NAC enforcement appliance revenue dropped 32% from the third quarter to the fourth quarter of 2008. Then it declined an additional 7% in the first quarter of 2009, Infonetics Research announced.
In his research note on the numbers, Infonetics' principal analyst Jeff Wilson described the recent market numbers in the NAC industry as a "bloodbath" that was felt directly by every NAC vendor in the market.
But NAC spending is expected to bounce back, he said, with double-digit percentage growth annually from 2010 to 2013. Despite the ugly end to 2008, NAC spending actually rose by 50% on the year to $221 million, according to Gartner vice president John Pescatore.
In fact, NAC spending outpaced spending in the broader network security appliance and software market in the first quarter. While NAC spending dropped by 7%, overall security spending shrank by 16%, according to Infonetics.
Infonetics also asked enterprises whether the recession would force them to cut NAC spending in 2009 and 2010. Nearly 60% said it would not.
Networking pros still question the importance of network access control
And yet, there remains some confusion among networking pros about what NAC technology can do.
Pescatore just returned from the annual Gartner Information Security Summit, where many attendees told him that no one is doing NAC, but they all want to know how they can allow unmanaged PCs to connect to their networks and stay secure. "That is NAC," Pescatore wrote in a recent blog entry.
"I think Gartner actually coined the term 'network access control' about six years ago," he said. "Before that, we'd been calling it 'scan and block.' It was the idea that if someone connects to you with a worm, keep them off the network. That's what NAC stood for back in 2001 and 2003. Once worms went away, in people's minds NAC was still scan and block. And it was, 'Oh, wait a minute. I'm going to keep people off the network because they're missing a patch? I'll get creamed. That will disrupt the business.'"
Guest networking and security baselining bring back network access control
Today, NAC is not about scanning and blocking, Pescatore said. Instead, it is more about guest networking and establishing a baseline security posture for managed and unmanaged devices on the network. There is a huge increase in demand for guest networking capabilities in enterprises today, he said. Employees are starting to demand the ability to connect their personal devices to the network as well. This is where NAC can solve problems for the enterprise.
"For a successful deployment of NAC, first you've got to get guest networking working. You need to be able to detect when someone connects to your network because a lot of people can't even do that yet," Pescatore said. "Once you detect when someone connects to your network, you need to make a simple decision: Is it one of my machines or not? Get that working, get it stable, and that's guest networking."
The next step in NAC is baselining, he said. Networking professionals should use NAC to determine the security status of machines connecting to the network.
"Invariably, at this stage, people start finding out that, 'Gee, 40% of my PCs connecting to the network aren't compliant or are missing patches, or antivirus is turned off, or the personal firewall isn't there,'" he said. "You can't block 40% of your workforce from getting onto the network. So you've got to go fix the process and figure out why you're so much worse off than you thought you were. Once that's done, then you can start selective blocking and access control."
The ways in which networking professionals can introduce NAC to an enterprise are evolving, too. Standalone NAC appliances are now competing with infrastructure-based NAC features built into network switches from vendors like ConSentry and Cisco. Endpoint security vendors like Symantec and McAfee are also introducing the technology to desktops. Cisco and Aruba are introducing NAC-like features to wireless LAN technology, since WLAN is so often used for guest networking.
"When we did a market note a couple of years ago, we said 2010 would be the year that NAC as a standalone market would start to flatten because more NAC features would be built into your switches and endpoint software," Pescatore said. "We think it will morph so that a couple of years from now we won't even be calling it 'network access control.' We'll be calling it 'identity-aware networks' or something like that."
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor