Security expert Joel Snyder of Opus One recently appeared as a guest in a live Network World chat to discuss the state of network access control. Snyder says that Microsoft is emerging as one of the clear winners of NAC, but that Microsoft's technology is a foundation from which to build, not an end-all. He also says that those who are anti-NAC simply don't understand the technology. He answered a slew of technical questions from attendees, including why ACLs are better than VLANs, the dirty dark corner of NAC (management), the how and why of 802.1X, and why some anti-NAC experts have it completely wrong. What follows is a full transcript.
Moderator-Keith: Please welcome security expert Joel Snyder, senior partner with the consulting firm Opus One in Tucson, Arizona, and a member of the Network World Lab Alliance. Today's chat will focus on the facts and fiction about NAC, answering what NAC products can and cannot do, including drawbacks with wireless technology, plug-in and integration issues, and more.
Joel_Snyder: Keith, it's great to be here!
Moderator-Julie: While waiting for Joel to type up answers to the first questions rolling in, here's a pre-submitted question: You just got back from Interop Labs with a lot of NAC testing. What are the most interesting things you learned?
Joel_Snyder: Thanks for having me! I'll pitch the Interop Labs NAC resource site (http://www.opus1.com/nac/). A bunch of our white papers (about 13 of them), all of our device configurations, classes on NAC, and basically about 90 MB of stuff that we've gathered and learned about NAC. The really interesting thing we noticed is that things are finally beginning to converge. We ran a nice little graphic (click on the "Click to see" diagram) in NWW last week talking about the family trees, and the key is that people seem to be willing to let Microsoft take a leading role in NAC. So we really focused on that: what comes built-in with XP SP3 and Vista? And then how do you extend things if you don't like what's built-in? We definitely had other policy decision points besides MS NPS---Cisco, Avenda Systems, Juniper, and Radiator, plus FreeRADIUS sort-of. Even on the client side, there are interesting things. For example, you can add more system health agents/verifiers, or you can go for other supplicants, or you can do non-Windows or pre-XP SP3 operating systems, or you can worry about other devices, like cameras and VoIP phones and printers. What we ended up with was about a dozen demonstrations, all showing what you need for a complete NAC solution. And it really focused on "let's start with Microsoft and work from there." Far better than having three silos that don't work together, as we did in the past. [Editor's note: Also check out Network World's NAC Buyer's Guide, which compares dozens of NAC products.]
Brian: I've been asked to investigate .1x for port-based authentication. I have reservations recommending this for production use because of the mixed clients on our 1,000-node LAN (Macs running 10.4 and 10.5, PCs with Windows 95 to Vista). I think support would turn into a nightmare, plus I don't know of anyone using .1x. What are your thoughts?
Joel_Snyder: I hear you. 802.1X is outstanding technology, but you do have to have client support. Macs 10.4/10.5 are no problem - it's all built-in. For Windows, though, you're going to be restricted to Win 2000 SP3 and later. Of course, the Juniper guys are going to say you should go with Odyssey, which has a unified experience and supports earlier Windows versions and is great stuff and I can vote for that as well. Support nightmare? Hard to say. I'm of the belief that once you work through the initial problems, you end up having lower support calls. It's going to depend on what your environment is. If you're talking an education market, that's one thing. If you're talking an enterprise, I think it's manageable.
By the way, it's 802.1X, not 802.1x. Common mistake, but if you use the upper-case version you'll have the l33t privilege of correcting some of your vendors, too.
fyatim: We've seen some consolidation in the NAC space. Can you give an update on the NAC market and where it's headed?
Joel_Snyder: Towards Microsoft, for sure. The key is that the desktop is EVERYTHING and Microsoft is making the right noises about standards and openness, making things work in the big picture. So we've already seen Microsoft and the Trusted Computing Group (TCG) get together, and I think it's only a matter of time before we also see the other vendors like Cisco at least have a good accommodation of the Microsoft Network Access Protection (NAP) framework.
RalphSam2: I work for a large company. We have about 30K employees in 500 sites across North America. Management wants to see centralized NAC. All product evaluations are going badly. What is good for large sites (more than 1,000 people) is not good for small sites (less than 10). What should we do?
Joel_Snyder: Well, boy, that's a softball. Of course, you should hire Opus One to help :-) But seriously, I think you need to step back and figure out what it is you care about most in your NAC deployment. Are you doing this for access control? For endpoint security? You have to narrow down what it is you want, and then you can put together a solution that will work based on your requirements. I agree there's no one-size-fits-all answer, but I think that if it's designed correctly you can do it. What we saw at Interop is the ability to move from VLANs (which certainly won't work at small sites) to access control lists (ACLs), which work and scale beautifully. If you haven't gone down that path, I'd suggest thinking along those lines. A lot of the small guys are hung up on VLANs, and that just doesn't scale.
Shirley: Can you say more about why you think ACLs are better/more scalable than VLANs for network access control? It seems to me that ACLs can get very large if your network isn't easily summarizable. How do you choose between them?
