NAC: More Is More

Like a train gathering speed as it heads downhill, NAC projects are gaining momentum, particularly at larger companies. Forty-five percent of those responding to our second annual Network Computing NAC Survey are already rolling out network access control technology, while 41 percent plan to deploy NAC, most within 12 months. Only 14 percent said they have no plans for NAC, compared with 46 percent last year. But the most interesting finding is that the 45 percent who've taken the leap have learned that some common fears are unfounded--most said NAC is easier to deploy, is less disruptive and requires fewer changes to network configurations, and has less of an impact on productivity than was expected.

That's the good news; it's always easy to see positives once the deployment is finished. But as always with emerging technologies, there are bumps in the road, and--surprise!--interoperability is one of the biggest.

Currently, more than 30 vendors are pushing products that help IT staff enforce security policies by preventing noncompliant machines from connecting to the network. Trouble is, they're all using different, usually proprietary, mechanisms to determine a PC's state and act on that information.

Then there's the cost factor. Enhanced security comes at a high price: IT groups that have deployed NAC said its average cost is 12 percent of the entire enterprise IT budget; that's about one-third more than the mean estimate from those who have not started to roll out the technology. Still, most find it money well-spent.

NETWORK ACCESS CONTROL
Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS TUTORIALS | STRATEGY | MORE

"NAC is expensive, but worth it," says an information management expert at a federal government agency who asked to remain anonymous.

He wasn't totally positive, however, mainly because he had to use NAC products from more than one vendor. "There was no single solution that would do everything we wanted," the info management pro says. "And the two products we use aren't interoperable." To work around this situation, he uses a separate product for each application--some users must log out, then log in again when moving between e-mail and productivity applications.

For NAC vendors, the prevailing message from our readers is "make these products play nicely together, and hurry up about it."

"We've been evaluating NAC products since 2004, but they're a year behind what we need. Once the products could do what we needed, we'd moved on," says Allen Brokken, principal systems security analyst at the University of Missouri. Brokken eventually built his own system, which involved a lot of integration work. "All our NAC equipment has different purposes. We co-opted DHCP servers, firewalls and IPSs and spent a good chunk of three years putting it all together." Although he's happy with the system now, Brokken says he is still looking at commercial NAC products to improve features such as quarantine and remediation.

There definitely are lessons to be learned for those in the planning stages of NAC, or even in the pre-planning phase. As with many technologies before it, standards and interoperability are likely to cause some heartburn, and NAC will probably take a considerable bite out of your overall security budget.On the positive side, deployment may take less time than expected, and disruptions to existing systems may be minimal. One warning: Expect the overall satisfaction of upper management to wobble a bit once the deployment is finished. As with all security-based projects, NAC ROI is hard to prove.

Continue Reading This Story...

Tracking NAC

Network Computing first surveyed IT professionals on NAC in 2006. Then, slightly more than half of respondents had plans for it, with a heavy concentration of those in government and highly regulated industries (find last year's survey and see more of this year's results). This year's survey, which used a similar methodology, response rate and demographic profile, shows some important changes. Excluding the 14 percent who have no interest in NAC, slightly more than half of respondents have bought products and started deployment. This helped us separate respondents into two groups: planners and deployers.

Deployers have a higher opinion of NAC than planners do, not surprisingly. They also expect more from the technology and are paying for it. In many cases, high expectations are based on real experience: NAC can be brought online quickly. In fact, 41 percent of deployers said initial rollouts are taking less than three months, even though most projects involve multiple locations and several different applications. Ten percent said they completed the entire NAC setup within a single month.

And these can be big projects. Unusual for early adopters, most deployers are involved in larger NAC installations than the planners' anticipated deployments, both in terms of number of sites they're covering and the technology's functionality. This is in part because two of the biggest drivers for NAC are branch-office security and compliance with the Sarbanes-Oxley Act (SOX), both of which tend to cause headaches for larger enterprises.Comply To Connect

Regulatory compliance is still the main reason most organizations deploy NAC, and its importance has only increased since last year. But it's far from the only driver. Controlling access to specific network resources remains a close second and was rated particularly high by deployers.

In many cases, data center access control is crucial. "We do a lot of classified work, so we have traditionally relied on physical security," says one respondent at a government lab. Until recently, his data center wasn't even connected to the Internet, but the agency has now opened it up to VPN users--provided their PCs pass some strict NAC tests enforced by endpoint agents.

