McAfee's addition of network-based NAC fills a critical gap in its NAC portfolio, strengthening its competitive position in the sometimes confused, always over-hyped world of network access control.
"Customers are not extremely sophisticated in NAC policies; they want to put some controls in and scale over time."
Robert Whiteley, Principal Analyst and Research Director, Forrester Research Inc.
Network appliances address organizations' most pressing need: enforcing policy for unmanaged devices belonging to contractors, partners and customers. This has given hardware solutions from network infrastructures (Cisco Systems, Juniper Networks, etc.) and pure-play NAC vendors (such as Consentry Networks, Nevis Networks, Mirage Networks) a leg up while endpoint security companies like McAfee Inc. and Symantec Corp. provide agent-based controls for managed devices, especially remote laptops.
Analysts say we're reaching the point where companies are beginning to address both scenarios.
"The hyper-focus in the market has been on guest, unknown, and unmanaged machines because that's clearly the highest risk," said Robert Whiteley, a principal analyst and research director at Forrester Research Inc. "Data also shows about three-quarters of the companies deploying NAC are worried about both (managed and unmanaged devices). This favors vendors with broad portfolios."
McAfee portfolio got a lot broader with its NAC Module for Network Security Platform intrusion prevention appliance (formerly Intrushield), announced today as part of its Unified Secure Access approach. McAfee also introduced a standalone NAC Appliance for deployments that don't include IPS. This allows McAfee customers to create and enforce unified policies across unmanaged and managed devices when combined with the agent-based Network Access Control, leveraging its popular ePolicy Orchestrator (ePO) management console for both.
"Our customers tell us most of the solutions on the market today have identified the need to integrate both network and endpoint," said Rees Johnson, senior vice president and general manager of McAfee's Network Security Business Unit. "Similar to multilayer protection from malware, having a multilayered NAC solution is critical."
As enterprises look for comprehensive NAC, they can look to single providers like McAfee, which now cover both the network and endpoint, or mix and match solutions, Whiteley said.. For example, as Microsoft NAP becomes ubiquitous, companies can combine it with a network product. The problem, he said, is that you still have to deal with distinct policy stores for network and endpoint.
This may become less of an issue if vendors adopt new standards, such as IF-MAP, introduced by Trusted Computing Group, which created the Trusted Network Connect (TNC) initiative, supported heavily by Juniper and other vendorss. IF-MAP is a standard for collecting and storing network device, application and user information in a database to promote interoperability and common policy creation, monitoring and enforcement.
Whiteley also said that McAfee's NAC solution is tightly tied to its audit capabilities, which will appeal to organizations whose primary NAC focus is on compliance, rather than operations.
While a basic yes-no device assessment is sufficient for pre-admission access control, organizations with more mature security programs are increasingly concerned with post-connect monitoring -- the ability to continuously monitor device status behavior on the network. IPS is well-positioned for this since it performs close inspection of inbound, outbound and internal network traffic.
While most early NAC deployments focus on simple pre-connect access control policies --"health assessments" based on things like up-to-date antimalware and patching -- over time we'll increasingly see enterprises design and enforce complex role and context-based policies. At the heart of McAfee's NAC package is what it calls Adaptive Policy Control, which not only provides granular policy creation for both unmanaged and managed devices but also allows McAfee NAC users to modify policy to specific scenarios based on the ability to monitor activity on the network.
"Customers are not extremely sophisticated in NAC policies; they want to put some controls in and scale over time," said Whiteley. "McAfee will be more behavioral and learn what is happening in environment. It fills a need a lot of customers aren't asking for, but it's critical as they ratchet up so companies are not dedicating three or four professionals to run NAC."