NAC is a Feature not a Market…

I’m picking on NAC in the title of this entry because it will drive
Alan Shimel ape-shit and NAC has become the most over-hyped hooplah
next to Britney’s hair shaving/rehab incident…besides, the pundits come a-flockin’ when the NAC blood is in the water…

Speaking of chumming for big fish, love ’em or hate ’em, Gartner’s Hype Cycles do a good job of allowing
one to visualize where and when a specific technology appears, lives
and dies
as a function of time, adoption rate and utility.

We’ve recently seen a lot of activity in the security space that I
would personally describe as natural evolution along the continuum,
but is often instead described by others as market "consolidation" due to

I’m not sure they are the same thing, but really, I don’t care to argue
that point.  It’s boring.  I think that anyone arguing either side is
probably right.  That means that Lindstrom would disagree with both. 

What I do want to do is summarize a couple of points regarding some of
this "evolution" because I use my blog as a virtual jot pad against which
I can measure my own consistency of thought and opinion.  That and the
chicks dig it.

Without my usual PhD Doctoral thesis brevity, here are just a few
network security technologies I reckon are already doomed to succeed as
features and not markets — those technologies that will, within the
next 24 months, be absorbed into other delivery mechanisms that
incorporate multiple technologies into a platform for virtualized
security service layers:

  1. Network Admission Control
  2. Network Access Control
  3. XML Security Gateways
  4. Web Application Firewalls
  5. NBAD for the purpose of DoS/DDoS
  6. Content Security Accelerators
  7. Network-based Vulnerability Assessment Toolsets
  8. Database Security Gateways
  9. Patch Management (Virtual or otherwise)
  10. Hypervisor-based virtual NIDS/NIPS tools
  11. Single Sign-on
  12. Intellectual Property Leakage/Extrusion Prevention

…there are lots more.  Components like gateway AV, FW, VPN, SSL
accelerators, IDS/IPS, etc. are already settling to the bottom of UTM
suites as table stakes.  Many other functions are moving to SaaS
models.  These are just the ones that occurred to me without much

Now, I’m not suggesting that Uncle Art is right and there will be no
stand-alone security vendors in three years, but I do think some of this
stuff is being absorbed into the bedrock that will form the next 5
years of evolutionary activity.

Of course, some folks will argue that all of the above will just all be
absorbed into the "network" (which means routers and switches.)  Switch
or multi-function device…doesn’t matter.  The "smoosh" is what I’m
after, not what color it is when it happens.

What’d I miss?


(Written from SFO Airport sitting @ Peet’s Coffee.  Drinking a two-shot extra large iced coffee)

  1. March 31st, 2007 at 05:59 | #1

    Come on Hoff, it takes more than this pansy ass shit to make me go ape shit. I figure worse comes to worse, we can always convert all of these NAC boxes to media centers. In the meantime we will just keep trying to sell "this feature" and count you among the "yea of little faith" who could not wait to shovel dirt on top of NAC at the first opportunity 😉

  2. March 31st, 2007 at 07:43 | #2

    Very funny. I think, however, that my comment rings true when you take into account that even StillSecure's own UNP alludes to NAC becoming "just another feature" in the virtualized stack of functions on a platform.
    The writing's clearly on the wall. NAC is the next IPS in the chainlinks of security component evolution.
    As far as counting me in as one of the "ye[a] of little faith," I'm not suggesting NAC isn't worthwhile; just the opposite. You seem to have forgotten the posts, podcasts and my belief in the concept of NAC…it's the execution that's lacking.
    I'm not shoveling dirt on NAC, I'm merely putting it in the right box — the impetus for this post was yours in which yet another NAC vendor supposedly bites the dust (Caymas.)
    You're welcome to count me with any group you like. In fact, you can add me to the UTM Media Center Enthusiasts Club if you like 😉
    By the way, besides getting bristly and defensive about NAC (I guess that part worked,) what do you think about the other categories I mentioned?

  3. Pete
    March 31st, 2007 at 12:42 | #3

    I disagree.

  4. March 31st, 2007 at 17:41 | #4

    Hoff, I thought you were looking for bristly and defensive? The other categories? I don't know let me look at them. I personally think NAC will be built into networks as a feature, have for some time. That pretty much sums up our biz dev strategy.
    Speaking of podcasts, I really want to have you on one when you are sober. Any chance you will be available and sober any time soon 😉 Let me know.

  5. March 31st, 2007 at 20:07 | #5

    Are UTM's becoming a feature not a market . . .

    One good turn deserves another. So let me flip it on you Hoff. What am I talking about you ask? My bud Hoff was looking to yank my tail with a recent article wherein the esteemed wizard of Boxborough, lists

  6. March 31st, 2007 at 20:16 | #6

    Next time you both should turn downwind before starting to piss on each other. But I guess that would mean you would miss then too. lol

  7. crashtkd
    April 1st, 2007 at 13:05 | #7

    Nice one, but have to disagree slightly…
    I think from a monitoring and enforcement standpoint you're
    completely correct. None of that stuff will stay stand alone. But in
    3 areas (2 for sure, 1 maybe) the policy management/intelligence will
    reside somewhere else:
    1. NAC will overlap with endpoint management and (to a different
    degree) Identity Management/Authentication. This is the one I could
    be wrong on.
    2. Applications and databases will have a separate security plane,
    but many of the enforcement points will consolidate into the network
    as you describe. A bunch of the intelligence and analysis really
    can't be done on the network alone.
    3. We'll see the rise of a data/content security plane that extends
    from the desktop, to the network, to storage (leak prevention on
    steroids). Again, you can only solve part of the problem on the
    network- a bunch really needs to embed into other parts of the
    information lifecycle. That said, any leak prevention vendor relying
    on selling egress appliances is in for a rough ride.
    Of course, I'm biased. Can't let you network guys steal all the
    thunder and put me out of a job (I'm a data security type).
