End-to-end NAC remains difficult

Testing shows that completely interoperable, enterprise-class products could be coming soon.
By Joel Snyder, Network World, 05/01/2006

Network access control is a phrase on everyone's lips, but InteropLabs' testing shows that completely interoperable, enterprise-class NAC products are not here yet - though they could be just around the corner.

The InteropLabs NAC team built three demonstration areas, each devoted to a single architectural model: Trusted Computing Group's Trusted Network Connect (TCG-TNC), Microsoft's Network Access Protection (NAP) and Cisco's Network Admission Control (C-NAC). Our goal was to bring together interoperable products in each NAC silo and build a complete, end-to-end deployment. Overall, we did find interoperable products within each silo, but no NAC architecture is completely filled out with products at this time.

TNC, the simplest of our demonstration areas, came up in just a few hours, but NAP and C-NAC took several engineers and a very long weekend to get to a stable state. In both these tough cases, we would not have been as successful as we were without substantial onsite advice from vendor engineers who had been through the exercise in their own interoperability labs.

The world of NAC is full of all-in-one solutions from vendors that offer to solve some of a company's NAC problems most of the time. The whole point of InteropLabs is interoperability, and we looked for products from multiple vendors that plug into open architectures.

Unfortunately for the enterprise buyer, InteropLabs' focus throws a blinding spotlight on the lack of interoperable solutions in the NAC marketplace.

For example, Lockdown Networks came in to integrate its product into the NAP demonstration area. Lockdown offers a "complete," end-to-end NAC system, but it's complete only if you use its product and its strategy for everything from the server to the client and every enforcement technology in between.

We tried to bolt the Lockdown system into the NAP policy decision point (the place in the network where NAC policy decisions are made). Lockdown quickly pulled back from full participation, but promised to come back at Interop for another grab at the NAP ring.

In other cases our implementation was stalled merely by the fact that there were no vendors from which to choose. In the NAP silo, for example, not a single vendor came forward with client-posture data-collection and validation add-ins for the Microsoft client.

This may not be such a big surprise, seeing that we are nine months out from the release of Vista/Longhorn - the version of Windows that will fully support NAP - but it is evidence of how new and untested this technology is. In the TNC test network, we had three integrity-measurement validators available - but only because engineers at Juniper Networks had written all three.
