Does Your NAC Deployment Work In A Virtual World?
NAC seems to cycle between red hot and long droughts of disinterest. I think it suffers serious issues, but the one that piques my interest the most is virtualization. NAC is in danger of being irrelevant in a virtual world.
Think about it:
- Server virtualization blurs segmentation models. What happens when all of the backend server resources are VMs? First, it means you have to worry about VLANs and subnets all over again. Second, advanced server tools like VMware's VMotion will mean servers are highly dynamic and can be quickly relocated to anywhere in the datacenter. But more importantly, it means that you need NAC inside your physical servers. Imagine you have two VMs located on the same physical server that can't communicate as per your access control policy. I've already come across one client deploying virtual NAC appliances on servers to limit machine connections based on endpoint status.
- Client virtualization proliferates MAC addresses and blurs endpoints. Running a hypervisor on a desktop or laptop allows multiple OSes to run simultaneously, each with its own virtual MAC address. How do you quarantine the physical machine and still allow compliant guest VMs to connect? How do you prevent a compliant VM from transferring data to a non-compliant VM on the same desktop? You can, by restricting IP addresses, installing NAC agents within each VM, or forcing VPN access, but these present significant granularity and cost tradeoffs, respectively.
- Application virtualization hides settings and blurs endpoint status. Application virtualization will change the way companies distribute apps to endpoints. But isolating an app in its environment can create an air gap between the OS and the application. If you use NAC to scan application settings and not just the basic system attributes like AV signatures, firewalls, and Windows update, then this can prove to be a problem. For example, you will not be able to enforce a NAC policy that requires your Internet browser settings to be set to medium or higher.
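To make the client-virtualization point concrete, here is an added illustration (not code from the post) of the quarantine decision when one physical desktop presents several MAC addresses. All names and the sample endpoints are hypothetical; the VMware OUI prefixes are real, and the per-MAC versus host-aware modes show the granularity tradeoff described above.

```python
# Added example, not from the original post: host-aware NAC decision for
# virtual endpoints. Endpoint names, hosts and sample MACs are constructed.
from dataclasses import dataclass

# Real OUI prefixes assigned to VMware virtual NICs: a MAC starting with one of
# these is a strong hint that the endpoint is a guest VM rather than a physical NIC.
VM_OUIS = ("00:50:56", "00:0c:29", "00:05:69", "00:1c:14")


@dataclass
class Endpoint:
    mac: str          # MAC address observed by the access switch
    host: str         # physical attachment point (switch port or hypervisor id)
    compliant: bool   # result of the posture check for this MAC


def is_virtual_mac(mac: str) -> bool:
    """True when the OUI belongs to a known virtual-NIC vendor prefix."""
    return mac.lower().startswith(VM_OUIS)


def assign_vlans(endpoints, host_aware: bool) -> dict:
    """Map each MAC to 'prod' or 'quarantine'.

    host_aware=False is the classic per-MAC decision: each MAC earns the VLAN
    its own posture deserves, but two guests on the same desktop can still
    exchange data inside the hypervisor, which the access switch never sees.
    host_aware=True quarantines every MAC on a physical host as soon as one
    endpoint on that host fails posture, closing that gap at the cost of
    granularity (the tradeoff the post describes).
    """
    bad_hosts = {e.host for e in endpoints if not e.compliant}
    decision = {}
    for e in endpoints:
        if not e.compliant or (host_aware and e.host in bad_hosts):
            decision[e.mac] = "quarantine"
        else:
            decision[e.mac] = "prod"
    return decision


# Constructed sample: one laptop exposing its physical NIC plus two guest VMs,
# and a second, unrelated desktop on another port.
SAMPLE = [
    Endpoint("00:1b:63:aa:bb:cc", "port-gi1/0/7", True),   # physical NIC, compliant
    Endpoint("00:0c:29:11:22:33", "port-gi1/0/7", True),   # guest VM, compliant
    Endpoint("00:50:56:44:55:66", "port-gi1/0/7", False),  # guest VM, fails posture
    Endpoint("00:1b:63:dd:ee:ff", "port-gi1/0/9", True),   # other desktop, compliant
]
```

Running `assign_vlans(SAMPLE, host_aware=True)` quarantines all three MACs on port gi1/0/7 while leaving the unrelated desktop on gi1/0/9 in production; the per-MAC mode quarantines only the failing guest.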
Bottom line: I think 2008 will see a significant culling of the NAC market, and the top-tier vendors will be those that handle virtual endpoints efficiently. I'd love to hear your thoughts. Has anyone attempted to marry NAC with a virtual infrastructure?