Network Security, Part 2: NAC Moves Up the Architecture

Businesses and large institutions dreaming of enforcing consistent security policies are finding solace in network access control, or NAC — programs that establish authentic users, identify network devices, perform integrity checks, take remedial actions and authorize access to information system resources based on organization-wide security policies.

While the market has seen a steady cash flow ever since these systems were introduced by Cisco in 2003, NAC’s evolution is still not complete, as Part 1 of this two-part series notes. Issues of cost, complexity and confusion surrounding vendor claims versus actual performance mean that buyers need to tread carefully. Part 2 delves further into the prospects for NAC.

Talk About Fast-Growing

The fledgling market for NAC enforcement appliances nearly quadrupled between 2005 and 2006, exceeding US$83 million worldwide, and it’s expected to double this year, according to a May Infonetics Research report. Manufacturers’ revenue for NAC enforcement will grow an astounding 1,101 percent — from $323 million to $3.9 billion — between 2005 and 2008, according to a January Infonetics report.

“By far the largest portion of NAC enforcement revenue between now and 2008 comes from network-integrated enforcement devices, but the biggest change is in NAC enforcement appliances, whose share of the market nearly triples between 2005 and 2008,” said Jeff Wilson, Infonetics’ principal analyst for network security.

The “three big guns” in the NAC space are Cisco, Microsoft, and the Trusted Computing Group (TCG).

The first two are developing their own NAC-like solutions and the third is an independent consortium working on standard implementations for NAC, Wilson said.

In-Band or Out?

Cisco’s NAC Appliance is not only in-band, as some competitors claim, according to Irene Sandler, vice president of Cisco NAC. “It can be deployed in-band or out-of-band. … Most competitors attack us on that front, because the product was initially in-band then evolved to support out-of-band deployment. Competitors like to latch on to the past vs. the present.”

Sandler also emphasized that the Cisco Clean Access Agent isn’t a mandatory component for the Cisco NAC solution.

Furthermore, “you do not need a complete Cisco network to deploy Cisco NAC,” she added. “This misperception is completely off-base. Cisco NAC is compatible with Cisco-only or multi-vendor networking infrastructures. It was designed to be that way for obvious reasons, providing more of a realistic solution to real-life IT settings.”

Getting a NAC Education

Given the diversity of information and telecommunications systems set up in universities, these institutions have been NAC hot spots.

“Educational institutions are still like the wild, wild West when it comes to computers,” Jeff Reed, president of Classic Networking, told TechNewsWorld.

“The students’ PCs are not owned by those institutions, so traditionally the institution did not have the power to assume total control of the PC. Most student PCs were not updated and patched a few years ago, before automatic updates were around. Add to that the possibility of where they are Web-surfing to find ‘research material’ [and] the students’ PCs tended to come into the school’s network already infected — and they would infect other devices right away. NetMD (Classic Networking’s NAC solution) will continue to grow in that market, because we offer the strong clients and some of the lower pricing on the market,” he explained.

“The story behind NAC solutions and their value to schools and businesses is gaining steam, and our expertise level has granted us a leg up on most VARs (value-added resellers) who are dealing with multiple solutions right now. It all comes down to three things: speed, granularity and cost,” added Dave Feligno, Classic Networking’s Western regional sales director.

“We deal with tons of requests from higher education regarding NAC and how it can help with student registration, application monitoring, rogue detection and security policy,” he said. “There is a big cry for help right now from schools regarding these topics. … There are multiple players, all of which genuinely say that their solution is the best. That’s what the story is: How do you pick what NAC fits your needs best without breaking the bank?”

NAC in Tempe

More than 58,000 students attend Arizona State University, making it one of the largest academic and research universities in the United States.

“We had a very hard time with viruses early in the last academic year,” reported William Lewis, ASU’s chief information officer, in a Cisco NAC case study. “We didn’t go down, but we suffered greatly.”

To prevent this from recurring, ASU rolled out Cisco’s Clean Access technology.

“We estimated that Cisco Clean Access will cut our security incidents by at least 80 percent for Fall startup,” Robin Manke-Cassidy, ASU’s technical support principal for the information technology department, said in the study.

Employing network and device scans, Cisco’s solution evaluates every device that attempts to access a network for compliance with internal security policies before access is granted. Noncompliant devices are placed into a quarantine area where they undergo automated repair processes, eliminating a lot of work that would otherwise fall to network and information technology staff.

Cost and Complexity

Cost and the complexity associated with NAC technology are the two main factors limiting its application at this point.

“Not everyone is right for NAC, but those who can afford it have more options now than they did, say, two to three years ago,” Classic Networking’s Reed observed.

The potential for NAC to disrupt an organization’s regular operations may also be a concern, and the right compliance parameters depend on who owns and maintains the endpoints.

“In many cases, employees are given company-issued computers that are regularly updated by the company themselves,” Cisco NAC’s Sandler told TechNewsWorld.

“The company in the first example may choose to have a stricter list of compliance parameters, such as requiring a particular version of a specific antivirus application, while the university may choose to require any updated version of any antivirus application.
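The admission flow described in the ASU case (evaluate each endpoint’s posture against policy before granting access, quarantine noncompliant devices with remediation steps) and the strict-versus-lenient compliance parameters Sandler contrasts can both be illustrated with a small policy evaluator. This is an added example, not Cisco’s, Classic Networking’s or any vendor’s code; the endpoint posture records, the antivirus product names, the version thresholds and the patch identifiers are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Posture:
    """Constructed posture report, as an agent or network scan might collect it."""
    host: str
    av_product: Optional[str]          # None if no antivirus was found
    av_version: Optional[str]
    av_signature_age_days: Optional[int]
    missing_patches: List[str] = field(default_factory=list)

@dataclass
class Policy:
    """Compliance parameters. None for a parameter means 'any is acceptable'."""
    name: str
    required_av_product: Optional[str] = None  # strict: one specific product
    min_av_version: Optional[str] = None
    max_signature_age_days: int = 7
    max_missing_patches: int = 0

def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically so '9.10' sorts after '9.2'."""
    return tuple(int(part) for part in v.split("."))

def evaluate(posture: Posture, policy: Policy) -> Tuple[str, List[str]]:
    """Return ('allow', []) or ('quarantine', [remediation steps]).

    Every failed check adds a remediation step, so the quarantine area can
    drive automated repair instead of just blocking the device.
    """
    actions: List[str] = []
    if posture.av_product is None:
        actions.append("install antivirus")
    else:
        product_ok = (policy.required_av_product is None
                      or posture.av_product == policy.required_av_product)
        if not product_ok:
            actions.append(f"replace {posture.av_product} with {policy.required_av_product}")
        elif policy.min_av_version and (
            posture.av_version is None
            or version_tuple(posture.av_version) < version_tuple(policy.min_av_version)
        ):
            actions.append(f"upgrade antivirus to {policy.min_av_version} or later")
        if (posture.av_signature_age_days is None
                or posture.av_signature_age_days > policy.max_signature_age_days):
            actions.append("update antivirus signatures")
    if len(posture.missing_patches) > policy.max_missing_patches:
        actions.append("apply patches: " + ", ".join(posture.missing_patches))
    return ("allow", []) if not actions else ("quarantine", actions)

# Two constructed policies mirroring the contrast in the text: a company that
# mandates one antivirus product at a minimum version, and a university that
# accepts any up-to-date antivirus and tolerates a few missing patches.
CORPORATE = Policy("corporate", required_av_product="AcmeAV", min_av_version="9.2",
                   max_signature_age_days=3, max_missing_patches=0)
UNIVERSITY = Policy("university", max_signature_age_days=7, max_missing_patches=5)

# Constructed endpoints (hostnames, products and patch ids are placeholders).
SAMPLE_ENDPOINTS = [
    Posture("lab-pc-1", "OtherAV", "4.1", 2),
    Posture("dorm-pc-7", None, None, None, ["KB-0001", "KB-0002"]),
    Posture("hq-laptop-3", "AcmeAV", "9.0", 10, ["KB-0001"]),
]

def admit_all(postures: List[Posture], policy: Policy) -> dict:
    """Map each host to its admission decision under one policy."""
    return {p.host: evaluate(p, policy) for p in postures}

if __name__ == "__main__":
    for policy in (CORPORATE, UNIVERSITY):
        print(f"--- policy: {policy.name}")
        for host, (decision, steps) in admit_all(SAMPLE_ENDPOINTS, policy).items():
            print(f"{host:12s} {decision:10s} {'; '.join(steps)}")
```

Running the block prints both decision tables; the same endpoint with a third-party antivirus is quarantined under the corporate policy but admitted under the university policy, which is exactly the trade-off between disruption and control that the two organizations in the text are making.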

The NAC Outlook

“As NAC evolves, even the smallest organizations will be able to benefit from a solution that is custom-tailored to their environment, because we are now seeing more lower-tier vendors handling small- to medium-sized networks,” Reed commented.

Illustrative of this, two members of Harvard University’s IT staff in March released PacketFence Zero Effort NAC, a free virtual NAC appliance that supports their open source network access control platform. Dubbed “Zen,” it consists of an operating system image that runs on Linux or Windows and performs policy checks of devices as they log on to networks, and it’s one of a growing number of free NAC tools entering the market.

“Ease of use and ease of installation are still just a dream for NAC. As we make this easier, more customers will get on board. As Microsoft builds more of it into the Desktop OS and Server OS, it will slowly become a commodity. Vendors are starting to work together on standards to share NAC technology. The two gorillas in the market, Cisco and Microsoft, talk a lot about standards — but only time will tell if they mean it,” Reed concluded.
