Today's highly mobile workforce, along with a plethora of new tech gadgets and access to the Internet from anywhere, has raised the security stakes for corporate networks. Laptops, PDAs and cell phones were just the beginning. The number of network threats has increased exponentially, with VoIP phone capabilities, Web access from hotels, dorm rooms, airports and coffee shops, and even internal sabotage.
Network Access Control (NAC), a set of technologies that aim to ensure that only authorized users with fully patched and virus-protected hardware can access corporate resources, is more important than ever—not just for outside guests gaining access to internal networks, but for employees who have no business in the company's more data-sensitive systems.
A full NAC cycle solution includes pre-admission inspection and post-admission monitoring, a policy decision and enforcement point, and a method of quarantine and remediation for noncompliant machines. When a user requests access, the machine is checked and, if found to be compliant, it is allowed to access the network. Post-admission monitoring will ensure that the user stays compliant by entering the assessment/decision/enforcement process again periodically. If the user is found to be noncompliant, NAC solutions should offer a means of quarantine and remediation to bring the user into compliance. The user should then be allowed to access the network, once again under post-admission monitoring.
NAC roadblocks
Adoption of NAC solutions has been slow. The realities of the economy are starting to hit NAC, according to market analysis firm Infonetics. The firm’s estimate of the market for NAC enforcement appliances has shrunk based on its most recent numbers. Last year at this time, the firm’s prediction was for $670 million in worldwide revenues for the appliances by 2010. But based on new results, the number has been changed to $534 million by 2011.
“The NAC market is struggling with adoption when defined in terms of the pure access control. Customers are generally unprepared to rip out network infrastructure and take on huge disruption and cost to advance their authentication on connection. This combined with budgetary constraints is limiting the adoption of this market in the mainstream,” says Michelle Rae McLean, Sr. Director, Product Marketing, ConSentry Networks.
Mohammed Arif, Product Manager, Server & Tools, Microsoft Gulf, offers a different perspective: “NAC technology has gone through many iterations over the past few years, becoming more mature and easier to adopt. Customer adoption historically has been hampered by confusion about NAC requirements, technologies and policies, though customers understand the benefits clearly. You have seen vendors like Microsoft and Cisco collaborate to address interoperability concerns that customers might have. And the industry has begun to standardize on a select number of NAC architectures, and you’ll see more standardization and interoperability efforts moving ahead. We also see a shift from traditional infrastructure and appliance-based solutions to software-based solutions. Regulation, compliance and security concerns remain the primary drivers for adoption.”
Gartner Research Director Lawrence Orans says there are three issues causing network managers to delay deployment of network access control solutions.
“People tell us they think the technology is too immature,” Orans says, but that's not entirely true. “There are some very strong proven solutions from small companies, and you have some of the big players out there making the biggest noise.” For starters, Microsoft in February began shipping its Network Access Protection (NAP) solution with Windows Server 2008.
“It is a product and a framework,” says Robert Whiteley, a senior analyst at Forrester. “The framework has been around, so there are bits and pieces” that companies have been deploying, but they couldn't fully commit until now, he says.
Cisco's Network Admission Control solution has also been released but hasn't lived up to some analysts' and users' expectations. “That combination of events has caused people to view the technology as not mature,” Orans adds, but it has also created a window of opportunity for the little guys.
Last year was a turning point for NAC, however. The standards battles appear to have been resolved, and everything looks like it's falling into place. Customers apparently decided to wait for Microsoft to deliver its NAC products – and that left many third-party vendors out in the cold. A lot of them went under, including Caymas Systems and Lockdown Networks.
And because Network Access Protection (NAP, Microsoft's version of NAC) comes with Vista and Windows Server 2008, deciding to go with Microsoft has become a no-brainer for many customers. NAP represents a clear choice, rather than a technology that requires extensive research, RFPs, product tests and evaluations, and so forth.
Another important development has been the collaboration between Microsoft and Cisco. Microsoft and Cisco understand customers' needs for interoperability and have collaborated to enable rich interoperability between the Cisco Network Admission Control (NAC) and Microsoft Network Access Protection (NAP) solutions. This interoperability will allow customers to realize the benefits of both NAC and NAP while using and preserving their investments in their NAC network and Microsoft NAP desktop and server infrastructure. Customers now have a choice between Cisco NAC, Microsoft NAP, or the interoperable solution from both companies.
The joint architecture allows communication and policy enforcement across Cisco NAC and Microsoft NAP, enabling an end-to-end solution to be built around the Cisco and Microsoft interoperability. Technology partners of the Microsoft NAP and Cisco NAC ecosystems can also refer to the joint architecture for building solutions that work within the joint framework. Microsoft has also announced interoperability agreements with TCG's Trusted Network Connect (TNC) architecture and Nortel’s Secure Network Access (SNA).
Whither NAC?
This year the questions for customers will be where do we deploy NAC, and how many NAC features do we turn on? Most customers today are using NAC just to control guest access. That's important, but the technology can do more.
NAC for guest access control is of course useful, but it is also the more expensive and difficult problem to solve. In most organizations, greater value comes from post-admission assessment and measurement of risk. Most businesses start off wanting to solve guest access control but end up focusing further on the managed estate to secure additional value. As technology in the infrastructure matures, we will see more aggressive use of pre-admission checks and integration of the endpoint agent.
On the pre-admission side, it can scan user devices, determine whether they are clear of viruses, check to see if patches have been updated and quarantine the device if security conditions aren't met. NAC allows administrators to set rules that computers wishing to access the network must adhere to, meaning the policies structure all network activity. “NAC continuously assesses computers, on or off the network, to ensure compliance with an organisation’s security policy. If a contractor or employee's computer, for instance, does not comply with the company's IT policy, access to the network is not granted,” says Dr Kamel Hues, Senior Business Development Manager MEA, Sophos.
On the post-admission side, it can make sure that a clean machine remains that way, and that users access only those parts of the network to which they have authorization.
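The assessment/decision/enforcement loop described above, with quarantine, remediation and periodic post-admission re-checking, can be modelled as a small policy engine. The following is an added example written for this article; it is not code from Microsoft, Cisco, Sophos or any NAC product. The posture fields, policy thresholds, role-to-VLAN mapping and check names are all constructed for illustration.

```python
"""Toy NAC policy decision point (added example; constructed names and thresholds).

Models the NAC cycle: pre-admission assessment of an endpoint's health
statement, a policy decision, enforcement by VLAN assignment, quarantine
with remediation for noncompliant machines, and post-admission re-assessment.
"""
from dataclasses import dataclass, replace
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"              # compliant: access according to the user's role
    QUARANTINE = "quarantine"    # noncompliant: remediation network only
    DENY = "deny"                # unknown role: no access at all


@dataclass(frozen=True)
class Posture:
    """Endpoint health statement as an agent would report it (constructed fields)."""
    os_patch_age_days: int
    av_installed: bool
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool


@dataclass(frozen=True)
class Policy:
    """Hypothetical organisational thresholds the decision point enforces."""
    max_patch_age_days: int = 30
    max_signature_age_days: int = 7
    require_firewall: bool = True
    reassess_interval_s: int = 300   # how often post-admission checks re-run


# Constructed role -> VLAN mapping: each role only reaches its own segment.
ROLE_VLANS = {"employee": "corp-vlan", "contractor": "contractor-vlan", "guest": "guest-vlan"}
QUARANTINE_VLAN = "remediation-vlan"


def assess(posture: Posture, policy: Policy) -> list[str]:
    """Return the names of the failed checks; an empty list means compliant."""
    failures = []
    if posture.os_patch_age_days > policy.max_patch_age_days:
        failures.append("os-patches-stale")
    if not posture.av_installed:
        failures.append("av-missing")          # no point checking signatures
    else:
        if not posture.av_running:
            failures.append("av-not-running")
        if posture.av_signature_age_days > policy.max_signature_age_days:
            failures.append("av-signatures-stale")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("firewall-disabled")
    return failures


def decide(role: str, posture: Posture, policy: Policy) -> tuple[Decision, str, list[str]]:
    """Policy decision point: (decision, VLAN to enforce, reasons)."""
    if role not in ROLE_VLANS:
        return Decision.DENY, "none", ["unknown-role"]
    failures = assess(posture, policy)
    if failures:
        return Decision.QUARANTINE, QUARANTINE_VLAN, failures
    return Decision.ALLOW, ROLE_VLANS[role], []


def remediate(posture: Posture, failures: list[str]) -> Posture:
    """Simulated remediation server: fix exactly what the assessment flagged."""
    fixed = posture
    if "os-patches-stale" in failures:
        fixed = replace(fixed, os_patch_age_days=0)
    if "av-missing" in failures or "av-not-running" in failures:
        fixed = replace(fixed, av_installed=True, av_running=True)
    if "av-signatures-stale" in failures:
        fixed = replace(fixed, av_signature_age_days=0)
    if "firewall-disabled" in failures:
        fixed = replace(fixed, firewall_enabled=True)
    return fixed


def admission_cycle(role: str, posture: Posture, policy: Policy, max_rounds: int = 3):
    """Assess, decide, enforce; on quarantine, remediate and re-enter the cycle.

    Returns the audit trail of (decision, vlan, reasons) plus the final posture.
    The same function serves post-admission checks: call it again every
    policy.reassess_interval_s seconds with the endpoint's current posture.
    """
    trail = []
    for _ in range(max_rounds):
        decision, vlan, reasons = decide(role, posture, policy)
        trail.append((decision, vlan, reasons))
        if decision is not Decision.QUARANTINE:
            break
        posture = remediate(posture, reasons)
    return trail, posture


if __name__ == "__main__":
    policy = Policy()
    stale = Posture(os_patch_age_days=45, av_installed=True, av_running=True,
                    av_signature_age_days=2, firewall_enabled=True)
    trail, healthy = admission_cycle("contractor", stale, policy)
    for step in trail:
        print(step)
    # Post-admission drift: the user stops the AV service after being admitted.
    drifted = replace(healthy, av_running=False)
    print(decide("contractor", drifted, policy))
```

The trail is what an administrator would want logged: the constructed stale contractor laptop is quarantined for `os-patches-stale`, remediated, and then admitted to `contractor-vlan`; the post-admission re-check of the drifted posture sends it straight back to the remediation VLAN for `av-not-running`.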
What type of product fits your company?
Users also face the choice among various approaches to NAC. These choices can generally be grouped into architecture-based options, software-only solutions, and appliances. Research analyst Chris Rodriguez at Frost & Sullivan offers advice for evaluating these NAC choices according to the buyer's company size and type of business.
Organizations that require the highest levels of security should investigate architecture options, Rodriguez says. “It provides comprehensive end-to-end security,” he says. It also allows flexibility in deployment. It can be rolled out in pieces according to budget, time, testing requirements and geographic constraints. The solution also scales easily. “They scale in direct relationship to the size of the network” because it's part of the network infrastructure, he adds.
Appliances have a good pricing advantage over infrastructure solutions, especially for smaller organizations. A single point device makes it easy to implement and maintain, Rodriguez says. But there are limits to how many users the device can support. The number varies from 2,000 to 4,000 users per box. “That makes scalability something that you should consider,” he says. Also, in-line devices represent a single point of failure. “So definitely use redundant boxes, but that increases the cost.” An out-of-band device eliminates that problem.
Endpoint agents or software are appropriate for all company types. Leading vendors include Symantec, McAfee, and London-based Sophos.
“You really need two products,” Whiteley says. Deploy a software agent on all company machines, and deploy an appliance to handle pre- and post-admission activities to patrol all guest machines, he adds. Most importantly, the two products need to communicate with each other—which isn't hard to do.
Major vendors have pledged to work with standards groups like Microsoft's Network Access Protection and the Trusted Network Connect specification set up by the Trusted Computing Group (TCG) for interoperability. Deploying NAC security points on both ends of the network spectrum will improve the chances of having a safe network.
“If you're investing in patch configuration management or other security tools, they're only as good as they are widely deployed and correctly configured,” Langston adds. “Users have suspicions about whether that's why their laptops are slow, and they may disable these products from time to time. With NAC you can ensure that these things don't happen and that you're covered.”
Though potential NAC use may have become confused by the marketing din generated by many vendors, what is for sure is that NAC is slowly emerging as a ‘must-have’ security solution for companies looking to ensure compliance with external industry and regulatory standards, or with their own internal security policy.