Many network access control specialists have yet to address one of the biggest problems with their security technology: making their products work better with legacy network gear.
But vendors such as StillSecure, NetClarity and Nevis Networks plan to make their products compatible with 3Com, Cisco, Enterasys, Extreme Networks, Foundry Networks and HP switches, so corporations don't have to replace them to use NAC technologies.
Interoperability between these vendors and others could speed the adoption of NAC, which typically profiles devices that are logging on to networks, compares those profiles with security policies, decides what access, if any, a device is eligible for and enforces that level of access.
Security vendors also are looking to capitalize on a booming market in which one in three IT shops plans to buy or implement NAC this year, according to a Forrester Research survey of North American companies. About half of the world's 2,000 largest corporations already have some form of NAC, Forrester says.
For its part, StillSecure's SafeAccess software carries out NAC by scanning networked PCs from a server and receiving a compliance report from a software agent on the client machine or from an ActiveX agent downloaded to it that performs the same function. Based on the results, policies determine whether to admit the client, and SafeAccess instructs enforcement points what to do.
StillSecure says it plans this summer to partner with Extreme to incorporate SafeAccess on Extreme's Sentriant threat-detection and -mitigation appliance. Sentriant monitors behavior of devices on networks and blocks suspicious behavior. SafeAccess also can act as a bridge sitting inline to block traffic from noncompliant machines, use 802.1X switches as enforcement points or limit access by forcing an IP address on the machine that allows access only to a quarantined network segment.
NetClarity is adding 3Com and HP to the list of switch makers whose equipment can enforce policies after NetClarity Auditor appliances determine what access rights devices should receive. And the company is working toward compatibility with Foundry and Extreme as well as fellow NAC vendor ConSentry. Auditor also supports Cisco Catalyst switches. It uses command lines to communicate with the switches and assign noncompliant machines to quarantine virtual LANs (VLANs).
NetClarity says it is negotiating with intrusion-detection and -prevention vendors to use their gear as enforcement points for its NAC. This would add to its list of enforcement points, which also includes firewalls from Astaro, Check Point, Cisco, Cyberguard, Juniper, Secure Computing and Snapgear.
This fall Nevis Networks will introduce an appliance that sits between access switches and core switches to enforce policies on a per-switch basis. The appliance monitors traffic of devices that already have network access, seeking malicious behavior. When it finds some, it shuts down offending machines, preventing worms and viruses from propagating.