Monday is NAC Day at Interop. This day-long mini-conference at Interop Las Vegas dives deep into all things network access control. The event is an opportunity for networking professionals to get a solid technical understanding of this maturing network security technology. SearchNetworking.com spoke with NAC Day chairman Joel Snyder and got a preview of what attendees can expect to get out of the event. Snyder is a senior partner at...
the Tuscon, Ariz.-based consulting firm Opus One.
For those who have never before been to NAC Day at Interop Las Vegas, could you describe generally what it is like? What do attendees typically learn about network security from the event?
Joel Snyder: NAC Day is all about NAC technology and the issues we have in deploying NAC in modern networks. I don't like "high level" talks; I'm a real technologist, so we spend most of our time digging deep into the technology. The day is divided into a number of large sections, but the key drivers for the content are:
1. What is NAC, really, deep down, at the technology and networking level?
2. What is it like to deploy NAC, and how do I have successful deployments?
I don't want to reproduce what people can get off the Internet and out of other people's white papers, so I like to dive into the various issues that I have seen both in deploying NAC and in talking to people who have chosen not to deploy NAC for one reason or another.
Also, after lunch, we have a panel of vendor tech people who will help give their experiences from the field.
Describe how the agenda for this year's NAC Day differs from last year's event.
Snyder: The big changes are in the area of standards-based technology. Generally, the major vendors have started to oscillate toward a common idea of how to do NAC and why to do NAC, and this has colored all of the material. Someone who has been to NAC Day before probably will not get a whole day's worth of new material out of this, but someone who has never been should find it great.
What are some of the major misunderstandings about network access control?
Snyder: People haven't come to a common definition of NAC, which means that there are many different ways to apply this technology. What people don't understand well is how to deal with the dark corners of NAC deployments -- how to handle things like VoIP phones and old switches and printers and so on. The goal of NAC Day is to try and get people to a common definition, and when we have a good base to work from, we can dive into all of these hard topics -- like where to put NAC -- and come up with a nice solution set.
How are enterprises using network access control these days, and how has it changed over the years?
Snyder: Well, this is a very new technology, so it's hard to really come up with an answer to this question that doesn't sound silly. But, in general, early NAC adopters were responding to some particular pain point, such as guest access or a need to support a particular audit requirement.
Now that these first requirements have been met, we are seeing a different set of enterprises look to NAC based on a broader set of requirements. They are not diving into a single solution to their problem but doing NAC as part of a broader assessment of security in their networks.
What's your overall assessment of the NAC market today? Are vendors going in wildly different directions with this network security technology, or are they all generally running in the same direction?
Snyder: Well, a combination of both. Vendors are consolidating, as is always the case in a new market with a lot of froth. And while there are a lot of vendors that are going down the TCG-like [nonprofit standards body Trusted Computing Group] NAC path, there are still some that have very different ideas on how to do NAC. This can range from small vendors like Napera, which is taking a hardware approach, to folks like Forescout, which is going with a very detection-oriented way to handle NAC. The nice thing about this diversity of deployment is that if you don't like a TCG-style NAC approach, there is probably an alternative view of NAC that will help you out.
What are some of the most common mistakes you see in a network access control implementation, and how can they be avoided?
Snyder: The biggest mistake I see is people going for NAC because it's a buzzword and not because they have a defined requirement. Because this is a technology and not a simple point solution product, there are lots of reasons why you might want to put NAC into your network. But you have to explicitly give that reason, not just, "Oh, well, we saw a presentation and thought it would be a good idea." If you can't state your requirement for NAC in a few simple declarative sentences, then this technology is really not for you.