Posted June 30th, 2006 I really like the current capabilities and promise of NAC. I do, however, have a problem with the abbreviation, specifically, the “A” in NAC. Which do people mean when they say NAC: “network admission control” or “network access control”? To me, there are big differences between the two.
NAC as Network Access Control
If you have an identity background, when you hear NAC, you think, “Oh, this is web access control for the network.” If that’s the case, then NAC needs to have some features that mirror web access control (WAC). For example:
• Identifying the user is key.
• There needs to be a centralized policy store that describes access control.
• There needs to be a fine level of granularity of those policies.
• There needs to be some modicum of single sign-on.
• There’s going to be some form of the proxy versus plug-in fight.
User authentication has always been a part of web access control, and network access control should be no different. WAC vendors have all sorts of mechanisms to authenticate the user, either directly or through other authentication providers. NAC vendors do too, but, I conjecture, not in the same way. There are two flavors here: explicit and implicit. Explicit NAC authentication involves the end-user in an authentication event; forcing the user to authenticate to RADIUS is a form of this. Implicit authentication reuses credentials already authenticated by something higher in the stack (like the operating system) and does not involve the end-user in an extra authentication event. Continue reading "NAC stands for what? Part 1"...
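To make the explicit flavor concrete, here is an added example (not part of the original post) of what “authenticating to RADIUS” puts on the wire: a minimal Access-Request / Access-Accept exchange per RFC 2865, with both the NAS side and the server side. The shared secret, the user database and the Request Authenticator are constructed sample values; only standard-library modules are used.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

# Constructed sample values for this demonstration (not from the post).
SECRET = b"s3cret-shared-with-nas"            # shared between NAS and RADIUS server
USER_DB: Dict[bytes, bytes] = {b"alice": b"correct horse battery"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to a multiple of 16, then
    XOR each block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator. Keyed obfuscation, not authenticated encryption."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                          # chaining uses the ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding, so (as in real RADIUS
    deployments) passwords must not end in NUL bytes."""
    if len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    attrs: Dict[int, bytes] = {}
    while payload:
        if len(payload) < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[:2])
        if length < 2 or length > len(payload):
            raise ValueError("bad attribute length")
        attrs[attr_type] = payload[2:length]
        payload = payload[length:]
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of an explicit authentication event: the user's own credential
    goes on the wire in an Access-Request (Code 1)."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def handle_access_request(packet: bytes, secret: bytes, user_db: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password, check it, reply with Access-Accept (2)
    or Access-Reject (3). The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which is what
    lets the NAS tell a genuine Accept from a spoofed one."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    supplied = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = user_db.get(username, b"")
    ok = username in user_db and hmac.compare_digest(supplied, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    reply_attrs = b""                         # no reply attributes in this example
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def verify_response(response: bytes, identifier: int, request_auth: bytes,
                    secret: bytes) -> Optional[int]:
    """NAS side: return the reply code only if the Identifier matches and the
    Response Authenticator checks out; None means forged, tampered or misrouted."""
    if len(response) < 20:
        return None
    code, resp_id, length = struct.unpack("!BBH", response[:4])
    if resp_id != identifier or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code


if __name__ == "__main__":
    req_auth = os.urandom(16)                 # fresh per request, never reused
    request = build_access_request(42, b"alice", b"correct horse battery", SECRET, req_auth)
    reply = handle_access_request(request, SECRET, USER_DB)
    print("reply code:", verify_response(reply, 42, req_auth, SECRET))   # 2 == Access-Accept
```

Two things worth noticing when you read the exchange this way. The User-Password attribute is hidden with an MD5 keystream keyed only by the shared secret and a per-request nonce, so the secret's strength and the transport (IPsec or RadSec in practice) are what actually protect the user's credential. And the only thing stopping someone on the path from turning a Reject into an Accept is the Response Authenticator, so a NAS that skips that check is not really doing admission control at all.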
Posted June 12th, 2006 That question was asked by a guard at Department of Homeland Security’s headquarters. Bruce DeCell, a retired New York City police officer, presented identification. What he actually presented and was accepted as valid ID is quite amazing. You have to read this Washington Times article to believe it.
Clearly, Mr. DeCell’s name was matched against the list of vetted guests for the day. Other than his name, no other component of his ID was even remotely examined. This isn’t much different from the “check the name game” that the TSA has us go through at airports.
It seems pretty simple to me: if you are going to ask for identification, at the very least you ought to examine the entire piece of identification, not just the name, not just the picture.
Further, if people are checking credentials, they need trustworthy systems to validate those credentials.
At least DHS did one thing well: after (poorly) authenticating Mr. DeCell, it escorted him constantly. You can come in, but I am going to watch every move you make.
Posted June 12th, 2006 Phil has released his fourth Identity Fallacy – Identity is Monolithic. After reading it, I could almost hear the choir of meta and virtual directory companies rise up in praise. This is what they have really been talking about all these years, but they often lacked the distance from the problem to express it so clearly.
To continue his train of thought, if I may: although identity is not monolithic, our perception is that our identity is monolithic. There is one me. I may have many contexts in which I work, live, play, and shop, but at the bottom of it, that is still me. This mindset is getting people out there in trouble.
You keep track of your various bits out there. You do not have all that data on your computer or phone, but you have a bunch of it. Applications like Keychain on the Mac aid your memory by providing pointers to other bits of you. You keep track of things that aren’t immediately recognizable as you, such as your characters in MMORPGs and your alter ego on MySpace, where you profess to be a lot more interesting than you really are. (See Mark’s musings on that one.) Continue reading "You are the best virtual directory on the market"...