NAC has a virtual problem

Virtual networks pose problems for NAC

Cloud Security Alert By Tim Greene, Network World
March 18, 2008 12:05 AM ET

Clarifying issues surrounding this emerging security architecture

Virtual machines offer a lot of utility to networks, but could pose problems for NAC.

The problem would most likely arise in the case where centralized hardware is used to run virtual desktops as well as servers.

First off, it will be tough for an in-line NAC appliance to enforce policies on virtual machines communicating directly within a single piece of hardware. The traffic isn’t passing through the device, so the NAC gear can’t see it or do anything about it.

Routing traffic from a virtual machine, out of the physical server, through the NAC appliance then back into the physical server to another virtual host is inefficient. Efficiency is something virtualization is supposed to improve, not make worse.

At the moment, the problem is pretty much theoretical. The most common use of virtual environments is for servers, not desktops, and the predominant use of NAC is for enforcing access rules for desktops and laptops, not servers. Businesses that are using virtual desktops know it and will have to address the problem, but it won’t come up in most NAC deployments.

In cases where it arises, one alternative would be to put NAC software on each virtual machine, but so far vendors aren’t saying their software would be compatible.

Virtual machine vendors themselves might take a look at this problem and implement NAC within their virtual machine monitors. But they might find it simpler to team up with NAC vendors to work out the kinks and present multivendor packages that have been certified to work.

Tim Greene is senior editor at Network World.
