Thursday, August 30, 2007

The Great NAC Robbery

From Dark Reading's "News Feed" (aka industry press release feed) comes a purported success story about an intermediate school district in Texas that has implemented Mirage Networks' NAC. Reading stuff like this makes me ill. There are several components of this scenario that are offensive to my sensibilities and common sense in general.

First, K-12 schools have very real, very unique security challenges. (I speak from experience. My early work with firewalls, content management, security monitoring, incident response, forensics, and working with law enforcement all came from working for a school district for the latter half of the 1990's.) But rogue devices (the problem that NAC should be positioned to solve) shouldn't be one of them, at least not a big one. Simple network design and segmentation should cut down on accidental cross-over from student/library/commons networks, and then physical supervision (you know, teachers, librarians, parapros, etc.) can be used to cut down on students intentionally plugging in laptops in classrooms or offices.

Secondly, NAC is the wrong fix for Sasser. Patching a 4-year old vulnerability is the right fix. If your patch cycle is over 4 years, then you have no patch cycle, and with or without NAC, you've lost. Using NAC to 'ban' all of your unpatched workstations from the internal network may save your unpatched servers, but kicking out legitimate users on internal machines is still an overall loser for IT. Functionally and politically, this can't be sustained.

Thirdly, school money is taxpayer money. School administrators - especially facilities and IT folks - hate to be reminded of it, but it's true. This is a nice win for the account manager at Mirage that pulled it off. K-12's can be tricky to sell into, and they typically have tight budgets with limited or no dedicated spending for security. An ISD like Round Rock will actually encompass several local school districts, and RRISD itself consists of over 40 schools, plus admin offices and bus garages. At that size, there's pretty much no way this wasn't at least a 6-figure expenditure. And for what? A temporary fix for a problem that could've been solved with $20K of server hardware and WSUS? If I lived in Round Rock, TX, you can be sure I'd be at the next board meeting asking questions.

1 comment:

Doug said...

I agree, it sounds like a big win for the sales person but money better spent on other things.

On a sort of related note, do you have a suggestion (besides NAC) for pinpointing a rogue access point on a lan from the wired side? I worked on an issue recently where someone plugged in a (non-rogue) access point wrong after an office move, and suddenly we had unwanted DHCP traffic that caused some issues.

It was actually found by wardriving the remote sites, but I wondered if there was another way. If we had better management software for our network hardware that would have helped, and of course moving to segmented VLANs is high on the to do list. Filtering DHCP was one thing that came to mind, but that is more of a workaround. Setting up the switches to only allow approved MAC addresses was another thought, but the hassle factor is pretty high.