NEW YORK — Is now the right time to buy into NAC?
Network Access Control (NAC) vendors would like you to think so. But if audience reaction at the Interop conference here is any indication, vendors would be wise to wait until broader industry standards exist.
That said, NAC may well be widespread within the enterprise inside of five years, according to networking experts from Juniper Networks, Cisco, Microsoft, StillSecure and the Trusted Computing Group.
During a panel discussion, they agreed that NAC will exist somewhere within most enterprises inside of the next five years. The group also agreed that what may be in use in five years may well be different than what is currently available in order to adhere to an as yet unspecified IETF specification for NAC.
Confused yet? You wouldn’t be the only one.
NAC, short for Network Access Control, is a term first introduced by Cisco but rapidly becoming a generic moniker for network access control technologies in general.
Thomas Howard, security solutions engineer at Cisco Systems, said the biggest confusion surrounding NAC is that people think that NAC is just 802.1x, a standard for port-based security, when in fact it’s more than just 802.1x Dave Greenstein, chief architect at security vendor StillSecure, agreed that 802.1x need not be a holdup for deployment. In his view, 80 percent of networks are ready for NAC today. “802.1x is what people want in the long run, but there are other ways to do it,” Greenstein said. The key to rolling out NAC successfully has a lot to do with how you actually roll it out in the first place, added Steve Hanna, a distinguished engineer with Juniper Networks. Hanna was actually sitting on the panel as as the co-chair of the Trusted Network Connect (TNC) Sub Group within the Trusted Computing Group. TNC is an effort to create interoperability between access control solutions from various vendors. Hanna advised that it’s likely best to start out with an advisory rollout and no enforcement. This way, users would get an advisory as opposed to be locked out of network assets altogether or barred from logging onto the network. “You don’t start with enforcement on day one since no one will be able to logon,” Hanna said. Cisco’s Howard agreed with Hanna on the importance of an advisory mode in an initial roll out. “Advisory mode is huge because you don’t know what you don’t know,” Howard said. Panelists also squared off on what is likely the single most contentious issue about NAC today: standards. Cisco’s NAC implementation is different than that used by Juniper for example. Microsoft’s NAP will work with Cisco’s NAC and may also work with others. Trusted Network Connect (TNC)is the open standard for allowing interoperability between TNC compliant NAC implementations, like Juniper’s. Cisco is not TNC compliant but is working toward an industry standard as well which could ultimately prove to be the binding standard for access control. “We’re working with the IETF to come up with a single standard,” Cisco’s Howard said. “But even if that were out there tomorrow, it wouldn’t solve all the problems with NAC.” A member of the audience took exception to Howard’s comments, asking how an enterprise could choose any NAC solution when there is no standard. The audience member then argued that the IETF is essentially a Cisco puppet. Howard responded that Cisco has stated that it will work with a standards body and that body is the IETF. Juniper’s Hanna also came to the IETF’s defense, noting that many TNC participants are very active in the IETF. Hanna however raised a very important point about whatever spec actually does come out of the IETF for NAC, one that could well render all current NAC implementations obsolete. “What’s likely to happen is that whatever comes out of IETF are not any of the things that went in,” Hanna said. “It’s going to be some sort of amalgamation and there will have to be a transition from whatever people have deployed.” “My hope is something that we can have a smooth easy transition too from any of these technologies.”