Experts debate NAC: usefulness and cost

Security experts Joel Snyder and Richard Stiennon debate the pros/cons of NAC, with Snyder arguing that NAC is extremely useful and Stiennon saying it isn't worth the expense.

Is NAC worth it? In Network World's first chat face-off, security experts Joel Snyder and Richard Stiennon debate the pros and cons.

Network World recently hosted our first chat face-off with two security experts who hold opposing views on the value of network access control. On the pro-NAC side was Joel Snyder (pictured, top) and on the con side, Richard Stiennon. Joel is a senior partner with Opus One, a consulting firm in Tucson, AZ, and a member of Network World Lab Alliance. He has been working with networks and information security since 1981 and has penned several books. Stiennon is a security consultant, popular speaker and founder of Seccom Global, a managed security service provider focused on unified threat management. He writes the Stiennon on Security blog for Network World. What follows is a full, edited transcript of the event.

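Moderator-Julie: We are ready to begin. Welcome to our guests.

Richard_Stiennon: Hello!

Joel_Snyder: Hello, everyone!

Moderator-Julie: Before we get to your opinions on the pros/cons of NAC, let's define the technology. Joel, what is your definition of NAC? (Richard, after Joel replies, we will ask you to answer this question.)

Joel_Snyder: What is my definition of NAC? ... OK, give me a second.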

Richard_Stiennon: Time's up.

Joel_Snyder: NAC is user-focused, network-based, access control. NAC changes how we do access control. That's the "AC" in NAC. And it's network access control. That's the "N." With NAC, What You Are Allowed To Do = Who You Are + Your Endpoint Security Status + How You Behave. That "equals sign" is not a static one, either; it's f(), a continuously evaluated function. This isn't discrete math class; this is calculus. Thus, What You Are Allowed To Do (ACCESS CONTROL) is continuously evaluated based on things that change, largely How You Behave.

Put simply, AC = Auth [authentication] + EPC [endpoint control] + NBAD [network behavior anomaly detection]. Anyone who does NAC gets to decide which of these three components is important, and how important. So you can have a NAC solution that is 100% EPC and 0% Auth and 0% NBAD. You can have one that is 100% Auth and 0% EPC and 0% NBAD. You can even have one where AC = 0%, because all they do is get a report.

If you look at Cisco's original product, and Microsoft's original product, they were all about EPC. There was 0% Auth, 0% NBAD, and even (in Microsoft's case) 0% AC. Everyone is allowed to pick whatever product solves whatever problem they have. Those guys were early adopters and solving an old problem: bad juju on corporate networks. They've moved on. And if they hadn't, that wouldn't be a problem either. We have multiple vendors not so everyone can compete for the same dollar, but so that different solutions to problems can exist. Products are not substitutable. Problems are not the same. All this is fine. NAC is a technology. Not a product. That's my definition.

Moderator-Julie: Richard, what is your definition of NAC?

Richard_Stiennon: Gosh. I would think that, as complicated as NAC is, it would be easier to define. Like: NAC is access control on steroids. It adds machine state, as in configuration, virus signatures, etc. to the access control equation. The concept was introduced by Cisco in 2003 as a solution to the problem created by MSBlaster: networks getting infected by laptops brought into work. Like other things on steroids NAC is prone to heart failure, internal bleeding, complications, and just plain ugly appearances.

Moderator-Julie: OK, second question: Joel, what do you see as the value of NAC? (Richard, after Joel replies we will ask for your response to this question.)

Joel_Snyder: Look, NAC is important for one key reason: it changes our focus. For years and years we've spent our time being focused on the perimeter. Then we started to look inside. But we have always been focused on IP addresses: poke hole in firewall for IP A to get to IP B on port C. The same is true with IPsec. Even though people have had the opportunity to do fine-grained VPN, no one does because the products make it a nightmare. Let's get some history in here.

Then SSL VPN came around and needed a hook, and the hook that caught was "per-user policy." All that blabbing about policy on firewalls was no good without tools, and suddenly the SSL VPN guys had it. We could put people into groups and focus on the USER for our security policy - which is as God intended it. Not the IP address, but the person. [Note: See VPNs: Six burning questions]

NAC is taking that USER-FOCUS and bringing it into the network world. It is the tool for doing user-focused, network-based access control. That's what NAC is, and why it's so exciting. And, of course, the "user" is really the sum of "the user person" and "the device they are using," since to network guys like me the user and the laptop/desktop are the same entity. NAC lets us take security where we couldn't take it before. That's why NAC is valuable.

Moderator-Julie: Richard, what do you think is the value of NAC and what would you say in response to Joel's answer to this question?

Richard_Stiennon: Ewww, hold on while I clear my palate. I am a network guy too but I do not want to go places I have not gone before. I agree that NAC changes focus. It changes it away from security and networking and towards infrastructure and desktops. At a detriment to overall security.

Moderator-Julie: Joel, do you have a rebuttal to Richard's response?

Joel_Snyder: You'd have to explain the detriment part to me, because I don't get it. (He opens the door wide...)

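Richard_Stiennon: OK, look at it this way. We are in an era of increasing threats. We have Chinese hackers in our networks, insiders stealing IDs and credit cards, bots and DDoS threats. And for some reason, in the midst of all this dramatic change, vendors such as Cisco, Microsoft and others want us to stop everything and implement their particular brand of binding between machine and network. NAC is not a security solution at all.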

Joel_Snyder: Are you making a zero-sum game argument here? That if we spend time on NAC, then we're not spending time on Chinese hackers? Because I don't think that the statement that NAC is not security is really defensible, honestly.

Richard_Stiennon: You bet. Most of the CIOs I know, not only have no extra budget this year but are being asked to reduce their spend.

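Joel_Snyder: Access control is one of the fundamental things we do in security.

Richard_Stiennon: We'd better get back to our definitions; I have no problem with user access control. I have a problem with endpoint access control.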

Joel_Snyder: You're implying that NAC is a net cost. I believe that it can be a net savings.

Richard_Stiennon: I believe NAC is a net cost *and* something that reduces value of the network to the enterprise.

Joel_Snyder: Well, I don't want to get into this "agree to disagree" nonsense, but ... no, it isn't, and no, it doesn't. :-)

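Moderator-Julie: Richard, if NAC is not the answer, what is the answer for enforcing endpoint security and other policies? (Joel, after Richard replies, we will ask you to answer this question.)

Richard_Stiennon: Oh, we *are* talking about end point enforcement?

Joel_Snyder: Um, Julie.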

Richard_Stiennon: I thought Symantec, Microsoft, BigFix had addressed that. I am a network guy. I don't deal with end points except that I have to use one. That is for the help desk guys.

Joel_Snyder: By definition, given that MSBlaster existed, Symantec, Microsoft, and BigFix can't have fixed it.

Richard_Stiennon: So for end point enforcement I would suggest talking to patch management companies. MSBlaster was essentially a zero day [exploit] for most enterprises. If they had had NAC fully deployed they still would have gotten hit.

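Joel_Snyder: Sure, patch management companies such as BigFix and Lumension (the old PatchLink) are an important part of some NAC deployments. The ones that need endpoint security. Not all NAC deployments require endpoint security. (See definition above...)

Richard_Stiennon: So, to do NAC we need multiple vendors' products to work together?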

Joel_Snyder: To do networking, you need multiple vendors' products to work together. Again, NAC isn't a product. It's a technology, like dynamic routing.

Richard_Stiennon: For networking, you get them to work together using a nice understandable protocol like TCP/IP. What is the NAC standard these vendors follow to make sure they work together?

Joel_Snyder: NAC standards are a separate issue, really completely orthogonal to whether or not NAC is useful. I agree we need better standards, we need better compliance to standards.

Richard_Stiennon: So you must have a case where interoperability is NOT needed, like an all Cisco solution?

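Joel_Snyder: No. At the Interop trade show iLabs, we had a dozen vendors together, all playing. You're not getting, I think, the point that NAC is a technology. It's not a product. I can put together - and have - a NAC solution that includes multi-vendor interoperability.

Richard_Stiennon: I agree, it is turning into a religion, which makes me an atheist.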

Joel_Snyder: Every NAC solution has interoperability. 75% of enterprises have Cisco. So NAC has to work with that. And 99.99% of enterprises have Windows. So NAC has to work with that. But interoperability, again, is deflecting us from the main question, which is: is it useful or not?

Richard_Stiennon: So NAC is a way to enforce the duopoly of Cisco-Microsoft? Your question presupposes that NAC is WORTH it.

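Joel_Snyder: Look, interoperability is a given. It has been proven, without Cisco's help. Let's get to the usefulness of the technology, rather than whether TCG/TNC have their act together.

Richard_Stiennon: So, what is the usefulness of NAC? It's obviously not threat protection.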

Joel_Snyder: Nothing is obvious. NAC is as I defined it is User-focused. Network-based. Access-control. It's useful because we've never had that before.

Richard_Stiennon: SO why do we need end points!!!??? User access control has been around since day one.

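Joel_Snyder: No, user access control has not. Yes, of course we've had authentication. Look at how many people have 802.1X on the LAN. Not many. Why? Well, the clients sucked. That got fixed. People were scared, because the analyst firms told them to be. And, most importantly, we had to manage it with no real tools.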

Richard_Stiennon: I was configuring RADIUS 14 years ago. It is needed and works.

Joel_Snyder: RADIUS doesn't mean we know who's on the other end of a hole in the wall.

Richard_Stiennon: So NAC is the answer to problems with deploying access control?

Joel_Snyder: Authentication by itself is interesting, but not interesting enough to make the pain of 802.1X worth taking on. Everyone knows that a new technology has a pain and a benefit/pleasure. If the pain is greater than the benefit, then it won't be absorbed. It's that simple. NAC lets us bring together a bunch of disparate pieces (802.1X, user-focused policy, end-point security, IDS/NBAD) and integrate them. That's what was missing. That's what's available today. That's where we are going. That's why NAC is interesting. That's why people are excited.

Richard_Stiennon: Let's talk about NAC's pain.

Joel_Snyder: Why do you keep deflecting from the question of whether it's useful? Pain. Interoperability. Let's stick to one topic.

Richard_Stiennon: I knew you were hot on Microsoft NAP, Joel, so I took some time to look at it. I am horrified. Look at all those components! A 2008 server to run System Health Validators, System Health Agents on SP3 and above machines, for IPSec you need an additional Health Registration Authority on presumably another Win08 machine (the same as your CA?), and an IPsec Relying Party EC on each desktop and server. (I am not even sure what those are but there are separate ones for wireless and wired access.)

So, when setting up an IPSec connection there is a server that issues a health certificate (x.509)? Is that before or after Phase 1? Phase 2? Is the certificate revoked after every session? What happens if the SHA determines the endpoint is no longer in compliance? Does it tear down the IPSec tunnel? Is the certificate revoked? How do all these things talk to each other? What protocols/ports do they use? I would not want to deploy something like this without paying a consulting firm millions of dollars. Scary stuff. .

Joel_Snyder: I'm not sure how to answer that. How about: "I don't think you're getting the point of NAP?" No one is particularly interested in NAP in IKE v1. What NAP makes interesting is the ability to have a STANDARD architecture for how end-point compliance will interact with the network and the PDP.

Richard_Stiennon: Then how do you check someone's machine state when they are VPNing in?

Joel_Snyder: The SSL VPN guys have had a great strategy for that for five years.

Richard_Stiennon: You just said standards are not part of the discussion of NAC's value.

Joel_Snyder: You're the one who brought up NAP. I'm still trying to keep us on topic of usefulness. Look, it's a technology. Many enterprises use it, but how they use it and where they use it varies depending on what problem they want to solve. As I see it, your vision of NAC is like you coming in and saying that Dynamic Routing is no good because RIP doesn't scale. Well, you'd be wrong on both counts: for some people who don't need scale, RIP is fine. And RIP is not dynamic routing, just as asking end points if they're infected is not NAC.

Richard_Stiennon: OK, let's discuss usefulness in some specific cases.

Joel_Snyder: OK. The Blue Ridge guys sent me a list of 11 of them yesterday :-)

Richard_Stiennon: Please mention ONE that is not EDU or MIL.

Joel_Snyder: What's the problem with EDU and MIL?

Richard_Stiennon: Having a product that addresses education and military needs does not an enterprise market make. That is niche.

Joel_Snyder: It's a frickin' huge niche. But, OK, let's get off that.

Richard_Stiennon: For those that address it, yep.

Joel_Snyder: OK, so here's a simple example, an organization that provides IT services to a BUNCH of small sub-organizations.

Richard_Stiennon: A MSSP [managed security service provider]?

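Joel_Snyder: No - let's say it's one of the large states in the U.S., and it's a semi-outsourced IT department. Each sub-department, such as the Senate, the House, etc., is a warring faction. In fact, every senator is at war with every other. In this particular case, the problem we solved is that every senator/representative/staffer needs to be "on their LAN" wherever they are in the capitol.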

Richard_Stiennon: Great application for network segmentation. VLANs within the network VDOMs at the IP layer.

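Joel_Snyder: No, VLANs don't work. In this case, they don't scale. But VLANs would work, if there weren't hundreds of them. In any case, it doesn't matter. What is key is that network users are assured that they are not being connected to the wrong part of the network. NAC helps. We have them authenticate, that assigns a group, and the group implies ACLs.

Richard_Stiennon: Oh no! Not ACLs! You are scaring me. What do you use to enforce, manage, and log those ACLs?

Joel_Snyder: Look, are you going to stay on topic or not? We're talking about usefulness here. Not the products they bought to make it work.

Richard_Stiennon: That is useful, but it should be solved with the network, not with host agents and a separate server. How much did it cost???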

Joel_Snyder: There was a need. The need was met. We used "NAC technology" to do it. In this case, there was no host agent. Turns out that, surprise, surprise, these guys use Windows and Microsoft seems to have given away what they needed. I don't know the total cost. Remember, it was a state legislature. Got hidden in the budget with the Blackhawk helicopters and private jets. But I can put it this way. No one needed to get authority to spend money, because it wasn't a lot.

Richard_Stiennon: So, are you saying that it is good to use existing deployments of technology to accomplish your goals?

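Moderator-Julie: We have a number of questions in the queue from attendees, so we are going to move on to answering as many as we can in the time remaining.

lucas_burke: In higher education, users can often add whatever devices they want to the network. You don't have the luxury of enterprise-level control. For me, NAC solves a lot of problems at once - like tracking stolen devices on my network, enforcing virus standards, shutting down rogue wireless APs, etc. Richard: is there a better way to do this than NAC? I'd love to hear it.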

Richard_Stiennon: I have a huge problem with the laissez faire network admin at higher education. Any protocol, any action is allowed. By deploying NAC you can have absolute control over someone with a misconfigured laptop/server but you refuse to put in the controls needed to stop them from hacking! Or otherwise abusing your system. Within most universities the health systems have already moved over to secure environments. The rest of the organization should look at that as well.

Danny: I believe we must focus on "endpoint security" as the primary traditional goal of NAC. Allowing clean access to the network. I have investigated several NAC solutions, and it appears there aren't viable ones without a true agent. Some may be perishable. I do take some exception to the comment from Joel before as I don't see how "interoperability is a given" if a particular NAC solution uses switches as the enforcement point with proprietary protocols (see a few little guys named Cisco, Nortel and Juniper to name some).

Joel_Snyder: Danny: I'm OK with you wanting to focus on endpoint security for yourself. As I wrote above, whatever it is you need to solve is your problem to solve, and if you want to concentrate on end-point security, that simply says what you want to concentrate on when you evaluate products. Having a good idea of what you want to do ahead of time will massively save you time. Actually, though, Juniper and Cisco for sure will work with standards-based RADIUS attributes. So when I say "interoperability is a given," I mean that it is a given because we proved it at Interop. See http://www.opus1.com/nac for our results. (I didn't mention Nortel because they didn't play, so I don't know if they will work within standards.)

phreno: Richard: Some NAC products offer behavioral policy enforcement. I can get identity, endpoint checks, and behavioral policy enforcement that stops botnets, DDoS attacks, etc. that do find a way onto the network. What other technology offers that?

Richard_Stiennon: Good question. That is where the IPS/AV industry is heading. Allow an infected end point to connect, but do not allow it to harm me. Filter out attacks at the edge. The capability you refer to in some "NAC solutions" is what they call post admission control. That is good but the action should be to drop packets, not end point connections.

chuck: One of the issues at my firm is the worry that vendors and contractors will plug into some LAN jack at one of hundreds of locations and spread malware onto the network. How do you solve this issue (affordably) when you have so many locations and you need to be able to check all that traffic?

Joel_Snyder: Chuck: What I usually call "guest access" is one of the huge drivers for people to look into NAC. Remember, also, that by my definition if you ONLY want to solve guest access, that's OK too.

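Richard_Stiennon: Simple to do too. Just authenticate against the network!

Joel_Snyder: There are two sub-topics here. One is that guests need to be on the inside, the other is that guests need to go outside. If the guests go on the outside, then you have lots of easy choices. One is that you can authenticate the legitimate users, and anyone who doesn't authenticate properly or isn't on the MAC OUI list (think VoIP phones, printers) gets dumped outside the firewall or onto a throw-away DSL line.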

If the guests go on the inside, then it's harder. You might want to differentiate here between guests and contractors that need internal access. But you can put a pile of CHEAP access controls on the switches you already have by simply recognizing them and doing a captive portal authentication. You can pay Cisco money for something like CCA [Cisco Clean Access, but the product is now called Cisco NAC Appliance], or go open source with similar solutions that only get in the way of the guests.

lucas_burke: Richard: networks and desktops aside, from an information security perspective - does NAC lower overall risk?

Richard_Stiennon: I believe NAC does nothing to reduce overall risk. It does not counter the malicious (or stupid) user. It does not stop a hacker from riding in on an authenticated machine, it does not counter zero-day worms. It is not actually a strong authentication solution at all, so you still have to layer that in.

Joel_Snyder: Can I quote from Saturday Night Live here? Jane...

Richard_Stiennon: You ignorant sl*t?

Joel_Snyder: Let's just say, "I disagree." If you can assert that it doesn't reduce risk, then I'll claim the opposite.

Richard_Stiennon: OK, Joel what would you do to prevent an end user from doing a DDoS against the Domain Controller? Or sniff the wire and steal accounts and get into the Oracle database?

Joel_Snyder: "It depends."

Richard_Stiennon: Will NAC be your answer?

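Joel_Snyder: One is that the domain controller should be protected by its own technology, including a firewall with some anti-denial-of-service technology.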

Richard_Stiennon: So you still need to layer security in? Even after spending big bucks on this NAC stuff? Why not just do the security and move on?

Joel_Snyder: Actually, that firewall should have been installed about 10 years ago.

Richard_Stiennon: Not at EDU it isn't.

Joel_Snyder: NAC isn't solving the problem of a DoS against a DC.

Richard_Stiennon: Or a malicious user doing anything, or any unwanted action on the network, such as injecting an infection!

Joel_Snyder: A malicious user might think twice about doing something if they knew that they were being positively identified every time they sat on the network. Actually, NAC helps a lot with infections.

Richard_Stiennon: Hey, that wasn't me, your NAC just didn't see the copy of MSBlaster2009 on my machine.

Joel_Snyder: Because NAC includes the continuously evaluated function of end-point compliance and end-point behavior, NAC gives us the tools to knock someone off who is misbehaving.

Richard_Stiennon: Host AV helps a lot with infections. I just spent a few million on it. You mean I need something else to make host AV work? What's up with that?

Joel_Snyder: Without NAC we don't have those tools, or we are reduced to using proprietary products to solve point problems. Yes, you need enforcement. That's the "AC" in NAC.

Richard_Stiennon: I already have those products. Why do I need Microsoft everywhere to enforce them?

Joel_Snyder: Every NAC deployment I've looked at, and everyone I've heard about, has a surprise factor.

Richard_Stiennon: mmm?

Joel_Snyder: The surprise is how UNcompliant PCs are with the host AV. Talk to the most Microsoft-savvy IT departments in the world. They'll tell you they were astonished at how low their compliance level was. And how hard it is to get it up.

Richard_Stiennon: So, why not protect against those machines with some active network technology?

Mike88: This question is for both Joel and Richard: My company is currently evaluating a solution to control user access and ensure machines are compliant before connecting to our network. My current anti-virus vendor is capable of delivering integrated NAC functionality that would solve these problems. Do you think that combining anti-virus and NAC is a good strategy?

Joel_Snyder: Mike88: I think that if you like EPC (end-point compliance) as part of your NAC solution, then having it integrated into NAC is a great way to simplify your deployment. If your A/V vendor will give you NAC for cheap or for free, take them up on it.

Richard_Stiennon: You have to answer a few questions. Do you have separate networking and desktop departments? Or are they same person. Don't forget Mike88, that by blocking access based on config you are going to have tons of new support calls. As Joel pointed out most machines are *not* compliant. Is it worth that pain?

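Joel_Snyder: NAC doesn't mean blocking. You can do reporting, as some enterprises have done.

Richard_Stiennon: That means quarantine and remediate, no? Otherwise, what the heck are we doing here?

Joel_Snyder: That's a sensible first step. It depends on how you get your head around the big picture. Authentication, quarantine, etc., don't all have to be automated. For some enterprises, the stocky guy with the nightstick at the door is "authentication." NAC is a solution, not a product. Get that tattooed on your head. NAC is a technology. Put that on the other cheek.

Richard_Stiennon: NAC is a problem, not a solution.

xyz: Richard - part of access control is the allocation of resources after successful authentication and authorization. How do we achieve this at the network level without massive ACL management?

Richard_Stiennon: Great question xyz. You need centralized IAM (identity and access management); tons of great solutions out there. Gartner has a whole conference coming on IAM. I would shy away from NAC too.

Joel_Snyder: I'm going to jump in here. Sean Convery just wrote a paper about NAC. (He doesn't like to call it NAC; he calls it Authenticated Network Architecture - ANA.) Anyway, the point he makes is that you don't need to have super-fine-grained access control lists to get a substantial reduction in risk.

Richard_Stiennon: *My* point is that you need to go to fine-grained access control to secure your enterprise.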

Joel_Snyder: Fine-grained is a spectrum. Aren't you the guy who just advocated VLANs? I'm saying that if you have coarse control, even go/no-go, that's a reduction in risk.

Richard_Stiennon: We agree.

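Joel_Snyder: You have to use people like Chris Hoff or Pete Lindstrom to figure out whether the marginal dollar spent is worth the marginal reduction in risk. And NAC can accommodate all of those, even simultaneously.

Richard_Stiennon: I just hate that "no-go" in NAC means you are getting kicked off the network.

Joel_Snyder: We do "no-go" all the time in wireless. That's NAC. Authenticate with 802.1X (hidden inside WPA). If you don't, no network.

Richard_Stiennon: The NAC definition bubble is expanding here.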

Joel_Snyder: AC = auth + EPC + NBAD. Same definition. But 0% EPC. Everything is consistent.

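Richard_Stiennon: Where is the policy???? That is the most critical function of access control. Policy, policy, policy.

Danny: Richard: you made an interesting comment earlier about user access control versus endpoint access control. Can you explain? Specifically, how does user-based access control help prevent infected computers from being on the network? Especially considering mobile "users" who can log in from various endpoints on and off the LAN?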

Richard_Stiennon: Actually I don't care about infected machines. If a user authenticates you care about what group they are in and what privileges to grant them. Their machine is another issue. Just filter out the bad stuff.

Danny: Joel: how well do you see mobile device OS, MACs, Linux being accommodated for in NAC technologies?

Joel_Snyder: Danny: "not well." Let me elaborate. Obviously, the main concern is the main deployment issue, which is Windows systems. So naturally, they are being handled better than anything else. Also, since EPC is not 0% for anyone following Rich's strategy of NAC, people are more concerned about EPC and EPS in general with Windows than they are with Treos and BlackBerry's (not that this is correct, but we can only fight the last war, right?).

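So I'd like better support for non-Windows devices (that's the real issue), and I hope that, with demand, it will come. In a pure authentication sense, they are already well supported.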

Richard_Stiennon: Here is my problem with NAC:

1. It is not a security solution at all. There is not a single aspect of any NAC product that protects the network from the malicious user.

2. It is not a zero-day protection. During the next outbreak NAC will do NOTHING to protect the network.

3. It introduces a new layer of technology whose PURPOSE is to block access to the network. Network admins spend most of their work week getting people ON the network. Introducing things that keep them OFF the network is not attractive.

4. It is almost trivial to bypass NAC. All you need to do is corrupt the local agent.

5. It violates Stiennon's first law of network security: Thou shall NEVER trust the endpoint to report its own state.

Moderator-Julie: We are out of time now. We have several more questions that we will forward onto Joel and Richard to answer in their blogs.

Joel_Snyder: I'm anti-blog. Don't have one, sorry. But I do have e-mail... you can find me by typing "Joel Snyder" into Google and clicking "I'm Feeling Lucky."

Moderator-Julie: The transcript for this chat will be available within 24 hours on m.banksfrench.com and in the archive section at m.banksfrench.com/chat/, as well as on Microsoft Subnet (www.microsoftsubnet.com) and Cisco Subnet (www.ciscosubnet.com). Also please join us for our upcoming chats. All are at 2 - 3 p.m. ET at //m.banksfrench.com/chat/

Wednesday, July 30 - Implementing WAN acceleration, with Jim Metzler

Tuesday, Aug. 19 - Facebook: Friend or foe? With Curt Monash

Richard_Stiennon: Bye all, and thank you very much.

Joel_Snyder: Bye bye. Keep it safe. Or something.
