April 25, 2008
One Fewer Excuse for Deploying Policy (aka NAC)
While most network staff give a nod to the general idea of policy-based networking, there have been a number of hurdles to its adoption, not the least of which is a need to understand the current state of the endpoints on the network.
Without knowing what is happening with the endpoints, it's virtually impossible to know the implications of implementing policies. Answers to questions like, "How many non-compliant systems do we have?" "What kinds of non-Windows endpoints do we have?" and "What kinds of non-compliance issues are the most prevalent?" are exceedingly difficult to gather manually.
Enter Great Bay Software's Beacon Endpoint Profiler.
The Beacon (as I reported after testing it in February 2007) scans your network and profiles the endpoints, giving you a clear picture of the environment you're actually facing.
Great Bay hasn't been resting since then, and is announcing at Interop their new capabilities -- in concert with their announcement of their expanded relationship with Juniper -- to handle up to 100,000 endpoints with a single Beacon.
The capability to scan networks this large is a clear indication of the progress that policy-based network deployments are making. During my conversation with Great Bay President Steve Pettit yesterday, we discussed the progress that many enterprises are making in moving their pilot systems into enterprise-wide deployments, and the advantages to those enterprises that use automated tools in the planning and design process.
The return on investment for these kinds of tools is exceptional. For example, gathering information on 50,000 endpoints manually is unimaginable. Using an automated system to collect the information and provide reports specifically targeted at the implications for policy deployment is the clear answer.
As it becomes clearer that the role of the infrastructure is not simply to pass traffic, but rather to protect both itself from attack and the endpoints from each other, deployment of policy-based infrastructures is a requirement. Tools like the Beacon Endpoint Profiler are keys to making this transition as friction-free as possible for end users.
After all, their productivity is the purpose of IT.
Posted by Stephen Hultquist on April 25, 2008 09:13 AM
April 02, 2008
Managing Switches for Policy-Based Networking
My recent blog post about Lockdown Networks' demise seems to have struck a chord. I've heard from a few enterprise users and product vendors as a result, and NetClarity recently disclosed their patented approach for connecting to switches in existing infrastructures.
The point is this: it's not about access control. It's about actually designing an infrastructure that complies with policies that help you protect your infrastructure and key assets to the extent possible.
This takes work. It takes thinking about your network infrastructure, considering possible design changes to enable enforcement, creating the policies that reflect your requirements, and then deploying policy management solutions that enforce the policies.
It's not complex, but it is challenging. It takes a focus on what you want to allow and what you want to deny. Even if you don't deploy a policy enforcement solution, you should be determining what your policies are. Otherwise, you are living in a fantasy world regarding how your network is designed and what is happening on it.
What are your policies? What are you doing to enforce them?
Posted by Stephen Hultquist on April 2, 2008 12:29 PM
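The two posts above ask the same practical question from two sides: the profiler post asks how many non-compliant systems, how many non-Windows endpoints and which issues dominate, and this post asks what you intend to allow and deny. The following is an added example, not code from Great Bay Software, the Beacon product, or NetClarity. It assumes a profiler has already produced an inventory of endpoints as plain records (a constructed sample is embedded below), and the rule names and endpoint attributes are assumptions for illustration. It rolls the inventory up into those rollout numbers and evaluates an allow/deny policy against every endpoint before any enforcement is switched on.

```python
"""Answering the pre-deployment questions from an endpoint inventory.

Added example, not code from Great Bay Software, the Beacon product, or
NetClarity. It assumes a profiler has already produced an inventory of
endpoints as simple records (constructed below) and shows (1) how that
inventory answers "how many non-compliant systems", "which non-Windows
endpoints", and "which issues are most prevalent", and (2) how an
allow/deny policy evaluates against it before enforcement is switched on.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Endpoint:
    host: str
    os: str                    # profiled operating system, "unknown" if unprofiled
    av_current: bool           # anti-malware signatures up to date
    patched: bool              # OS patches at the baseline level
    role: str = "workstation"  # workstation, server, printer, phone ...


# Roles with no agent, so agent-based checks cannot apply to them.
AGENTLESS_ROLES = {"printer", "phone"}

# Policy rules: (name, needs an agent, predicate that is True when violated).
# The rule names are assumptions for this example, not any vendor's vocabulary.
RULES = [
    ("antimalware-out-of-date", True, lambda e: not e.av_current),
    ("missing-baseline-patches", True, lambda e: not e.patched),
    ("unprofiled-os", False, lambda e: e.os == "unknown"),
]

# Constructed sample inventory, standing in for a profiler's output.
INVENTORY = [
    Endpoint("ws-101", "Windows XP", av_current=True, patched=True),
    Endpoint("ws-102", "Windows XP", av_current=False, patched=True),
    Endpoint("ws-103", "Windows Vista", av_current=False, patched=False),
    Endpoint("mac-201", "Mac OS X", av_current=False, patched=False),
    Endpoint("lnx-301", "Linux", av_current=True, patched=True, role="server"),
    Endpoint("prn-401", "Printer OS", av_current=False, patched=False, role="printer"),
    Endpoint("phn-501", "unknown", av_current=False, patched=False, role="phone"),
]


def violations(ep):
    """Names of the rules an endpoint violates; agent-based rules are skipped for agentless roles."""
    return [name for name, needs_agent, violated in RULES
            if not (needs_agent and ep.role in AGENTLESS_ROLES) and violated(ep)]


def decide(ep):
    """Allow/deny decision the enforcement point would make for this endpoint."""
    return "quarantine" if violations(ep) else "allow"


def summarize(inventory):
    """Roll the inventory up into the numbers a policy rollout plan needs."""
    issues = Counter()
    non_compliant = 0
    for ep in inventory:
        v = violations(ep)
        if v:
            non_compliant += 1
            issues.update(v)
    non_windows = Counter(ep.os for ep in inventory if not ep.os.startswith("Windows"))
    decisions = Counter(decide(ep) for ep in inventory)
    return {
        "total": len(inventory),
        "non_compliant": non_compliant,
        "non_windows": non_windows,
        "issues": issues,
        "most_prevalent": issues.most_common(1)[0][0] if issues else None,
        "decisions": decisions,
    }


if __name__ == "__main__":
    s = summarize(INVENTORY)
    print(f"{s['non_compliant']} of {s['total']} endpoints would be quarantined")
    print("non-Windows endpoints by OS:", dict(s["non_windows"]))
    print("issues by prevalence:", s["issues"].most_common())
    for ep in INVENTORY:
        print(f"  {ep.host:8} {ep.os:14} -> {decide(ep)} {violations(ep)}")
```

Running it against the sample inventory reports that four of seven endpoints would be quarantined and that out-of-date anti-malware is the dominant issue, which is exactly the kind of number that decides whether a rule ships on day one or is staged. The agentless-role carve-out is the point worth dwelling on: a printer cannot run an agent, so applying agent-based checks to it produces a false non-compliance count and, once enforcement is on, an outage rather than a protection.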
March 27, 2008
In a comment on my recent blog entry regarding Lockdown Networks' departure from the marketplace, "Brian" takes issue with my comment that standards always win in the end.
While it's clear that you need to take the time to consider which standards to support (whether de facto or de jure), it is equally clear that over any reasonable stretch of time, communications systems will consolidate around standards. Using Brian's example, even though ISDN never caught on in residential lines in the US, it became ubiquitous in many countries around the world, and still delivers last mile PRIs in many locales in the US.
The comments I made about standards in the context of policy-based network security are vitally important for organizations recognizing their needs for that security. To adopt proprietary, closed systems at the current level of maturity of the emerging standards is unwise.
Where the standards exist, engage technology that uses them. Where they don't, focus on those solutions from companies committed to the emerging standards or accept the probability that your approach will be relatively short-lived.
After all, standards benefit customers primarily, by providing greater choice. Companies that create products in competition with standards are broadcasting their disinterest in competing on a level playing field and their preference for relying on their installed base as their primary advantage.
I've been around long enough to remember when, "No one [got] fired for buying IBM." The company name has changed a few times over the years, but that unfortunate idea is still around.
Isn't it better to solve the long-term problem with effective, standards-based solutions than to play it safe with a closed, proprietary system that relies on the herd mentality?
Posted by Stephen Hultquist on March 27, 2008 09:07 PM
March 25, 2008
A NAC for policy enforcement: Lockdown Networks, RIP
About three years ago, I was one of a core group of network engineers sitting at the Interop Hotstage facility working through the details of policy-based networking and the Interop Lab that we were designing to demonstrate it. There were a number of players in the marketplace, and it was clear that the technology was reaching a tipping point. In the intervening years, "NAC" (for Network Access Control) became a classic hyped technology, with dozens of companies creating products for the market, a number of established companies relabeling their existing products, and the confusion of multiple semi-compatible standards efforts.
Last week, yet another sign of the maturing of the market appeared when one of those companies involved in that early Interop demonstration announced that it was ceasing operations. Lockdown Networks is no more.
Although Lockdown Networks is not the first company to depart the market, it is perhaps one of the more widely deployed to do so. In Lockdown's announcement, the company cited "overall economic trends and slower than predicted adoption of Network Access Control (NAC) technology" for its failure to secure additional investment capital. However, its announcement was grist for industry insiders to expand the conversation surrounding the NAC and policy-based product marketplace.
And I think there is validity to their postulations.
If there are any key lessons that we can learn from the past waves of network-related technology, the first two are these:
1. Standards win
2. In-line devices collapse into the infrastructure
Although the marketplace is still far from consolidated, products from a broad range of providers, including Cisco and Microsoft (whom we will be reviewing in the not-too-distant future), Enterasys, McAfee, Symantec, and Trend Micro (see our comparative roundup), and ConSentry (reviewed in February), demonstrate that companies already deeply involved in enterprise infrastructure understand the necessity of policy enforcement to protect that infrastructure from both rampant malware and the ever-present threat of data breaches.
You ignore policy enforcement at your own peril. Ignoring the risk will make you more vulnerable. Trying to implement without design won't work, either.
The focus of your decisions around policy implementation is directly related to the granularity of your policies, the importance of your information infrastructure, and the critical nature of your data. Only you can decide.
Given that, though, infrastructure-centric solutions to policy enforcement make the most sense. Whether in your switches, endpoint security agents, or the systems that manage these and other network components, policy management that integrates with the components that actually see the traffic and client characteristics is the logical choice, don't you think?
Posted by Stephen Hultquist on March 25, 2008 10:18 AM