so forgive me and correct me where I need it. But in talking to Alan Shimel and his StillSecure crew this week and with all the bloggers putting out some great information, I have learned more about NAC this week than I have in the last year. BTW, a bunch of my blogging buddies and Richard Stiennon got together last night on the Security Roundtable Podcast (hasn’t been posted yet) to discuss NAC, so I am really excited about listening when it gets posted.
Anyway, to my gripe of the day. I had a NAC vendor out today to discuss their product. They have gone totally with the inline strategy for their solution, and it seems like a good product. But it has weaknesses (obviously every one of them has strengths and weaknesses). Some of what I saw was poor ongoing posture checking, so-so unmanaged-client checking, opening of ports to allow authentication, and no remediation after quarantining. And they partner with other vendors to do some of the stuff above. That’s not in-and-of-itself a problem, but I just didn’t like the way they threw it all together. To be fair, they had one feature that I REALLY liked, and that was the ability to do auditing and reporting on client file access without (so it seems) the need to turn on auditing on your servers (basically, they go to level 7 and report from there - if it works, it would be great to have because it means fewer CPU cycles, less disk space, and less configuration on servers - anyone else do this, guys?).
I have looked at a few other vendors out there as well, and as I parenthetically said above, they all have weaknesses and strengths. Many times, it really depends on your infrastructure and what you need. And it may take more than one vendor to get done what you need. Though management starts sucking bad, right now this may be the only choice we have to get a complete solution (go see Alan’s point in his post about cobbling together a bunch of security vendors for a NAC solution - I hope he is right that this will start going away).
As a quick aside, I am going to compliment StillSecure, and it is not because Alan had me on his podcast (well, maybe a little bit). StillSecure’s Safe Access, thus far, seems to have the most complete solution out there (Alan, send the check to my personal address please). Now, back to our regularly scheduled program…
But one weakness or missing part or whatever you want to call it that I see across the board is the remediation of the vulnerabilities for the endpoint. What I mean by that is that I have not seen one of the NAC solutions that includes a remediation solution. They either partner with someone (which also seems to be going away somewhat), or they leave it up to the “discretion of the administrator.” So please answer this question for me, oh you Alans and Mitchells of the NAC world: wattup wit dat?
I mean, I just don’t get it. I am not speaking for the rest of the security managers out there, but I know that it just makes sense to me for someone who is going to offer quarantining to offer remediation as well. Is it because no one has made it that far? Is it because the market is not asking for it? Is it because there are options available, so you just don’t want to spend the dollars to do it? And if you are going to partner with someone for it, INTEGRATE IT. Don’t make me manage another solution. Tie the dang things together, and make it work. Remember my busy security manager post? We need help! Give us a solution that works from A to Z. Not A to W, then BigFix can handle X, Y, and Z (now I’ve said my ABC’s, next time won’t you… sorry, too much Sesame Street - I have small children).
[As I was writing this, I wanted to make sure I wasn't smoking crack, so I looked closer at SafeAccess and noticed that it mentions tying together patch management with SafeAccess, and I think this happens through VAM, but I am not sure. I invite Alan or another StillSecure employee to clarify this.]
Vet


