I guess maybe if you sell to the .edu crowd a lot, after a while you start thinking that all of your users are juvenile. As a result you start thinking in terms of your product protecting against adolescents who are not smart, mature or capable enough to take care of themselves. You start thinking of yourself and the people who use your product as the grown-ups, here to be the custodians of these addle-brained users of the network. Or so it seems reading Gord Boyce's advertorial in Enterprise Networks and Servers titled "Are your users smarter than a 5th grader".
You know what I mean by advertorial right? A piece in a magazine or e-zine that comes across looking like a real piece of journalism and is really a thinly veiled advertisement for your company's products. Some people say my blog could be put in the same boat. If that is how you feel, so be it, I am not going to waste time arguing about it with you.
Gord's gist seems to be that users need parenting and that security and network administrators can administer the proper discipline or love in one of two personas. You can be the Beaver's mom, Mrs. Cleaver, or you can be Nurse Diesel (from High Anxiety, for those too young to remember). Frankly I find this view of network users arrogant and condescending. For most enterprises their users are not some ill-behaved child exhibiting bad manners. They are legitimate users who have to access the network in order to get their work done. And here is a lesson for all of you who subscribe to the "parenting approach" to network security: if those same users we are trying to discipline or raise into responsible adults don't get on the network and do their work, you may not have a paycheck! So spare us the analogies to children accessing the network unless you are selling to schools. It's time we treat our network users and legitimate guests as the adults they are. Adults who we are counting on to do their work, make our companies profitable and put food on our tables.
This same "teach the kids to mind their manners" approach to NAC is what has caused too many to think of NAC as being all about the quarantine. It is not and should not be. Quarantine should be something you do as a last resort. If someone has a legitimate right to be on the network, it should be the job of the NAC product to make sure they are on securely, in compliance and safely. If they are deficient in some configuration, let's get it fixed. They should be allowed to go where they are allowed to go, no more and no less. But I think we can spare the user the finger wagging and lectures.
Unlike Gord, I actually think that time can be better spent on the social engineering of NAC. Educating your network users is key. The more time you spend making them understand why rules are in place and what they can do to help and make everyone more successful, the better off you are going to be. I think the technology of NAC is only one piece of the entire solution. Security awareness and education are also key. Also, unlike Gord, I don't think that agentless NAC is the only way to test devices. Especially if, like Gord's product, all you are using to do so is Nmap and an old version of Nessus (btw, Gord, do you include the source code with your use of those open source products?). I think to truly test the full spectrum of devices accessing the network you need a combination of agentless, agent and web-delivered testing options. You need a purpose-built NAC testing engine. If you want to provide continuous monitoring, you need to do more than recycle your failed IDS technology.
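To make the two points above concrete (remediate before you quarantine, and combine agent, agentless and web-delivered posture checks rather than relying on one), here is a small policy engine written as an added example for this post. It is not code from the post, from Gord's product or from any NAC vendor; the check names, roles, access groups and the sample fleet are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"            # compliant: scoped access for the user's role
    REMEDIATE = "remediate"    # deficient but fixable: fix it, keep them working
    QUARANTINE = "quarantine"  # last resort: nothing we can fix automatically


@dataclass
class Posture:
    # Findings from one assessment method that actually reached the device.
    source: str      # "agent", "agentless" or "web" (assumed method names)
    findings: dict   # check name -> True if compliant


@dataclass
class Endpoint:
    host: str
    role: str
    postures: list   # zero or more Posture results, possibly from different methods


# Hypothetical policy. Every required check must pass; only some can be fixed in place.
REQUIRED = {"av_running", "patch_level_ok", "firewall_on"}
REMEDIABLE = {"av_running", "firewall_on"}

# "Allowed to go where they are allowed to go": access is scoped by role, never widened.
ROLE_ACCESS = {
    "finance": {"erp", "mail"},
    "engineering": {"git", "mail", "internet"},
    "guest": {"internet"},
}


def merge_postures(postures):
    """Combine findings from every method that saw the device.

    A check counts as compliant only if every source that observed it agrees;
    a disagreement between agent and agentless results is treated as a failure.
    """
    merged = {}
    for posture in postures:
        for check, ok in posture.findings.items():
            merged[check] = merged.get(check, True) and bool(ok)
    return merged


def decide(endpoint):
    """Return (Decision, allowed access set, list of follow-up actions)."""
    merged = merge_postures(endpoint.postures)
    # A required check that no method observed is a failure, not a free pass.
    failing = sorted(c for c in REQUIRED if not merged.get(c, False))
    if not failing:
        return Decision.ALLOW, set(ROLE_ACCESS.get(endpoint.role, set())), []
    if all(c in REMEDIABLE for c in failing):
        # Deficient in configuration: fix it, with access limited to remediation services.
        return Decision.REMEDIATE, {"remediation"}, [f"fix:{c}" for c in failing]
    # Only when nothing can be fixed automatically do we fall back to quarantine.
    return Decision.QUARANTINE, set(), [f"ticket:{c}" for c in failing]


def evaluate_fleet(endpoints):
    """Map each host to (decision name, sorted access list, actions)."""
    result = {}
    for ep in endpoints:
        decision, access, actions = decide(ep)
        result[ep.host] = (decision.value, sorted(access), actions)
    return result


# Constructed sample fleet: each device reached by a different mix of methods.
SAMPLE_FLEET = [
    Endpoint("fin-laptop-01", "finance", [
        Posture("agent", {"av_running": True, "patch_level_ok": True, "firewall_on": True}),
    ]),
    Endpoint("printer-3f", "engineering", [
        Posture("agentless", {"av_running": True, "patch_level_ok": True, "firewall_on": False}),
    ]),
    Endpoint("guest-tablet", "guest", [
        Posture("web", {"av_running": True, "patch_level_ok": False, "firewall_on": True}),
    ]),
    Endpoint("eng-laptop-07", "engineering", [
        Posture("agent", {"av_running": True, "patch_level_ok": True, "firewall_on": True}),
        Posture("agentless", {"av_running": False}),   # agent and scan disagree
    ]),
]


if __name__ == "__main__":
    for host, (decision, access, actions) in evaluate_fleet(SAMPLE_FLEET).items():
        print(f"{host:15} {decision:10} access={access} actions={actions}")
```

Note the ordering: only one of the four constructed devices ends up in quarantine, and that is the one whose failing check (patch level) the policy cannot fix on its own. The engineering laptop whose agent and agentless results disagree is sent to remediation rather than trusted on the strength of the agent alone, which is the practical reason for running more than one assessment method.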
Here is the bottom line for me. If you think the people accessing your network are like the Beaver and Wally, Gord's product may be just what you are looking for. If you have adults trying to do business and make you and your company succeed perhaps another NAC solution might be best for you.