Comments on: Snyder and Stiennon Debate NAC; ANA Makes Guest Appearance http://www.seanconvery.com/weblog/2008/07/30/snyder-and-stiennon-debate-nac-ana-makes-guest-appearance/ Ruminations on Identity Management for Networks Wed, 07 Jan 2009 05:15:50 +0000 http://wordpress.org/?v=2.6 By: chijioke obiekezie http://www.seanconvery.com/weblog/2008/07/30/snyder-and-stiennon-debate-nac-ana-makes-guest-appearance/#comment-47283 chijioke obiekezie Sat, 18 Oct 2008 10:01:28 +0000 http://www.seanconvery.com/weblog/?p=129#comment-47283 I am presently carrying out a research on NAC boundaries because it seems to comprise a lot. would be glad if you can throw more light on the peculiarities of NAC detailing it's authentication process and cryptography technique involved. thanks Chijioke MSc student Wireless network(QMUL) I am presently carrying out a research on NAC boundaries because it seems to comprise a lot.

would be glad if you can throw more light on the peculiarities of NAC detailing it’s authentication process and cryptography technique involved.

thanks

Chijioke
MSc student
Wireless network(QMUL)

]]> By: Sean http://www.seanconvery.com/weblog/2008/07/30/snyder-and-stiennon-debate-nac-ana-makes-guest-appearance/#comment-47183 Sean Fri, 08 Aug 2008 17:02:23 +0000 http://www.seanconvery.com/weblog/?p=129#comment-47183 Hi Bozidar, Thanks for the pointers, I read your post. I agree NAC has been tough to implement. That's why I've spent the last couple years focusing on establishing the identity controls that provide meaningful audit and compliance actions rather than looking at only the health of the machine (typically the focus of NAC). I think machine health is actually the least important factor in a network identity decision because there are so many controls already on the endpoint to enforce this. This is the core focus of the ANA paper and why I think a small number of roles in a network coupled with comprehensive authentication is an enormous benefit to most organizations. I'd love your feedback. Thanks, Sean Hi Bozidar,

Thanks for the pointers, I read your post. I agree NAC has been tough to implement. That’s why I’ve spent the last couple years focusing on establishing the identity controls that provide meaningful audit and compliance actions rather than looking at only the health of the machine (typically the focus of NAC). I think machine health is actually the least important factor in a network identity decision because there are so many controls already on the endpoint to enforce this. This is the core focus of the ANA paper and why I think a small number of roles in a network coupled with comprehensive authentication is an enormous benefit to most organizations. I’d love your feedback.

Thanks,

Sean

]]> By: Bozidar Spirovski http://www.seanconvery.com/weblog/2008/07/30/snyder-and-stiennon-debate-nac-ana-makes-guest-appearance/#comment-47178 Bozidar Spirovski Wed, 06 Aug 2008 12:25:22 +0000 http://www.seanconvery.com/weblog/?p=129#comment-47178 The debate of the detail level of NAC controls is entirely moot. Naturally, in large organizations both IT and auditors recommend a lesser number of groups with different privileges, since it is much easier to control and manage the infrastructure. But the main point that the article misses is the actual success of implementing a NAC infrastructure - it is still a solution laced with problems and difficulties. And this fact is actually the main driver to minimize the number of profiles - the less profiles, the easier to debug and recover from issues I did a series of interviews on the topic within a company, from CEO down to NetAdmin. You can read the conclusions here http://www.shortinfosec.net/2008/06/network-access-control-solution-with.html Bozidar Spirovski http://www.shortinfosec.net The debate of the detail level of NAC controls is entirely moot. Naturally, in large organizations both IT and auditors recommend a lesser number of groups with different privileges, since it is much easier to control and manage the infrastructure.

But the main point that the article misses is the actual success of implementing a NAC infrastructure - it is still a solution laced with problems and difficulties. And this fact is actually the main driver to minimize the number of profiles - the less profiles, the easier to debug and recover from issues

I did a series of interviews on the topic within a company, from CEO down to NetAdmin. You can read the conclusions here
http://www.shortinfosec.net/2008/06/network-access-control-solution-with.html

Bozidar Spirovski
http://www.shortinfosec.net

]]>