Our survey asked network managers to choose the three main drivers for NAC, with 10 different options. As "Top NAC Motivators" (page 76) shows, the planner group's answers are mostly in line with last year's results, which didn't distinguish between planners and deployers. This makes sense, given that most enterprise NAC projects would have been less advanced last year. The major difference is that addressing general security compliance issues and controlling access to specific network resources have increased in importance--both were selected by more than half of all respondents. The relative positions of NAC drivers remain largely unchanged between this year's planners and last year's respondents.

The deployers tell a different story. General compliance and specific access control are even more important, but early adopters are also more likely to cite specific regulatory compliance requirements. In total, 69 percent of current NAC deployments are driven by compliance. This is reflected in our questions that asked about five particular regulations. Every one was more likely to be cited by the deployers, while the planners were more than twice as likely not to pick one at all.So which regulations are driving NAC? The deployers and planners were both most likely to mention SOX, with it farthest ahead among deployers. In general, HIPAA (the Health Insurance Portability and Accountability Act) was the most important regulation for organizations not planning or deploying NAC. This suggests that NAC in its current incarnation can't address many concerns of the health-care industry, which uses many network-connected devices that can't participate in NAC because of their design.

The starkest differences between deployers and organizations with no NAC plans were in SOX and Department of Defense directives, both of which are about twice as likely to apply to organizations already deploying NAC. A look at the survey's demographics shows that deployers have higher revenue and more employees than average, as SOX applies to all public companies.

Many respondents are in government, the aerospace industry and heavily regulated sectors, such as finance. However, overall this year's respondents are from a broader swath of businesses, which suggests that NAC is becoming more widely applicable. The fastest growing sector among both NAC planners and deployers is education, which accounts for one-fifth of all NAC initiatives in our survey. Although most schools and colleges don't have to answer to DoD directives or SOX, they do have a lot of unmanaged devices connecting to their networks.

"We're in a situation where we have to keep our network open, so we have to put a lot more effort into knowing who's in our network at any given time," says the University of Missouri's Brokken.

Protecting wireless computers looked like an important reason for NAC in 2006, and the planner group continued to rate it fourth. For deployers, however, it slipped into seventh place, behind correlation and accounting. And this isn't just because compliance is getting more important. Wireless's close cousin, mobility, is also down sharply: Just 16 percent of deployers rated protecting mobile computers as one of the top three drivers, compared with 29 percent of last year's respondents.Wireless users still need security, so why has NAC's role declined?

"We don't see any reason to have a wireless network," says an IT administration manager at a financial services company. "It would just add another risk factor." Her sentiments are echoed by other deployers: The people who are most likely to be using NAC are less likely to have wireless networks at all.

In addition, at the same time as NAC adoption is gathering momentum, the IEEE's wireless authentication mechanisms have become more mature. This has decreased the need for a wireless security fix. Wireless initially drove adoption of 802.1X, the protocol used by many NAC systems, but the need for security for wireless devices isn't driving NAC. Because enterprise WLAN gear already uses 802.1X, it's less likely to need upgrading for NAC.

Infrastructure Impact

The issue of network upgrades has dogged NAC from the beginning--this technology is notorious for demanding network upgrades, with some major frameworks requiring new clients, switches or servers. But surprisingly enough, our survey revealed that the upgrade rap may be undeserved. On average, respondents expect NAC to require upgrades to less than one third of their IT gear, and those actually deploying NAC expect to require fewer upgrades than people at the planning stage. This is probably because most current NAC products are standalone appliances, with few vendors yet shipping anything based on frameworks."We looked at solutions that would require an upgrade of the infrastructure, and that would be close to 50 percent of our security budget," says a security engineer at a state university. He eventually deployed NAC across five campuses, using standalone products from three different vendors. For the moment, he's avoiding the framework issue because the benefits of multiple enforcement points doesn't justify the extra cost.

We asked how much of the IT infrastructure readers expect to upgrade for a successful NAC deployment. The mean answer was around 30 percent, with deployers expecting to upgrade less than the planners, as shown in "Upgrade Plans," page 78. Just 10 percent of planners said they anticipated no upgrades, with 32 percent expecting not to upgrade more than a quarter of their infrastructure. In contrast, 15 percent of deployers were able to avoid upgrades altogether, with 26 percent upgrading more than a quarter of their infrastructure.

This difference between planners and deployers is probably the result of NAC initiatives that caused less disruption than expected, not because those deploying NAC had more advanced network infrastructures from the start. As mentioned, early adopters tend to be larger organizations, with bigger initial deployment projects. We also asked how much of respondents' networks are 802.1X-capable, and got similar results from both groups: around 54 percent. The main difference is that NAC deployers are more likely to be using this capability, running 802.1X over 33 percent of their networks, compared with 23 percent of nondeployers' networks (those of planners and those with no plans to deploy NAC).

