by John Pescatore | August 21, 2009 | 7 Comments
From Merriam-Webster:
- Main Entry: knack
- Pronunciation: \ˈnak\
- Function: noun
- Etymology: Middle English knak
- Date: 14th century
1 a : a clever trick or stratagem b : a clever way of doing something
2 : a special ready capacity that is hard to analyze or teach
3 archaic : an ingenious device; broadly : toy, knickknack
Enterprise systems are being infected by personal and contractor systems that are not maintained by the enterprise, but which gain connections inside the LAN and that are missed by the Internet firewall. In addition, infected files and programs can be carried into the enterprise on CDs and other removable media. Enterprises need technologies that can scan managed and unmanaged PCs and laptops as they connect to the network via VPN, dial-up or an “on-site” LAN, and that can block the connection if there is a security exposure. The scan must encompass patch and antivirus signature levels, as well as other security-related system attributes.
Scan and block was a reaction to the tremendous damage done to corporate networks by the worms of 2001 and 2003.
That was followed by Cisco announcing Cisco Network Admission Control and Microsoft announcing Microsoft Network Access Protection, causing a good deal of confusion in the market. So, Gartner defined Network Access Control (NAC) as a process and an architecture for implementing three critical security functions, much broader than scan and block:
1. Noticing whenever something connects to your network and determining whether it is one of your devices or not, and whether it is one of your users or not.
2. Determining the security status of the device connecting to your network.
3. Given (1) and (2), deciding what to do.
However, quite often NAC was overhyped and many early implementations just tried to drop in simple scan and block approaches which penalized users because IT hadn’t patched their systems. But over the past several years there have been a lot of success stories by enterprises who have taken phased approaches to NAC by first implementing (1) above to support guest networking and allowing unmanaged IT on the network. Once that is stable, turn on baselining – but still no quarantining. Once that is stable, start looking into (3) – what sort of network controls should be placed on vulnerable (missing patches) devices vs. dangerous (infected with malware) devices?
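To make the three functions and the phased rollout concrete, here is an added example (not Gartner's or any vendor's code) of the decision logic a NAC policy engine would apply at connect time. The posture record, thresholds, phase numbers and the access outcomes (guest, full, remediation, quarantine) are assumptions chosen to match the post: phase 1 only separates guests, phase 2 baselines posture without quarantining, and phase 3 treats vulnerable (missing patches, stale AV) devices differently from dangerous (infected) ones.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """Constructed posture record, as a NAC agent or connect-time scan would report it."""
    mac: str
    managed: bool          # function (1): is this one of our devices (in inventory)?
    known_user: bool       # function (1): did the user authenticate as one of ours?
    missing_patches: int   # function (2): required patches not yet installed
    av_sig_age_days: int   # function (2): age of the antivirus signature set
    malware_found: bool    # function (2): the scan found an active infection


# Assumed baseline thresholds for a "healthy" managed device.
MAX_MISSING_PATCHES = 0
MAX_SIG_AGE_DAYS = 7


def posture(ep: Endpoint) -> str:
    """Function (2): classify the device's security status.

    'dangerous' (infected) is distinct from 'vulnerable' (unpatched or stale AV),
    because the post argues they warrant different network controls.
    """
    if ep.malware_found:
        return "dangerous"
    if ep.missing_patches > MAX_MISSING_PATCHES or ep.av_sig_age_days > MAX_SIG_AGE_DAYS:
        return "vulnerable"
    return "healthy"


def decide(ep: Endpoint, phase: int, log: list) -> str:
    """Function (3): given identity (1) and posture (2), pick a network control.

    phase 1: guest networking only; phase 2: baseline and log, no quarantine;
    phase 3: enforce, with remediation for vulnerable and quarantine for dangerous.
    """
    if not (ep.managed and ep.known_user):
        # Unmanaged device or unknown user: Internet-only guest segment.
        return "guest"
    if phase < 2:
        return "full"
    status = posture(ep)
    log.append(f"{ep.mac} posture={status}")   # baselining: record what we see
    if phase < 3:
        return "full"                          # no penalty for IT's patch backlog yet
    return {"healthy": "full",
            "vulnerable": "remediation",       # reach only patch and AV update servers
            "dangerous": "quarantine"}[status]
```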
Turns out just implementing the first phase of NAC for guest networking gets you a lot of the capabilities needed to deal with problems like consumerization and more flexible business-to-business collaboration. We see many enterprises that say “NAC is too immature and complex, we aren’t doing it” and in the same breath say “Oh, yes – we are actively looking at how to implement guest networking.” It is sort of like Tom Sawyer getting people to paint his aunt’s fence by making it look like fun!
Gartner estimated NAC spending was a little over $220M in 2008, more than 50% growth over 2007 in a tough economic year. Turns out a lot more businesses have a knack for NAC than you’d think.
7 responses so far
2 alan shimel August 21, 2009 at 9:14 pm
John – You make some excellent points on NAC. I especially like the distinction between vulnerable devices and dangerous devices. At the end of the day NAC is not black and white, there is plenty of gray! Though guest networking is still the main driving force, I think we are going to see the versatility of NAC lead to even more application for it. I have written more about this article on my blog at: http://www.stillsecureafteralltheseyears.com/ashimmy/2009/08/knock-nac-knack-for-nac-who-gives-a-nac.html
4 Anne Price August 22, 2009 at 3:56 pm
John, I agree with Alan that you make some excellent points. We here at Trusted Computing Group are seeing a big uptake in implementations of our open architecture for network security, and we see lots of interest in new uses for TNC and NAC – SCADA networks and physical security integration being two of those. Lots of our members are selling lots of stuff that provides various “NAC” and network security benefits.
5 Stiennon August 31, 2009 at 11:25 pm
Well, I see the vendors like your take on NAC. So NAC is all about guest networks??? Tut Systems figured that out in the 90s. It was a critical feature needed for hotel networks so they could offer Internet access. Most organizations figured out a decade ago that the network drops in the conference rooms should just have access to the Internet, not the internal network.
If I were a CIO I would be very leery of a new layer of technology that is very expensive and takes three phases of “stabilization” to implement.
Of course you have to do access control. You must control *who* does what on your network. But the concept of *what* connects to your network is flawed since *what* (IP-MAC address, OS, DAT file) can be easily spoofed.
6 John Pescatore September 1, 2009 at 7:48 am
Lots of stuff was “figured out in the 90s” that doesn’t work in today’s environment. Heck, on Novell networks we used to check for AV and not let you on NetWare if AV wasn’t on and current – but none of those approaches worked after IP stacks became built in and Internet connectivity became the norm.
Actually, many (if not most) enterprises had wide open ports in conference rooms and even worse in printer rooms where many, many contractors would connect and much bad stuff would happen.
There are many ways to implement NAC that aren’t all that expensive, especially compared to alternatives.
All the “who” stuff can be spoofed/bypassed just as easily as the “what” stuff – in the real world, all the “who” stuff has been in place for years and has had obvious problems. You have to make sure you don’t join the “cult of the impossible problem” – the goal is to solve business problems, not to have elegant security solutions that don’t meet business needs.
NAC works and as the world has changed where IT has less control over the hardware and software users can use, it is a requirement. This is why just about every University (not big spenders on security) has implemented NAC for several years now – enterprise networks are actually looking a lot more like University networks these days.
7 Another NAC Vendor Goes Under: The Difference Between What Investors Want and What Enterprises Use September 3, 2009 at 8:31 am
[...] World reported this week that switch/NAC vendor Consentry was closing its doors. My recent post on NAC triggered some debate about NAC – does Consentry’s exit mean that NAC is a failure? That [...]