Well everyone- there’s something I’ve been wanting to tell you and now, after a year, I can!

Because of non-disclosure and other confidentiality contracts with various partners, vendors and manufacturers, we’ve had sealed lips for almost exactly 12 months. Now that it’s been made public by the media, I can share a little information with you and explain why I think you should be excited.

What cat is out of the bag now? HP ProCurve’s network access control solution leverages endpoint management technology from StillSecure’s Secure Access solution. Information Week spilled the beans, so to speak, in Mike Fratto’s recent 2008 NAC Survey Analytic Report. (See page 32)

Now, at this point, I can probably lump you into one of three groups… 1) You don’t care or have no clue what this means 2) You care but think this means HP ‘has no NAC’… or group 3) You know about StillSecure’s success and ProCurve’s integration and think this is a great combination.

I’m sure everyone will have their own opinion– I happen to be in Group 3. Why? Because HP has taken the power of their servers, leveraged a very solid endpoint management tool and incorporated a variety of other management and security features by way of their identity management solution.

    • The endpoint security.
      StillSecure’s Safe Access solution has been winning awards and earning stars for years. You can probably Google it, or check out some of Shimel’s blog  posts, such as this one, with 4- and 5-star reviews from SC Magazine. In fact, just this year (and in previous years) Safe Access was voted Best Endpoint Security Solution by SC Magazine and has won numerous other awards and accolades from various analysts and media firms. They have a clean, user-friendly GUI, a solid Linux platform and a variety of testing methods, deployment options and switch integrations. (And no, you don’t need ProCurve switches, the NAC integration is ready for your Cisco, Extreme, or whatever you have). 
    • User management.
       Combine one of the highest-rated endpoint security solutions with ProCurve switches, the #2 leader in the switching market (and Magic Quadrant resident) and the full integration with ProCurve’s Identity Driven Manager platform and you have one amazingly capable access control system. With ProCurve IDM, you can integrate directly with their NAC 800 appliance to offer per-user (or per-group) ACLs, QoS, restrictions or priviliges. Rules can be identity-based, time-based, location-based, or a combination of all. And, IDM eases 802.1X integration by offering users a central management and repository for user settings and VLAN assignments; it really is ProCurve’s special sauce and a distinguishing feature.


    • Switch security.
      The integration of advanced switch security functions, such as DHCP snooping, Dynamic ARP protection and dynamic IP lockdown gives ProCurve another leg-up to fight common known attacks for both in-line and out-of-band NAC deployments.
    • Zero-day protection.
      It gets better, the new Dynamic Configuration Arbiter (DCA) functions in ProCurve’s Pro-vision switches gives customers the unique advantage of integrating the NAC and IDM with ProCurve’s Network Immunity Solution (NIM). NIM uses flow analysis from sFlow and network behaviour anomaly detection (NBAD) to detect and automatically remediate on the edge. In English, that means we can use ProCurve’s NIM to detect attacks and take action at the edge port, such as blocking the port, locking out the MAC address of the offender, rate-limiting, or even mirroring the traffic to an IDS for further inspection. The super-nice part is, all the sFlow and NBAD works on wireless too. (Hey Stiennon, did you hear that?)


  • Full integration.
    Unlike some of the other network-based NAC vendors, ProCurve has done an exceptional job of integrating these features and we’ll continue to see more integration in future revisions of the softwares and as more TNC/TCG integration frameworks are released (such as IF-MAP).

I think the strong integration with the infrastructure and the ability to leverage a mature endpoint integrity will make HP a ‘real’ player in the NAC market moving forward.

Not to knock other NAC solutions- Choosing a NAC is like selecting the perfect wine for your dish- there’s no 1 ‘right’ choice for all occasions. Each have their advantages and disadvantages. There are several that have special sauces and you’ll actually be seeing more on that soon…


# # #


Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.

View all posts


  • Do you guys know about anyone lokiong into the agent software being used by NAC (is it Cisco Trust Agent?) to see if it really has a decent architecture? It always seemed to me that a networking device asking a computer if it “is secure” is not a good way to deal with the problem. Maybe they are using some ninja digital signature based technique to reduce the risks from trusting the evaluator to be in the evaluated computer, but even this could be tricked by clever malware.

  • John… really..

    Surely you’re a professional adult and you understand the implications of corporate partnerships, contracts and NDA.. ? You get that, right…?

    Hewlett-Packard (aka mothership) has extremely strict policies on disclosing OEM agreements. No one was allowed to discuss it… even if we did know.

    And of course many companies knew.. including folks at ProCurve’s business unit, StillSecure, the training partners and all of us involved in the beta testing.

    However, we all had those nice pieces of paper with the tiny writing and Paul’s signature requiring we abide by HP’s rules…

    So like big grown up adults in the business world (who do not wish to be sued by HP) we do what we’re told. In fact, had you read the first line of this blog post, we probably could have avoided this comment.

    Surely that makes sense.

    And yes, I am perfectly happy “being connected to StillSecure” and especially Alan.


  • “Do you really want to be connected to StillSecure?” Or worse, Alan Shimel?

    I recall a 2007 podcast Shimel did with HP ProCurve’s CTO Paul Congdon where Shimel discussed ProCurve’s (then) new NAC 800 product as if he knew nothing about it. In Alan’s own words, “HP ProCurve … came out with 2 security products. One is a NAC Appliance … I think it’s called ProNAC 800 or something like that … It looks like a pre-connect NAC product …”

    Shimel knew the cat would be out of the bag at some point, so why play games like that? And for what gain other than to weaken Shimel’s – and StillSecure’s – credibility? So, it’s an emphatic NO, you do not want to be connected to StillSecure, or to Shimel.

  • JJ,

    Not sure if I understand your angle here after looking at Mike’s report again. Surely it was no secret that HP’s NAC 800 was based on StillSecure? I distinctly remember discussing this with HP folks on the show floor in 2007. One look at the dashboard shows it is the same product.



  • Do you really want to be connected to StillSecure? Richard give me a break. No, better to be connected with some Australian backed MSSP who is going to change the world with the next big thing, multi-function routers? Richard your NAC-paranoia has gotten the best of you!

  • Stiennon, you mean like unabashedly plugging your Analyst event on a NWW chat? (Is that what you mean?)

    Do your homework- we sell a variety of solutions including HP, ProCurve, Symantec, Juniper and a variety of others. I research, evaluate & test many more.

    I just happen to actually integrate, design and use these things in the real world… so I know what works, and what doesn’t. Feel free to sit around and ‘theorize’ all you like, obviously it’s worked out well for you.

    Personally I prefer application over musings, it’s what works for me. To each their own.


  • Wow, do you work in HP’s marketing department? It is so unusual to read a blogger who unabashedly pushes products. Well, an Apple fanatic blog maybe.

    I am sorry, working at a VAR that sells HP (and I assume StillSecure, are you really sure you want to be connected to them?) taints you as much as working directly for a vendor. Leave the Stiennon bashing to Rothman and Hoff. They have earned some respect for being objective.