NAC's Growth Good News for Vendors, Users

There are a number of milestones in the introduction and acceptance of new technology. One sign of maturation is functionality becoming available in more flexible ways than when it was introduced. This shows that vendors are learning to work with the technology and, in most cases, integrating and miniaturizing it. This is good, of course, as it spreads existing benefits more widely, introduces new benefits, reduces costs -- or provides any combination of those advantages.


This is true of network access control (NAC). NAC systems control whether devices get access to the network and, if they get past the electronic bouncer, where they are allowed to go. NACs check whether the security on a device is up to date and, if there is a problem, segregate the device for remediation.


This week, Cisco said that it is adding NAC functionality to its Integrated Services Router (ISR). The ISR provides routing, intrusion prevention and virtual private network capabilities. Previously, this internetnews.com story says, Cisco's NAC was only available in discrete appliances.


In a separate but thematically related announcement, Cisco introduced the NAC Profiler. Essentially, the story says, NACs have focused on PC and PC-type devices. Handling threats from other networked elements -- such as printers, door readers and IP telephones -- was time-intensive. The Profiler, the story says, will ease this process. The thread through the two announcements is that they tend to broaden the flexibility of the company's NAC and the Cisco Self-Defending Network, of which it is a part.


NAC certainly solves a lot of security problems. It is a complex technology, however, and there are barriers to its effectiveness. This InfoWorld blog (http://weblog.infoworld.com/zeroday/archives/2007/09/hanna_mixed_gra.html) notes the comments of Stephen Hanna, the co-chair of the Trusted Network Connect Work Group, at a security conference in Chicago. He outlined several problems with NAC. The most threatening -- because it strikes to the heart of how a NAC operates -- is end points that lie. NACs use information provided by the device seeking network admission. If this information is bogus -- something that is most commonly caused by rootkits -- the NAC has failed.


Hanna says the group is working on a solution to the problem. Without elaboration, the piece listed four other problems (lack of scalability, poor interoperability, lack of commitment to standards and cost of some implementations) and four positives (most devices have good security and performance, interoperability is taking root and pricing has improved).


Users are getting serious about NAC. For instance, InformationWeek polling says that only 15 percent of respondents have no plans to implement NAC -- a big decrease from the 46 percent with no plans a year ago. The survey is full of interesting tidbits, including an apparent disconnect between what those deploying the technology expect and what they are getting. The survey said that compliance requirements -- led by the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) -- are fueling the growing interest in NAC.


The results are beginning to come in on vendors. Last month, Current Analysis rated NAC providers by two measures: whether organizations currently not using that vendor's products would consider deploying them (vendor attraction) and whether a company would consider using a current vendor for a future project (vendor retention).


The top five vendor attraction scores were Cisco's appliance (45 percent); Cisco NAC (a more general category, 41 percent); Microsoft (21 percent); and Check Point and Juniper Networks (15 percent each). Retention leaders were CA (81 percent), Juniper Networks (80 percent), Bradford Networks (78 percent) and Check Point and Nortel (both at 71 percent). Cisco's CNAC and appliance finished with 68 percent and 67 percent on the retention scale, respectively.


NAC is complex, and there is agreement that it is immature. The general sense is that the shortcomings will fade as the value of this technology, which addresses some of the most pressing security concerns organizations have, becomes clearer to decision makers.