The ultimate vision of Cisco's Network Admission Control (NAC) and Microsoft's Network Access Protection (NAP) initiatives is to provide network and system-configuration control on the fly. If a system isn't up to policy or presents a risk, it can be quarantined or remediated before access is granted. An entire security and configuration-management ecosystem, consisting of dozens of vendors that make patch-and-configuration-management, anti-malware and vulnerability-scanning products, is making its solutions compatible with these systems.
This enables solution providers to design so-called best-of-breed applications within a vulnerability and configuration-management framework to help companies better enforce policies in near real time. For example, a company could use Qualys' QualysGuard vulnerability scanner to vet any untrusted system that attempts to gain access to a NAC-enabled network. If the scanner finds the system to be vulnerable, that system could be quarantined until the problem is fixed.
"Configuration management is a critical portion of NAC," says Richard Ptak, an analyst at Ptak, Noel & Associates. "You have to be able to automatically monitor, enforce and change configurations."
Alex Thurber, director of security worldwide channels for Cisco, says most NAC deployments have so far been focused on enforcing the security configurations for remote access and smaller internal pilots. "If you're a financial-services firm with 100,000 endpoints, you're not going to start out with a full NAC deployment," he says.
But as companies and the channel get more comfortable with the technology, and more devices and applications become compatible, expect to see companies adopt the architecture to more broadly enforce configuration and security compliance throughout their organizations. "When it comes to SOX and HIPAA enforcement, companies can establish and enforce their policies and report back to their regulators the tight controls they have in place," Thurber says. "While this isn't happening now, conversations about this capability are certainly under way."