Still, beyond nitty-gritty technical issues and the larger question of future interoperability, upgrading 30 percent of an enterprise's IT infrastructure is a major commitment, no matter how you slice the data. But that commitment is one that an increasing proportion of organizations are willing to make. We were surprised last year by how many respondents were open to significant network changes, and this year the proportion is up slightly among both the deployer and planner groups.

Adding inline appliances or extra enforcement points, such as firewalls, is still the most likely upgrade that sites make to accommodate NAC, but the gap with other architectures is narrowing. Compared with last year, our readers are more willing to add out-of-band appliances, and a lot more willing to upgrade their switching or routing infrastructures.This, of course, bodes well for infrastructure vendors, especially Cisco, whose framework is based on using its switches as enforcement points. Other approaches also require support in the network infrastructure, leading such vendors as Enterasys Networks, Extreme Networks, Hewlett-Packard and Nortel Networks to add features that make their gear more NAC-friendly. Microsoft's Network Access Protection (NAP), for example, uses a nonstandard version of 802.1X alongside IPsec, which is why the company has partnered with almost every networking vendor in the last two years. However, many vendors say they can support Microsoft's extended 802.1X version anyway, so users may need fewer upgrades than anticipated.

Hidden Hits

Cost and complexity are the biggest barriers to NAC adoption, but the fastest growing concern is NAC's impact on productivity. This can mean specific application conflicts, or fears that it will prevent people from connecting to the network and doing their jobs. Whereas respondents last year complained about a general trade-off between security and productivity, this year they were more likely to mention NAC's incompatibility with particular applications, such as CRM and ERP.

As "System Incompatibilities", shows, a majority of readers planning NAC are now highly or very highly concerned about its impact on productivity software.

"Security can be your own denial-of-service attack if you go overboard," said one respondent, whose main worries are about incompatibility with remote-access clients. A system dependent on an IPsec VPN, for instance, can't co-exist with a softphone that requires direct access to the Internet.Some concerns may be overblown, as those who have deployed NAC rate incompatibilities slightly less severely. One even said that NAC increased productivity because it means that users spend less time waiting for IT staff to fix security problems: Instead of sending out a technician, IT can just let quarantine and remediation happen automatically.

When asked about the top three barriers to NAC adoption, a clear majority of both groups picked cost and complexity. There was more division about the third. Planners are put off by other, higher-priority projects or by immaturity of the NAC market, whereas deployers are more likely to complain about an inability to demonstrate clear benefits and ROI to internal stakeholders.

The lack of demonstrable ROI has always been a problem with security spending, but the fact that IT pros who are already spending money on NAC rate it as a more serious problem than those who are not is significant. NAC deployers are also 50 percent more likely than planners to mention lack of senior management buy-in. This lack of enthusiasm is unlikely to stop a NAC deployment in its tracks, but it could derail plans for future security projects.

Part of the problem may be extremely high expectations. As shown in "Prevailing Policies," page 84, network-access policies are becoming more stringent, with every category showing an increase in importance. User identity remains the leading factor, but others are catching up. Group membership showed the largest gain. More than half of respondents now rate the resource being accessed as very important to an access control decision, a consequence of NAC's initial role in many organizations as a means of protecting particularly sensitive data or systems.

Stricter policies lead to an increasing emphasis on NAC products' capabilities. When we asked about factors such as ease of deployment and support for multi-site architectures and different authentication methods, we found that every one had grown in importance since last year. Not only that, but all were more important to deployers than planners.The highest-rated factor is easy integration with existing infrastructure: Of the 179 people in the deployer group who expressed a preference, all said integration is either "somewhat important" or "very important." Fault tolerance, high availability and low impact on LAN performance are also critical, rated as somewhat or very important by more than 90 percent of all respondents in both groups.

Support for non-Windows OSs remains the least important selling point for a NAC system. However, just 50 percent this year rated Apple Mac support as "not important," down from 75 percent last year. Attention to Linux is also growing, with about one-third rating support "very important." Both of these OSs can be problems for architectures that rely on client-side agents, as can non-PC-based network devices such as VoIP phones and network printers.

There is also an increased demand for particular enforcement methods, though no clear favorite has emerged. Candidates are 8012.1x, VPN encryption and out-of-band technologies such as spoofing and ARP poisoning.

