Network access control (NAC) was all the rage four years ago when worms and other malware found their way behind corporate firewalls on infected laptops and wrought havoc on networks. Spurred on by heavy publicity for these exploits, network security professionals turned to NAC technologies to protect themselves.
"Then the worms went away and NAC changed to: 'When you connect I'll check if you're vulnerable, if you have antivirus, if you're missing patches,' " said John Pescatore, vice president and distinguished analyst for Gartner Inc. "It had nothing to do with protecting the network. And that's when the wind went out of NAC's
Pescatore said NAC became notorious for blocking CEOs and vice presidents from accessing the network because they didn't have the latest patches on their laptops.
NAC evolved into a "catch basin" for many security initiatives, such as desktop management, device management, threat protection and vulnerability assessment, according to Robert Whiteley, principal analyst and research director at Forrester Research. The promise of NAC as a single platform to protect everything and everyone raised expectations. It also led some customers to bite off more than they could chew, which resulted in many failed deployments.
"If you had some kind of problem with security, this technology could solve it," Whiteley said. "So it sort of went through an irrational exuberance stage where people were deploying it and not getting the value they wanted. But this wasn't the technology's fault. It was more the hype."
Whiteley said the NAC market has since stabilized. Beginning this year, he started to see enterprises take a more mature approach to the technology. Rather than treating NAC as the magic pill to cure all security worries, companies are instead trying to use NAC to ease specific pain points.
Some NAC vendors are adjusting their strategies to reflect this change. Bradford Networks, for instance, launched NAC Director GCS earlier this year. A scaled-down version of Bradford's flagship network access control appliance, GCS specifically enables companies to control guest and contractor access to corporate networks. Both Pescatore and Whiteley said this issue is a leading challenge for IT organizations.
This month, Bradford announced three more point product appliances aimed at addressing specific use cases.
- User Visibility and Control leverages identity management technology to track users across the network. Its appeal is likely to be strongest in organizations that allow multiple users to share computers.
- Device Profile and Control automates the management of devices, including non-administrative devices that are connected to a network, such as manufacturing process control technology, HVAC systems, and medical instruments.
- Behavior Monitoring and Control integrates with intrusion detection and prevention systems and network behavioral analysis tools to track the behavior of users and devices.
Jerry Skurla, vice president of marketing for Bradford, said his company has plenty of customers who were early adopters of NAC and were interested in being on the leading edge of security technology. The next wave of customers is more pragmatic. These potential customers have specific problems they need to solve with NAC, such as guest and contractor access. Other features of NAC are less of a priority. Skurla said Bradford has adapted to this by offering simpler, cheaper products to meet those challenges.
Bear Terburg, manager of network engineering for online discount retailer Overstock.com, said that when he was shopping for an NAC vendor last year, he was simply looking for a technology to handle identity-based access in an open network environment.
"All of the other things we kind of didn't care about during the demo," Terburg said. "We needed to have an open environment."
Terburg selected Bradford over Juniper and Trusted Networks because he felt its product was the most flexible.
"Our CEO wants open communication and collaboration," he said. "He wants everyone to collaborate better. Let's say we have a developer who needs to talk to the people or work with the people who control the servers. The developer, according to PCI, can't have access to user accounts or access to our production credit card processing environment. But they write code that those applications use."
Terburg said he uses Bradford's NAC Director to allow a developer to walk into the room where those server administrators work, log onto a machine in the room, and have access to only what he needs to see in order to collaborate with the administrators. Most of Bradford's other NAC features go unused at Overstock.
Terburg would have adopted Bradford's User Visibility and Control product instead of the company's full-blown NAC solution had it been available last year when he was shopping for a solution, he said. He may still buy a couple of the new appliances for some of his smaller warehouses, he said, as they do not have fast enough WAN connections to take full advantage of his centrally deployed NAC technology.
"What I think is interesting about [Bradford's] approach is they've essentially taken their solution, and through a pricing and packaging exercise, they've carved it up so companies can start with a use case that makes sense for them and scale up to additional use cases as time goes on," Whiteley said. "That's exactly the approach most organizations are taking. They may identify five or 10 different scenarios that they need to do with NAC, but they're only going to start with the first two or three, then expand to more in the next budget year."
Other vendors, such as Cisco and Juniper, have taken a different tack with their NAC solutions, offering scalability options where enterprises can start with small deployments of NAC and expand them to larger deployments within the organization over time. Whiteley said Bradford's approach may be better, but customers will ultimately choose one approach over another depending on how their IT organizations are structured.
Pescatore said Gartner's most recent MarketScope for network access control estimated that the industry generated $225 million in 2007 and would grow to more than $430 million by the end of this year.
The NAC market will start to plateau in a couple of years as enterprises gravitate away from appliance-based NAC products and look into more affordable and scalable approaches, Pescatore said. For instance, Microsoft and Cisco both offer infrastructure-based NAC technologies. Newer Cisco switches and Microsoft's Vista operating system both offer NAC capabilities that can be leveraged as more organizations refresh their switches and their PCs. PC security software vendors like McAfee and Symantec are also offering similar capabilities through their desktop clients. Pescatore said that organizations need only add a policy server to take advantage of these options.
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor