Why can't we all play NAC nicely?

This week, we've released the findings of the industry's most in-depth, hands-on evaluation of network access control gear available today.

Network World Lab Alliance member Joel Snyder tested how adequately NAC products work together to limit network access for endpoints that don't meet policy requirements. Each of these products (more than 30 in all) was running in an environment defined by the Cisco-controlled CNAC architecture or the more standards-based NAC plan championed by the Trusted Network Connect (TNC) working group of the Trusted Computing Group (TCG).

With a test like this it is tempting to trot out headlines such as "The great NAC smack-down: Cisco vs. every other vendor."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

This week, we've released the findings of the industry's most in-depth, hands-on evaluation of network access control gear available today.

Network World Lab Alliance member Joel Snyder tested how adequately NAC products work together to limit network access for endpoints that don't meet policy requirements. Each of these products (more than 30 in all) was running in an environment defined by the Cisco-controlled CNAC architecture or the more standards-based NAC plan championed by the Trusted Network Connect (TNC) working group of the Trusted Computing Group (TCG).

With a test like this it is tempting to trot out headlines such as "The great NAC smack-down: Cisco vs. every other vendor."

But as reader advocates, we need to be encouraging Cisco and TNG (as well as Microsoft, which has yet to finalize its NAC plans) to work on a single interoperable NAC architecture.

"This is not a case where the industry is better off with competition and choice," Snyder says. "We can have plenty of choice within a standards-based framework. We just want NAC products that can work cooperatively."

To that end, here are some points NAC players need to take to heart:

* Cisco's customers would be best served if the company concentrated its NAC efforts on transforming its infrastructure gear into state-of-the-art enforcement points.

* Microsoft, as the owner of the client world, should immediately jump in with TCG/TNC on a single means of incorporating clients into the NAC fold. Likewise, Microsoft should not insist on rolling out a NAC policy server that runs only on Windows.

* TCG/TNC needs to revisit its tight-lipped communications policy pertaining to future developments in its architecture.

At the end of two months of testing NAC products, Snyder concluded that for very simple NAC deployments, either CNAC or TCG/TNC NAC pass muster. However, both fall short of the mark if an enterprise wants to move beyond Windows XP endpoints and virtual LAN quarantines.

If NAC is going to make it to the next level where it can support non-Windows clients and devices, and segment access based on more sophisticated mechanisms, such as stateful firewalls, we need to see more cooperative industry effort from market leaders that have a lock on the network infrastructure market, start-ups with the agility to introduce innovative software-based approaches to the problem, and industry groups claiming to hold the collective customer's interest at heart.

Read more about security in Network World's Security section.