Much is being made of a presentation at Black Hat by Ofir Arkin of Insightix. In that session, Arkin "raised questions" about the ability of Network Access Control technologies to do what they say they can do. Without the benefit of having actually seen the presentation, my sense of it is that the paradigm of NAC itself was questioned. And rightly so, because one version of that paradigm may be broken.
Defending the Network
Nearly all of the language around IT security (especially network security) still lives in the Middle Ages: in the days of castles and moats and walls (made of fire, inevitably) and defense. Network security is a constant battle, a daily walk of siege mentality. One problem: the business guys keep demanding that the walls have holes in them. This problem led Jim Allchin of Microsoft to use the more-than-awkward phrase "semi-permeable firewall" back in 2002.
Network access control (especially as it exists in the Cisco and Microsoft product sets) is still wrestling with this metaphor of a "semi-permeable" firewall. Those products are trying to come to terms with the idea that *context* is really the key to network health and security. Context, in turn, demands understanding the role that any given individual or device is playing in the network. And understanding roles leads one *firmly* into the land of identity. The real issue with NAC is the missing steps of context and role.
Vendors that *are* working on the context and role problem (vendors like Identity Engines, Trusted Network Technologies, ConSentry and Forescout) are beginning to find a marketplace awakening to a post-medieval paradigm. Lessened in importance are the castle walls, moats and forces of defense, while knowing who someone is, what they want to do and whether or not they have the right to do it is being elevated. Innovative NAC vendors are now beginning to tip-toe into a new paradigm that operates on that old John Cougar Mellencamp ditty - "When the Walls Come Tumbling Down."
Postscript: I debated going with the Pink Floyd, "Another Brick in the Wall" ending, but thought Mellencamp more appropriate. I'd be interested in hearing your thoughts.