RealTime IT News

The NAC: Can't They All Just Get Along?

LAS VEGAS -- Decisions, decisions -- especially network access control decisions (NAC). Should enterprises choose Microsoft's NAP, Cisco's NAC or Juniper-backed TNC for their NAC needs? And, most important, can they all get along?

Panelists from Microsoft , Cisco , Juniper and McAfee  took on the question in a debate at the Interop Conference here. The topic appears ripe. NAC has been one of the most-hyped new networking technology approaches over the past few years, but plenty of work remains regarding interoperability between vendors' solutions.

That's not to say that enterprises won't get benefit out of NAC today. Paul Mayfield, group program manager at Microsoft, said Microsoft was surprised with its results when it first deployed NAP into its own environment.

"Just being able to actually see what compliance is, is the first benefit of NAP," Mayfield told a standing room only crowd. "We have things that do it today on [virtual private networks]. For wireless security, the ultimate NAC promise is that it will provide a policy framework to unify these things together."

While security policy for network access does already exist in other parts of the enterprise infrastructure, it's typically not unified.

"NAC brings all policies together under one umbrella," Karthik Krishnan, Juniper Networks' UAC product manager said. "NAC is an uber-moniker for motherhood and apple pie. What it gives you is a policy framework that works in real time."

NAC can also serve as a vehicle to help organizations better define policy, panelists here said.

"Customers want to identify the asset and the threat it may mean and they want give the asset the right level of access," said Russell Rice, director of product management at Cisco. "Some organizations know what they want. Others need a sharpening of the sword and don't know what to do. NAC is that sharpening and can be the venue where you drive that process and get audit-ability and control."

Panelists agreed that a key success criteria for organizations that want to deploy NAC is the ability to work with existing infrastructure.

"People want to deploy technology that doesn't cause big changes to the enterprise environment," Cisco's Rice said. "We already have 2000 customers deployed with NAC and we keep on expanding deployment options."

Still, they continued, NAC needs to be easier to implement than it has been in the past. MacAfee's' Vimal Solanki, senior director of worldwide product marketing, noted that the main feedback he gets from customers is this: they need NAC but think that it is far too complex and forces them to upgrade what they've already got.

That's where Microsoft may well have an advantage over other vendors. Microsoft's Mayfield noted that Windows Server 2008 will offer NAP. But, perhaps more important, Windows Vista already has full NAP client capability. Mayfield said that the upcoming Windows XP Service Pack 3 will add NAP client capability for Windows XP users as well.

"Having the agent built into the operating system is a tremendous value to the customer as it dramatically reduces deployment when you can use desktops you already have," Mayfield said.

Standardization of NAC and integrating the different frameworks in the marketplace ranked as the most contentious topics for the panel, and not surprising, given recent events.

This week, Microsoft announced a landmark interoperability deal with Trusted Computing Group' s Trusted Network Connect (TNC). Microsoft also has a deal in place to integrate NAP with Cisco?s NAC as well. Yet, despite the recent spate interoperability announcements, plenty of work remains.

"We already work with Cisco NAC, Microsoft NAP and TNC," McAfee's Solanki said. "It's good that we're gone from three to two standards but it's still one too many."

Cisco's Rice noted that Cisco is working within the IETF standards body to develop broad industry standards for access control, Both Microsoft and Juniper participate in that effort as well.

Though the panelists all sung the praises of NAC interoperability, at least one member of the audience wasn't convinced. In the Q&A session that followed the panel discussion an audience member stood up and accused the panel members of singing "kumbaya" when it's really not true. According to the audience member, when respective vendors come and pitch him, they are not so friendly and the solutions don't interoperate.

"I think the industry is moving toward standardization because of the willingness for interoperability," Microsoft's Mayfield responded. "There is a lot of goodwill among vendors even if they try and sell you their own solution when they come to see you."

Cisco's Rice responded in a different way. He noted that when the IPsec  VPN standard first came out it took six years to evolve into an industry standard that was interoperable.

"NAC is a technology that has been around for only a few years and there is a lot of pent up interest in making use of it. But you've got to understand that, in any other technology where you ask for interoperability, it has taken more than two years."

"The trending is positive with more interoperability earlier than with other technologies but you've got to have a little bit of patience with this."