Network World chats

Experts debate NAC: usefulness vs. cost

Security experts Joel Snyder and Richard Stiennon debate the pros/cons of NAC, with Snyder arguing that NAC is extremely useful and Stiennon saying it isn't worth the expense
By Julie Bort , Network World , 07/23/2008

Network World recently hosted our first chat face-off with two security experts who hold opposing views on the value of network access control. On the pro-NAC side was Joel Snyder (pictured, top) and on the con side, Richard Stiennon. Joel is a senior partner with Opus One, a consulting firm in Tucson, AZ, and a member of Network World Lab Alliance. He has been working with networks and information security since 1981 and has penned several books. Stiennon is a security consultant, popular speaker and founder of Seccom Global, a managed security service provider focused on unified threat management. He writes the Stiennon on Security blog for Network World. What follows is a full, edited transcript of the event.

Moderator-Julie: We are ready to begin. Welcome to our guests.

Richard_Stiennon: Hello!

Joel_Snyder: Hiya everyone!

Moderator-Julie: Before we start with your opinions on the pros/cons of NAC, let's define the technology. Joel, what is your definition of NAC? (Richard, after Joel replies we will ask for your response to this question.)

Joel_Snyder: What's my definition of NAC? ... OK, give me a sec.

Richard_Stiennon: Time's up.

Joel_Snyder: NAC is User-Focused, Network Based, Access Control. NAC changes how we do access control. That's the "AC" in NAC. And it's NETWORK Access Control. That's the "N". With NAC, What You Are Allowed To Do = Who You Are + Your Endpoint Security Status + How You Behave. That "equals sign" is not static either; it's f(), a continuously evaluated function. This is not discrete math; it's calculus. Thus, What You Are Allowed To Do (ACCESS CONTROL) is continuously evaluated based on things that change, largely How You Behave.

In simpler terms, AC = Auth [Authentication] + EPC [End Point Control] + NBAD [Network Behavior Anomaly Detection]. Anyone who does NAC has to decide which of these three components is important, and how important. Thus, you can have NAC solutions which are 100% EPC and 0% Auth and 0% NBAD. You can have some which are 100% Auth and 0% EPC and 0% NBAD. And you can even have some where AC = 0%, because all they're doing is getting a report.

If you look at Cisco's original product, and Microsoft's original product, they were all about EPC. There was 0% Auth, 0% NBAD, and even (in Microsoft's case) 0% AC. Everyone is allowed to pick whatever product solves whatever problem they have. Those guys were early adopters and solving an old problem: bad juju on corporate networks. They've moved on. And if they hadn't, that wouldn't be a problem either. We have multiple vendors not so everyone can compete for the same dollar, but so that different solutions to problems can exist. Products are not substitutable. Problems are not the same. All this is fine. NAC is a technology. Not a product. That's my definition.

Moderator-Julie: Richard, What is your definition of NAC?

Richard_Stiennon: Sheesh. I knew NAC was complicated but I thought it would be easier to define. Like: NAC is access control on steroids. It adds machine state, as in configuration, virus signatures, etc., to the access control equation. The concept was introduced by Cisco in 2003 as a solution to the problem created by MSBlaster: networks getting infected by laptops brought into work. Like other things on steroids, NAC is prone to heart failure, internal bleeding, complications, and just plain ugly appearances.

Moderator-Julie: OK, second question: Joel, what do you see as the value of NAC? (Richard, after Joel replies we will ask for your response to this question.)

Joel_Snyder: Look, NAC is important for one key reason: it changes our focus. For years and years we've spent our time being focused on the perimeter. Then we started to look inside. But we have always been focused on IP addresses: poke hole in firewall for IP A to get to IP B on port C. The same is true with IPsec. Even though people have had the opportunity to do fine-grained VPN, no one does because the products make it a nightmare. Let's get some history in here.

Then SSL VPN came around and needed a hook, and the hook that caught was "per-user policy." All that blabbing about policy on firewalls was no good without tools, and suddenly the SSL VPN guys had it. We could put people into groups and focus on the USER for our security policy - which is as God intended it. Not the IP address, but the person.

NAC is taking this kind of USER-FOCUS and bringing it into the world of the network. It is a tool for doing USER-FOCUSED NETWORK-BASED ACCESS CONTROLS. That's what NAC is, and why it's so exciting. And, of course, the "user" is actually the sum of "the user person" and "the device they're using," since to a network guy like me the user and the laptop/desktop are the same entity. NAC lets us take security where we couldn't do it before. That's why NAC is valuable.

Moderator-Julie: Richard, what do you think is the value of NAC and what would you say in response to Joel's answer to this question?

Richard_Stiennon: Ewww, hold on while I clear my palate. I am a network guy too but I do not want to go places I have not gone before. I agree that NAC changes focus. It changes it away from security and networking and towards infrastructure and desktops. At a detriment to overall security.

Moderator-Julie: Joel, do you have a rebuttal to Richard's response?

Joel_Snyder: You'd have to explain the detriment part to me, because I don't get it. (He opens the door wide...)

Richard_Stiennon: OK, look at it this way. We are in an era of greater and greater threats. We have Chinese hackers in our networks, insiders stealing IDs and credit cards, bots and DDoS threats. And for some reason during all of this violent change vendors such as Cisco, Microsoft, etc. want us to stop everything and implement their particular brand of binding between machines and networks. NAC is not a security solution at all.

Joel_Snyder: Are you making a zero-sum game argument here? That if we spend time on NAC, then we're not spending time on Chinese hackers? Because I don't think that the statement that NAC is not security is really defensible, honestly.

Richard_Stiennon: You bet. Most of the CIOs I know not only have no extra budget this year but are being asked to reduce their spend.

Joel_Snyder: Access Control is one of the fundamental things we do for security.

Richard_Stiennon: We better get into our definitions; I have NO PROBLEM with user access control. I have LOTS of problems with end point access control.

Joel_Snyder: You're implying that NAC is a net cost. I believe that it can be a net savings.

Richard_Stiennon: I believe NAC is a net cost *and* something that reduces the value of the network to the enterprise.

Joel_Snyder: Well, I don't want to get into this "agree to disagree" nonsense, but ... no, it isn't, and no, it doesn't. :-)


Comments (1)
Oh boy...here we go again.. By david.oberry on July 23, 2008, 7:27 pm

You make my head hurt sometimes Richard! This is gonna be real quick and so I am sure there will be holes and even if there are not I am sure you will purposefully...
