Some Surprises in Novell’s Foray Into NAC

Novell is diving into the market for network access control (NAC) with its new ZENworks Network Access Control solution. The launch isn’t without its quirks, however.

The idea behind Novell’s NAC is that it’s supposed to be easy to deploy and is suitable for heterogeneous network environments. However, while Novell’s solution is a software-based appliance built with a Linux kernel, ZENworks NAC does not yet support Linux endpoints.

Additionally, while Novell as a company is supportive of open standards, ZENworks NAC does not yet support the open Trusted Network Connect (TNC) standard. The TNC standard had been created by the Trusted Computing Group, a vendor-neutral industry body, with the goal of creating interoperability between access control solutions from different providers.

Novell’s approach to NAC comes as the market for such solutions is maturing, with offerings from Microsoft, Cisco and Juniper, among others, already in the market.

Such solutions provide preadmission controls that validate the integrity and security of an endpoint before it’s allowed to get network access. Some solutions, including Novell’s NAC, also perform post-connect access checks, which can ensure that the endpoint remains in compliance with network policy.

“This rounds out our capabilities for the endpoint security market,” David Ferre, product manager for Novell ZENworks, told “We are seeing a good market for growth, and probably will be for at least the next three or four years.”

The ZENworks NAC builds on technology that Novell acquired with the purchase of endpoint security vendor Senforce in August 2008.

Ferre explained that Senforce’s previous version of the NAC product had been limited to a single console for servers. In its new version, however, Novell has broken out the management and enforcement server components. As a result, an enterprise can now blend both DHCP and 802.1x modes of NAC enforcement, Ferre said.

“The focus is on minimizing the amount of investment required for deploying NAC and for allowing it to all be controlled from a single, central location,” he added.

While ZENworks NAC uses the Linux operating system as its base, it’s not the flavor of Linux one might expect, considering that Novell has its own SUSE Linux distribution as well as a burgeoning initiative around promoting SUSE appliances. Instead of SUSE Linux, the NAC uses a customized version, Ferre said.

“The Linux kernel [in ZENworks NAC] is actually proprietary to this solution,” he said. “We are taking the packages individually and creating the Linux build, so it is not the same structure as SUSE Linux.”

The surprises don’t end there. Although ZENworks NAC is built on top of a Linux kernel, it does not actually support the OS as an enforcement endpoint. Ferre explained that Linux support wasn’t a priority because Novell sees a higher demand for Windows-compatible solutions, owing to the density of Windows devices in the enterprise.

“It was a decision on coming to market,” Ferre said. “We needed to either deliver on what is in the most demand and get to market sooner, or we could have held off and released at a later date. Based on where the market is today, we wanted to move forward immediately rather than wait for Linux compatibility.”

Still, he added that Linux support may be in the works.

“We are offering testing capability on Windows and Mac OS X,” Ferre said. “Linux is a logical extension since we have SUSE Linux, and it is something we will be looking at in the near term.”

Linux isn’t the only platform that might experience interoperability issues with Novell’s NAC. Ferre also said that ZENworks NAC does not yet support Microsoft’s (NASDAQ: MSFT) Network Access Protection (NAP), either. NAP, Microsoft’s technology for access control, ships as part of Windows Server 2008. It’s also compatible with the TNC standard, which is supported by many other vendors, including Juniper.

Despite those pluses, Novell so far has not seen a lot of demand for it, Ferre said. On the other hand, he added that TNC compatibility, while currently lacking in ZENworks NAC, may also be in the cards for a later version.

“We have been actively watching [TNC] and are interested in that,” Ferre said. “I see no resistance and I do agree it’s the only open standard, and it is the way that things will go. I do fully expect that it is something we will adopt on ZENworks NAC, but not something that is in process at this point.”

Though lacking TNC support, ZENworks NAC does support Cisco’s NAC framework. Cisco (NASDAQ: CSCO) currently does not support TNC, either, though an Internet Engineering Task Force effort is currently underway that might yield a broader standard acceptable to both the Cisco and TNC communities.
