As I start to test products for the upcoming NAC reviews, in-line NAC being the first of many, one thing strikes me as truly annoying: the lack of decent logging and reporting within network devices. Without good logging, there is no way to troubleshoot problems, and that hampers my productivity and, more importantly, the support desk's productivity.
Like you, I deploy these products in a network and try to make them run. Sure, I deploy products in a "test network", but my "test network" is my production network. If my production network breaks, I have to fix it. If I can't make products work, I can't write reviews (while we sometimes joke about running reviews with one line, "This product blows", that wouldn't be responsible or fair). I tend to break stuff a lot, so I get plenty of time to troubleshoot issues. A lot of IT people I talk to often don't even look at logging during procurement and come to regret that. The product has to do what you want, that's a given, but once you buy it, you have to live with it.
Troubleshooting is all about information. If you can't discover what the problem is, you can't troubleshoot it. The "reboot" only works on PCs; network gear tends to come back just the way you left it. Troubleshooting is compounded when products, like NAC appliances, rely on external services like authentication to function. I was testing a product (I won't say who yet. Wait for the review to come out) that uses an AD server to authenticate users. When I tried to authenticate as a user, the product was telling me the authentication was denied. I tried several times, each time progressively slower, because I could have fat-fingered the credentials. Hell, I may have fat-fingered the credentials multiple times. After the fourth or fifth attempt (mind you, I am now deliberately typing with one finger) I gave up and tried to see what the problem was by looking at the product logs. Maybe the appliance isn't talking to the directory or some other configuration issue. And there was nothing. Zilch. So I called support and they confirmed that they don't log that information. I wonder what else they don't log. Could you see how a support call might go if one of your users couldn't authenticate?
User: Hello, support, I am trying to log in to this web page and it won't let me.
Support: Did you try your username and password? Try again.
User: I did that several times with the same response.
Support: Huh, I don't see any errors.
Bad, bad, bad. When you are building a tool that purposely gets in the way of network connectivity like NAC does, you absolutely must provide the tools to troubleshoot problems. Here's a short list of troubleshooting requirements every NAC product should have:
- Don't call system logs audit logs: Audit logs record an irrefutable chain of events with sufficient detail that you can recreate the exact same steps in the future. System logs are log entries that may or may not provide enough detail for audit purposes. I can tell you, most security products don't log the right information for audit purposes.
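
The failed-login scenario above, as an added example that is not code from this post or from any product it discusses: every attempt writes one structured event with a reason, so the support desk can tell a mistyped password from an appliance that cannot reach its directory. The `StubDirectory` backend, the exception classes, the reason codes and the sample user and address are all constructed assumptions.

```python
import json
from datetime import datetime, timezone

class DirectoryUnreachable(Exception):
    """Hypothetical: the appliance could not reach the directory server."""

class DirectoryConfigError(Exception):
    """Hypothetical: the appliance's own directory settings are wrong."""

class StubDirectory:
    """Constructed stand-in for an AD backend; `fault` selects how it fails."""
    name = "ad-stub"
    def __init__(self, users, fault=None):
        self.users, self.fault = users, fault
    def check(self, user, password):
        if self.fault == "unreachable":
            raise DirectoryUnreachable("connect to directory timed out")
        if self.fault == "config":
            raise DirectoryConfigError("service account bind rejected")
        return self.users.get(user) == password

def authenticate(user, password, src_ip, backend, log):
    """One login attempt: the user only sees allow/deny, the log gets the reason."""
    event = {"ts": datetime.now(timezone.utc).isoformat(), "event": "auth",
             "user": user, "src_ip": src_ip, "backend": backend.name}
    try:
        ok = backend.check(user, password)
        event.update(outcome="accept" if ok else "deny",
                     reason=None if ok else "bad_credentials")
    except DirectoryUnreachable as exc:
        event.update(outcome="error", reason="directory_unreachable", detail=str(exc))
    except DirectoryConfigError as exc:
        event.update(outcome="error", reason="config_error", detail=str(exc))
    log.append(json.dumps(event, sort_keys=True))  # the password is never written
    return event["outcome"] == "accept"

def explain(user, log):
    """Support-desk view: count a user's failed attempts by logged reason."""
    counts = {}
    for line in log:
        e = json.loads(line)
        if e["user"] == user and e["outcome"] != "accept":
            counts[e["reason"]] = counts.get(e["reason"], 0) + 1
    return counts

if __name__ == "__main__":
    log = []
    ad = StubDirectory({"alice": "pw-constructed"}, fault="unreachable")
    for _ in range(5):  # five correct-password attempts, all refused
        authenticate("alice", "pw-constructed", "192.0.2.10", ad, log)
    print(explain("alice", log))
```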