More than two years into its Network Admission Control (NAC) infrastructure vision, Cisco Systems Inc. last week...
announced the addition of a new appliance to its NAC arsenal.
While it's not completely clear what impact Cisco's new NAC Appliance 4.0 will have on users, some industry analysts say an appliance-based approach to NAC could serve as a building block for a later framework rollout.
"They can get started with it now," Yankee Group vice president Zeus Kerravala said of companies that are considering NAC but are still teetering on the fence about deployment. "It can give them a taste of what it's like, and it lets them see the benefits."
For an NAC framework approach, users would have to go through a full router and switch upgrade, which is often costly, complex and time consuming. Though Kerravala said a framework approach is a better way to go, NAC alone can't justify a complete upgrade.
"If someone's running older routers and switches, NAC isn't going to be the sole reason for an upgrade," he said.
Simply put: An NAC framework is not a weekend road trip, it's a years-long journey and NAC 4.0 would be the gasoline.
Cisco NAC Appliance 4.0 is the latest incarnation of Clean Access. The upgrade provides policy enforcement at enterprise network entry points. Version 4.0 can be deployed in-line or out-of-band with network traffic at Layer 2, and it can be deployed out-of-band at Layer 3 to minimize the number of services required for multiple locations. Version 4.0 also has single sign-on for VPN clients, wireless clients and Windows Active Directory domains.
Robert Whiteley, a Forrester Research analyst, said an NAC appliance from Cisco can help ease users into an NAC deployment, something many Forrester clients have on their mind.
According to a recent survey from Whiteley and Forrester, 4% of 149 enterprises have deployed NAC, while 36% plan to purchase or implement the technology in 2006. However, companies that have no NAC plans cited cost and complexity as their main sticking points. Also, those planning to deploy NAC want to do so across all technologies, meaning they want a universal access control policy across their wired, wireless and remote-access media.
"Why all the buzz?" Whiteley asked in his report. "Because, done right, NAC enables pre- and post-admission compliance checks, which effectively stop the bad guys from getting on the network in the first place, as well as kicking off legitimate users if they don't comply with company policy."
Whiteley said NAC 4.0 can be the starting point of an NAC framework roadmap.
Still, deploying an NAC appliance now, with a framework around the bend, could present a new set of challenges, Whiteley said.
"If I'm an enterprise and I want to get results today, how do I do that without painting myself into a corner?" he asked.
An appliance could be obsolete within a short time or may not fit into the standards when the time comes for a full-framework cut over. With NAC 4.0, however, the appliance will still have a role to play within a framework, Whiteley said, and its policy will be able to scale along the way.
"If you're a Cisco shop, this is a no-brainer," he said. "It's what users want -- to get something up and running now. Folks need to get started with something that will give them a roadmap."
Andrew Braunberg, an analyst with Current Analysis, agreed. He said NAC 4.0 can be a logical first step in a wider NAC deployment.
Sun Microsystems recently deployed Cisco NAC appliances across its network and is doing so with an eye to the future. Though the company is "starting off small" with appliances, it could eventually embed NAC into its architecture, according to Sun senior security engineer Mike Roncadori.
"We're not quite ready to do all those kinds of things yet," he said. "But we're starting to look at how else we can leverage this technology. I don't think there's any question we're going to drive this into our architecture."
Sun's NAC deployment was originally rolled out to stop malware but had potential to solve compliance issues and protect data within the architecture.
"Who accesses what, when and where and for what purpose?" These are the key questions Roncadori wants NAC to answer.
Deploying NAC as an appliance fulfilled what Sun wanted to do but also supported its future vision, but with NAC frameworks so costly and complex, Roncadori said, rolling out an appliance was a great first step.
"We really can't wait for nirvana," he said. "We've tried to do that with a number of other things and you end up never solving the problem."
Cisco's director for Clean Access, Rohit Khetrapal, said NAC Appliance 4.0 is an evolution of its Clean Access NAC appliance, and NAC 4.0 will help users take a more phased approach to an entire NAC framework.
"We need to provide an NAC appliance now and embed it into the NAC infrastructure later," Khetrapal said.
Companies can learn the NAC basics now with minimal infrastructure changes, as opposed to the framework approach, which is robust but requires more architectural planning and vendor integration, Khetrapal said. Cisco NAC can be the first step in the phased approach.
Khetrapal said that NAC 4.0 offers investment protection because it can be purchased now as a standalone NAC solution but can later be thrown into the mix with an NAC-based infrastructure, as companies find the time and money to roll out.
Still, the NAC 4.0 announcement left some experts wondering whether Cisco is trying to overthrow its NAC framework partners and take sole ownership. Braunberg suggested that Cisco's appliance vs. framework NAC approach could alienate the host of partners involved in the vendor's NAC framework by taking a more "go it alone" approach to NAC.
"The original criticism of CNAC was that it was really just a means for Cisco to sell lots of switches and routers -- security differentiator for its core business, if you will," Braunberg said. "Now, two years into it, though, we really see Cisco thinking of itself as much more of a security vendor, and the shift of the appliance into the CNAC framework indicates to me that Cisco sees so much revenue potential selling security boxes that it wants to take ownership of the entire NAC infrastructure."
"The only room for partners now is with tangential pieces" such as patch management vulnerability scanning and anti-virus, Braunberg said. Kerravala added, however, that there will always be room within the NAC framework for best-of-breed vendors. Others, though, will have to evolve to keep their places.
"I think this will drive a lot of NAC vendors toward the NAP [Microsoft Network Access Protection] and TNC [Trusted Computing Group's Trusted Network Connect] frameworks, which may further complicate the standards issue," Braunberg said.
Khetrapal disagreed, saying that Cisco's NAC partners remain an integral part of the company's overall NAC framework vision. Moving forward, he said, Cisco will continue to work with those partners.
"How do you embed it in the infrastructure, and how do you find a place for partners?" are two main questions Cisco will tackle moving forward with NAC, Khetrapal believes. "To us, [partners have] made an investment and we've made an investment."