Working With Frameworks

With so many different NAC products, customers are demanding standards for integration with other security applications. Our survey showed a sharp increase in the number of readers who said that a NAC solution must be based on a standard. Cisco's CNAC framework is still the favorite, but as "Trusted NAC Vendors", shows, the majority of respondents to our poll don't care which one wins, just so long as a standard does eventually emerge (see "Four for Fighting" ).Compared to last year, Microsoft's NAP shows the largest increase in awareness, now having nearly caught up with Cisco. This is likely due to Microsoft's aggressive partnership program and the availability of Windows Vista, though NAP's most important component--Longhorn Server--is still in beta.

It's likely that frameworks will be able to work together, eventually. Microsoft and Cisco have committed to interoperability between their systems, while the NEA--so new that it wasn't included in last year's survey--looks like it could even help the other frameworks interoperate. Its intention is to define standard interfaces between popular NAC components that the other frameworks can use, not to compete with them. Now that's a goal we can get behind.

Four For Fighting

The demand for a NAC standard may have been answered too well--four different frameworks are now emerging. Our survey showed that each has grown in popularity, with more readers rating compliance with the standard as important or critical. However, most still know little about the Trusted Computing Group's Trusted Network Connect (TNC) or the IETF's Network Endpoint Assessment (NEA) (see "Who Ya Gonna Trust?" and "IETF Strives for NEA Standard"), despite rating them as important. In fact, awareness of TNC has actually decreased slightly since last year, and 42 percent of respondents said they had never heard of NEA.Battling Vendors, Standards

Rather than offering a standalone product, Microsoft has its NAP Framework, which aims to build NAC into the Windows OS at both client and server levels. Cisco promises to offer the same functionality in its switches through the Cisco Network Admission Control (CNAC) framework. However, Cisco also has the NAC Appliance, a standalone box it acquired with Perfigo. As "NAC Market Share," below left, shows, these let it hold both first and second place in NAC market share, with the NAC Appliance more popular than CNAC.

This isn't surprising: Cisco recommends the appliance over the framework, and customers have a strong preference for a single box. Although frameworks theoretically are more scalable and better able to integrate with existing utilities, such as antivirus software, personal firewalls and patch management systems, most deployments aren't this ambitious at first. And appliance users can later upgrade to the full framework, using the appliance as a policy controller.In total, 65 percent of current NAC deployments in our survey are using one or both Cisco architectures. Microsoft is in third place, with an additional 29 vendors scoring less than 10 percent each.

But don't count the others out: A majority of Cisco shops, including many who are using both the NAC Appliance and CNAC, must augment their Cisco NAC gear with third-party products. More than one-third of these respondents are considering Microsoft's NAP, while NAC products from Check Point Software, IBM, Juniper, Nortel, Symantec and Trend Micro are already used by more than 10 percent of CNAC customers.

The positions are similar when looking at future NAC plans. At least 20 percent of respondents are considering products from Cisco, Microsoft and Juniper. Although Juniper's NAC product is not yet on a par with some other vendors' offerings, its acquisition of Funk Software gives it an important position in the Trusted Computing Group (TCG), one of the organizations trying to standardize NAC frameworks. As a matter of fact, almost every vendor in the computing and networking industry has joined the TCG, though Cisco is notably absent from the organization.

Every vendor has increased its mindshare for future plans since last year, thanks to the greater interest in NAC overall. However, filtering out users who have no plans to deploy NAC shows most vendors down slightly, compared to last year, as customers are further along in the decision process. Check Point does noticeably better among planners than deployers, which could be a result of its large base of firewall installations.

Most NAC systems rely on client agents to check a PC's state, so a vendor's ability to deliver in this area can is critical. As "Choosing Sides" shows, Cisco is also a clear winner here, though it's trusted by less than 30 percent of respondents (see "Trusted NAC Vendors" ).• See all poll result charts in the image gallery

About This Survey

This year, 326 readers of Network Computing and other CMP Technology magazines responded to our NAC survey. Approximately 36 percent were in IT management, 25 percent IT staff and 25 percent C-level executives, with the rest independent consultants or in other positions. Respondents are in companies of all sizes, with 22 percent representing organizations with fewer than 50 employees and 19 percent at least 10,000. Similarly, 14 percent have annual revenues of less than $1 million, while 9 percent make at least $5 billion. Another 12 percent are in the government or non-profit sector. The survey included 26 categories for an industry breakdown, of which the largest was education at 15 percent.

Andy Dornan is a senior technology editor for Network Computing. Write to him at [email protected].