Network World

NAC complexity stymies deployments

But experts say rollouts will pick up as companies become more NAC savvy
By Tim Greene, Network World, 07/21/2008

Network access control promised a much-anticipated, multi-faceted set of tools that could check endpoints for compliance, fix machines that flunked, define and enforce user access rights, and monitor user activity to assure continued compliance.

So, why are most NAC deployments targeted at the most basic task of keeping guest users off the corporate network?




The short answer: NAC turned out to be far more difficult to roll out across a large enterprise than customers imagined.

"It was supposed to be what people have been looking for - the weaving together of infrastructure and security," says Yankee Group analyst Phil Hochmuth. "It turned out to be a lot harder than anyone thought it would be. A lot of stuff didn't work or wasn't delivered for a long time."

Forrester analyst Rob Whiteley says NAC's reputation has taken a beating of late, perhaps because users misunderstood the complexities of deploying it successfully. Businesses installed NAC appliances for guest access, then tried to expand to screening for security compliance and controlling access for all managed corporate endpoints, he says. That increased the load on the NAC machines to the point where the gear can't handle it.

"Now you're probably spending more time and energy retrofitting your environment than you ever did on the initial deployment," Whiteley says.

Making NAC work for you

Of course, NAC isn't an all-or-nothing proposition. There are plenty of useful things that companies can do with NAC that fall between guest access on one end of the spectrum and a full-out deployment that takes advantage of all of NAC's capabilities.

"Companies are beginning to get a little more savvy about how they approach network access control and as a result they're getting out what they put in," Whiteley says.

In fact, Gartner predicts that sales of NAC gear will double this year. Gartner's long-term view is that sales of NAC-specific products will continue to increase in 2009 and 2010, then flatten out and begin to decline as other NAC options - installing it on endpoints, embedding it in switches, servers and computer operating systems - start to take hold as the preferred methods of deploying the technology.

These non-appliance methods of deployment scale better and will shepherd in use of more NAC features, Whiteley says. For now, many who have tried NAC focus on a single use.

For instance, Harvard University's Kennedy School of Government deployed NAC just to identify machines on its network that were causing trouble and cut them off, says Kevin Amorin, an information security manager at the school.

He wasn't interested in having NAC automatically tell users how to remediate their machines because those instructions generated more help-desk work than they prevented. "All I needed was a process that would identify and isolate," he says.


Comments (10)

RE: NAC complexity stymies deployments
By Anonymous on July 21, 2008, 12:08 pm
Hi, I don't think NAC is so complex! Try www.consentry.com regards Orhan @ Oracle Corporation

Oracle
By Anonymous on July 21, 2008, 1:44 pm
Now we have now established that the cost of rolling out NAC is at least less than an Oracle ERP system rollout...

PacketFence
By Anonymous on July 21, 2008, 8:44 pm
You might want to look at PacketFence: http://www.packetfence.org They released a new version of the "Zero Effort NAC" last week and it's getting easier and easier...

NAC is too expensive
By Anonymous on July 22, 2008, 1:32 am
Problem is vendors like HP tempt you with a $2500 well reviewed box yet leave out the fact you have to buy client licenses regardless to the tune of $30,000. Too...

PacketFence not a solution for large shops
By Anonymous on July 22, 2008, 11:02 am
From their website: PacketFence Mode Which isolation method is best for you? PacketFence provides the following trapping mechanisms: * ARP * DHCP * VLAN (v1.7) ARP...

But there is a difference!
By stiennon on July 22, 2008, 11:11 am
You wrap up your column by referring to Firewalls, IPS, and VPNs as technologies that businesses rely on. There is a huge difference between those successful technologies...
