All conspiracy theorists worth their salt have one thing in common: A certainty that far-reaching and insidious forces are conspiring, molding events to suit their nefarious aims.
That about sums up the NAC market.
The number of players in this intrigue has exploded from a handful a few years ago to upwards of 35 today. And it's not just infrastructure gear vendors, though Cisco Systems and its rivals are well represented. From AirMagnet to Vernier, and of course Microsoft, everyone wants a piece of your security budget, and they're not above forming convenient alliances to get it.
And no wonder: Worldwide manufacturer revenue for NAC (network access control) enforcement products will grow to $3.9 billion by 2008 from $323 million last year--that's more than 1,100 percent growth, according to a recent Infonetics Research survey. Our own reader poll shows that more than half of organizations surveyed already deploy some form of NAC. Most start with a targeted scope, such as regulating network access to guest users, mobile laptops and wireless hosts.
If vendors have their way, those modest use cases will spread like a bootleg X-Files clip at a UFO convention.
The high number of enterprisewide deployments we saw in our poll was surprising until we dug a bit deeper and discovered that the bulk of these respondents are in government or financial services, where compliance with regulations is a powerful driver.
That many IT groups are starting with limited deployments around wireless, remote access and mobile laptops is no surprise, to us or to NAC vendors. They smell big future contracts and have been targeting marketing dollars and sales pitches to pain points that give IT serious agita. Guest contractors and consultants need to connect to your network, and saying no is rarely an option.
Get Framed
The big news in NAC is the move toward frameworks, by both vendors and standards bodies. Frameworks should let IT combine products from multiple vendors through such integration points as APIs and common protocols. How important is it that a NAC product adhere to a standardized framework? Very, according to our reader poll. But demand for any one particular framework isn't evident, indicating that a leader has yet to emerge.
Not for lack of trying. Three main NAC frameworks--Cisco Systems' Network Admission Control (CNAC), Microsoft's Network Access Protection (NAP) and the Trusted Computing Group's Trusted Network Connect (TCG/TNC)--are vying for attention and generating more plot twists than a Desperate Housewives story line. Cisco and Microsoft have joined forces with the NAC/NAP Interoperability Architecture; Microsoft is on the record as committed to aligning NAP with specifications from the TCG; and Cisco has joined other vendors, including Juniper Networks, on the IETF Network Endpoint Assessment BoF (birds of a feather). If formed into a working group, the NEA BoF will attempt to unify the competing standards.
For now, the Cisco/Microsoft Interoperability Architecture has an edge simply because of the market clout these two giants wield. TCG/TNC, on the other hand, is the "everyone but Cisco" contingent--and that everyone includes Microsoft, which is hedging its bets.
The IETF may have a say in the outcome ... if the NEA BoF makes it to working group status and can unify the competing standards. We're hopeful the NEA BoF will be approved as a working group and that its standards will be adopted by the industry. But those are big "ifs." Only enterprise demand drives vendors to implement standards.
Dissecting The Frameworks
The premise is simple, whether you call it network access control, network admission control, network access protection, network node validation or Trusted Network Connect. These systems grant access to the network based on factors such as host assessment, host and user authentication, patch level, location, and even time of day.
Feature sets have evolved, though: In early NAC products from vendors like Sygate, acquired by Symantec, and Zone Labs, acquired by Check Point Software Technologies, assessment was accomplished through an agent on the host. Now, NAC products use a wider variety of host posture data points--including antivirus and antispam status, patch levels, firewall status and policy, authentication, logged-in users, access methods and location as defined by IP address--to make assessments. Similarly, the early enforcement model, handled through an inline gateway, has morphed into an array of enforcement strategies, including inline, out-of-band and host-based (see "Enforcement Taxonomy").
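As an added illustration of the assess-then-enforce model described above (not code from any NAC product or framework named in this article), the following Python sketch evaluates a hypothetical host posture report against a policy and returns an allow, quarantine or deny decision; the posture fields, thresholds and trusted network range are all assumed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import time
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"            # full network access
    QUARANTINE = "quarantine"  # remediation VLAN only
    DENY = "deny"

@dataclass
class Posture:  # one host's posture report; fields mirror the data points listed above
    user_authenticated: bool
    av_running: bool
    av_signature_age_days: int
    firewall_enabled: bool
    patch_level: int
    source_ip: str
    login_time: time

@dataclass
class Policy:  # assumed thresholds for the example
    min_patch_level: int = 42
    max_signature_age_days: int = 7
    trusted_nets: list = field(default_factory=lambda: [ipaddress.ip_network("10.0.0.0/8")])
    business_hours: tuple = (time(7, 0), time(20, 0))

def assess(posture, policy=Policy()):
    """Return (decision, reasons): a missing report fails closed, identity/location/time failures deny, health failures quarantine."""
    if posture is None:
        return Decision.DENY, ["no posture report received"]
    if not posture.user_authenticated:
        return Decision.DENY, ["user not authenticated"]
    ip = ipaddress.ip_address(posture.source_ip)
    if not any(ip in net for net in policy.trusted_nets):
        return Decision.DENY, [f"{posture.source_ip} is outside trusted networks"]
    start, end = policy.business_hours
    if not start <= posture.login_time <= end:
        return Decision.DENY, ["login outside permitted hours"]
    reasons = []  # collect every health failure so the user can fix them all at once
    if not posture.av_running or posture.av_signature_age_days > policy.max_signature_age_days:
        reasons.append("antivirus stopped or signatures stale")
    if not posture.firewall_enabled:
        reasons.append("host firewall disabled")
    if posture.patch_level < policy.min_patch_level:
        reasons.append(f"patch level {posture.patch_level} below required {policy.min_patch_level}")
    return (Decision.QUARANTINE, reasons) if reasons else (Decision.ALLOW, [])

HEALTHY = Posture(True, True, 2, True, 45, "10.1.2.3", time(9, 30))   # constructed: compliant host
STALE = Posture(True, True, 30, False, 45, "10.1.2.3", time(9, 30))   # constructed: needs remediation
```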