Alright I will take the bait. I am a sucker for a good troll. :-) Alan Shimel, chief blogger for NAC provider StillSecure, came away from RSA pretty upbeat about the prospects for NAC. His likening me to the Grinch refers to my frequent cries of protest that NAC is worthless. I guess he is afraid that I will ruin the Christmas morning pay off that the NAC vendors hope for.

First the background: NAC of course was a concept invented by Cisco's marketing department in 2003 to counter a problem caused by RPC Decom based worms such as MSBlaster. Even organizations with great firewalls and desktop security were getting damaged by infected laptops brought into work. The concept was simple: have the network inspect those laptops to see if they were properly configured with software updates and virus signature updates before letting them on the network. That is Network Admission Control, and as Shimel points out it is rather hard to accomplish. Most of the NAC players changed their approach and marketing so that "Admission Control" morphed to "Access Control". Don't get me wrong, I have been a huge proponent of user access control ever since being exposed to Enterasys Networks' concept of identity based networking. You have to restrict an end user's access to applications, data, and portions of the network to protect yourself against the insider threat.

Like Shimel at RSA I met with a bunch of so-called NAC vendors. There was at least one there that was downright depressed. You could tell they where the next LockDown. I won't mention which vendor because I would hate to be accused of hurrying their demise. I then met with the firm that my buddies at Gartner use as an example of NAC getting traction. (Sorry Alan, it was not StillSecure.) After spending a year in the UTM space which is already pushing $500 million/year by one measurement, it was like putting on magnifying spectacles to evaluate their business: 40 employees, a few tens of $millions in revenue and a whole lot of excitement about the education market.

NAC was created to solve the problem of users bringing infected laptops on to the network. And that is why there is no large market for NAC. For every type of organization, other than higher-ed, technologies are already being deployed that solve the problem. To wit: patch control, desktop protection, and internal network segmentation.

I am sorry Alan, NAC is not a viable business model for a vendor and for the enterprise it is added complexity and cost that reduces network access while doing nothing for enhanced security. Not a security solution? How can I say that? Easy:

1. NAC does nothing to stop the malicious user with a clean computer from having their way with your network.

2. A zero-day infection will infect properly configured machines with up-todate signatures.

3. NAC violates Stiennon's first and only rule of network security "Thou shall not trust an end point to report its own state." Just as IP address and MAC addresses are spoofed regularly by hackers, machine state can be spoofed.

NAC is a great enforcement tool when you have a body of users that descend on your network every semester with out of date machines from multiple vendors, with multiple OS's and you can deny them access until they are up to snuff. That is the only place that model works. And even at Universities I believe they will eventually figure out that it would be a lot simpler to manage network security effectively than to worry about desktop configuration all the time.

Put it this way: Can you secure your network without NAC? Yes. Does NAC in anyway reduce your overall costs? No. Does NAC tie you down to one vendor's eco-system? Yes, if you go down the Cisco, Juniper, or Microsoft route. Does NAC make you more secure? No.

Then why would you invest in NAC?