Seriously, this really wasn't a thread about NAC. It's a great soundbite to get people chatting (arguing) but there's a bit more to it than that. I didn't really mean to offend those NAC-Addicts out there.
My last post was the exploration of security functions and their status (or even migration/transformation) as either a market or feature included in a larger set of features. Alan Shimel responded to my comments; specifically regarding my opinion that NAC is now rapidly becoming a feature and won't be a competitive market for much longer.
Always the quick wit, Alan suggested that UTM was a "technology" that is going to become a feature much like my description of NAC's fate. Besides the fact that UTM isn't a technology but rather a consolidation of lots of other technologies that won't stand alone, I found a completely orthogonal statement that Alan made to cause my head to spin as a security practitioner.
My reaction stems from the repeated belief that there should be separation of delivery between the network plumbing, the security service layers and ultimately the application(s) that run across them. Note well that I'm not suggesting that common instrumentation, telemetry and disposition shouldn't be collaboratively shared, but their delivery and execution ought to be discrete. Best tool for the job.
Of course, this very contention is the source of much of the disagreement between me and many others who believe that security will just become absorbed into the "network." It seems now that Alan is suggesting that the model of combining all three is going to be something in high demand (at least in the SME/SMB) -- much in the same way Cisco does:
The day is rapidly coming when people will ask why would they buy a box that all it does is a bunch of security stuff. If it is going to live on the network, why would the network stuff not be on there too or the security stuff on the network box.
Firstly, multi-function devices that blend security and other features on the "network" aren't exactly new.
That's what the Cisco ISR platform is becoming now, what with the whole Branch Office battle raging, and back in '99 (the first thing that pops into my mind) a bunch of my customers bought and deployed WhistleJet multi-function servers which had DHCP, print server, email server, web server, file server, and security functions such as a firewall/NAT baked in.
But that's neither here nor there, because the thing I'm really, really interested in is Alan's decidedly non-security-focused approach to prioritizing utility over security, given that he works for a security company, that is.
I'm all for bang for the buck, but I'm really surprised that he would make a statement like this within the context of a security discussion.
That is what Mitchell has been talking about in terms of what we are doing and we are going to go public Monday. Check back then to see the first small step in the leap of UTMs becoming a feature of Unified Network Platforms.
Virtualization is a wonderful thing. It's also got some major shortcomings. Just because you *can* run everything under the sun on a platform doesn't mean that you *should*, and often it means you very much get what you pay for. This is what I meant when I quoted Lee Iacocca when he said "People want economy and they will pay any price to get it."
How many times have you tried to consolidate all those multi-function devices (PDA, phone, portable media player, camera, etc.) down into one device? Never works out, does it? Ultimately you get fed up with inconsistent quality levels, so you buy the next megapixel camera that comes out with image stabilization. Then you get the new video iPod, then...
Alan's basically agreed with me on my original point discussing features vs. markets and the UTM vs. UNP thing is merely a handwaving marketing exercise. Move on folks, nothing to see here.
'nuff said.
/Hoff
(Written sitting in front of my TV watching Bill Maher drinking a Latte)