Network access control products have been the talk of the security industry for some time now, but until recently there has been precious little action to accompany all of the marketing hype.
That is beginning to change now that some components of Microsoft's NAP architecture are available in Vista, with the rest to follow later this year in Longhorn. Cisco Systems also has rolled out most of its NAC offering, but the company changed strategies on NAC midstream, which has slowed its progress.
In their most basic form, NAC products are designed to serve as gateways to enterprise networks, portals that can check the security posture, patch level and other attributes of any machine attempting to connect to a network. This typically involves a small agent on each client device and either an appliance or software on the back end that functions as the policy server. Each vendor has a slightly different approach to the problem, but the goal is the same: an automated way to make a yes/no decision on clients connecting to the network. "People are looking at third parties like us because of the pace at which Microsoft and Cisco have moved," said Dan Clark, vice president of marketing at Lockdown, based in Seattle. "There's been a huge increase in the appliance-based, out-of-band approach. The approach that Cisco takes isn't fine-grained enough."
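The agent/policy-server split described above can be shown in a few dozen lines. The following is an added illustration written for this article, not code from Microsoft's NAP, Cisco's NAC or any of the vendors quoted; the attribute names, the policy thresholds, the shared agent key and the sample posture reports are all constructed for the example. It goes slightly beyond the text in two places a practitioner would insist on: a report that cannot be authenticated or parsed is refused outright rather than evaluated (posture data is self-reported by the client, so the server must be able to tell a genuine agent from a script that claims to be one), and a non-compliant but authentic client is sent to quarantine with remediation hints instead of a bare "no".

```python
"""Simplified NAC posture check: a client agent reports a statement of
health, a policy server evaluates it and returns an admission decision.
Added illustration only; not Microsoft NAP or Cisco NAC code. All names,
thresholds and sample values are hypothetical."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical secret shared between the client agent and the policy server.
AGENT_KEY = b"demo-agent-key"

# Constructed value: YYYYMMDD of the most recent patch the policy requires.
MIN_PATCH_LEVEL = 20070301

# Policy: attribute name -> (compliance check, remediation hint).
POLICY = {
    "av_running": (lambda v: v is True, "start the antivirus service"),
    "av_sig_age_days": (lambda v: isinstance(v, int) and 0 <= v <= 7,
                        "update antivirus signatures"),
    "firewall_enabled": (lambda v: v is True, "enable the host firewall"),
    "patch_level": (lambda v: isinstance(v, int) and v >= MIN_PATCH_LEVEL,
                    "install pending OS updates"),
}


@dataclass
class Decision:
    verdict: str      # "allow", "quarantine" or "deny"
    failures: dict    # attribute -> remediation hint (empty on allow)


def build_soh(attributes: dict) -> dict:
    """Client side: serialise the posture report and attach an HMAC so the
    policy server can distinguish an agent report from a forged one."""
    body = json.dumps(attributes, sort_keys=True)
    mac = hmac.new(AGENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def evaluate_soh(soh: dict) -> Decision:
    """Policy server side. Fails closed: an unauthenticated or unparsable
    report is denied, and any attribute the agent omits is non-compliant."""
    body = soh.get("body", "")
    expected = hmac.new(AGENT_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, soh.get("mac", "")):
        return Decision("deny", {"_integrity": "statement of health failed authentication"})
    try:
        attrs = json.loads(body)
    except ValueError:
        return Decision("deny", {"_format": "statement of health is not valid JSON"})
    failures = {}
    for name, (check, hint) in POLICY.items():
        # A missing attribute is treated exactly like a failing one.
        if name not in attrs or not check(attrs[name]):
            failures[name] = hint
    return Decision("allow" if not failures else "quarantine", failures)


if __name__ == "__main__":
    # Constructed sample posture reports.
    healthy = {"av_running": True, "av_sig_age_days": 2,
               "firewall_enabled": True, "patch_level": 20070310}
    stale = {"av_running": True, "av_sig_age_days": 30,
             "firewall_enabled": True, "patch_level": 20061201}
    print(evaluate_soh(build_soh(healthy)))   # allow
    print(evaluate_soh(build_soh(stale)))     # quarantine, two hints
    forged = build_soh(stale)
    forged["body"] = json.dumps(healthy, sort_keys=True)  # edit without the key
    print(evaluate_soh(forged))               # deny
```

The HMAC stands in for whatever the real agent/server binding is (NAP and Cisco NAC use their own protocols for this); the point it makes is that a posture check is only as trustworthy as the server's ability to authenticate the agent that produced it.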
But, because of their sheer size and power in the marketplace, any enterprise IT shop looking to deploy an NAC product must begin its search with Microsoft and/or Cisco. The two companies have been working together for more than a year on ways to make their respective technologies interoperable, which is all to the good for customers. NAC and NAP will share a common agent, and there is an API in Vista that both Cisco's and Microsoft's offerings use. And, in a move that was all but unthinkable just a couple of years ago, Microsoft plans to license its NAP quarantine agent to makers of third-party operating systems, notably Apple and various Linux vendors.
"The recurring theme here is choice. We're giving customers a choice of which company to use," said Bob Gleichauf, CTO of Cisco's Security Technology Group. "I think this is a model that Cisco and Microsoft can return to over and over."
The common admission control architecture that Cisco and Microsoft have developed is dependent upon customers having networks full of Cisco gear and Windows machines. Granted, that describes 95 percent of the enterprise networks in the U.S., but not every organization is willing to wait for the release of Longhorn, then go through the lengthy process of upgrading servers, desktops and Cisco routers and switches in order to have a workable NAC system. Cisco recognized this last year and began scaling back its efforts around the router-and-switch-based NAC architecture in favor of its Clean Access box, now known as the Cisco NAC Appliance. The full NAP offering should be available by the second half of 2007, after Longhorn's release, and Cisco's NAC framework will continue to fill out throughout the year as well.
Microsoft officials know that by the time Longhorn hits the streets they will be significantly behind in the NAC market. But they are confident that their large installed base and interoperability with Cisco NAC will drive adoption.
"We were driven to this by customers in the first place," said Mark Ashida, general manager of the Enterprise Network Group at Microsoft. "We realized everyone has a different network and there's not one size that fits all. This is much more of an infrastructure play than just antivirus policy. NAP will be a pillar of how you manage your network, so you're not going to want to yank it out. Customers can pick any kind of enforcement they want, and we'll support it. There's no doubt people want something like this."