If your organization has not yet deployed a network access control (NAC) solution, you're not alone. But it's a good bet you're giving it a lot of serious thought. Research firm Gartner Inc. says the market, estimated at a modest $100 million in 2006, will double by the end of the year.
But once you tune out the persistent buzz around NAC over the last couple of years, you'll find that it's tough to define your short- and long-term security requirements, and tougher still to find a solution that fills the bill now and will still be viable in a few years.
Most of the emphasis has been on pre-connect access control: basically a health check, for things like up-to-date antivirus and patch status, on every device logging on to your network. Products use a variety of network-based and agent-based assessment and enforcement methods. As they stand, they'll meet a lot of organizations' short-term needs, notably limiting visitors' network access.
"Guest networking is the thing most people want addressed; that's the biggest driver," said Gartner analyst Lawrence Orans. "People call guest networking NAC, but it's just the first step. With NAC, you have an opportunity to define policies, and identify and evaluate endpoints."
NAC picture unclear
The NAC landscape is far from settled. Cisco's infrastructure-based approach is still developing--it offers appliance and software solutions with a migration path to switch/router-based enforcement. Microsoft's Network Access Protection (NAP), which requires Windows Vista (or a Windows XP patch) and Longhorn, is years away from general deployment. Some of the early market entries have been acquired by Symantec (Sygate, Whole Security), Check Point (Zone Labs), Cisco (Perfigo) and Sophos (Endforce). Other independents are presenting mixed sets of capabilities and methods, giving organizations pause as they assess their present and, significantly, future needs.
Gartner defines full NAC as requiring both pre-connect and post-connect assessment. The vanishing perimeter means that you have no guarantee, for example, that a laptop that's been remediated with current antivirus and patches is free of malware. Further, how do you know that an employee, guest, contractor--or hacker--isn't accessing apps and data they shouldn't? VLANs and ACLs offer some access controls, but are difficult to configure and manage if you're looking for dynamic control in a changing environment with guests, contractors and partners all requiring some level of network access.
Continuous access, malware monitoring
If these things keep you awake at night, you can consider one of several network-based inline appliances that provide granular access control and persistent monitoring to detect attack behavior and unauthorized access. Consentry Networks, Nevis Networks and Vernier Networks all offer these comprehensive capabilities.
"The strength of these solutions is their identity-based NAC and post-connect capability," said Gartner's Orans. "Their strength is user policies, device policy, because they tie user policy to Active Directory. They sit inline and drop or allow packets depending on who you are."
Do you need this level of security? Are you ready to use it? It depends. Most organizations don't have the kind of sophisticated role-based access policies needed to take full advantage of these products' capabilities.
"Most organizations use broad group definitions as a starting point; for example, patients, doctors, nurses, certain types of staff," said Alan Norquist, vice president of marketing at Vernier. "They find it gives them a lot of value. It's secure but much simpler than doing VLANs."
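To make the pre-connect/post-connect distinction concrete, here is an added example (not code from the article or from any of the vendors it names) of the two stages in miniature: a posture check at logon that admits or quarantines a device, followed by an inline, identity-based per-flow decision in which the user's directory group decides which applications are reachable. The group names follow Norquist's examples above; the directory lookup table, the application names (`pacs`, `ehr`, `internet`), the minimum patch level and the drop limit are all constructed stand-ins, and the "flag after repeated out-of-policy flows" rule is one simple illustration of the kind of post-connect monitoring the article describes, not any product's actual logic.

```python
"""Toy model of pre-connect plus post-connect (identity-based) NAC enforcement."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed stand-in for directory group membership (Active Directory in the article).
DIRECTORY_GROUPS: dict[str, set[str]] = {
    "dr.smith": {"doctors"},
    "nurse.jones": {"nurses"},
    "pat.lee": {"patients"},
    "visitor01": {"guests"},
}

# Broad group policy, as in the Vernier quote: which applications each group may reach.
# Application names are constructed for the example.
GROUP_POLICY: dict[str, set[str]] = {
    "doctors": {"pacs", "ehr", "internet"},
    "nurses": {"ehr", "internet"},
    "patients": {"internet"},
    "guests": {"internet"},
}

MIN_PATCH_LEVEL = 3  # assumed threshold for the posture check


@dataclass
class Endpoint:
    user: str          # identity the device authenticated as
    av_current: bool   # antivirus signatures up to date?
    patch_level: int   # constructed scalar standing in for patch status


@dataclass
class Flow:
    dest_app: str      # application the endpoint is trying to reach


def pre_connect_check(ep: Endpoint) -> tuple[str, str]:
    """Health check at logon. Returns ('admit' | 'quarantine', reason)."""
    if not ep.av_current:
        return ("quarantine", "antivirus signatures out of date")
    if ep.patch_level < MIN_PATCH_LEVEL:
        return ("quarantine", f"patch level {ep.patch_level} below required {MIN_PATCH_LEVEL}")
    return ("admit", "posture ok")


def roles_for(user: str) -> set[str]:
    """Directory lookup; an identity the directory does not know is treated as a guest."""
    return DIRECTORY_GROUPS.get(user, {"guests"})


def post_connect_decision(user: str, dest_app: str) -> str:
    """Inline per-flow decision after admission: 'allow' or 'drop', based on who you are."""
    allowed: set[str] = set()
    for role in roles_for(user):
        allowed |= GROUP_POLICY.get(role, set())
    return "allow" if dest_app in allowed else "drop"


def enforce(ep: Endpoint, flows: list[Flow], drop_limit: int = 3) -> dict:
    """Admission, then per-flow enforcement with a simple post-connect monitor:
    an endpoint that keeps reaching for applications outside its role is flagged and
    everything after that is dropped. Returns a dict the caller can log or assert on."""
    decision, reason = pre_connect_check(ep)
    result = {"admission": decision, "reason": reason, "flows": [], "flagged": False}
    if decision != "admit":
        return result                      # quarantined devices never reach the flow stage
    drops = 0
    for f in flows:
        verdict = "drop" if result["flagged"] else post_connect_decision(ep.user, f.dest_app)
        result["flows"].append((f.dest_app, verdict))
        if verdict == "drop":
            drops += 1
            if drops >= drop_limit:
                result["flagged"] = True   # repeated out-of-policy access: hand to monitoring
    return result


if __name__ == "__main__":
    patient = Endpoint("pat.lee", av_current=True, patch_level=4)
    probes = [Flow("internet"), Flow("ehr"), Flow("pacs"), Flow("ehr"), Flow("internet")]
    print(enforce(patient, probes))
    print(enforce(Endpoint("visitor01", av_current=False, patch_level=5), probes))
```

The point the two stages make together is the one Orans and Norquist raise: the posture check alone would have admitted the patient's laptop and then had nothing further to say, while the identity-tied policy keeps deciding per flow, and it only works as well as the group model behind it. Starting with a handful of broad groups, as Norquist describes, is what makes that model tractable compared with maintaining equivalent VLANs and ACLs by hand.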
Alliance Imaging, an Anaheim, Calif.-based nationwide provider of medical imaging and oncology solutions, was primarily concerned about inappropriate access on shared networks at 85 distributed locations across the country.
"Our concern was how do we create a security mechanism to prevent others on site from attacking one of our remote edges, and how do we prevent us from attacking one of our business partners," said Adam Le, Alliance's director of IT infrastructure. "For example, you may have a family practice on one floor, a radiologist, then us, with patient data passed through the same network. Patching and managing endpoints is extremely difficult--the network isn't ours."
Le deployed a Consentry LANShield appliance in Alliance's data center in Arizona and in large branch offices in California, Ohio and Massachusetts, and is gradually installing LANShield Switches at the remote locations, replacing existing switches as they reach end of life.
Security on the switches
The switches--Nevis offers a switch-based solution as well--are an attractive option. Gartner believes that switches are the best way to implement continuous identity-based controls with the ability to monitor traffic for malware, but that widespread adoption will wait until Cisco, which dominates the infrastructure market, can offer this kind of technology at a competitive price.
"The right place is in switching functionality; as people do switch upgrades, we'll capture market," said Dominic Wilde, Nevis' vice president of marketing. "We're under no illusions, but we fill a niche protecting high-value resources down to the port level. And we have deals where we can become the new switching standard--mostly in greenfield sites like Asia."
"70 percent of our shipments were switches, but we're still a blip on the radar compared to Cisco," said Dan Leary, Consentry vice president of marketing and product management. "We're confident the switch to embedded technology will be faster than analysts think."
"Really, a lot of this is belt-and-suspenders security, defense in depth," said Gartner's Orans. "The defense and intelligence communities are interested because they need an extra level of protection; and schools and universities because students and faculty share the same physical networks. And any organization--pharmaceuticals come to mind--that places a premium on intellectual property is interested in network-enforced access based on who you are."