Joel_Snyder: Good question and thanks! The deal with VLANs that I don't like is that we have already burned them in most networks. We're using them for other things, and making changes to the VLAN infrastructure is hard unless you have a green-field network, which no one does. However, with ACLs, you can push onto the EXISTING VLAN structure and not have to screw with it. This also solves the hand-waving problem of getting people to jump around VLANs as they go into and out of quarantine, which (as a Mac user) I really feel for. Very true that the ACLs can get ugly, but I am thinking that you aren't going for total control at the port level, but broad swaths of control. If you want LOTS of ACLs, then you need to go with specialized hardware: Consentry, Nevis, and I think that HP is talking that talk as well. I'm really bullish on ACLs now that Interop's Labs helped prove that they work. We're talking about anterior cruciate ligaments here, right?
Tom2342: Since Microsoft's NAP client doesn't itself provide anywhere near the amount of endpoint data that some other vendors' NAC clients provide, why would you bother with it at all?
Joel_Snyder: Dude. The NAP client is just a foundation. You don't just do everything Microsoft says, right? They provide a great base and you build on top of it to meet your needs. If you're a small site, you stick with them. But if you have Symantec, then you layer SEP 11 on top using the NAP SHA/SHV. If you have McAfee, same deal. Sophos, same deal. We tested Avenda and Blue Ridge in the lab, all sitting on top of NAP. The reason you start with Microsoft is that they know their own O/S better than anyone else, so that maximizes the ability to interoperate. And then you take your preferred end-point security partner and put it on top using the SHA/SHV model. It is totally clean and totally extensible.
Moderator-Julie: Pre-submitted question: TCG/TNC just announced IF-MAP. What's that all about and what do you think of it? [Editor's note: TCG's NAC scheme is called Trusted Network Connect (TNC).]
Joel_Snyder: IF-MAP is very cool. We were lucky because TCG gave us early access under NDA, and we were able to get a white paper out on it at the same moment it was announced. Talk about a scoop! Anyway, IF-MAP is all about having a structured way to store, correlate and retrieve identity, access control, and security-state information about users and devices on the network. The cool thing about IF-MAP is that it's not just for NAC, although that's the first step. It's a way to eventually bring together a whole world of policy and state information that has been completely proprietary, or not even feasible, in the past.
I am totally stoked about IF-MAP because I think that this has been one of the main things missing from standards-based NAC and it closes a huge hole. I hope that we get great adoption. The TNC guys seem to have about a half-dozen vendors all already including IF-MAP in their products that they were demoing in their booth at Interop. Aruba, ArcSight, Juniper, Lumeta, nSolutions, Infoblox were all doing the demos.
RandyJ: I'm looking to implement NAC on our campus next year. We're a wireless campus with some wired. I've just talked to a lot of different vendors. What are the top two companies you'd recommend, and why?
Joel_Snyder: Well, it depends, which one is buying you lunch? Honestly, though, I can't answer that very easily without knowing exactly what you're trying to accomplish. The obvious answer is Bradford, because they understand and do education better than anyone else (in my testing, anyway). They are built around education issues, so that's going to be well suited. From there, it's hard to say. I'd look to see what other partners you have good relationships with and see if they can meet your needs. In other words, if you're an Enterasys shop, go talk to them. Foundry, etc.
Leo: Can you comment on the relationship between Microsoft and Cisco on NAC right now and project its future? True cooperation and division of labor? Or a collision ahead?
Joel_Snyder: Hard to say. There are a lot of personalities involved. I'd say that right now we've got two titans who are hard-pressed to cooperate trying to figure out a modus vivendi. Even if there is a lot of joy together, it is inevitable that Microsoft and Cisco will have different interests in the long run. I don't see a big collision, because Microsoft's primary interest is in the desktop and Cisco has no intention of competing there. Things like NPS might go by the wayside as Cisco readies new versions of their NAC management solution and completely re-architects ACS and the CCA stuff. What I personally see is that Cisco owns 74% of the switch market and Microsoft owns 95% (or more) of the desktop market and that's not going to change too much in the long run. So I would look to Cisco for leadership in the areas that they are strong: switching, wiring closets, etc., and Microsoft for leadership in the areas that they are absolutely top in: desktop. Having either cross into the other's territory seems like danger.
WillBean11: The title of the chat is 'fact and fiction,' so what are some of the 'fictions' surrounding NAC that we should be aware of?
Joel_Snyder: Oh, good question. What are the top myths about NAC? How about that it's all about end-point security? We have some luminaries on our own staff who seem confused about that. NAC is about ACCESS CONTROL and NETWORKS, and USER FOCUS. That's the biggest confusion. Another one: that a NAC product solves your needs. I haven't seen a network larger than 100 devices where a single vendor solution answered all problems. Let me see if I can think up more as we go along...
Moderator-Julie: I think you're referring to Rich Stiennon on his Stiennon on Security blog. He called it "Don't even bother investing in network access control," where he did a big NAC attack. Got any response?
Joel_Snyder: I think that Rich is a pretty bright guy, but a lot of his thinking about NAC is colored by a bit of tunnel-vision about what NAC is good for. He's really focusing on the end-point security stuff, and his comments in that area are pretty solid. But he's very lost when it comes to the big picture, because he's not thinking of NAC except through this very narrow view. If you really step back and understand what NAC is all about, then you see that Rich is focusing on about 1/4 of the solution. I don't think that he's intentionally misleading anyone; he just has a definition of NAC which is really restrictive and not at all in concert with what the rest of the NAC world believes in.
Ricky: Do you have any suggestions for handling non-Windows machines, or "non-OS" devices in general - for example IP phones, cameras, medical devices, etc.?