Why I’m a NAC nonbeliever
I was recently speaking at a conference, and the subject of network access control (NAC) came up. At the time I gave a rather glib answer that ‘it’s not the network that you wish to control access to, but the data and services that wrap it’. That’s been my position for some time, but it’s probably worth unpacking some of the detail around this.
The heart of the issue here is where do we achieve policy enforcement points (PEPs)? The issue can therefore be recast in terms of entitlements services. It almost always makes more sense to put PEPs within applications or application infrastructure, but there will be times when these are old and brittle. In this case does it make more sense to have the PEP close to the service (network based entitlements services) or close to the client (NAC)?
Then comes along the question of posture – NAC advocates that infected clients shouldn’t be allowed to connect to any services (except perhaps disinfection), but this assumes that infection can be reliably detected, which is at odds with the efficacy of most AV etc. (especially against targeted attacks). To steal a quote from the conference ‘just because I’m standing straight doesn’t mean I don’t have pancreatic cancer’. I covered many of the underlying issues in more detail in my discussion of why trust != management.
What about unauthorised devices? This raises some interesting follow up questions, like why should I care about unauthorised devices, and if I do why am I in the business of running a network that makes me care about this stuff? The heart of these questions lies in where perimeters are drawn. If I choose to run a client network that has all sorts of sensitive data flowing across it, and provides unfettered access to services containing data that I care about then I certainly should care about the network itself. If however I reperimiterize around core data assets, and connect client machines to public networks then the concept of unauthorised machines evaporates. If I have unauthorised devices appearing on my data centre network then I have a physical security problem rather than an information security problem.
So… I think this leaves NAC as an unsuccessful legacy of outdated network management practices. Or did I miss something?
Filed under: security | 2 Comments
Tags: entitlements, nac, reperimiterisation, reperimiterization, security
Subscribe
Recent Comments
Tim Coote on Ross Anderson RIP iain on Skiing in Espace Killy (Val… Chris Swan on Getting more from a British Ga… Murray Cowell on Getting more from a British Ga… JL on AI MacGuffin 
Pinboard.in bookmarks- Commission proposes youth mobility between EU and UK
- DEA fuels moral panic over ADHD meds to justify its failed drug war
- Meta.ai Oh My!
- Looking for AI use-cases — Benedict Evans
- the biggest threat facing your team
- Why has Hugh Grant settled his phone hacking claim against the Sun?
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
- AI isn't useless. But is it worth it?
- Pluralistic: The true post-cyberpunk hero is a noir forensic accountant
- Subaru battery drain due to missing 3G network
Chris Swan's Weblog 
The other issue to consider is how we get from A (no holistic methodology in place to control the movement of data) to B (well-defined global policies incorporating a high degree of visibility into data relationships and consistently enforced by policy enforcement points). In my opinion, this is a central question in the evolution of identity management (which to my mind is a higher-tier but related issue to which clients get to connect to the network and what they are authorized to do once they are connected). Is there a way for all the existing siloed logic to be transformed through an abstraction layer, or does it effectively become marooned over time as we move to a horizontal transfer of identity information and binding of metadata to identity state using standardized protocols? Incumbent vendors are clearly going to have a preference for the more incremental approach, but they are going to have to pick up the pace here.
Chris,
Having dealt with the inability to implement a nac solution due to the complexity in having related and dependent network components be anything but static during the implementation, I will wholeheartedly agree with you that putting the intelligence inside the network pipes is not the way to go. Along with your other blog entries speaking of reperimeterization (US spelling of a word not in the dictionary by habit :-) I think it makes complete sense to target the efforts as close to the points of which you are trying to protect. let the network in general run free, as long as you can control the significant systems in terms of identity-based access control and sanitary bytes reaching those points. Products are just making their way to the market that provide solutions in this realm, and there will be a whole cycle of methodologies and approaches before we reach a unified way to do this. and by then of course, there will be new challenges and problems to face, which is why we all will have gainful employment for years to come….