
NAC: What went wrong?

After five years, still no easy way for IT managers to achieve network access control

By , Network World
May 24, 2010 12:03 AM ET

Network World - After spending four months in the lab testing the 12 leading network access control products, we've come to this conclusion: Five years of hype, buzzwords, white papers, product launches, standards battles and vendor shakeouts have resulted in very little in the way of clarity. Agreement on what NAC really means and on the right approach to NAC remains as elusive today as in 2005, when the first NAC products burst on the scene.


Our head-to-head comparison of specific NAC products from industry heavyweights such as Microsoft, Cisco, HP, Juniper, McAfee and Symantec will appear in the June 21 issue of Network World. In this report, we analyze the barriers that have impeded the deployment of NAC within enterprise networks.

Network access control, which we're defining as a combination of authentication, end-point security checking and access control, emerged in response to the problem of mobile end users plugging infected laptops back into the enterprise network. NAC was intended to solve real problems and answer real questions: who is connecting to my network? Are they healthy? Can I control where they go? Can I shut them off if they misbehave?

Typically in our industry, products tend to coalesce over time towards common approaches and common feature sets. For example, today's Ethernet switches from different vendors are largely substitutable. Swap out an HP ProCurve switch for Enterasys and the switch is probably going to work in your network. But NAC hasn't worked out that way. The products bear very little similarity to each other. With very close inspection, a network manager might be able to find two or three products that can be compared head-to-head. But finding comparable products is difficult, and doing so pre-supposes that the network manager already knows the feature set and capabilities that they want.

There's no such thing as "best of breed" in NAC, because for the 12 vendors we evaluated, there are nearly 12 different "breeds" of NAC product.

Barrier No. 1: Politics gets in the way

A particularly difficult issue is finding a product that will be compatible both politically and technically with the network. Because NAC combines features of security, network management and desktop management, a NAC deployment faces significant organizational challenges on top of any technical challenges.

To accommodate this, NAC vendors often build their products to minimize the need for cross-team cooperation, usually by making significant compromises. However, every NAC vendor makes these compromises in different places, and to different degrees. For example, Symantec's NAC offering is entirely focused on the desktop team, while HP's NAC product is designed to be installed, configured and managed by the network team.

All this adds up to a significant barrier for network managers who want to deploy NAC. Forget the cost of the products — just figuring out which product will do the job that's needed, and whether the product can be made to work in the organization, is significantly more difficult and time-consuming with NAC than with switches, firewalls or servers.
