Connect’s Prospects

June 18th, 2008

Jim Becker

I’m sensing a good mood, optimism, and enthusiasm from the Connect leadership. I’m basing this on yesterday’s chapter leader meeting, and some impromptu hallway discussions with Connect Board members. I’ve also talked to some participants from each of the “progenitor” user groups I’ve encountered. (Over the last several years, I’ve been fortunate to meet a variety of folks involved in the user groups because of my time on the Encompass Board and various volunteer roles.)

So far, I’m getting a sense that the Connect leaders are eager to get busy, focusing the Board on governance while the SIGs and Chapters carry out the “work” of the user group. They’re sensing support from the various volunteer communities.

From HP, they’re hearing interest. Various elements of HP want to know how they can get involved, how they can help. One of the goals of combining the groups was to create one bigger voice to HP to get greater levels of interest and support, so this appears to be happening.

When I’ve spoken to those who aren’t familiar with the user group(s) at all, they seem to be somewhat to very interested. The questions all come back to two basic issues: How will the user group help me do my job better, and what would I have to do to take advantage of the user group’s offerings?

Among the user group old-timers, I was expecting some amount of worry and reluctance over possibilities like the loss of valued community feeling, the dilution of content, and the imposition of rules that damage the way various subgroups have operated comfortably and successfully. Indeed, there was some of that earlier in the process, but this week, I’ve sensed very little of that sort of concern. (Someone tell me if there’s more of it than I’ve realized.) Just about everyone this week has been expressing support, some with great enthusiasm and optimism.

I have heard a complaint or two. Their view was that problems they perceived in the earlier groups are carrying forward into the new group. Well, time will tell, but so far the Connect leadership has shown a willingness to make adjustments. There was an issue around chapter affiliation that I and other chapter leaders complained about. We made our case, and the leadership made some changes so we could come to agreement. That’s a good sign to me.

Best of luck Connect, and let’s see how things unfold!

Sessions are so cool, and so’s the non-session time

June 18th, 2008

Jim Becker

It’s Wednesday at the HP Technology Forum & Expo 2008.

In the spirit of virtualization, I wasn’t physically present at my first scheduled session of the day. No, it wasn’t a case of oversleeping. As in past years, I followed my usual practice of booking myself solid in the scheduler ahead of time and then waiting until the actual session time to decide how best to spend it. Sometimes an offline discussion with another attendee or a passing speaker can give you some information that’s better than what you can find in a session. I’ve been fortunate enough to have a few such ad-hoc discussions so far this week.

But I’ve been to some very good sessions too. When a content team (the security team for me this year) accepts a session from a previously unknown speaker, there’s always that risk that the speaker won’t deliver a quality session, but the sessions I’ve been attending this year have ranged from good to excellent.

Remember my posting from yesterday, when I said a hands-on lab went bust? A happy ending is on the way. I had mentioned the situation to the speaker coordinator team (the three amigos, Robert, Robert, and Marion). They got in touch with the speaker and discussed it with him. Today, they told me the speaker was apologetic about the situation, and he offered to have me slip into one of his other scheduled sessions, or to just find him between sessions. Nice.

Speaking of non-session time, I got some good info at the expo. I spoke to some vendors who had some interesting, relevant stuff for me.

I’ll be returning to the office armed with good info.

HPTF&E 2008: Tuesday

June 17th, 2008

Jim Becker

Here’s my Tuesday report from the HP Technology Forum & Expo 2008.

General Session

First, I hit the general session. Randy Mott, Executive Vice President and Chief Information Officer of HP, started things off. He pointed out that there are more people in the IT field now than ever before, and that the amount of spending on old legacy systems is on the rise. He talked about HP’s efforts to consolidate data centers (and data stores and applications), and to shift a greater proportion of IT spending toward innovation over support. I thought it was interesting that he liked a shorter time frame for implementing grand projects, because he was concerned about what you might call MTBC — Mean Time Between CEOs (that’s my wording, not his). A shorter timeframe pushes one toward transformation instead of incremental improvement.

Ann Livermore, HP’s Executive Vice President of the Technology Solutions Group, was up next. She cited 3 challenges for CIOs: an information explosion, increasing demands on IT from CEOs, and an aging infrastructure. She pointed out that HP sells 1/3 of all servers, and that HP is shipping a new server every 12 seconds. She pointed out HP’s intention to “blade everything” — that is, as I understand it, to make everything you need in a data center available in a blade format.

Ann mentioned two major announcements, the Integrity NonStop NB50000c BladeSystem and the BTO Software for Change Management Automation.

In what turned out to be a setup for later high-jinks, you might say, Ann announced that Mark Hurd wouldn’t be available for the Q&A portion after all. I later found out that some people left upon hearing that, because they wanted to hear Mark speak. Well, during the Q&A, he came out after all to “interrupt” Ann’s talk, and so did Intel CEO Paul Otellini. I guess it was supposed to be a happy “oh gosh you fooled us” surprise. But anyway, the two CEOs were there to point out the HP/Intel commitment to Itanium.

Hands-On Labs

Hands-on labs are great. Attendees love them. You get to sit down and actually work with some technology, with someone there to help you do it. I usually don’t have the time or the resources to do the same back at the office, not with the equipment available in the labs. A good lab gives you a feel for something that a stand-up talk can’t always do.

My first hands-on lab was a bust, however. I showed up, and the woman who was badging people in said the speaker wanted to cancel the session. I went in, finding out I was the only attendee. The speaker wasn’t ready, or more to the point the setup apparently wasn’t what he was expecting. He suggested coming back 20 minutes later. I did, but I was then told there was nobody there. Oh well.

I attended a good hands-on lab on VDI (Virtual Desktop Infrastructure). This is a very intriguing technology for me, so I was glad to have a chance to sit down and mess with it. It’s aimed squarely at some problems we’ve got back at the office. I’ve now got some practical information in hand.

Speaking of VDI, I attended a break-out session on the subject too. Very informative! I’ll be looking for this one when my proceedings DVD arrives from Connect. (Connect members will receive a DVD.)

Chapter Leader Meeting

Speaking of Connect, we had the chapter leader meeting today. I was there as the leader of ESILUG in the Washington DC area. There must have been 2-3 dozen people in attendance, representing erstwhile chapters of Encompass, ITUG, and HP-Interex EMEA from around the world. Connect President Nina Buik talked about plans and futures for Connect chapters. Director Steve Davidek walked us through some feedback exercises on what chapters value and need from Connect. This was a constructive session. I look forward to what the future holds for Connect chapters.

HPTF&E 2008: Pre-conference seminars, Connect kick-off, and more

June 16th, 2008

Jim Becker

I’m writing from the Connections Cafe at the HP Technology Forum & Expo 2008.

As usual for my first day on site, I ran into a number of people I know from past events. Getting some in-person time with known IT colleagues from around the world is one of the big benefits I derive from attending. Actually, getting some in-person time with attendees I haven’t met is good too, but it’s also good to “Connect” with the old gang.

Today, I took advantage of the pre-conference seminar program. These are the day-long presentations by topic experts that let you take a deep dive into a topic. The program brought back some popular speakers from past years and introduced some new speakers. The feedback forms provided by attendees help the user group seminar team improve next year’s program.

The early feedback from the speakers was that the attendees were engaged and interactive. Speakers love that kind of stuff.

At lunch, several people noted, and I agreed, that the food was actually very good. There was variety and it was tasty. I particularly enjoyed the mango cheesecake, myself.

This was the opening night for the vendor expo too. The food was good and the drinks were free. Oh yeah, the vendors were there in force too. I like to see a win-win trade show — vendors getting traffic and attendees getting info. There were indeed plenty of people milling about the booths, so this looked like some good trade show time to me.

The expo reception also marked the official launch of Connect. Brad Harwell, HP liaison, thanked the exhibitors for participating in the trade show, and moving on to Connect, he thanked the user group leaders for their efforts in creating Connect. He presented a plaque to my buddy Nina Buik, President of Connect, in much-deserved recognition of her leadership.

Nina led everyone in a toast to the new Connect organization, and unveiled the new logo.

So here we are at the close of day 1. I’m still not adjusted to the time zone shift, my feet are sore, and I’ve run into lots of colleagues from past conferences. Yup, it’s conference time!

If you see me on site, tell me about the coolest thing you’ve heard all day, whether it was useful information, a great one-liner, or whatever. See you around.

Blogging from HPTF&E 2008

June 10th, 2008

Jim Becker

Next week, at the HP Technology Forum & Expo 2008, I’ll be blogging from on site along with my colleague Richard Buckle.

We’ll be writing about the presentations we attend, the user group activities, the exhibits, and whatever else catches our attention while we’re there.

Speaking of user group activities, the conference includes SIG meetings (Encompass SIGs as well as ITUG SIGs), the CONNECT Chapter Leader Meeting, and on Thursday afternoon, the session entitled “Meet CONNECT, Your Independent HP Business Technology Community.” Registered attendees can find these sessions in the Session Scheduler: select the Type tab and pick User Group Meeting.

The HP Technology Forum & Expo 2008 marks the debut of CONNECT, the merged international user group consisting of Encompass, HP-Interex EMEA, and ITUG.

“‘Overdrawn at the Memory Bank’ technical support. This is Mandy. How can I help you?”

June 5th, 2008

Jim Becker

Several colleagues and I have been lamenting the state of vendor tech support these days. In an era of ITIL, COBIT, MOF, and the Help Desk Institute, why has good tech support gotten so rare?

I’ll offer a few real-world examples, using fictionalized company names.

Not understanding the problem. “Initrode” used to have great tech support. When I was a consultant, I helped a customer set up Initrode’s products. Initrode’s tech support was helpful and speedy. They had one of my favorite tech support organizations at the time. A couple of years later at another job, I brought in Initrode’s products, partially on the strength of their tech support. First-tier support was getting harder to deal with, mostly because they never captured the problem very well. The second tier was still okay, at first, but over time they were less and less able to understand a problem that didn’t match their scripts. Eventually, the party line seemed to be “It’s not our fault or our problem. Now, what’s your question?”

The version kiss-off. One time, an Initrode tech support person asked the dreaded version question. “What version are you running?” Once upon a time, that was just normal information-gathering. Now, however, the version question had become the prelude to a kiss-off. I reported my version precisely, confident that we were up to date. They wouldn’t help me because, they told me, I wasn’t up to date. Huh? When did the new version come out? Yesterday. I hadn’t received an announcement about the new version or a warning that I was about to slip to “unsupported version” status. Not their problem. “But let me tell you my problem, because maybe it’s relevant in the new version too.” Nope, sorry.

Acquisition blues. “Yoyodyne,” an ISP, had a phenomenal tech support team. The first-tier people had basic literacy in DNS and routing. They could conduct quick status checks and they were empowered to make certain changes for you. Some problems were handled on your first call to tech support in the space of a few minutes. If the problem escalated, the second tier would be fully briefed on what had transpired so far. They were also very knowledgeable. They gave you useful tips. Then Yoyodyne got bought. Before long, the new company got rid of Yoyodyne’s “extra” tech support people. Quality plummeted. The phone menu system required lots of guesswork. The customer support web interface changed regularly in confusing ways. Old interfaces remained online and let you submit things, but they were bit buckets. I had at least four ID-like numbers, but none of them worked for online logins. Second-tier support under the new company was often less competent or less empowered than the first tier under the old company. You had to start from scratch with each new person on a given case. The company was so heavily stovepiped that tech support couldn’t take any direct service actions on your behalf, but you weren’t allowed to call the people who could.

Plain incompetence. I used “LesterCorp” as a home user, not as a business customer. LesterCorp sold PC security software. I ran into what was certainly a bug in their software. The on-line knowledge base acknowledged the problem, but the advice seemed totally irrelevant. I followed it anyway, but the behavior remained. I contacted tech support. They assured me that their latest patch would fix the problem. It didn’t. Then, they swore I had to open up inbound access to port 443 on my computer for this to work. I tried and tried to get them to understand I wasn’t trying to grant inbound access to my computer. They didn’t get it. I called again later and got someone else. This next person insisted I had to open up the usual Windows ports (135, 139, 445) for inbound access, because “the Internet can’t work without them.” I argued with the guy but he was so thoroughly clueless and sure of himself that I just gave up. I called another time. This next person had me open a command prompt. Without any other explanation or warning he said, “I want you to type the following command: f-o-r-m-a-t space c-colon.”

What has happened to vendor tech support? Run-arounds, poor communication, and minimal competence have become the norm. I still get good tech support from a couple of vendors, but they’re the pleasant exceptions. The art and science of good tech support are disappearing, even though the industry seems chock full of best practices for a service desk function.

In what may seem like a whiplash-inducing change of subject, this topic brings to mind one of the reasons I like the HP Technology Forum and Expo and user group involvement. Participants get it. They know what good tech support looks like. Now if only we could collectively find a way to raise the bar for vendor tech support.

P.S. to TV and movie trivia buffs: Did you recognize my references?

2008 HP Worldwide User Advocacy Survey

May 23rd, 2008

Jim Becker

Each year, I take the HP Worldwide User Advocacy Survey. This year’s edition runs through June 26.

The survey’s introductory page says it takes about 10-15 minutes. That was about my experience, if I try to factor out the usual workday interruptions. (I am in “IT” after all … Interrupt Time.)

For the questions about my organization, yet again I had to take the “little old us” options. I’ve got three strikes against me in surveys like these. I work for a non-profit (strike one) from the SMB space (strike two), and our work generally falls into the “Other” category (strike three). Big vendors rarely and barely notice organizations like ours. The Urban Institute is not going to make HP rich.

In fact, our off-the-radar status accounted for a good portion of the feedback I provided in the survey about our interactions with HP. If it weren’t for my user group involvement, I’d never meet anyone from HP face to face. It’s often hard for us to get HP’s attention, yet we like the HP products we use and we depend on them heavily. But at least I get to toss in our $0.02 on the annual survey.

Recently, we wanted to purchase some ProLiants and storage that wouldn’t have our usual configuration. We wanted to get some pre-sales assistance to make sure we were getting a sane and complete configuration. Where do we go? We never know. We sorta kinda have an HP SMB rep we can contact, but in our experience HP’s SMB reps are more interested in taking an order than getting us some help. We have occasionally found some knowledgeable presales assistance, but this wasn’t one of those times.

We tried going to an official HP reseller. The guy we spoke to was worried that we’d take his sage advice then run off to some “Parts R Us” place. The quote that undercut him was from HP itself, by about 20-25%. We had to go with the lower quote. We hated doing that to the reseller, but we couldn’t justify that sort of premium internally. Once we went with HP, each little tweak to the quote meant another delay of a week or so before we’d get the updated quote. And then when the systems finally arrived, we discovered that this wasn’t a complete configuration after all, even though our HP contact had assured us that he ran the configuration past engineering. We were then stuck with some additional purchases to bring it up to snuff.

Whine, whine, whine. We really do like the HP products we’ve got. We really do depend on them heavily for the work we do. Those aspects of things got high marks in my survey responses. But sometimes it’s hard to do business with HP, especially when we’re this far off the radar screen.

That’s why I do the survey. The survey gives us a chance to let HP know what’s working well and what’s not.

Password complexity hype continues

May 16th, 2008

Jim Becker

I have my soapboxes. A coworker at a previous job even presented me with a soapbox as a parting gift (Irish Spring, but it’s the thought that counts). Password complexity hype is one of my regular soapbox topics.

Password complexity: A lot of people tout the benefits of password complexity rules. Current Windows password complexity requirements include the need for at least 3 of 5 character groups in the password (upper case, lower case, digits, non-alphanumerics, and Unicode). Some sites require at least one each of upper case, lower case, and non-alphabetic.

Consider that “Password1” passes all the usual complexity requirements, but it’s a terrible password. Consider also that “igympayldt” fails complexity requirements, yet it’s a pretty decent password. It’s also easy to remember (if you’ve seen the Wizard of Oz: “I’ll get you, my pretty, and your little dog too”). And in case you’re wondering, no, I haven’t just revealed my passwords!

Microsoft’s password checker looks for length and complexity. It claims that “Password1” is a strong password. It claims that “KNxh,TJ” (a randomly generated string) is a weak password, apparently because it’s 7 characters long instead of 8. If I add a 0 to the end, it gets a strong rating. It gives “Aaaaaaa0” a strong rating, but “igympayldt” is weak. Yeesh.

Do the math: Fans of complexity requirements tell us to “do the math.” The time needed to crack a password by brute-force methods is proportional to the number of possible passwords. (I admit now to the purists that I’m oversimplifying a complex discussion.)

The “do the math” defense for complexity runs like this. Compare an 8-character password of lower-case letters to an 8-character password that uses the 94 printable characters found on a typical U.S. keyboard. For the lower-case password, there are about 209 billion possibilities. For the password using the 94-character set, there are about 6 quadrillion possibilities. (I’m using U.S. terms for large numbers.) That’s a huge difference, like handling petabytes of data instead of gigabytes.

Given that the 94-character set allows about 29,000 times as many passwords, “complex” passwords must be about 29,000 times better, right? A password that could have been cracked within a couple of days using an ordinary laptop becomes a password that would probably take decades to crack. Sounds good, huh? Well, not so much…

Bride of do the math: Let’s face it. If you ask users to include at least one upper-case letter, it’ll probably be the first character. If you ask them to use at least one non-alphabetic, it’ll probably be a digit at the end. If, as a password guesser, you start with that pattern, you’ll probably succeed within your first 80 billion guesses, which you’ll achieve in less than 24 hours. That is, you have a good chance of success in the first 0.001% of the possible passwords. The complexity requirement wasn’t much help, was it?

Son of do the math: Now compare 8 “complex” characters against 11 lower-case letters. That’s 6.1 quadrillion possible passwords vs. 3.7 quadrillion. Adding 3 characters to the length is almost as good as adding 68 characters to the character set. Size matters more than complexity.

Return of do the math: Computing keeps getting faster, ya know? It’s pretty cool if complexity requirements can turn a 2-day attack into a 2-century attack. But what if the attack on the “simple” password takes only a few minutes with better compute resources? If we take the “do the math” approach at face value, complexity requirements turn an attack of a few minutes into an attack of several weeks. Given that many passwords last 90 days or longer, that’s not much help. The faster these attacks can happen, the less it matters whether you apply complexity requirements.

Entropy (oh yurg, a term from thermodynamics): Entropy is basically a measurement of how many random bits your password is equivalent to, in terms of guessability. Dictionary words have low entropy. An adult’s vocabulary might have around 15 bits of entropy, less than the entropy of 3 randomly generated characters.

NIST SP 800-63, Electronic Authentication Guideline, includes a discussion of entropy in Appendix A, Estimating Password Entropy and Strength.

According to NIST SP 800-63, an 8-character randomly generated password using a 94-character alphabet has 52.7 bits of entropy. If you let users pick their own 8-character passwords, you’re down to 18 bits of entropy, the equivalent of about 3 randomly generated characters. This means a random password is about 28 billion times better than a user-chosen password. If you add in a complexity requirement, you’re up to 24 bits of entropy, which is not quite as good as 4 randomly generated characters. The “do the math” crowd acts like you’ve got 8 random characters, when it’s more like 4. They’re off by a factor of about half a billion.

Per NIST, adding 2 characters to the password length (for user-chosen passwords) is about as effective as adding complexity requirements.
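The arithmetic from the “do the math” sections and the NIST entropy figures above, worked through in code. This is an added example and not part of the original post. It computes the raw search spaces (26^8, 94^8, 26^11, and the “capital first, digit last” slice of the 94-character space), the entropy of a uniformly random password, and the NIST SP 800-63 Appendix A per-character estimate for user-chosen passwords with its 6-bit composition-rule bonus (the appendix’s separate dictionary-check bonus is left out), plus an approximation of the Windows 3-of-5 complexity rule that accepts “Password1” and rejects “igympayldt”. The guess rate of one million per second is an assumption chosen to match the post’s “couple of days” figure. The exact value of log2(94^8) is 52.4 bits; the post quotes 52.7, the rounded figure from NIST’s table. One caveat for today’s reader: NIST retired this appendix in SP 800-63B (2017), which now says verifiers should not impose composition rules at all, in line with the argument here.

```python
"""Search-space and entropy arithmetic for the password complexity argument.

Added example, not code from the original post.  The guess rate used in
the demo is an assumed illustrative figure; the NIST numbers follow the
2006 SP 800-63 Appendix A heuristic (superseded by SP 800-63B in 2017).
"""
import math
import string

SECONDS_PER_DAY = 86400


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


def pattern_first_guesses(length: int = 8) -> int:
    """Size of the slice attackers try first: one upper-case letter, then
    lower-case letters, then a single digit at the end."""
    return 26 * 26 ** (length - 2) * 10


def random_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def nist_user_chosen_bits(length: int, composition_rule: bool = False) -> float:
    """NIST SP 800-63 Appendix A estimate for a user-chosen password:
    4 bits for the first character, 2 bits for each of characters 2-8,
    1.5 bits for each of characters 9-20, 1 bit for each beyond 20, and a
    6-bit bonus when upper-case and non-alphabetic characters are required.
    The dictionary-check bonus from the same appendix is omitted."""
    if length < 1:
        return 0.0
    bits = 4.0 + 2.0 * min(length - 1, 7)
    if length > 8:
        bits += 1.5 * min(length - 8, 12)
    if length > 20:
        bits += 1.0 * (length - 20)
    if composition_rule:
        bits += 6.0
    return bits


def meets_windows_complexity(password: str) -> bool:
    """Approximation of the Windows "must meet complexity requirements"
    policy: six or more characters drawn from at least 3 of 5 groups
    (upper, lower, digit, ASCII punctuation, non-ASCII).  The real policy
    also rejects passwords containing the account name; skipped here."""
    groups = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
        any(ord(c) > 127 for c in password),
    )
    return len(password) >= 6 and sum(groups) >= 3


def summary(guesses_per_second: float = 1e6) -> dict:
    """The post's comparisons in one place, at an assumed guess rate."""
    lower8 = search_space(26, 8)
    full8 = search_space(94, 8)
    lower11 = search_space(26, 11)
    return {
        "lower8_days": days_to_exhaust(lower8, guesses_per_second),
        "full8_days": days_to_exhaust(full8, guesses_per_second),
        "pattern_days": days_to_exhaust(pattern_first_guesses(), guesses_per_second),
        "pattern_fraction": pattern_first_guesses() / full8,
        "lower11_vs_full8": lower11 / full8,
        "random8_bits": random_bits(94, 8),
        "chosen8_bits": nist_user_chosen_bits(8),
        "chosen8_complex_bits": nist_user_chosen_bits(8, composition_rule=True),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>22}: {value:,.4g}")
    for pw in ("Password1", "igympayldt", "KNxh,TJ", "Aaaaaaa0"):
        verdict = "passes" if meets_windows_complexity(pw) else "fails"
        print(f"{pw!r}: complexity rule {verdict}")
```

Run it as a script to see the post’s numbers side by side: the full 94-character space is about 29,000 times the lower-case space, yet the predictable “Capital…digit” slice is under 0.0015% of it and falls in less than a day at the assumed rate, and eleven lower-case letters land within a factor of two of eight “complex” characters.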

The human factor: Regardless of how strong a password is on its own, you still have to worry about the user’s inclination to write the password on a sticky note or to have client software remember the password. Complexity rules don’t help you with the human factor, and they might make things worse.

My advice for user passwords is to think of a memorable phrase of at least 8 words, preferably more, and then to use the initials as a password (“Maslwlaboc” from “Mama always said life was like a box of chocolates”).

My advice for privileged accounts is to use a pronounceable password generator like a Perl script on a Unix system (such as pass_gen), the OpenVMS password generator (see the HP OpenVMS Guide to System Security), or Xyzzy on Windows. These tools are also good for resetting user passwords.

My advice for non-user passwords (like service accounts for which no human has to remember the password), is to use the Ultra High Security Password Generator. Make the password the maximum length allowed and let it be permanent.

HP Technology Forum and Expo 2008 - Using the Session Scheduler

May 8th, 2008

Jim Becker

Here’s how I went about using the Session Scheduler for the HP Technology Forum and Expo 2008.

Now that I’ve scheduled my hands-on labs (mwa-ha-ha), I can safely share this experience with you. The hands-on labs fill up fast, you know.

My overall approach is to do a first pass to flag sessions of possible interest by subject area, then I prioritize them, then I put the Auto Scheduler to work.

I also make sure I check out the user group activities (chapter meetings, special interest groups, etc.) and I look for the vendor theater sessions. I’m especially interested in the user group sessions this year, given that Encompass, ITUG, and HP Interex EMEA are merging into a new user group, Connect.

I also like to schedule at least one visit to the Technology Expo, where you’ll find lots of exhibitors waiting for you to drop by.

My steps…

  1. Log in at the Session Scheduler. This link appeared in your registration confirmation e-mail.
  2. Click on the Session Catalog.
  3. Click on the Technology Area tab.
  4. For each technology area of interest:
    • Choose a technology area from the drop-down menu. This produces a list of sessions in that topic area. Many sessions show up in multiple topic areas.
    • Click on the session numbers of possible interest to read the abstracts.
    • If a session is a must-have, schedule it in the abstract window by clicking on the “plus” icon.
    • If it’s a maybe, flag it as one of “My Interests” by clicking on the “plus” icon back in the session list, not in the abstract window.

      Note that the plus icon serves different functions in these two contexts.

  5. Click on the Type tab.
  6. In the pull-down list, select User Group Meetings. Schedule them or add them to My Interests as above.
  7. Still under the Type tab, select Vendor Theater instead of User Group Meetings. Pick and choose as before.
  8. Click on My Interests and assign Low, Medium, or High priorities to each. They all start out at Low. This will help the Auto Scheduler.
  9. Click Update and Return to Auto Scheduler.
  10. Click Start Auto Scheduler. That immediately schedules the sessions where you have no conflicts.
  11. If there are conflicts, click on Resolve Scheduling Conflicts. It walks you through each conflict, giving you a choice of how to resolve it.

    You can hover your mouse over the session number to get the session title (if your browser displays link titles). You can click on a session number to reread the session abstract.

  12. Do you want to schedule some personal items? Click on My Schedule then click on Add Personal Time. (It’s at the top of the schedule display.) You can schedule items on any quarter hour during the conference hours, lasting for 15-60 minutes.

    Because the scheduler covers the main conference hours only, you can schedule only the daytime hours of the Technology Expo (Tuesday 10:30-3:00, Wednesday 11:00-3:00, and Thursday 11:30-2:30). You can’t schedule the two evening times (Monday and Wednesday, 6:00-8:00) because they’re outside the regular conference hours.

  13. Do you want to export your schedule? Click on My Schedule then click on Export. If it asks for a time zone, leave it at Mountain Time.

Is anti-virus dead? I don’t think so

April 30th, 2008

Jim Becker

I just read yet another article proclaiming the demise of anti-virus software.

Weaknesses in signature-based approaches

First, let me acknowledge the weaknesses of signature-based anti-virus detection (also signature-based intrusion detection):

  • Once a virus is released into the wild, it can spread and do damage at wire speed, while initial detection, signature development and testing, and sometimes signature propagation happen at human speed.
  • Signature-based detection is more reactive than preventive.
  • Signatures are developed only for attacks that are widespread enough to warrant the effort. A malicious attack focused only on your organization operates below the radar of the anti-virus vendors.
  • Signatures only accumulate. Does anyone ever remove old signatures? Eventually, there’ll be too many signatures to handle in a timely manner.
  • Signature-based detection is based on secondary characteristics, which means it’s subject to false positives and false negatives.
  • Viruses can morph in ways not recognized by the current signatures.

Does all this mean that signature-based solutions are dead? No. Consider:

  • All the weaknesses I listed above have been present all along, yet signature-based tools still catch things.
  • Signature-based detection has never been sufficient for any organization’s information security plans. Is there anybody making information security decisions who thinks it is?

Okay, so if the weaknesses aren’t news, and if signature-based solutions still catch things, and if an overall security plan is more comprehensive than mere virus detection, is it worth trying to do better? Absolutely.

Whitelisting

Whitelisting of software is a commendable idea worth pursuing, because it follows the fine security principle “That which is not expressly permitted is prohibited.” But it too has weaknesses:

  • Whitelisting is based on the assumption “good today = good tomorrow.” That won’t always be the case.
  • Whitelisting is also based on the assumption that I’ll always be able to tell which software deserves whitelisting and which doesn’t. I won’t always be able to do it accurately, cost-effectively, and in a timely manner.
  • Whitelisting shares a flawed assumption with signature-based virus detection, namely, the assumption that goodness or badness is a permanent attribute of the software, and not a transient attribute of its usage. An authorized user with a whitelisted tool could still wreak havoc, accidentally or intentionally.
  • Some users (including your bosses and customers) will see the whitelist process as an unnecessary obstruction. They’ll insist, for business reasons or mere convenience, that you disable the whitelist controls, that you whitelist something RIGHT NOW, or that you grant them the authority to whitelist software themselves.

But, just like signature-based detection tools, whitelisting will catch things that might not have been caught otherwise. It just won’t be sufficient.

Behavior detection

Another alternative is the behavior-based approach: what the software does, not what it is. It’s closely related to anomaly detection: finding changes in things that shouldn’t normally change.

That addresses one of the main flaws of signature approaches and whitelisting. Slick.

Yet behavior detection shares a number of flaws with the other approaches too:

  • Behavior-based detection is still essentially a signature-based approach. It will only detect behaviors it knows how to detect, predictable behaviors in particular.
  • It’s reactive, not preventive.
  • Sometimes, you won’t know whether a behavior is good or bad until after the damage is done.

Endpoint Security

Endpoint security (NAC, NAP, and related solutions) is very promising in some ways. Endpoint security is the bouncer who can reject or eject the unwelcome. It seeks to keep out the riff-raff before they’ve had a chance to do any damage. Good stuff.

Pre-admission NAC is the bouncer at the door who decides who’s allowed in and who’s not. It’s still essentially signature-based. In the absence of post-admission NAC, it makes the flawed assumption that if you were okay upon connection, you’re okay for the rest of your session.

Post-admission NAC solutions are the bouncers keeping an eye on things once you’re in the door. That’s better, but it’s still essentially signature-based. I’d hate to see a post-admission false positive mess up somebody’s important work in progress.

NAC solutions are at risk of false positives and false negatives. For example, if my anti-virus signatures are two weeks old, and I’ve got tracking cookies, my workstation isn’t perfect, but it could still be harmless to the destination network. Conversely, if my workstation has no detected problems, I or my workstation could still be up to no good.

Let’s compare:

                            Catch anything?   Catch everything?
Signature-based detection         Yes               No
Whitelisting                      Yes               No
Behavior detection                Yes               No
Pre-admission NAC                 Yes               No
Post-admission NAC                Yes               No

I detect a pattern! ;-) None of these solutions are entirely useless, and none of them solve the entire problem.
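A constructed walk-through of the comparison above, added here and not part of the original post: a fixed byte signature, a SHA-256 application whitelist, and two behaviour rules are run over four made-up “binaries” with made-up per-process event logs. The signature catches the known worm but misses a variant with two junk bytes inserted; the whitelist blocks both worm builds but cannot see that the approved admin tool is being misused by an authorized user; the behaviour rules catch both worms and also flag the legitimate backup tool, the false positive the post warns about. Every sample, hash, rule and log line is constructed for the example.

```python
"""Toy comparison of signature, whitelist and behaviour-based detection.

Added example for the post above, not the author's code.  The "binaries",
the signature and the per-process event logs are all constructed inline.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# One anti-virus style signature: a fixed byte pattern from the known sample.
SIGNATURES: Dict[str, "re.Pattern"] = {
    "Demo.Worm.A": re.compile(rb"DROP_PAYLOAD_AND_SPREAD"),
}

# Constructed "binaries".  The variant is the same worm with two junk bytes
# inserted, which is all it takes to defeat a fixed signature.
SAMPLES: Dict[str, bytes] = {
    "worm":         b"MZ\x90\x00" + b"DROP_PAYLOAD_AND_SPREAD" + b"\x00" * 8,
    "worm_variant": b"MZ\x90\x00" + b"DROP_PAYLOAD\x90\x90AND_SPREAD" + b"\x00" * 8,
    "backup_tool":  b"MZ\x90\x00" + b"copy every share to the staging disk" + b"\x00" * 8,
    "admin_tool":   b"MZ\x90\x00" + b"helpdesk remote shell" + b"\x00" * 8,
}

# Application whitelist: SHA-256 of the two approved tools.
WHITELIST = {
    hashlib.sha256(SAMPLES[name]).hexdigest() for name in ("backup_tool", "admin_tool")
}

# Constructed per-process event logs as (action, target) pairs.  The admin
# tool is being used by an authorised person to pull a credential dump.
Event = Tuple[str, str]
WORM_EVENTS: List[Event] = (
    [("write", f"C:\\Users\\alice\\doc{i}.enc") for i in range(50)]
    + [("connect", "10.0.0.7:445")]
)
EVENTS: Dict[str, List[Event]] = {
    "worm": WORM_EVENTS,
    "worm_variant": WORM_EVENTS,
    "backup_tool": [("write", f"E:\\staging\\file{i}.bak") for i in range(200)],
    "admin_tool": [("connect", "10.0.0.9:3389"), ("write", "C:\\Windows\\Temp\\lsass.dmp")],
}


def signature_verdict(sample: bytes) -> Optional[str]:
    """Name of the first matching signature, or None when nothing matches."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(sample):
            return name
    return None


def whitelist_allows(sample: bytes) -> bool:
    """True when the binary's hash is on the approved list."""
    return hashlib.sha256(sample).hexdigest() in WHITELIST


def behaviour_flags(events: List[Event], write_threshold: int = 20) -> List[str]:
    """Two simple behavioural rules: a burst of file writes, and an outbound
    SMB connection.  Both are themselves 'signatures' of known behaviour."""
    flags = []
    if sum(1 for action, _ in events if action == "write") >= write_threshold:
        flags.append("mass-write")
    if any(action == "connect" and target.endswith(":445") for action, target in events):
        flags.append("smb-connect")
    return flags


def assess(name: str) -> Dict[str, object]:
    """Run all three controls against one constructed sample."""
    return {
        "signature_hit": signature_verdict(SAMPLES[name]) is not None,
        "whitelist_blocks": not whitelist_allows(SAMPLES[name]),
        "behaviour_flags": behaviour_flags(EVENTS[name]),
    }


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:>13}: {assess(name)}")
```

Each control catches something the others miss, and none of them notices the admin tool: a whitelisted binary run by an authorized user, doing something it is allowed to do, for a reason the controls cannot see.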