NAC Vendors Vie Over Architecture, Product Direction

The network access control (NAC) market has finally matured enough that vendors and users can at least agree on the baseline features and functionalities required to make up a NAC solution. On deck for 2007: the battle of NAC architectures, an expected standards shake-out; and plenty of vendor posturing, positioning and - more than likely - consolidation.

That was the story at Network Computing's NAC Forum event, held Thursday in San Jose, Calif. The event brought together NWC real-world IT analysts, leading NAC vendors and users that have both deployed NAC and those still in the evaluation phase. Even though NAC feature sets and technology approaches remain in flux, several users detailed early successes in rolling out NAC in their enterprises.

Key business drivers included improving remote and guest access to corporate networks; avoiding catastrophic attacks and vulnerabilities; and locking down security policies and practices for regulatory compliance.

Network access control (NAC) processes boil down to a repeating series of steps: • Monitor host • Define/deploy policy • Gather host posture • Compare posture to policy • Make access decision • Enforce access decision • (Repeat) As for deploying NAC, the costs can be high both on the product side ($50 per desktop and up) as well as the operational side, including the need to not only create but administer new security policies, according to Fratto. As for product interoperability, Fratto said: "There's little interoperability today and no clear indication of interoperability in the future." In the end, NAC offers tighter and more fine-grained access control, but stops short of application-level control. "It makes the attack surface somewhat smaller, but fundamentally the question remains 'what can a user access on the network?'" Mike Fratto Senior Technology Editor