At the RSA conference this week, several vendors announced their plans to play in the network access control (NAC)...
space, giving networking pros more options as they consider beefing up security and locking down their networks.
3Com Corp., Shavlik Technologies, McAfee and Mirage Networks are among the companies adding their wares to a market already crowded with products and enjoying burgeoning interest.
NAC, called Network Admission Control by Cisco Systems Inc. and Network Access Protection (NAP) by Microsoft Corp., was one of last year's must-have systems and is expected to continue that trend. Infonetics Research recently predicted the market for all NAC enforcement tools will grow an astronomical 1,101% over three years. That jump will make NAC a $3.9 billion market by 2008, up from $323 million last year.
NAC's immense popularity, in part, is fueled by how porous the network perimeter has become because of wireless, wired and remote access all coming together. "[Corporations] have to actually build some kind of security into the network" to determine who and what can get on, Forrester Research analyst, Robert Whiteley said.
But even as the NAC market continues to boom, options are becoming more complex, and networking pros are forced to decide whether it's right for their network. And while no one will contest that NAC has its benefits, there are also some drawbacks to consider before deploying it, including the number of moving parts, the cost and the time involved in a full NAC deployment.
Whiteley said for some enterprises, installing NAC can be a "daunting task" and a "sizable endeavor." A typical NAC deployment can take months, cost hundreds of thousands of dollars and involve numerous pieces.
"I would argue that the operational burden far outweighs the capital gain," Whiteley said. "Firms that have started [deploying NAC] have stopped because of the complexity. You really can't get it up and running enterprise-wide from the get-go."
But while NAC is continuing to dominate the network security space, there are some alternatives that, while not exactly NAC replacements, can act as building blocks for a scaled back NAC rollout.
"NAC is an ecosystem; it's not a particular set of technologies," Whiteley said, adding there are vendors that can quarantine and provide access control techniques without being explicitly defined as NAC. Those vendors' products can act alone to protect a network, or be added to a larger NAC framework for additional protection.
Some examples include Funk Software, a provider of standards-based network access security products. Juniper Networks acquired Funk in November. Funk's line of products includes Radius/AAA server, Steel-Belted Radius and the Odyssey Client, an 802.1x client for wireless and wired networks. Funk also has an Endpoint Assurance Product suite for network-based enforcement of endpoint integrity.
Funk's products require users and devices to meet a company's security policies before accessing a corporate network to protect against Trojans, viruses, worms and other threats that could be introduced by wireless or remote workers. If those policies aren't met, the device or user can't access the network.
ConSentry Networks has a line of secure LAN controllers that control user access and malware outbreaks within internal networks. And Nevis Networks offers the LANenforcer line of appliances that enforce security policies and prevent outbreaks.
Another alternative comes from Infoblox, which this month announced its "NAC-related, but not NAC" ID Aware DHCP Toolkit. The Toolkit provides a link between DHCP and IP address delivery to grant network access. It also scans, quarantines and remediates endpoints and mitigates and reports threats.
Rick Kagan, vice president of marketing for Infoblox, called the Toolkit a "foundation block for NAC," meaning it helps enable a NAC deployment, but does not necessarily have to be installed as part of a NAC framework.
The Toolkit, Kagan said, eliminates the idea of an anonymous network and creates an "identity driven network." Essentially, the Toolkit can tell networking pros who or what is using a certain IP address, when and how they got that address and what that address is allowed to do, while also showing a history of what that IP address has accessed. It controls which users and devices get into the network and can limit what those users can do based on policy.
"Traditional NAC has a lot of moving parts," Kagan said. "It takes time, money and resources. Not everybody is going to do it."
Whiteley agreed, but added that vendors that offer NAC alternatives are cautious to say they "enable or enhance NAC," not that they can work independently of it. One reason behind that caution is the possibility that Cisco and Microsoft will team up on network access control, making either NAC or NAP a standard. The companies discussed the partnership more than a year ago, but the talks have since fallen silent.
"[Other vendors will] have to say they're NAC or NAP compliant. If they don't have that stamp of approval, they open themselves up to obsolescence if it becomes the standard," Whiteley said.
Alternative technology, building-block or enhancement tool, NAC is top of mind as vendors continue to enter this space. According to Infonetics Research, Cisco reins the NAC market with its multi-vendor NAC framework, while Microsoft's NAP comes in second. Third is the Trusted Computing Group, an independent consortium working on standard implementations for NAC.
But along with the big boys are also some emerging NAC players, like InfoExpress, Lockdown Networks and Vernier Networks.
Nortel Networks also recently announced its own version of network access enforcement, Nortel Secure Network Access (NSNA), which checks endpoints for policy adherence, quarantines and remedies. NSNA is available in a control that can be added to the core.
The announcements are expected to continue at RSA, where 3Com made the biggest NAC-related announcement yesterday when the company rolled out TippingPoint Quarantine Protection, which uses the LAN infrastructure to isolate infected devices. Shavlik Technologies announced a partnership with McAfee to add its patch management technology to McAfee's NAC System, which protects the network from endpoint malware and misconfiguration. And Mirage Networks announced a partnership with McAfee to enhance Mirage's NAC devices. The Mirage system scans for vulnerabilities and checks policies at network entry and after by monitoring all devices on the network. Infected devices are quarantined and fixed before access is granted.
"NAC is a security trend for sure, but it's only as good as the policies you create," Whiteley said. "You can start with a partial solution and work your way to a full deployment."