Microsoft is winning the NAC war, expert says

Why Microsoft is doing it right, ACLs are better than VLANs and the dirty dark corner of NAC (management).
By Julie Bort, Network World, 05/06/2008
Joel Snyder Opus One

Security guru Joel Snyder from Opus One recently starred as the guest of a live Network World chat where he discussed the state of network access control. Snyder says that Microsoft is emerging as one of the clear winners of NAC, but that Microsoft's technology is a foundation from which to build, not an end-all. He also says that those who are anti-NAC simply don't understand the technology. He answered a slew of technical questions from attendees including why ACLs are better than VLANs, the dirty dark corner of NAC (management) and the how and why of 802.1X. What follows is a full transcript.

Moderator-Keith: Please welcome security guru Joel Snyder, a senior partner with consulting firm Opus One from Tucson, Ariz., and member of the Network World Lab Alliance. Today's chat will focus on the facts and fictions about NAC, answering questions about what NAC products can and cannot do, including integration with wireless, technology shortcomings, plug-ins and more.

Joel_Snyder: Keith, it's great to be here!

Moderator-Julie: While waiting for Joel to type up answers to the first questions rolling in, here's a pre-submitted question: You just got back from Interop Labs with a lot of NAC testing. What are the most interesting things you learned?

Joel_Snyder: Thanks for asking! I'll put in a pitch for the Interop Labs NAC resource Web site (http://www.opus1.com/nac/). That has a bunch of our white papers (about 13 of them), all of our device configurations, classes on NAC, and basically about 90 MB of stuff that we've gathered and learned about NAC. The really interesting thing we noticed is that things are finally beginning to converge. We ran a nice little graphic (click on the "Click to see" diagram) in NWW last week talking about the family trees, and the key is that people seem to be willing to let Microsoft take a leading role in NAC. So we really focused on that: what comes built-in with XP SP3 and Vista? And then how do you extend things if you don't like what's built-in? We definitely had other policy decision points besides MS NPS---Cisco, Avenda Systems, Juniper, and Radiator, plus FreeRADIUS sort-of. Even on the client side, there are interesting things. For example, you can add more system health agents/verifiers, or you can go for other supplicants, or you can do non-Windows or pre-XPSP3 operating systems, or you can worry about other devices, like cameras and VoIP phones and printers. What we ended up with was about a dozen demonstrations, all showing what you need for a complete NAC solution. And it really focused on "let's start with Microsoft and work out from there." Much more satisfying than trying to have three silos like we've done in the past that don't work together. [Editor's note: Also check out Network World's NAC Buyer's Guide which compares dozens of NAC products.]

Brian: I've been asked to investigate .1x for port-based authentication. I have reservations recommending this for production use because of the mixed clients on our 1,000-node LAN (Macs running 10.4 and 10.5, PCs with Windows 95 to Vista). I think support would turn into a nightmare, plus I don't know of anyone using .1x. What are your thoughts?

Comments (3)

Microsoft NAP is good for Cisco
By Cisco Subnet on May 7, 2008, 1:46 pm
Writing for Network World http://www.networkworld.com/chat/archive/2008/050608-nac-chat-joel-snyder.html, security consultant Joel Snyder cedes the advantage in...


microsoft nac
By Anonymous on July 17, 2008, 10:57 am
It's not even here and it's the saviour? How about current successful software NAC deployments? Might be a good place to start looking...


RalphSam2:
By Anonymous on July 17, 2008, 3:00 pm
Contact Sophos and see what successful NAC deployments look like.
