The Insider: Think You Have A NAC For Security?

The first time solution provider Chris Labatt-Simon mentioned network access control to a customer three years ago, the executive was so stunned by the cost and complexity of putting a client on every single machine in his corporate network that he actually burst out laughing. But a few weeks later, after the same customer's network was brought to its knees by a worm introduced from a contractor's infected notebook PC, he grew much more receptive.

Labatt-Simon, president and CEO of D&D Consulting, Albany, N.Y., is one of a growing number of solution providers educating more customers about NAC solutions, which address network security not by just protecting network borders, but by looking at applications and clients. Sales are starting to flow from the education process, said Labatt-Simon, who expects D&D's NAC deployments to hit 50,000 seats this year, up from 5,000 last year. "Perimeter security is going away as we know it," said Labatt-Simon. "It's easier to protect your [network] if you protect the client."

Over the past year, the growth of the NAC market has accelerated dramatically as key vendors have clarified their plans. Although there are different approaches to the technology, the central idea of NAC is to protect corporate networks from threats by scanning all PCs for malware each time they attempt to connect, ensuring that patches and software such as antivirus and desktop firewall are up to date before allowing users to access the network, and quarantining infected or noncompliant machines.

NAC especially helps to combat the threat of malware being introduced to the network by mobile workers bringing in infected notebook PCs, said Brian Haboush, vice president of business development at Intelligent Connections, a Royal Oak, Mich.-based solution provider. "The borders of the network have become so fuzzy with contractors and guests coming in and out, and NAC provides a way to secure those fuzzy borders," said Haboush.

NAC signals a shift toward a closed infrastructure where you open capabilities in an enterprise network based on specific policies for users, said Rod Murchison, vice president of marketing at Vernier Networks, Mountain View, Calif., which began selling NAC solutions in 2001. "The inflection point and overall change in the market is around turning enterprise networks into closed networks," said Murchison.

WHICH VENDORS HAVE THE NAC?
High-profile vendors such as Cisco Systems, Microsoft and others are helping solution providers lead the NAC charge. Redmond, Wash.-based Microsoft's NAC technology, which it calls Network Access Protection, or NAP, will be part of next year's planned release of Windows Vista and Longhorn Server, and is part of last month's release of Windows Longhorn Server Beta 2. Meanwhile, Cisco, San Jose, Calif., continues to focus on building awareness around its version of NAC, which it unveiled in 2003 under the name Network Admission Control. And the Trusted Computing Group, an industry coalition that includes Juniper Networks, IBM and Symantec, continues to work toward development of a standard that allows companies to deploy the technology without upgrading network infrastructure.

Microsoft's NAP is an enforcement platform that has been woven into the Windows Vista and Longhorn Server operating systems to ensure that machines connecting to the network are in compliance with corporate security policies. According to Mike Schutz, group product manager for the Windows Server division, Microsoft has provided a set of publicly available APIs to allow its ISV partners to make their products interoperable with the NAP framework, which will also support patch management vendors, Schutz added. John Parkinson, a longtime industry strategist who has done work for Microsoft, said NAP works well in networks with special requirements such as multiple levels of access and topologies. "Microsoft is saying in order to do that, we will provide a platform and architecture and tools and products to handle NAP, and we'll make it easier to put all the pieces together if you buy [them] all from a single vendor that's willing to take responsibility for the access management aspects of the platform," Parkinson said.

Microsoft has the advantage of controlling the desktop, which gives it a head start in the battle for NAC market supremacy, according to Jeff Roback, president of Praxis Computing, a Los Angeles-based solution provider. "Everyone realizes that the client side of NAC is going to make or break it, and that's why [NAP] is compelling, because [Microsoft solutions] tend to deploy smoothly and easily," said Roback.

While Microsoft focuses on a software-based approach to NAC, Cisco's version uses switches and routers to enforce compliance with security policies. NAC is one of the pillars of Cisco's Self Defending Network, which is designed to give networks the ability to identify, prevent and respond to security threats.

Cisco has a two-dimensional strategy for delivering its NAC technology. The first is its Clean Access appliance, which is based on technology Cisco gained from its 2004 acquisition of security startup Perfigo. The appliance is deployed out-of-band and integrates with switching infrastructure to perform NAC functions. Cisco has deployed the appliance in more than 600 customer sites since launching the product last year, said Russell Rice, director of marketing for the security technology group at Cisco.