John Pescatore

A member of the Gartner Blog Network

Lawrence Orans Guest Post: NAC Panel at RSA Conference

by John Pescatore  |  March 5, 2010  |  5 Comments

Today's blog post is provided by Lawrence Orans:

Random thoughts on 802.1X from the RSA Conference

This morning, for the fifth consecutive year, I moderated a panel on network access control (NAC) at the RSA conference.  The attendance for this session wasn’t standing-room-only, like it was five years ago, but we still had well over 100 people in attendance and it was a very engaged audience.

Four panelists addressed the topic of “Best Practices for NAC”.  One panelist was a security director for a large bank that had implemented an appliance-based NAC solution.  Another panelist was a security director for a multinational engineering/design firm that had implemented a small, but growing, 802.1X solution for wired and wireless access.  Product representatives from Cisco and Microsoft completed the other two spots on the panel.

As moderator, I asked a few questions to stimulate discussion, and then I opened up the floor to questions from the attendees.  What struck me was that about half of the audience questions were related to 802.1X.  People asked questions about choosing EAP methods, handling exceptions (non-802.1X-capable endpoints), and troubleshooting failed authentications.

The good news is that people are asking intelligent questions about 802.1X in wired environments. The bad news is that almost 9 years after the standard was ratified, people need to ask these questions. My main takeaway from today’s session is that our industry still needs to step up and provide solutions that ease the deployment and the manageability of 802.1X. That belief was strongly reinforced later in the day, as I struggled with configuring the 802.1X settings on my Windows laptop in order to gain access to the RSA secure wireless LAN. Fortunately, the RSA Conference provides a nine-page manual, complete with screen shots, to help people like me negotiate the process. Now, I have a better appreciation for the challenges faced by those folks asking 802.1X questions this morning. – Lawrence Orans

Pescatore comment – I’ve been covering WLAN security for years, and the supplicant and EAP complexity and interoperability issues have been the major pain in the neck for years. Cisco and Microsoft took years to finally make it a bit easier for Windows/Cisco-centric environments – but they took so long that the increase in market share of the Apples and Arubas and others means an increasingly heterogeneous environment with the same old problems.

5 responses so far ↓

  • 1 What We’re Reading, Week of 3/8 « VPN Haus   March 12, 2010 at 12:45 pm

    [...] Week of 3/8 By vpnhaus Leave a Comment Categories: Highlights Gartner Blog… Lawrence Orans Guest Post: NAC Panel at RSA Conference Lawrence Orans shares some highlights from a panel outlining the best practices for NAC that he [...]

  • 2 Hassan   March 16, 2010 at 12:36 am

    I am glad that you saw the 802.1x interest picking up. In our environment, it’s the only thing I can see keeping us out of vendor lock-in. But at the same token, as more systems standards-based solutions become available, we need you to push adoption of a standard to get the most information we can out of the new visibility we have with a full 802.1x implementation. Namely… the industry needs IF-MAP. All of these devices that authenticate need a way to be tracked (long-term) and status changes information needs to be shared with all of the security infrastructure (firewalls, switches, security event/info management systems, etc). Thanks Lawrence for pushing NAC vendors and customers to adopt standards, now push the next phase, total security visibility with IF-MAP.

  • 3 Hassan   March 16, 2010 at 12:53 am

    btw… when is the next version of the Magic Quadrant for NAC coming out? Considering the latest break-up of Aruba and Bradford Networks, do you expect Bradford to move down and Aruba to disappear? What about TippingPoint, how do you think the new HP acquisition of 3Com/TippingPoint will affect its NAC product considering that HP dumped its own NAC product to more closely work with Microsoft’s?

  • 4 Hassan   March 16, 2010 at 1:40 am

    I’ll keep you up to date on my NAC efforts here: http://samurai-and-ninja.blogspot.com/2010/03/excited-about-nac.html

  • 5 John Pescatore   March 16, 2010 at 7:42 am

    Thanks for the comments, Hassan. I blogged back in early February on NAC standards – see http://blogs.gartner.com/john_pescatore/2010/02/08/nac-on-the-standards-track/

    We will be having future NAC research notes that will address other standards areas, but I’m less bullish on IF-MAP. Not that it isn’t a good idea, but directory enabled networking was a good idea all those years ago and never turned into anything meaningful. There are semantic areas where standards never seem to really become meaningful, and I think this is one of them. We will dig into that a bit later this year.

    We have started the process for updating the NAC magic quadrant and I think we have it planned for late 2Q or early 3Q this year for publication.
