Posted by: David Davis
Today I had a personal conference call with representatives from Nevis Networks. The purpose of the call was to find out what the Nevis Networks NAC solution offered, as compared to other NAC solutions.
In my opinion, the NAC marketplace is truly in a “mess” right now, with vendors making all sorts of claims and end users (like myself) scratching our heads, trying to make “heads or tails” of it.
The Nevis Networks NAC solution is unique, for one reason, because their offering is only INLINE. The advantage to that is that they can truly do something about that malicious traffic.
One of the problems with NAC solutions today is the “Briefcase Bypass”. That means that partners & guests need to be allowed into the network. Because of this, everything becomes a threat. And, because of that, you need ubiquitous security, or security everywhere. Thus, security has to be IN the NETWORK, NOT at the endpoints.
The solution presented by many companies (Microsoft and Cisco included) is perimeter security. Perimeter security cannot do all that is needed because it isn’t “in the network”.
Here were my notes on the various options currently in use today:
- Desktop – security in “userland” doesn’t help (AV, AS, HIPS) – in fact those apps can even become the hole
- Zone security – chunks of security – like securing a submarine – that doesn’t work & it’s not “identity aware” – ISS & TippingPoint, or Check Point or Juniper firewalls
- Network Admission Control – pre-connect to the network (lets you on the VLAN or not), doesn’t consistently know your identity, just checks you, then puts you on the network – doesn’t know what bad stuff you might be doing – has a bot on the PC just awakened?
Plus, what do you do about legitimate users that are malicious? They pass all the checks but still have malicious intent?
To me, and to Nevis, IDENTITY is really the key – you need to know and be able to verify who is who. You aren’t trying to stop devices or MACs, or IPs, you are trying to stop users or roles (made up of users).
Nevis predicts that Microsoft will be the biggest winner in the NAC/NAP market. As people upgrade to the new Windows platforms, NAP will be the big winner. Nevis extends NAP into the network & protects non-NAP devices.
The Nevis appliance runs inline between switches that you don’t want to rip out. The further you are from the threat, the more you allow the threat to spread. The appliance gives them the visibility that they have never had before – it knows about all the REAL USERS, besides just IP and MAC address.
You don’t want end users to be blocked with no reason why. Nevis provides feedback to the end user: they are notified by a custom message with a reason why. No other NAC vendors are doing that.
Nevis customer GEHA has documented its entire NAC deployment project with an unbiased technical blog at www.bumpinthewire.com.
I really like the Nevis security lifecycle:
Nevis has a ton of whitepapers on their website covering a variety of NAC topics. I hope you will check them out.
In conclusion, I would say that while Cisco and Microsoft get all the NAC press, there are a ton of other, very valid, and even more complete NAC options out there that network admins, like us, should check out before opting to just “go with Cisco” or “go with Microsoft”.
What do you think? What has been your NAC experience? Have you checked out anyone besides Microsoft & Cisco?