The Insider: Think You Have A NAC For Security?


Labatt-Simon, president and CEO of D&D Consulting, Albany, N.Y., is one of a growing number of solution providers educating more customers about NAC solutions, which address network security not by just protecting network borders, but by looking at applications and clients. Sales are starting to flow from the education process, said Labatt-Simon, who expects D&D's NAC deployments to hit 50,000 seats this year, up from 5,000 last year. "Perimeter security is going away as we know it," said Labatt-Simon. "It's easier to protect your [network] if you protect the client."

Over the past year, the growth of the NAC market has accelerated dramatically as key vendors have clarified their plans. Although there are different approaches to the technology, the central idea of NAC is to protect corporate networks from threats by scanning all PCs for malware each time they attempt to connect, ensuring that patches and software such as antivirus and desktop firewall are up to date before allowing users to access the network, and quarantining infected or noncompliant machines.

NAC especially helps to combat the threat of malware being introduced to the network by mobile workers bringing in infected notebook PCs, said Brian Haboush, vice president of business development at Intelligent Connections, a Royal Oak, Mich.-based solution provider. "The borders of the network have become so fuzzy with contractors and guests coming in and out, and NAC provides a way to secure those fuzzy borders," said Haboush.

NAC signals a shift toward a closed infrastructure where you open capabilities in an enterprise network based on specific policies for users, said Rod Murchison, vice president of marketing at Vernier Networks, Mountain View, Calif., which began selling NAC solutions in 2001. "The inflection point and overall change in the market is around turning enterprise networks into closed networks," said Murchison.


WHICH VENDORS HAVE THE NAC?
High-profile vendors such as Cisco Systems, Microsoft and others are helping solution providers lead the NAC charge. Redmond, Wash.-based Microsoft's NAC technology, which it calls Network Access Protection, or NAP, will be part of next year's planned release of Windows Vista and Longhorn Server, and is part of last month's release of Windows Longhorn Server Beta 2. Meanwhile, Cisco, San Jose, Calif., continues to focus on building awareness around its version of NAC, which it unveiled in 2003 under the name Network Admission Control. And the Trusted Computing Group, an industry coalition that includes Juniper Networks, IBM and Symantec, continues to work toward development of a standard that allows companies to deploy the technology without upgrading network infrastructure.

Microsoft's NAP is an enforcement platform that has been woven into the Windows Vista and Longhorn Server operating systems to ensure that machines connecting to the network are in compliance with corporate security policies. According to Mike Schutz, group product manager for the Windows Server division, Microsoft has provided a set of publicly available APIs to allow its ISV partners to make their products interoperable with the NAP framework, which will also support patch management vendors, Schutz added. John Parkinson, a longtime industry strategist who has done work for Microsoft, said NAP works well in networks with special requirements such as multiple levels of access and topologies. "Microsoft is saying in order to do that, we will provide a platform and architecture and tools and products to handle NAP, and we'll make it easier to put all the pieces together if you buy [them] all from a single vendor that's willing to take responsibility for the access management aspects of the platform," Parkinson said.

Microsoft has the advantage of controlling the desktop, which gives it a head start in the battle for NAC market supremacy, according to Jeff Roback, president of Praxis Computing, a Los Angeles-based solution provider. "Everyone realizes that the client side of NAC is going to make or break it, and that's why [NAP] is compelling, because [Microsoft solutions] tend to deploy smoothly and easily," said Roback.

While Microsoft focuses on a software-based approach to NAC, Cisco's version uses switches and routers to enforce compliance with security policies. NAC is one of the pillars of Cisco's Self Defending Network, which is designed to give networks the ability to identify, prevent and respond to security threats.

Cisco has a two-dimensional strategy for delivering its NAC technology. The first is its Clean Access appliance, which is based on technology Cisco gained from its 2004 acquisition of security startup Perfigo. The appliance is deployed out-of-band and integrates with switching infrastructure to perform NAC functions. Cisco has deployed the appliance in more than 600 customer sites since launching the product last year, said Russell Rice, director of marketing for the security technology group at Cisco.

The other part of Cisco's NAC strategy involves working to develop an intelligent network infrastructure and framework policy that will eventually become a standardized way of delivering NAC. In this effort, Cisco is working in conjunction with more than 75 software partners, including Microsoft, Rice said. "On the technology side, we are changing some of the smarts within our networking products, including switches and routers, and working with Microsoft on how NAC integrates technologically," said Rice.

However, like Microsoft's NAP, this part of Cisco's NAC strategy has yet to reach the market. Although Cisco and Microsoft in October 2004 unveiled plans to work together to integrate NAC and NAP, neither vendor has provided details on exactly how that will happen. A Microsoft spokesperson said Cisco and Microsoft are working toward interoperability between the NAC and NAP architectures as they evolve and are delivered to customers.

Dave Shackleford, director of security solutions and assessment services at Atlanta-based solution provider Vigilar, said Cisco is trying to leverage its infrastructure dominance onto the desktop environment. "Cisco is making a play for client control—they've owned the core infrastructure for a long time and are now trying to push it out to the desktop level," said Shackleford. However, Cisco's offering can be expensive to deploy even if you own some of the Cisco infrastructure pieces, he added.

For Intelligent Connections' Haboush, being able to take security products from other vendors and combine them with Cisco equipment in a NAC solution provides much needed flexibility. "What VARs like about [Cisco's] NAC is that it makes end-point security product-agnostic, which means that no matter what desktop products organizations are using, we can still go in and drive discussion about what NAC brings," said Haboush.

The Trusted Computing Group, meanwhile, aims to create a standardized way of delivering the technology that uses existing network infrastructure. Its Trusted Network Connect initiative uses the same authentication architecture as RADIUS, but where RADIUS checks the identity of the user, TNC adds the health of the end point into the equation, said Steve Hanna, co-chair of the TNC subgroup at the Trusted Computing Group, and a distinguished engineer at Juniper, Sunnyvale, Calif.

"TNC works with the existing network gear as long as it supports RADIUS, which allows companies to deploy NAC more economically by leveraging their existing infrastructure," said Hanna. There is also a standard API for integration with the TNC architecture, and the Trusted Computing Group is shipping TNC-compatible products from Juniper, Hewlett-Packard's ProCurve division, Meetinghouse, Nevis Networks, Nortel Networks, Wave Systems and Consentry Networks.
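The admission decision the article describes (patches, antivirus and firewall checked at connect time, noncompliant or infected machines quarantined) combined with the TNC point that endpoint health is evaluated alongside user identity, as an added illustration that is not code from the article or from any vendor named in it; the posture fields, policy thresholds and decision labels are hypothetical:

```python
from dataclasses import dataclass
from datetime import date

# Constructed example of a NAC policy engine: identity plus endpoint health
# decide whether a client reaches the LAN or a remediation network.
ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"


@dataclass
class Posture:
    av_signature_date: date   # date of the last antivirus definition update
    firewall_enabled: bool    # desktop firewall state reported by the client
    missing_patches: list     # identifiers of patches the client lacks
    malware_found: bool       # result of the connect-time malware scan


@dataclass
class Policy:
    max_signature_age_days: int = 7
    require_firewall: bool = True
    required_patches: frozenset = frozenset()  # patches that must be present


def evaluate_posture(posture, policy, today):
    """Return the list of policy failures for this endpoint (empty if healthy)."""
    reasons = []
    age = (today - posture.av_signature_date).days
    if age > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures {age} days old")
    if policy.require_firewall and not posture.firewall_enabled:
        reasons.append("desktop firewall disabled")
    # Only patches the policy actually requires count against the client.
    for patch in sorted(set(posture.missing_patches) & policy.required_patches):
        reasons.append(f"required patch {patch} missing")
    if posture.malware_found:
        reasons.append("malware detected at connect time")
    return reasons


def admission_decision(identity_ok, posture, policy, today):
    """Combine a RADIUS-style identity result with endpoint health."""
    if not identity_ok:
        return DENY, ["authentication failed"]
    reasons = evaluate_posture(posture, policy, today)
    if not reasons:
        return ALLOW, []
    # Noncompliant or infected machines are steered to remediation, not the LAN.
    return QUARANTINE, reasons
```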

NOT YET THE HOLY GRAIL
The ability to articulate to customers what NAC does and why they need it is helping some solution providers reap the benefits of a relatively untapped market. For example, Haboush has found that NAC is a good foundation when discussing security road maps with clients. "It gives them a view to the future that is appealing because it doesn't involve just throwing point products at the problem, and gives them the ability to manage, control, and have consistent security policies," he said.

It's important to figure out exactly what customers want to accomplish with NAC, said Chris Ellerman, national practice director for security at Dimension Data, a Reston, Va.-based solution provider. Once goals are established, VARs can help customers navigate through the different features of NAC and define their corporate security policy, Ellerman said.

Still, the fact that NAC is a new layer that clients haven't considered in their security stack can make it a tough sell, said Peter Bybee, CEO of Network Vigilance, a San Diego-based solution provider that deals mainly in the midenterprise space. "Everyone says they get it, and the second words out of their mouth are, 'But we're not going to upgrade our hardware,' " said Bybee.

In any event, solution providers shouldn't position NAC as the holy grail of network security just yet, said Tom Duffy, president and CEO of Igxglobal, a solution provider in Rocky Hill, Conn. He believes it will take a while for the theoretical benefits of NAC to be realized and says integration and support require careful planning and execution. "The potential pitfall of promoting [the NAC] theory is that you can get whacked over the head with reality," said Duffy. "A lot of enterprise networks are not ready, do not support or cannot handle a full-blown NAC vision."

But what's important to note about the various approaches vendors are taking with NAC is not whether offerings are hardware-based or software-based, but whether they're easy to use and manage, according to Labatt-Simon. "Ultimately, it's the level of complexity and ease of management that will determine the success of a NAC solution," he said.

While he acknowledges that some customers are taking a wait-and-see attitude, Labatt-Simon feels that eventually it will become a cornerstone of every company's network security strategy. "There is a fear of NAC, but at some point in time the need for NAC is going to outweigh these fears—probably after the next major worm outbreak," he said.