
NAC in Interop spotlight

Network access control appliances are gaining steam, experts and vendors said. And with the focus on security turning to the network level, NAC is also becoming a necessity.

NEW YORK -- The line between security and the network is blurring and many in IT are being forced to wear two hats to keep their networks free from attacks.

And at Interop yesterday, that shift was evident, as several vendors and industry experts outlined the need to add appliances that protect from worms, viruses, Trojan horses, hackers and other malicious onslaughts at the network level.

Welcome to the era of network access control.

"Going forward, we'll be seeing a shift in focus from threat protection to security design," said Paul Stamp, analyst with Cambridge, Mass.-based Forrester Research Inc. "Security will be built into our network technology so that it's secure from the ground up. Network access control and quarantining mechanisms are a step in that direction."

Essentially, network access control restricts who can get onto the network and what they can do once connected. It uses authentication and corporate security policies to dictate where users can go and what information they can access, while also scanning for the appropriate antivirus software and other network threat protection.

While the big boys, Cisco Systems Inc. and Microsoft, are major players in the network access space, other smaller vendors are starting to make waves.

Lockdown Networks Inc. today rolled out its NAC appliance, version 4.1, which works at the switch level to make access decisions based on device health, time, date, user and group information. Senior product manager Bryan Nairn, of Seattle-based Lockdown, said the appliance controls network entry and continually checks to make sure linked devices are in compliance with the latest software and updates.

Similar to Cisco's NAC framework, users are quarantined if anything on their device is amiss. From there, they are offered remediation and not allowed onto the network until the problem is fixed.

"It keeps out viruses and protects against unauthorized access," Nairn said. What sets Lockdown apart, he said, is that version 4.1 supports several modes of authentication, not just 802.1x.

Another vendor planting its foot in the NAC space yesterday was Vernier Networks, which offers a single, agentless, vendor-agnostic appliance. Unlike Cisco, the Mountain View, Calif.-based vendor's EdgeWall Rx network access management appliance sits in-line on the network.

Ranjeet Sonone, product manager with Vernier, summed the EdgeWall Rx up this way: "You send a bad packet to us and we drop it."

Like Lockdown 4.1, EdgeWall authenticates and continues with periodic device checks to ensure users and devices are still in compliance.

"Now you have a machine to make sure every device that accesses that network is compliant," Sonone said. EdgeWall also features a browser-based notification of quarantine and, like Lockdown, allows network administrators to set their own security and compliance policies based on several criteria, including user, device and role.
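The admission flow the vendors describe above (an access decision driven by device health, user, group and time; quarantine with a remediation hint when something is amiss; periodic re-checks of devices already on the network) can be modelled in a few dozen lines. The following is an added illustration written for this article, not code from Lockdown, Vernier or Cisco. The policy thresholds, group access windows, host names and posture values are all constructed for the example.

```python
"""Toy NAC policy engine: admission by posture, user group and time window,
with quarantine plus remediation reasons and periodic re-evaluation.
All data below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class DevicePosture:
    host: str
    av_signature_version: int   # constructed: higher means newer signatures
    patch_level: int            # constructed: highest applied patch set
    firewall_enabled: bool


@dataclass
class Session:
    user: str
    group: str
    posture: DevicePosture


@dataclass
class Policy:
    min_av_signature: int
    min_patch_level: int
    require_firewall: bool = True
    # group -> (earliest, latest) time of day the group may be on the network
    group_windows: dict = field(default_factory=dict)


@dataclass
class Decision:
    verdict: str      # "ALLOW", "QUARANTINE" or "DENY"
    reasons: list     # remediation hints shown to the user when quarantined


def evaluate(session: Session, policy: Policy, now: datetime) -> Decision:
    """Decide what a device may do right now. Identity and time gates come
    first (DENY); posture failures lead to QUARANTINE with fix-it reasons."""
    window = policy.group_windows.get(session.group)
    if window is None:
        return Decision("DENY", [f"group '{session.group}' has no network entitlement"])
    start, end = window
    if not (start <= now.time() <= end):
        return Decision("DENY", [f"group '{session.group}' not permitted at {now.time():%H:%M}"])

    p = session.posture
    reasons = []
    if p.av_signature_version < policy.min_av_signature:
        reasons.append(f"antivirus signatures {p.av_signature_version} older than "
                       f"required {policy.min_av_signature}")
    if p.patch_level < policy.min_patch_level:
        reasons.append(f"patch level {p.patch_level} below required {policy.min_patch_level}")
    if policy.require_firewall and not p.firewall_enabled:
        reasons.append("host firewall disabled")
    return Decision("QUARANTINE", reasons) if reasons else Decision("ALLOW", [])


def recheck(sessions, policy: Policy, now: datetime) -> dict:
    """Periodic sweep: re-evaluate every connected session, host -> verdict."""
    return {s.posture.host: evaluate(s, policy, now).verdict for s in sessions}


# Constructed sample policy and sessions.
SAMPLE_POLICY = Policy(
    min_av_signature=4120,
    min_patch_level=17,
    group_windows={
        "staff": (time(0, 0), time(23, 59, 59)),
        "contractor": (time(8, 0), time(18, 0)),
    },
)
SAMPLE_SESSIONS = [
    Session("alice", "staff", DevicePosture("ws-01", 4125, 17, True)),
    Session("bob", "staff", DevicePosture("ws-02", 4098, 17, True)),       # stale AV
    Session("carol", "contractor", DevicePosture("lt-07", 4125, 18, True)),
    Session("dave", "guest", DevicePosture("lt-09", 4125, 18, True)),       # no entitlement
]


def run_demo(hour: int = 20, minute: int = 30) -> dict:
    """Evaluate every sample session at a constructed clock time; host -> Decision."""
    now = datetime(2024, 1, 15, hour, minute)   # constructed date
    return {s.posture.host: evaluate(s, SAMPLE_POLICY, now) for s in SAMPLE_SESSIONS}


def simulate_drift() -> tuple:
    """Admit ws-01, then disable its firewall and re-check, as a periodic
    sweep would. Returns (verdict before, verdict after)."""
    now = datetime(2024, 1, 15, 9, 0)
    s = SAMPLE_SESSIONS[0]
    before = recheck([s], SAMPLE_POLICY, now)[s.posture.host]
    s.posture.firewall_enabled = False
    after = recheck([s], SAMPLE_POLICY, now)[s.posture.host]
    s.posture.firewall_enabled = True   # restore so the demo is repeatable
    return before, after


if __name__ == "__main__":
    for host, d in run_demo().items():
        print(host, d.verdict, "; ".join(d.reasons))
    print("drift:", simulate_drift())
```

The split between DENY and QUARANTINE matters operationally: a device outside its entitlement gets no network at all, while a known user on an unhealthy device is placed where it can reach remediation (patch and signature servers) and nothing else, which is what the browser-based quarantine notice described above is for. The `recheck` sweep is what turns a one-time gate into continuous compliance, since a device that was clean at admission can fall out of policy minutes later.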

But John Stier, telecommunications and networking director for Stony Brook University in New York, wasn't sold on NAC as a viable solution for his network security woes.

"I'm not convinced," he said. "Quite frankly, we're dealing with an unsolvable problem."

Stier explained that NAC may be fine for a corporation, but on a university network that handles tens of thousands of varying devices this technology approach is simply not plausible.

"We're dealing with computers that are not centrally managed and not uniform," he said. "Those machines could have anything under the sun on them, and they probably do."

Though Stier admits that a NAC appliance would be beneficial, he can't picture any realistic way he could deploy it. Stier said he feared forcing students into compliance-based access would create droves of privacy and support issues that his staff just couldn't handle. Plus, he added, catching one infected device out of thousands is a tough feat.

"If you have a room full of 100 people and one has the flu, how do you catch him?" he asked.

Despite Stier's protests, experts said NAC appliances are going to be a necessity within the next year. Chris Christiansen, vice president of security products and services for Framingham, Mass.-based research firm IDC, forecasted that by 2008, 80% of all security products will be network appliance-based.

"Once an unhealthy device connects to a LAN and immediately injects something malicious, it's over," he said.

During his discussion "Network Security: Two Worlds Collide," Christiansen said Trojan horses, viruses and worms will pose a serious threat for the foreseeable future, while spyware attacks will continue to flourish. He said protecting the network from unwelcome or infected devices is imperative and NAC is a big part of it.

"If you think it's bad now," he said, "it's going to get incredibly worse."
