NEW YORK -- The line between security and the network is blurring and many in IT are being forced to wear two hats...
to keep their networks free from attacks.
And at Interop yesterday, that shift was evident, as several vendors and industry experts outlined the need to add appliances that protect from worms, viruses, Trojan horses, hackers and other malicious onslaughts at the network level.
Welcome to the era of network access control.
"Going forward, we'll be seeing a shift in focus from threat protection to security design," said Paul Stamp, analyst with Cambridge, Mass.-based Forrester Research Inc. "Security will be built into our network technology so that it's secure from the ground up. Network access control and quarantining mechanisms are a step in that direction."
While the big boys, Cisco Systems Inc. and Microsoft are major players in the network access space, other smaller vendors are starting to make waves.
Lockdown Networks Inc. today rolled out its NAC appliance, version 4.1, which works at the switch level to make access decisions based on device health, time, date, user and group information. Senior product manager Bryan Nairn, of Seattle-based Lockdown, said the appliance controls network entry and continually checks to make sure linked devices are in compliance with the latest software and updates.
Similar to Cisco's NAC framework, users are quarantined if anything on their device is amiss. From there, they are offered remediation and not allowed onto the network until the problem is fixed.
"It keeps out viruses and protects against unauthorized access," Nairn said. What sets Lockdown apart, he said, is that version 4.1, supports several modes of authentication, not just 802.1x.
Another vendor planting its foot in the NAC space yesterday was Vernier Networks, which offers a single, agentless, vendor-agnostic appliance. Unlike Cisco, the Mountain View, Calif.-based vendor's EdgeWall Rx network access management appliance sits in-line on the network.
Ranjeet Sonone, product manager with Vernier, summed the EdgeWall Rx up this way: "You send a bad packet to us and we drop it."
Like Lockdown 4.1, EdgeWall authenticates and continues with periodic device checks to ensure users and devices are still in compliance.
But John Stier, telecommunications and networking director for Stony Brook University in New York, wasn't sold on NAC as a viable solution for his network security woes.
"I'm not convinced," he said. "Quite frankly, we're dealing with an unsolvable problem."
Stier explained that NAC may be fine for a corporation, but on a university network that handles tens of thousands of varying devices this technology approach is simply not plausible.
"We're dealing with computers that are not centrally managed and not uniform," he said. "Those machines could have anything under the sun on them, and they probably do."
Though Stier admits that a NAC appliance would be beneficial, he can't picture any realistic way he could deploy it. Stier said he feared forcing students into compliance-based access would create droves of privacy and support issues that his staff just couldn't handle. Plus, he added, catching one infected device out of thousands is a tough feat.
"If you have a room full of 100 people and one has the flu, how do you catch him?" he asked.
Despite Stier's protests, experts said NAC appliances are going to be a necessity within the next year. Chris Christiansen, vice president of security products and services for Framingham, Mass.-based research firm IDC, forecasted that by 2008, 80% of all security products will be network appliance-based.
"Once an unhealthy device connects to a LAN and immediately injects something malicious, it's over," he said.
During his discussion "Network Security: Two Worlds Collide," Christiansen said Trojans horses, viruses and worms will pose a serious threat for the foreseeable the future, while spyware attacks will continue to flourish. He said protecting the network from unwelcome or infected devices is imperative and NAC is a big part of it.
"If you think it's bad now," he said, "it's going to get incredibly worse."