NAC Vendors Vie Over Architecture, Product Direction

The network access control (NAC) market has finally matured enough that vendors and users can at least agree on the baseline features and functionalities required to make up a NAC solution. On deck for 2007: the battle of NAC architectures, an expected standards shake-out; and plenty of vendor posturing, positioning and - more than likely - consolidation.

That was the story at Network Computing's NAC Forum event, held Thursday in San Jose, Calif. The event brought together NWC real-world IT analysts, leading NAC vendors and users that have both deployed NAC and those still in the evaluation phase. Even though NAC feature sets and technology approaches remain in flux, several users detailed early successes in rolling out NAC in their enterprises.

Key business drivers included improving remote and guest access to corporate networks; avoiding catastrophic attacks and vulnerabilities; and locking down security policies and practices for regulatory compliance.

Cedars-Sinai Medical Center has completed a NAC deployment using NAC gear from Vernier Networks to manage how a wide variety of devices access its corporate network, including not only computers, laptops and handhelds but net-enabled medical instruments such as heart monitors and even task-specific robots. "In looking for a NAC solution, it's important to keep things in perspective. NAC isn't a magic pill," said Mazen Abu-Hijley, director-networking for Cedars-Sinai. "From an operational perspective, we were looking for something that was easy to put in and allowed us to apply and monitor the policies we needed."

The hospital is largely a Cisco shop, but turned to Vernier for a best-of-breed NAC appliance that it could deploy today without having to make massive changes across its installed base of routers and switches, Abu-Hijley said.

Medical device manufacturer Beckman Coulter is planning its own NAC deployment, with implementation planned to be rolled out on a site by site basis in the next 12 to 18 months, said Steve Campbell, the company's director of network services. "Our goal is fairly simple-keep visitors, contractors and interns off the network. We need to be able to control what they do," Campbell said, adding that the biggest surprise in planning the NAC deployment was that while IT had locked down remote access very tightly, "the thing that wasn't secure (from an access perspective) was the LAN."

Working with vendor Nortel, Campbell's team is taking a measured approach to its NAC roll-out, testing NAC piece-parts and overall interoperability in the lab before rolling out live deployments, beginning with its corporate headquarters. Campbell recommends that enterprises deploying NAC "spend a lot of time in the lab and test everything and look for unexpected effects."

Users have plenty of options when evaluating NAC solutions, including platforms and enabling technologies from infrastructure vendors such as Cisco, Microsoft and Nortel, which aim to make NAC essentials a core part of the network environment. Meanwhile point solutions have emerged in two main flavors, including "in-band" approaches that sit in between access and distribution switches (or act as a replacement switch themselves) and examine incoming traffic and "out-of-band" solutions that monitor link ports and control host access.As NAC grows to become an almost all-encompassing framework for enterprise wide access control and intrusion detection, many enterprises will end up using combinations of these approaches, said NWC analyst Mike Fratto. "These are not exclusive technologies," he said. "Many of the products I've seen that hold the most promise for large enterprises support multiple NAC methods."

Indeed, even as NAC architectures continue to evolve, 2007 is expected to see some important NAC milestones, including progress on a standards-based NAC architecture and approach from the Trusted Computing Group/Trusted Network Connect. Meanwhile, Microsoft and Cisco will walk the line between cooperation and competition as elements of Microsoft's Network Access Protection (NAP) framework arrives on Vista desktops and Longhorn servers and Cisco's Network Admission Control architecture continues to evolve. The two vendors have pledged to cooperate on NAC interoperability, but with so much at stake there will undoubtedly be areas where they will set down stakes as well.

Look for Microsoft to demonstrate plenty of NAP interoperability with a variety of NAC partners at the upcoming RSA show, while the standards-driven TNC approach is driving toward interoperability demos at the Interop show later this year.

Meanwhile, NAC solutions continue to mature. In 2007, look for advances in how enforcement devices understand the state of the client, an area ripe for standardization, said Michelle McLean, senior director of product marketing for ConSentry Networks. Also on deck should be improved integration of NAC devices with standalone policy servers, McLean said. And don't be surprised if additional security functionality gets sucked into the NAC universe, in particular the integration of intrusion detection systems with NAC, enabling NAC platforms "to learn from or inform" IDS/IPSs, said Sanjay Uppal, president and CEO of Caymas Systems.

0