Hi, I don't think NAC is so complex! Try www.consentry.com regards Orhan @ Oracle Corporation
Oracle
Now we have established that the cost of rolling out NAC is at least less than an Oracle ERP system rollout...
PacketFence
You might want to look at PacketFence:
http://www.packetfence.org
They released a new version of the "Zero Effort NAC" last week and it's getting easier and easier to deploy. See http://www.packetfence.org/dokuwiki/doku.php?id=announce_zen_1.7.1 for the full announcement.
NAC is too expensive
Problem is vendors like HP tempt you with a $2500 well-reviewed box yet leave out the fact you have to buy client licenses regardless, to the tune of $30,000. Too high for an SMB.
PacketFence not a solution for large shops
From their website:
PacketFence Mode
Which isolation method is best for you? PacketFence provides the following trapping mechanisms:
* ARP
* DHCP
* VLAN (v1.7)
ARP will allow you much more control over policy violations, but requires that PacketFence has a local interface to that network (must sit in front of the router). DHCP allows you to have one PacketFence system in a remote location controlling many, many networks (Router will Relay DHCP requests). The downside to this is you must replace your existing DHCP server with PacketFence, Static IPs can bypass isolation, and DHCP lease time will need to expire (50-100% of lease time) before host can be put in isolation. VLAN isolation is available in 1.7.
---------------
None of these modes will work for us (100 sites, 30,000+ nodes), and all of them have holes one can drive a truck through. Why implement NAC that is not really capable of securing access?
We have been looking at NAC for years, and the only solution that will work without client software, bottlenecking appliances, or holes is to fork-lift out all the edge switches and replace with NAC-capable gear.
So, we continue to wait and watch.
But there is a difference!
You wrap up your column by referring to Firewalls, IPS, and VPNs as technologies that businesses rely on. There is a huge difference between those successful technologies and NAC. They are all network security solutions. NAC is a hybrid host-network infrastructure play. It is doomed.
(yeah, yeah, VPN can be host-network as well. And it is a pain to manage. Wait until you add X.509 health certificates to that as Microsoft NAP does. Ouch!)
60000 nodes in 90 days
Sophos did it with one of the largest customers in the world. Ask why Sophos deployments are 100% successful.
Tim Greene no expert
How come you don't read any Gartner NAC references?
Article is unclear
Increasingly and unfortunately, Tim's articles are becoming a clutter of disjointed pieces of info/quotes. It seems he picks up a few words from what he hears from cold calling sales reps and mashes them up in an article. This is rather unfortunate, for Network World is a widely read site and the quality of articles is going down.
comment is unclear
I think if you re-read the story, you'll see that Tim did not cold call any sales reps. He did talk to enterprise NAC customers and key industry analysts, however.