
Open source players show a knack for NAC

Universities lead the way, but wide acceptance may take a while
By Tim Greene, Network World, 03/29/2007

A pair of Harvard University IT staffers last week released a free virtual appliance that supports their open source network access control platform -- just one of many free NAC tools springing up to address security-hungry customers.

Called PacketFence Zero Effort NAC (ZEN), the virtual appliance consists of an operating system image that runs on Linux or Windows and performs policy checks of devices as they log on to networks.

PacketFence ZEN is the latest innovation among about a dozen free NAC packages, most of them created at colleges in reaction to the same Sasser and Blaster worms that led commercial vendors -- such as Cisco, Microsoft and the Trusted Computing Group industry consortium -- to develop NAC for profit.

NAC doesn't have to cost anything
As with many technologies, the open source community has been working on network access control (NAC) platforms that might fill the needs of organizations or provide an inexpensive way to become familiarized with the technology. Here are some of those projects:

Name | Description
PacketFence | A platform developed independently by two Harvard University IT staffers that is promoted by Montreal integrator Inverse.
Rings | NAC software created at the University of Kansas, adopted by other universities and developed with the goal of being useful in a broad range of networks.
NetReg | Written at Carnegie Mellon University, this platform is designed with a core set of features and add-on options that can be used or not without affecting the core functionality.
FreeNAC | Created by telecom carrier Swisscom for internal use, the company is promoting it among integrators in an effort to sell it as a well-supported subscription service.
HUPnet | A project of the University of Helsinki designed for wireless network admission control but applicable to wired networks.
Ungoliant | Indianapolis University is behind this platform, which has a separate private version called Shelob that is used on campus.

NAC has proven so popular that Infonetics projects commercial vendors will reap $3.9 billion in NAC sales by 2008, but the open source alternatives probably won’t share in the payday, says Rob Whiteley, an analyst with Forrester Research. “Open source NAC will be a catalyst that big vendors like HP or IBM will wrap around their own products and then support the heck out of it,” for a fee, he says, but that will take some time and leave out the open source innovators.

That’s OK with Dave LaPorte and Kevin Amorin, the two Harvard IT workers who develop PacketFence together in their off hours. “We’re just doing it because it’s fun, and we use it on our jobs, and it’s useful to a lot of people,” says LaPorte.

Their software authenticates users via any method supported by open source Apache Web servers. It performs vulnerability scans and can divert machines found lacking to remediation sites. It can isolate devices from the network using DHCP changes as well as manipulating Address Resolution Protocol caches.

Commercial vendors rely mainly on 802.1x port authentication to isolate devices, which is arguably more secure, according to analyses of various NAC architectures. But some open source projects embrace 802.1x as well.


Comments (1)

Running RINGS around NAC
By Anonymous on April 5, 2007, 10:25 am
We are very happy with RINGS here at the University of Kansas, and continue to develop the application. Two developments of note are the Java-based Security Analyzer...
