The Insider: Think You Have A NAC For Security?

The other part of Cisco's NAC strategy involves working to develop an intelligent network infrastructure and framework policy that will eventually become a standardized way of delivering NAC. In this effort, Cisco is working in conjunction with more than 75 software partners, including Microsoft, Rice said. "On the technology side, we are changing some of the smarts within our networking products, including switches and routers, and working with Microsoft on how NAC integrates technologically," said Rice.

However, like Microsoft's NAP, this part of Cisco's NAC strategy has yet to reach the market. Although Cisco and Microsoft in October 2004 unveiled plans to work together to integrate NAC and NAP, neither vendor has provided details on exactly how that will happen. A Microsoft spokesperson said Cisco and Microsoft are working toward interoperability between the NAC and NAP architectures as they evolve and are delivered to customers.

Dave Shackleford, director of security solutions and assessment services at Atlanta-based solution provider Vigilar, said Cisco is trying to leverage its infrastructure dominance onto the desktop environment. "Cisco is making a play for client control—they've owned the core infrastructure for a long time and are now trying to push it out to the desktop level," said Shackleford. However, Cisco's offering can be expensive to deploy even if you own some of the Cisco infrastructure pieces, he added.

For Intelligent Connections' Haboush, being able to take security products from other vendors and combine them with Cisco equipment in a NAC solution provides much needed flexibility. "What VARs like about [Cisco's] NAC is that it makes end-point security product-agnostic, which means that no matter what desktop products organizations are using, we can still go in and drive discussion about what NAC brings," said Haboush.

The Trusted Computing Group, meanwhile, aims to create a standardized way of delivering the technology that uses existing network infrastructure. Its Trusted Network Connect initiative uses the same authentication architecture as Radius, but where Radius checks the identity of the user, TNC adds the health of the end point into the equation, said Steve Hannah, co-chair of the TNC subgroup at the Trusted Computing Group, and a distinguished engineer at Juniper, Sunnyvale, Calif.

"TNC works with the existing network gear as long as it supports Radius, which allows companies to deploy NAC more economically by leveraging their existing infrastructure," said Hannah. There is also a standard API for integration with the TNC architecture, and the Trusted Computing Group is shipping TNC-compatible products from Juniper, Hewlett-Packard's ProCurve division, Meetinghouse, Nevis Networks, Nortel Networks, Wave Systems and Consentry Networks.

NOT YET THE HOLY GRAIL
The ability to articulate to customers what NAC does and why they need it is helping some solution providers reap the benefits of a relatively untapped market. For example, Haboush has found that NAC is a good foundation when discussing security road maps with clients. "It gives them a view to the future that is appealing because it doesn't involve just throwing point products at the problem, and gives them the ability to manage, control, and have consistent security policies," he said.

It's important to figure out exactly what customers want to accomplish with NAC, said Chris Ellerman, national practice director for security at Dimension Data, a Reston, Va.-based solution provider. Once goals are established, VARs can help customers navigate through the different features of NAC and define their corporate security policy, Ellerman said.

Still, the fact that NAC is a new layer that clients haven't considered in their security stack can make it a tough sell, said Peter Bybee, CEO of Network Vigilance, a San Diego-based solution provider that deals mainly in the midenterprise space. "Everyone says they get it, and the second words out of their mouth are, 'But we're not going to upgrade our hardware,' " said Bybee.

In any event, solution providers shouldn't position NAC as the holy grail of network security just yet, said Tom Duffy, president and CEO of Igxglobal, a solution provider in Rocky Hill, Conn. He believes it will take awhile for the theoretical benefits of NAC to be realized and says integration and support require careful planning and execution. "The potential pitfall of promoting [the NAC] theory is that you can get whacked over the head with reality," said Duffy. "A lot of enterprise networks are not ready, do not support or cannot handle a full-blown NAC vision."

But what's important to note about the various approaches vendors are taking with NAC is not whether offerings are hardware-based or software-based, but whether they're easy to use and manage, according to Labatt-Simon. "Ultimately, it's the level of complexity and ease of management that will determine the success of a NAC solution," he said.

While he acknowledges that some customers are taking a wait-and-see attitude, Labatt-Simon feels that eventually it will become a cornerstone of every company's network security strategy. "There is a fear of NAC, but at some point in time the need for NAC is going to outweigh these fears—probably after the next major worm outbreak," he said.