You make my head hurt sometimes Richard! This is gonna be real quick and so I am sure there will be holes and even if there are not I am sure you will purposefully misinterpret things to create them! ;)
1. It is not a security solution at all. There is not a single aspect of any NAC product that protects the network from the malicious user.
Huh? The aspect of what becomes reputation services and therefore what gives you access to what resources is not a security concept? That is just the very top level of that really. Much more can be said...
2. It is not a zero-day protection. During the next outbreak NAC will do NOTHING to protect the network.
This really depends on what the agent is at the client-side. I think your narrow definition of NAC is really what is hanging you up here.
3. It introduces a new layer of technology whose PURPOSE is to block access to the network. Network admins spend most of their work week getting people ON the network. Introducing things that keep them OFF the network is not attractive.
Wrong. The purpose of NAC is to GIVE access to the right folks. It is just the front-line at the most basic level with enhancements up the chain as things go along. Hell, half the problem we have is pundits defining this thing ad nauseam the way they need to in order to either sell a solution or sell the anti-solution. Some of you have created the very worst of the confusion about NAC and of course the vendors have not helped renaming everything under the Sun to try and be a NACLY. Remember the little i everyone put on stuff? Now it is a little e? Same concept...
4. It is almost trivial to bypass NAC. All you need to do is corrupt the local agent.
First of all, the evolutionary aspect of that space should include addressing the challenge of distributed peer review. Integration of things of that nature with beacon points on the network can begin to create a threat-state database that also involves NBAD/NIM... whatever the heck people want to call it... that will allow certain more advanced agents to protect themselves and the network quicker.
5. It violates Stiennon's first law of network security: Thou shall NEVER trust the endpoint to report its own state.
First of all, when you quote one of your own laws you make me nervous! The lying endpoint is a serious challenge, and as things progress that will be solved a number of ways. That does not mean that we simply stop moving forward while we wait for that magic to happen, ya know? There are a number of ways, again, dealing with how the client can potentially be more secure based on advancing virtualization concepts, how peers around a client see it, how the flow-points see it, how the core sees it, and how the network as a whole sees the endpoint, that will lead to enhanced network visibility that is not dependent solely on the endpoint. If we cannot figure out the endpoints and flow-points at least contributing, how the heck do you expect us to scale as bandwidth and attack vectors explode? Core protection from a massively parallel unlimited-bandwidth UTM?
Wait, are you selling some gigantic UTM box or something?
*grins*
I guess we should just stand to the side and hope, right? Based on what I read here we should probably also remove all malware detection from endpoints, right? Let the keyloggers and trojans just roam free, correct? You don't care about that, right, because you know that is the Desktop Support guys' issue? W T H?
Come on! Good grief man! I would swear that you are simply being obtuse on purpose. :)
*takes some Advil*
Yer killin me.
David