
NAC gains traction

Until recently, the network access control market had been all style and little substance, but at last vendors large and small are proving that NAC may be worth the investment.

Network access control products have been the talk of the security industry for some time now, but until recently there has been precious little action to accompany all of the marketing hype.

That is beginning to change now that some components of Microsoft's NAP architecture are available in Vista, with the rest to follow later this year in Longhorn. Cisco Systems also has rolled out most of its NAC offering, but the company changed strategies on NAC midstream, which has slowed its progress.

In the interim, a host of smaller, more agile vendors such as Lockdown Networks, StillSecure and Consentry have made inroads into the enterprise NAC market with various appliance-based and software NAC offerings. Some of these products have been in the market for more than two years, and the success of some of the smaller vendors has given Microsoft and Cisco confidence that enterprises are eager for help with their network hygiene problems.

In their most basic form, NAC products are designed to serve as gateways to enterprise networks, portals that can check the security posture, patch level and other attributes of any machine attempting to connect to a network. This typically involves a small agent on each client device and either an appliance or software on the back end that functions as the policy server. Each vendor has a slightly different approach to the problem, but the goal is the same: an automated way to make a yes/no decision on clients connecting to the network.

"People are looking at third parties like us because of the pace at which Microsoft and Cisco have moved," said Dan Clark, vice president of marketing at Lockdown, based in Seattle. "There's been a huge increase in the appliance-based, out-of-band approach. The approach that Cisco takes isn't fine-grained enough."

But because of Microsoft's and Cisco's sheer size and power in the marketplace, any enterprise IT shop looking to deploy an NAC product must begin its search with one or both of them. The two companies have been working together for more than a year on ways to make their respective technologies interoperable, which is all to the good for customers. NAC and NAP will share a common agent, and there is an API in Vista that both Cisco's and Microsoft's offerings use. And, in a move that was all but unthinkable just a couple of years ago, Microsoft plans to license its NAP quarantine agent to makers of third-party operating systems, notably Apple and various Linux vendors.

"The recurring theme here is choice. We're giving customers a choice of which company to use," said Bob Gleichauf, CTO of Cisco's Security Technology Group. "I think this is a model that Cisco and Microsoft can return to over and over."

The common admission control architecture that Cisco and Microsoft have developed is dependent upon customers having networks full of Cisco gear and Windows machines. Granted, that describes 95 percent of the enterprise networks in the U.S., but not every organization is willing to wait for the release of Longhorn, then go through the lengthy process of upgrading servers, desktops and Cisco routers and switches in order to have a workable NAC system. Cisco recognized this last year and began scaling back its efforts around the router-and-switch-based NAC architecture in favor of its Clean Access box, now known as the Cisco NAC Appliance. The full NAP offering should be available by the second half of 2007, after Longhorn's release, and Cisco's NAC framework will continue to fill out throughout the year as well.

"We wanted to establish an admission control infrastructure and Cisco works, but it's too cumbersome," said George Owoc, director of business administration at EADS Astrium North America, which uses Lockdown's appliance. "A lot of NAC products are concerned with making sure machines are updated, but we wanted more than that. We have the ability to assign users to various VLANs."

Microsoft officials know that by the time Longhorn hits the streets they will be significantly behind in the NAC market. But they are confident that their large installed base and interoperability with Cisco NAC will drive adoption.

"We were driven to this by customers in the first place," said Mark Ashida, general manager of the Enterprise Network Group at Microsoft. "We realized everyone has a different network and there's not one size that fits all. This is much more of an infrastructure play than just antivirus policy. NAP will be a pillar of how you manage your network, so you're not going to want to yank it out. Customers can pick any kind of enforcement they want, and we'll support it. There's no doubt people want something like this."
