Bradford Networks is revamping its network access control software, which initially was customized for college campuses, to make it more suitable for corporate use.

The vendor’s new NAC Director appliances come loaded with software that is functionally very similar to Bradford’s original product, Campus Director.

In its initial release, NAC Director attaches to the monitoring port on a network switch where it profiles the network by interrogating switches, access points and databases.

The device can be dropped into heterogeneous networks without altering their architecture, essentially adding a security-control plane, says Eric Ogren, an analyst with Enterprise Strategy Group. This lets customers add NAC functionality without a big investment in new network switches or software on every device connected to the network, he says.

This was key to NaviMedix, an Internet portal company based in Cambridge, Mass., that links medical facilities to insurance companies and other third-party providers. The company is a Cisco shop, but didn't want to be tied to a single vendor for its security, says Bob Chin, the executive vice president for NaviMedix. "It's out-of-band so we're not tied to a particular set of network equipment, which Cisco does," he says.

The fact that the appliance links users to MAC addresses makes it easier for users to change locations yet maintain NAC security, he says. The architecture does not rely on devices being attached to specific switch ports. "If someone moves from cube 1 to cube 17, they don't have to go to the wiring closet and move things around," Chin says.

Other vendors touting add-on NAC include Nevis Networks, ConSentry Networks, Mirage Networks and Vernier Networks.

Once it has familiarized itself with the network, NAC Director can manage identities of individuals by associating them with MAC addresses, the users' roles in the company, IP addresses, how the device is attached to the network and time of day.

It can then check the endpoint to see whether it complies with security policies such as updated operating systems, registry settings, application patches and whether certain applications such as antivirus scanning are running. Based on the results, the device can admit the machine trying to gain access or quarantine it to a virtual LAN where the user can fix whatever shortcoming was found.