NAC Struggles for Standards and a Clearly Defined Mission


Few institutions are as evocative as the New York City subway system. Many adjectives aptly describe it: Huge, noisy (both the people and the always pleasant metal-on-metal braking), efficient, crowded and smelly are just a few. It also is dangerous: It's simply impossible to fully monitor the system, which is a big target for terrorists.


While most people think of the security issues related to the subway from a physical perspective, there is an electronic element as well. This SC Security article on the deployment of network access control (NAC) devices from Mirage Networks is useful in two ways.


The first half of the piece describes why New York City Transit is opting to deploy NAC as it rolls out IP networks to its 460-odd stations. The concern is stark: A hacker gaining entry through one of the access points can do some very dangerous things, such as create false bomb alerts.


The second half of the story discusses the state of NAC. It is a segment in transition. The common wisdom, the story says, is that in order to thrive, NAC must grow beyond its current task of simply assessing the security status of devices and, if necessary, guaranteeing and remediating those that aren't up to snuff. NAC systems now are offering "post admission monitoring." As the name suggests, this is the tracking of devices once they enter the network. NAC overlaps with various other security procedures, such as intrusion detection system and intrusion prevention systems (IDSes and IPSes). The ways in which those systems and others coexist, compete or combine going forward will be interesting to watch.


In the final analysis, the profusion of security approaches and equipment means that many will not be deployed in precisely the way they would be in a vendor PowerPoint presentation. Network World provides a prime example of the real world. The writer points to a company that uses ForeScout equipment to identify devices that are out of compliance with corporate security policies. At that point, the help desk addresses the concerns. That is far short of the full force of NAC, in which out-of-compliance machines are automatically segregated and fixed. The company feels that such a procedure will annoy users, and that gradually implementing NAC in this way will be far smoother.


There is a lot of detail in this InformationWeek blog, in which the writer reports on a panel that he hosted at NAC Day at Interop last month in New York City. The big picture beyond various groups and efforts that are mentioned in the post is that NAC is a long way from standardization. Indeed, the point of the blog is that various groups are still discussing the structure and nature of a standards-setting process. Being at such an early stage of the standards process simply isn't good news for a sector that at least some insiders already see as disappointing and slow to develop.


CIO.com takes a look at the NAC landscape and comes to a familiar conclusion: NAC has a lot of promise, but is a young industry. The writer suggests that it is beginning to come to grips with the standards issues, but says that more time is necessary. The most valuable part of the piece is the discussion of the two basic approaches: In-band NACs are positioned between devices and the rest of the network. In out-of-band approaches, the intelligence mediates between the network and the switching architecture to assess devices requesting entry.


This Realtime Community podcast features the Redmont Corp.'s Dan Sullivan, who discusses the nexus between NAC and mobile devices. The two, of course, are tightly related. The piece is a bit of a primer. The bottom line is that mobile devices -- many of which are owned by the employee and not the company -- carry significant risk. Sullivan calls these "semi-managed devices" and suggests that NAC can be a key player in making sure that they measure up to corporate standards or, if they don't, that the IT department is flagged.


At a high level, NAC makes perfect sense. Whether the technology thrives and the ways in which it evolves will depend, to a great extent, on the emergence of standards and whether the value the technology offers is co-opted by other security approaches.