Technology that scans PCs before they are allowed network access will take another two years to mature, according to speakers at an Interop session Monday.
Even SSL VPN vendors, who already supply a version of this endpoint-checking software, acknowledge it has a way to go before it is fully featured and flexible, network executives were told at the SSL VPN Day session.
"It's relatively early in the development of that technology," says Reggie Best, vice president of marketing for AEP Networks, which makes SSL VPN equipment. "There's a lot of work that needs to be done on that."
This endpoint scanning technology is part of a broader trend toward network access control (NAC) - security architectures that check whether computers trying to gain access to networks meet corporate security requirements. These requirements can range from having a personal firewall installed, to having a properly patched operating system, to having antivirus software running in conjunction with an updated virus signature library.
The best known efforts in this area are from Cisco (called network admission control or NAC), Microsoft (network access protection or NAP) and Trusted Computing Group (trusted network connect or TNC). "Here's a prediction," says Joel Snyder, senior partner in technology consulting firm Opus One and a member of Network World's Clear Choice Alliance, who ran the Interop SSL VPN Day, "endpoint checking won't ultimately be in the VPN box. It will be in a NAC box. There will be just a thin layer of endpoint checking [in the SSL VPN gateway] that punts off to policies that are defined on a different box."
This makes sense, Snyder says, because NAC is properly considered part of desktop management, and central control of desktop security creates tighter controls. "You don't want desktop management plus SSL VPN desktop policy enforcement," he says.
Within 18 months to two years, NAP, NAC and TNC will establish themselves and SSL VPN vendors will defer to whichever ones prove viable and popular, he says. Meanwhile, SSL VPN vendors offer a broad range of endpoint-checking software that varies widely in its capabilities. Snyder says he thinks most vendors won't spend a lot more effort on these protections in anticipation of the separate network access initiatives.