Having a NAC for network security

Network access control (NAC) stands out as one of the most promising security technologies, but it is also one of the most misunderstood.

That's in part because vendors want in on the NAC buzz and are clamouring for attention, despite selling products that are only peripheral.

This raises problems for companies that want to consider NAC but don't have a solid sense of what it is, what it might do for them and what kind of investment it requires.


The first step in cutting through the hype is to define NAC. According to Forrester Research, "NAC is a mix of hardware and software technology that dynamically controls client system access to networks based on their compliance with policy".

Available products that fall into this category include those that make up Cisco's Network Admission Control architecture and Juniper's unified access-control environment. Single devices fitting the bill include products from ConSentry Networks, StillSecure and Vernier Networks. Other NAC vendors, such as Lockdown Networks and Mirage Networks, work in conjunction with partners.

The Trusted Computing Group (TCG), an industry group writing NAC standards to promote multi-vendor interoperability, also has a NAC scheme.

TCG's Trusted Network Connect (TNC) specification defines product interfaces that vendors can use to fit their gear into the TNC architecture. The TCG defines NAC as "an open, nonproprietary specification that enables the application and enforcement of security requirements for endpoints connecting to the corporate network".

So, a vendor might build its products to TNC's NAC standards but rely on other products to flesh out an operable NAC deployment.

That's the high level. In practice, NAC is a process for scanning computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. Is their virus-scanning software up-to-date? Is their operating system patched? Do they have a personal firewall in use?

That process requires an engine capable of matching scan results to policies to see whether the device is qualified to gain access. And it entails devices that can enforce the policy engine's decision: to block access, to restrict access to certain resources or to allow access only to an isolated network segment where security functions can be brought up-to-date.
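To make the scan-match-enforce process concrete, here is a small policy engine written for this article as an added illustration; it is not code from any NAC vendor or architecture named above. The posture fields (antivirus signature date, OS patch level, personal firewall state, agent presence), the thresholds and the sample endpoints are all constructed. It maps the three checks the article lists to the enforcement outcomes it describes: allow, restrict, quarantine on an isolated remediation segment, or block.

```python
"""Toy NAC policy engine: match an endpoint's posture scan against policy
and return an enforcement decision.

Added illustration, not code from the article or from any NAC vendor.
Field names, thresholds and sample endpoints are constructed.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"            # full network access
    RESTRICT = "restrict"      # access limited to specific resources
    QUARANTINE = "quarantine"  # isolated segment where the host can be updated
    BLOCK = "block"            # no access


@dataclass
class Posture:
    """Fields a posture agent or scanner might report (constructed)."""
    host: str
    agent_present: bool
    av_signature_date: Optional[date]
    os_patch_level: int
    firewall_enabled: bool


@dataclass
class Policy:
    """Corporate policy the engine compares each report against (constructed)."""
    today: date
    max_signature_age_days: int
    min_patch_level: int
    require_firewall: bool


def evaluate(posture: Posture, policy: Policy) -> tuple[Decision, list[str]]:
    """Return (decision, findings). Findings explain why access was limited."""
    # Without an agent nothing can be verified: treat the host like an
    # unmanaged guest and give it restricted access only.
    if not posture.agent_present:
        return Decision.RESTRICT, ["no posture agent; compliance cannot be assessed"]

    # A report claiming a signature date in the future is inconsistent.
    # A report that cannot be trusted should not earn any access at all.
    if posture.av_signature_date is not None and posture.av_signature_date > policy.today:
        return Decision.BLOCK, ["posture report inconsistent: signature date in the future"]

    findings: list[str] = []

    # Check 1: is the virus-scanning software up to date?
    if posture.av_signature_date is None:
        findings.append("no antivirus signatures reported")
    else:
        age = (policy.today - posture.av_signature_date).days
        if age > policy.max_signature_age_days:
            findings.append(f"antivirus signatures {age} days old "
                            f"(policy max {policy.max_signature_age_days})")

    # Check 2: is the operating system patched to the required level?
    if posture.os_patch_level < policy.min_patch_level:
        findings.append(f"OS patch level {posture.os_patch_level} below required "
                        f"{policy.min_patch_level}")

    # Check 3: is a personal firewall in use?
    if policy.require_firewall and not posture.firewall_enabled:
        findings.append("personal firewall not enabled")

    if findings:
        # Every finding so far is fixable on the host, so isolate it where it
        # can be patched and updated rather than refusing it outright.
        return Decision.QUARANTINE, findings
    return Decision.ALLOW, findings


# Constructed policy and sample posture reports for a demonstration run.
POLICY = Policy(today=date(2024, 1, 31), max_signature_age_days=7,
                min_patch_level=42, require_firewall=True)

SAMPLE_ENDPOINTS = [
    Posture("laptop-01", True, date(2024, 1, 30), 42, True),    # compliant
    Posture("laptop-02", True, date(2024, 1, 10), 42, True),    # stale AV
    Posture("desktop-03", True, date(2024, 1, 30), 40, False),  # unpatched, no firewall
    Posture("guest-04", False, None, 0, False),                 # no agent
    Posture("odd-05", True, date(2024, 2, 15), 42, True),       # impossible report
]


def decide_all(endpoints, policy=POLICY):
    """Map each host name to its enforcement decision."""
    return {p.host: evaluate(p, policy)[0] for p in endpoints}


if __name__ == "__main__":
    for p in SAMPLE_ENDPOINTS:
        decision, why = evaluate(p, POLICY)
        print(f"{p.host:12s} {decision.value:10s} {'; '.join(why)}")
```

The design point worth noticing is that the engine only decides; the `Decision` it returns still has to be carried out by something in the network path (a switch port, a VPN concentrator, a VLAN assignment), which is exactly the separation between policy engine and enforcement device the article draws. Keeping the findings list alongside the decision is what lets the quarantined host's remediation tooling, and the help desk, know what to fix.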


Some companies call themselves NAC vendors, but what they really mean is that their products fit into a broader NAC environment.

For example, CA says it has joined Cisco's NAC plan, which it has, by virtue of its eTrust antivirus and antispyware software being able to deliver status information to Cisco's Trust Agent. The agent gathers data from the CA software and other software on desktops and laptops to develop a profile of the computers trying to access the network.

Similarly, IBM's Tivoli Security Compliance Manager is compatible with Cisco's NAC because it scans machines coming onto the network. By itself it can't enforce the access decision. It still needs infrastructure from Cisco or some other vendor to enforce policy.

Security Compliance Manager and eTrust software fit into NAC architectures but can't create NAC environments on their own. Cisco, Microsoft and TCG each list scores of partners whose gear fits into their NAC schemes, and those partners can therefore claim to be NAC vendors.

Another major complicating factor is that Microsoft has its own NAC architecture called Network Access Protection (NAP). Because it involves Microsoft and its pervasive server and desktop software, NAP is a major factor in the NAC universe. The problem is that key components aren't available, making interoperability impossible to test beyond limited beta versions of Microsoft's NAP platforms.

On the upside, 75 vendors have pledged to make their gear interoperable with Microsoft NAP components when they become available. This includes Cisco, with which Microsoft is developing NAP and Cisco NAC interoperability. Cisco, which is pushing the IETF for NAC standards but does not participate in TCG, has about 30 partners shipping Cisco NAC-compatible gear and another 27 developing such products.


The bottom line on NAC is that while it may be a young and not yet fully defined technology, it can deliver value in the right circumstances. The key is to apply NAC only to address specific needs, according to Forrester Research analyst Rob Whiteley.

Look at NAC with an eye to how it is evolving, he said, so future security and network acquisitions fit into the still-developing, broader NAC architectures.
