ARN

INTEROP - Network access control isn't cooked yet

Tim Greene (Network World (US online))  03 May, 2006 08:28:13

Scanning PCs before they are allowed network access is technology that will take another two years before it is mature, according to speakers at an Interop session Monday.

Even SSL VPN vendors that already supply a version of this endpoint-checking software acknowledge it has a way to go before it is fully featured and flexible, network executives were told at the SSL VPN Day session.

"It's relatively early in the development of that technology," says Reggie Best, vice president of marketing for AEP Networks, which makes SSL VPN equipment. "There's a lot of work that needs to be done on that."

This endpoint scanning technology is part of a broader trend toward network access control (NAC) -- security architectures that check whether computers trying to gain access to networks meet corporate security requirements. These requirements can range from having a personal firewall installed, to having a properly patched operating system, to having antivirus software running in conjunction with an updated virus signature library.

The best known efforts in this area are from Cisco (called network admission control or NAC), Microsoft (network access protection or NAP) and Trusted Computing Group (trusted network connect or TNC). "Here's a prediction," says Joel Snyder, senior partner in technology consulting firm Opus One and a member of Network World's Clear Choice Alliance, who ran the Interop SSL VPN Day, "endpoint checking won't ultimately be in the VPN box. It will be in a NAC box. There will be just a thin layer of endpoint checking [in the SSL VPN gateway] that punts off to policies that are defined on a different box."

This makes sense, Snyder says, because NAC is properly considered part of desktop management, and central control of desktop security creates tighter controls. "You don't want desktop management plus SSL VPN desktop policy enforcement," he says.

Within 18 months to two years, NAP, NAC and TNC will establish themselves and SSL VPN vendors will defer to whichever ones prove viable and popular, he says. Meanwhile, SSL VPN vendors offer a broad range of endpoint-checking software that varies widely in its capabilities. Snyder says he thinks most vendors won't spend a lot more effort on these protections in anticipation of the separate network access initiatives.

For now, different regions of the world seem interested in different ways to carry out NAC, says Sunil Cherian, director of product management for SSL VPN vendor Array Networks. For example, North American businesses seem more likely to supplement SSL VPN-supplied endpoint checking with other means of access control for their remote users. In Asia-Pacific, customers seem more willing to rely on the SSL VPN vendor-supplied endpoint protection.

A spokesman for Juniper Networks, who also sat on the SSL VPN panel, says endpoint checking can also control direct communications between PCs on a VPN. Policies can be set to prevent such connections if one or both PCs involved flunk the endpoint scan, says Kevin Fletcher, technical marketing engineer for Juniper.
