Vendor missteps keep network security a work in progress

When Cisco Systems announced in June 2004 that it planned to develop network access control technology, it drew enormous attention to what had been an obscure market niche.

All of a sudden, users believed that NAC products could make corporate networks nearly impervious to compromises that took advantage of vulnerable devices like PCs and laptops. The backing of a top networking company would help usher in a new IT era in which security was tied much more closely to the network fabric.

Interest increased even further four months later, when Microsoft announced plans to incorporate NAC-like technology into future versions of its operating systems. Microsoft called its NAC offering Network Access Protection (NAP).

Alan Shimel, chief strategy officer at StillSecure, a US-based vendor of NAC products, said Cisco and Microsoft managed to create a buzz around NAC and legitimize it to an extent that wouldn't have been possible otherwise.

But the buzz didn't last long, once Cisco and Microsoft failed to deliver on their early promises.

Analysts today say that users should instead look for NAC capabilities to be incorporated into a variety of core data center products, from configuration management tools to antivirus software.

Cisco started bringing out some stand-alone NAC tools about a year after its announcement, but the job of integrating NAC functionality into its switches and networking gear is still mostly a work in progress.

Meanwhile, Microsoft's NAP technology is only now becoming a reality in Windows Server 2008.

"In those four years, they froze the market," Shimel said. "There was a sizable chunk of people who were interested in NAC but said they were not going to do anything because Microsoft's product was just over the horizon."

NAC's image among users has also suffered as a result of unsuccessful corporate IT efforts to broadly implement the technology.

For example, even before Cisco launched its initiative, Wells Dairy was burned when it tried to use NAC products to secure its network.

Wells installed an endpoint access-control product from a vendor that was later acquired by a larger company. The technology was designed to inspect the computers of workers at remote sites, and Wells at first had some success stopping improperly patched systems from logging onto its network, said Jim Kirby, a senior network architect at the company.

But Wells ran into problems when it tried to more closely integrate the product into its Cisco infrastructure to better control what users could do on the network. Nine times out of 10, said Kirby, the product would improperly lock users out of the Cisco network, so the company had to abandon the effort.

"It was difficult to manage, broke down all the time and was really complicated," Kirby said. "When the rubber met the road, it was a very new kind of technology."

Kirby asked that the product not be identified.

Early third-party NAC tools, which emerged around 2002, were designed to help companies enforce security policies at network endpoints. The technology let IT managers set rules to prevent client devices from accessing a network unless they complied with corporate policies on security patches, antivirus software updates, firewall configurations and other security settings.