RealTime IT News

It's a NAC World For Network Security. Or is it?

Is network access control (NAC) the Holy Grail of network security?

A very long list of vendors trumpeted their NAC wares and initiatives at the RSA show this week. Many of the announcements struck similar chords, with bold pronouncements of being the industry's best, most complete or leading NAC initiative. The NAC parade included announcements and pronouncements from Microsoft, Symantec, Juniper, Sophos, TippingPoint, StillSecure, ConSentry, Nevis Networks, Lockdown, Lockdown Networks, InfoExpress, Vernier Networks, Extreme Networks and many others.

Yet rising above all the NAC noise of the RSA show floor, a new theme is beginning to emerge: NAC is only a part, albeit an important part, of a wider network security posture.

Microsoft, for instance, trumpeted the fact that its Network Address Protection Program (NAP) already has 100 partners. This is despite the fact that NAP isn't available as a shipping product yet and won't be until Windows Server Longhorn is released later this year.

Though not all of Microsoft's 100 NAP partners issued corresponding releases announcing their NAP interoperability, a good number of them did. Lockdown Networks announced that their flagship NAC solution, Lockdown Enforcer, now has full support for NAP. Lockdown is also compatible with the other two big access control frameworks, Cisco's NAC and Trusted Computing Group's Trusted Network Connect (TNC).

Lockdown's VP of Marketing Dan Clark argued that, unlike others among Microsoft's partners, Lockdown is differentiated because its product is a purpose-built solution rather than a feature in an overall product designed for something else.

The last two years have seen a dramatic explosion in the number of vendors that claim to do some form of NAC.

"At the last RSA, the number of vendors who said they did NAC began to explode," Clark told internetnews.com. "When we started there was just us and Cisco. By the end of 2005 there were maybe 15 companies that said they did access control. By the end of RSA 2006 there were 60."

In Clark's opinion, however, this is the year when a shakeout in the market is likely to occur.

"I think for the industry as a whole 2007 will be the year where the weaker network access control players fade away," Clark said. "It will be the year that 40 of them give up on trying to market themselves as NAC and we'll get consolidation down to the real players with real solutions."

Juniper Networks is also on Microsoft's NAP partner list, though Juniper has its own views on NAP and its own partners for its TNC-compliant Unified Access Control (UAC) solution.

Karthik Krishnan, Juniper Networks' UAC product manager, told internetnews.com that Juniper customers are not asking for NAP because it is not a shipping solution. The plan is for UAC to interoperate with NAP but, according to Krishnan, that is more of a technical line item for whenever Windows Server Longhorn ships.

As far as NAC is concerned, Krishnan has a strong opinion there as well.

"The word NAC is much abused," Krishnan said.

He explained that access control is only the first step in a wider plan for networking security, with the second step being a broader and coordinated threat management approach.

Nevis Networks, which is also on Microsoft's NAP partner list, went so far as to say that even though they do NAC and are compliant with Cisco, Microsoft and TNC, they are not in the NAC business. Dominic Wilde, VP of marketing, argued that NAC is the past and what Nevis calls LAN security is the future.

This week Nevis announced a purpose-built LAN security appliance and switch that can handle NAC.

"We don't view ourselves as being in the NAC market though we think that NAC and all the buzz that goes around it, is a good starting point," Wilde said. "But we believe that NAC is part of a much bigger problem."

For Wilde that means Nevis' offering is more comprehensive than others since the solution offers post-connect security with inline threat detection.

That being the case, Wilde admitted that Nevis' solution doesn't do everything needed quite yet either.

"We need to go deeper and do more application layer control," Wilde said. "We're at network layer and we can do application control today, but we need to do more of that and increase the functionality."

Cisco, the company that coined the term NAC in the first place, actually agrees that there is a lot of misplaced conjecture around NAC and what it can and can't do.

"It's an unfortunate byproduct of a very rapidly evolving technology without a lot of really well defined terminology," Mike Nielsen, marketing manager for threat control systems and solutions at Cisco, said.

Cisco didn't actually end up announcing any new NAC products at RSA this week. Instead, it rolled out a massive update to its broad Self Defending Network architecture, of which NAC is a member.