IT executives looking to control access to their networks should have two more options to consider after announcements this week at Interop Las Vegas.
InfoExpress and Vernier Networks are scheduled to introduce network access control (NAC) products that deny or allow network access based on whether users and their machines are qualified, and enforce policies they must follow once they are admitted.
Both companies are coming out with gear that delivers NAC today by adding hardware and software to existing networks but not requiring upgrades to network infrastructure, an expensive and disruptive downside to some other NAC schemes.
A sense of corporate urgency surrounds NAC, as shown by phenomenal sales projections for NAC equipment. Infonetics, for example, expects the market for NAC devices to grow from $323 million last year to $3.9 billion at the end of 2008. That growth is fueled by a desire to get NAC in place quickly, which in most cases means installing NAC appliances in networks, according to Infonetics. "The biggest [growth] is in NAC enforcement appliances, whose share of the market nearly triples," says Jeff Wilson, principal analyst for Infonetics.
Infonetics breaks NAC designs into three components: clients that check end devices for compliance, enforcement points that impose policies and back-end servers that dictate policies to the enforcement points. NAC identifies and authenticates users and machines, ensures machines meet security policies, sets policies based on user and machine status, and grants access to specified resources.
An Infonetics survey recognizes Cisco's Network Admission Control, Microsoft's Network Access Protection (NAP) and the Trusted Computing Group (TCG) consortium's Trusted Network Connect as the three NAC schemes best known among IT executives.
TCG is working on a standardized NAC implementation, while the other two are working on their own architectures with partners. Vernier and InfoExpress are members of TCG, and they support NAP. InfoExpress participates in Cisco's NAC program.
At Interop, InfoExpress is set to announce Dynamic NAC (DNAC), software using existing servers and PCs as enforcement points on a network. Each end device is given a DNAC client that scans the machine to determine whether it meets security policies, including having a patched operating system, current virus-signature libraries and an operating personal firewall.
Whenever a user logs on, the DNAC client scans the machine, reports the results to a DNAC policy server and the machine is given access if it comes up clean. This access or denial is performed by another machine on that network segment - usually a server or PC - that has been designated the enforcer. Using capabilities contained in the DNAC client, the enforcer intercepts all traffic from machines logging on until the policy server confirms they have been cleared. Then the enforcer allows them on the network.
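The admission flow described in the two paragraphs above, reduced to its three roles, as an added illustrative model. This is constructed example code, not InfoExpress's DNAC software: the posture fields, the policy thresholds (signatures no older than seven days, no missing critical patches, firewall running) and the function names are all assumptions chosen to show how a client report, a policy-server decision and a peer enforcer fit together.

```python
"""Illustrative model of a DNAC-style admission flow (constructed example, not
InfoExpress code): the endpoint client reports its posture, the policy server
checks it against policy, and a peer on the segment acting as enforcer only
passes traffic from hosts that have been cleared."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class PostureReport:
    """What the endpoint client reports after scanning the machine (assumed fields)."""
    host: str
    missing_critical_patches: int
    av_signature_date: Optional[date]  # None means no antivirus was found
    firewall_running: bool


@dataclass
class Policy:
    """Admission policy held by the policy server (assumed thresholds)."""
    max_signature_age_days: int = 7
    require_firewall: bool = True


def evaluate_posture(report: PostureReport, policy: Policy, today: date) -> List[str]:
    """Policy-server check: return every failed requirement; empty list means clean."""
    failures: List[str] = []
    if report.missing_critical_patches > 0:
        failures.append(f"{report.missing_critical_patches} critical OS patch(es) missing")
    if report.av_signature_date is None:
        failures.append("no antivirus signatures reported")
    elif (today - report.av_signature_date).days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures older than {policy.max_signature_age_days} days")
    if policy.require_firewall and not report.firewall_running:
        failures.append("personal firewall not running")
    return failures


class Enforcer:
    """The designated peer on the segment. It passes traffic only from hosts the
    policy server has cleared; every other host stays held until it is cleared."""

    def __init__(self) -> None:
        self.cleared: Set[str] = set()
        self.held: Dict[str, List[str]] = {}

    def apply_decision(self, host: str, failures: List[str]) -> None:
        """Record the policy server's verdict; a failed re-check revokes earlier clearance."""
        if failures:
            self.cleared.discard(host)
            self.held[host] = failures
        else:
            self.held.pop(host, None)
            self.cleared.add(host)

    def permit(self, src_host: str) -> bool:
        """Forwarding decision for a packet from src_host."""
        return src_host in self.cleared


def admit(report: PostureReport, policy: Policy, enforcer: Enforcer, today: date) -> bool:
    """One logon: client report -> policy-server check -> enforcer update. Returns True if admitted."""
    failures = evaluate_posture(report, policy, today)
    enforcer.apply_decision(report.host, failures)
    return not failures


def run_demo() -> Dict[str, bool]:
    """Constructed sample reports; returns each host's admission result plus a re-check."""
    today = date(2006, 5, 1)  # constructed reference date
    policy = Policy()
    enforcer = Enforcer()
    reports = [
        PostureReport("pc-clean", 0, today - timedelta(days=1), True),
        PostureReport("pc-stale-av", 0, today - timedelta(days=30), True),
        PostureReport("pc-no-fw", 0, today, False),
        PostureReport("pc-no-av", 2, None, True),
    ]
    results = {r.host: admit(r, policy, enforcer, today) for r in reports}
    # The stale host updates its signatures and logs on again: it is now cleared.
    remediated = PostureReport("pc-stale-av", 0, today, True)
    results["pc-stale-av-after-update"] = admit(remediated, policy, enforcer, today)
    return results


if __name__ == "__main__":
    for host, admitted in run_demo().items():
        print(f"{host}: {'admitted' if admitted else 'held'}")
```

The point the model makes is the one the article stresses: the enforcer is an ordinary peer and holds a host by its clearance state alone, so a host that fails a later re-check loses access without any switch or appliance being reconfigured.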
Other NAC architectures place enforcement in access switches or in dedicated appliances, says Eric Ogren, an analyst with the Enterprise Strategy Group. "With DNAC, you don't upgrade your network by putting more iron into your network. It's using what's in the network already," he says.
DNAC is a feature of InfoExpress's 5.0 software for its CyberGatekeeper Server NAC software and its CyberGatekeeper Policy Manager software. DNAC costs $49 per seat and is scheduled to be available July 1.