January 16th, 2006
Enforcing conformity
I think that a lot of the trouble we cause for ourselves comes from confusing reality with how we want things to be. One way of doing this is to oversimplify. Vendors of IT solutions are the most guilty of this. Startups latch on to one idea and then view the world through a single-pass filter that makes all problems look the same. Established vendors assume that their customers are loyal to them and have already deployed their products everywhere. Even upper-level management views their shops in broad categories: “We are a Microsoft shop”, “We are an Oracle shop”.
In my experience every “Microsoft shop” has other equipment that is not Microsoft: network appliances, printers, servers, storage, you name it.
There is a utopian IT architecture. It looks like this:
- Every desktop is exactly the same. Any variation is an aberration.
- All routers run the same level of code.
- All mobile platforms are the same. End users don’t add things or customize things.
- If change is needed we will investigate and roll out changes in the next budget cycle.
It is in this utopian environment that Network Admission Control looks good. Only conforming devices are allowed on the network. Each laptop, server and desktop must have the same OS settings, firewall configuration and AV client, with updates at least at level x.
As crazy as this sounds, it is exactly what the Ciscos and Microsofts of the world are proposing. They are selling conformity. Can’t roll out CNAC because you still have some non-Cisco core routers? Well, get rid of them!
The execution problems are almost insurmountable. But there is an even more fundamental problem. Conformity is anathema to security. While most organizations have managed to standardize on Windows for desktops and laptops, they still have a range of versions. Having Win2000, XP, and even 98 in the mix actually decreases the likelihood of a single worm or virus wiping you out. What if an update from your AV vendor crashes your AV client? By forcing conformity you reduce resiliency.
Luckily conformity is a utopian fantasy. It really does not exist anywhere. So why waste even a minute trying to deploy Network Admission Control?
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.