Thursday, August 27, 2009

A Closer Look At the Cisco NAC Profiler

This is another one of my online experiments. As long as it appears useful, I am going to track the “significant issues” about the Cisco NAC Profiler raised by other analysts, journalists and vendors; continue to collect data and arguments; and strive to clearly separate fact, opinion and bias. The goal is to help readers better understand what the NAC Profiler CAN and CANNOT do for them in their own particular networks and organizations. If this “goes well” I will extend the idea to other products. You and the referenced authors are encouraged to comment and raise new issues and perspectives.

Issue 1: Standalone Profiler?

“The products actually do good things in a Cisco context, except that NAC Profiler requires the NAC Appliance. The discovery and reporting concept is important enough to stand by itself, and what good is NAC Appliance going to do for a printer or phone or physical security system anyway? Cisco screwed up the initial NAC release by requiring a complete network refresh, now Cisco introduces the NAC Profiler that requires the additional expense of a NAC Appliance infrastructure. They should unbundle the network profiler, and expose its ability to move up the stack to detect servers.” (Source: Eric Ogden, Security Analyst, Ogren Group - original post)

CORRECTED FINDINGS: According to Cisco, customers CAN purchase a standalone “profiler” from Great Bay Software and operate it without the Cisco NAC Appliance. What does this mean? (1) Cisco will NOT sell or support this system. (2) It will collect data about endpoints (type, location and behavioral attributes) passively, through network mapping, an SNMP trap receiver/analyzer and passive network analysis of NetFlow-enabled network devices, and through active inquiry, and it will store all of that data in a device inventory database. (3) It will NOT automatically block unauthorized or misbehaving devices, because those functions require integration with the NAC Appliance. (4) You will need your own hardware to run the Profiler Collectors, which would otherwise be installed on the Cisco NAC Appliance.

Issue 2: It’s simply an OEM Product

“Since the NAC Profiler is just an OEM of the Great Bay software, users could choose to deploy it in isolation. I see this more as Cisco trying to make the NAC Appliance more functional, and struggling at it.” (Source: Michelle Mclean, Product Marketing Manager, Consentry - original comment)

FINDINGS: Integration of the NAC Profiler with the NAC Appliance automates the detection and blocking of unauthorized and misbehaving non-authenticating devices. The two management interfaces are also integrated, so both data sets are presented in a single interface on the NAC Manager. In the Cisco edition of the GBS software the Profiler collection engine is co-resident on the NAC Application Server, eliminating the need for separate collector servers. And finally, the customer enjoys Cisco support worldwide.

Issue 3: More Value Than NESSUS?

“Would having the NAC Profiler by itself be interesting, meaningful, or valuable? Not if all it does is repeat what Nessus or other tools already do. But if it does a lot more (besides telling you a printer can’t do 802.1X authentication) then that might be interesting.” (Source: Mitchell Ashley, CTO & GM, StillSecure - original post)

FINDINGS: NESSUS simply scans the endpoint, as it is a vulnerability detection tool. In contrast, NAC Profiler scans the endpoint AND collects a lot of data about endpoint behavior through a combination of DHCP snooping, SNMP traps, NetFlow data and SPAN port monitoring. Its mission is to detect aberrant behavior, which can mean an attack is already underway. Read the Cisco NAC Profiler Installation and Configuration Guide for details.

Issue 4: Is NAC Profiler Effective?

“It’s an interesting feature, but the big unknown is how accurate Profiler’s discovery and classification is. We have never tested Great Bay’s software so we can’t speak to its accuracy; having tested all manner of passive discovery devices over the years, we have found that the classifications were usually accurate but not 100%. Often not even 75%, and sometimes less.” (Source: Mike Fratto, Network Computing - complete analysis)

FINDINGS: No behavior-based security system is “100% accurate”: it looks at multiple data points and then estimates the likelihood that a specific event is occurring, with an assigned level of confidence (not certainty). Think about all the network and host intrusion prevention software deployed around the world. So Mike is simply raising an unresearched potential issue. Since Great Bay’s customers are enthusiastic about this product, GBS must be doing something right!
Mike, I recommend you discuss your concern with GBS and report what you learn. You owe them that courtesy after “casting a shadow” on their product.
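The profiling argument behind the findings on Issues 3 and 4 (several passive observations combined into a device class with a confidence level rather than a certainty, then outbound behavior checked against what that class should be doing) sketched as an added Python example. This is not Cisco's or Great Bay's code; the record layout, the OUI and DHCP hints, the weights and the sample data are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records standing in for what passive collectors (DHCP snooping,
# SNMP, NetFlow/SPAN) would hand a profiler; not the GBS/Cisco schema, OUIs invented.
DHCP_EVENTS = [
    {"mac": "00:11:22:aa:bb:01", "vendor_class": "Hewlett-Packard JetDirect"},
    {"mac": "3c:d9:2b:aa:bb:02", "vendor_class": "MSFT 5.0"},
]
# (mac, direction, remote_port, flows): "in" = peers reached the endpoint, "out" = it initiated.
FLOW_RECORDS = [
    ("00:11:22:aa:bb:01", "in", 9100, 40),  # print jobs arriving: expected for a printer
    ("00:11:22:aa:bb:01", "out", 22, 35),   # a "printer" opening SSH sessions: aberrant
    ("3c:d9:2b:aa:bb:02", "out", 443, 120),
    ("3c:d9:2b:aa:bb:02", "out", 22, 3),
]
# Each passive observation votes for a device class with a weight (constructed values).
OUI_HINTS = {"00:11:22": ("printer", 1.0), "3c:d9:2b": ("printer", 1.0)}
DHCP_HINTS = {"JetDirect": ("printer", 2.0), "MSFT": ("workstation", 2.0)}
LISTEN_HINTS = {9100: ("printer", 1.5), 445: ("workstation", 1.0)}
# Remote ports a device of each class is expected to initiate connections to.
EXPECTED_OUTBOUND = {"printer": {53, 123, 161, 443}, "workstation": {22, 53, 80, 443}}

def classify(mac):
    """Weighted vote over all evidence; confidence is the winner's share, never a certainty."""
    votes = defaultdict(float)
    oui_class, weight = OUI_HINTS.get(mac[:8], (None, 0.0))
    if oui_class:
        votes[oui_class] += weight
    for event in DHCP_EVENTS:
        if event["mac"] == mac:
            for needle, (cls, w) in DHCP_HINTS.items():
                if needle in event["vendor_class"]:
                    votes[cls] += w
    for m, direction, port, _ in FLOW_RECORDS:
        if m == mac and direction == "in" and port in LISTEN_HINTS:
            cls, w = LISTEN_HINTS[port]
            votes[cls] += w
    if not votes:
        return "unknown", 0.0
    best = max(votes, key=votes.get)
    return best, round(votes[best] / sum(votes.values()), 2)

def aberrant_flows(mac, min_flows=10):
    """Outbound flows a device of the assigned class is not expected to make."""
    cls, _ = classify(mac)
    allowed = EXPECTED_OUTBOUND.get(cls, set())
    return [(port, n) for m, d, port, n in FLOW_RECORDS
            if m == mac and d == "out" and port not in allowed and n >= min_flows]
```

Note that the second endpoint's OUI hint and DHCP vendor class disagree, so it is classified with a confidence below 1.0; that is the "accurate but not 100%" behavior the findings describe, and a real deployment would tune the weights from its own inventory.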
