I saw Tim Greene's column this morning entitled "Sophos NAC client adapts to virtual environments" and was curious to see if Sophos had taken a similar tact to what we did here at StillSecure in securing multiple virtual machines on the same physical machine. After reading the article though I have to say that Richard Jacobs, CTO of Sophos fed Tim Greene a line of bull.
First of all lets start with the obvious. Sophos whole solution around virtual environments and NAC is nothing more than vaporware! Here is how the article leaves off in discussing this "solution" that Jacobs talks about, "Jacobs says the company doesn’t have a name yet for this enforcement agent, nor does it have a date when it will become available as a product. Stay tuned." So what exactly are we talking about?
Beyond that though, a closer examination of what Jacobs says is the obstacle in providing NAC to virtual environments is bull. Jacobs says the problem is "that in virtual environments, a physical machine that hosts virtual machines already has access to the network". Therefore according to Jacobs, "The switch port that the host machine connects to cannot be used as a NAC policy enforcement point because the host machine’s status would determine the NAC policy for itself and for all the virtual machines running on it." He continues with, "That single policy would then have to apply to all the virtual machines running on the host, regardless of the status of the individual virtual machines, he says. A non-compliant virtual machine that tries to come onto the network could change the NAC status of the host, and enforcing that new status would block all the other virtual machines, even if they are compliant."
Maybe what Jacobs should have said was that if your NAC is so limited that it will only work by allowing one device on per port with no ability to distinguish devices, OSs, etc beyond that rudimentary one-to-one equation, you are stuck waiting for Sophos to develop something that may work, who knows when. But there is a better way!
What about if you have the ability to distinguish access to the network based upon MAC address? My understanding is that each virtual OS in a virtual environment will have its own unique MAC address. So if you are going to assign policy, test and quarantine based upon multiple factors such as IP, domain, MAC address, netbios, etc, you do have the capability to test and allow one OS, while denying another OS, all while they are running on the same physical machine. In fact that is just what we do with Safe Access!
I have seen it in action here at our offices in Colorado myself. If you log on with a Macintosh you get checked as a Mac and are allowed on or not depending if you passed the assigned policy test. When you fire up Windows on that Mac, you are tested again and can be denied access, while your Mac is allowed on. Vice versa, you can get on the network with your Window virtual OS, even though your Mac OS was denied, all mind you while you are running on a Macintosh physical box.
The moral of the story is don't underestimate that someone else has a better mousetrap than you do. Also, if you are going to go spout off thinking everyone is as limited as you are, at least have the goods and don't be pushing vaporware!
First of all lets start with the obvious. Sophos whole solution around virtual environments and NAC is nothing more than vaporware! Here is how the article leaves off in discussing this "solution" that Jacobs talks about, "Jacobs says the company doesn’t have a name yet for this enforcement agent, nor does it have a date when it will become available as a product. Stay tuned." So what exactly are we talking about?
Beyond that though, a closer examination of what Jacobs says is the obstacle in providing NAC to virtual environments is bull. Jacobs says the problem is "that in virtual environments, a physical machine that hosts virtual machines already has access to the network". Therefore according to Jacobs, "The switch port that the host machine connects to cannot be used as a NAC policy enforcement point because the host machine’s status would determine the NAC policy for itself and for all the virtual machines running on it." He continues with, "That single policy would then have to apply to all the virtual machines running on the host, regardless of the status of the individual virtual machines, he says. A non-compliant virtual machine that tries to come onto the network could change the NAC status of the host, and enforcing that new status would block all the other virtual machines, even if they are compliant."
Maybe what Jacobs should have said was that if your NAC is so limited that it will only work by allowing one device on per port with no ability to distinguish devices, OSs, etc beyond that rudimentary one-to-one equation, you are stuck waiting for Sophos to develop something that may work, who knows when. But there is a better way!
What about if you have the ability to distinguish access to the network based upon MAC address? My understanding is that each virtual OS in a virtual environment will have its own unique MAC address. So if you are going to assign policy, test and quarantine based upon multiple factors such as IP, domain, MAC address, netbios, etc, you do have the capability to test and allow one OS, while denying another OS, all while they are running on the same physical machine. In fact that is just what we do with Safe Access!
I have seen it in action here at our offices in Colorado myself. If you log on with a Macintosh you get checked as a Mac and are allowed on or not depending if you passed the assigned policy test. When you fire up Windows on that Mac, you are tested again and can be denied access, while your Mac is allowed on. Vice versa, you can get on the network with your Window virtual OS, even though your Mac OS was denied, all mind you while you are running on a Macintosh physical box.
The moral of the story is don't underestimate that someone else has a better mousetrap than you do. Also, if you are going to go spout off thinking everyone is as limited as you are, at least have the goods and don't be pushing vaporware!
