The battle for network access control

By John Gallant
NetworkWorld.com, 04/07/06


Dear Vorticians,

One of the more interesting 'battles' in the IT industry today is unfolding on the landscape of network access control. I put quotation marks around the word 'battle' because in this fight there is not only the customary clawing for high ground and accumulation of weapons (technology, marketing hype, etc.), there is also an extraordinary alliance-building effort underway - one that involves virtually every major player in the IT ecosystem as well as dozens of smaller companies. Companies are placing - and hedging - their bets on the key network access control architectures vying for customer attention.

At its core, network access control is a pretty simple concept. The idea is that the infrastructure should be able to control your access to resources (applications, information) depending on who you are and whether your access device conforms to your security policies. If, for example, you come back from vacation with a virus-infected laptop, the network would know enough to keep you quarantined until the virus was removed.

At a finer-grained level of control, the network access system would open up some resources and not others. Case in point: I'm a visitor at your company and I plug my laptop into an Ethernet port. You might let me browse the Web, but not access any internal resources.

Network access control is a critical step forward in security as our applications become more inter-enterprise in nature and the traditional network perimeter dissolves. But here's the problem. If you're an enterprise customer, which network access control scheme are you going to implement? On whose architecture are you going to bet the future of your company? Today, Cisco, Microsoft, Juniper and an organization called the Trusted Computing Group, among others, are promoting network access control schemes that are more or less incompatible and more or less complete, although none is very complete. Good luck picking a path.

For example, Microsoft's approach is, as you would expect, more client focused, while in Cisco's approach network devices play a bigger role. (Network World newsletter author Andreas Antonopoulos of Nemertes Research does a nice job in this piece explaining the differences in approach between Cisco and Microsoft.)

Juniper, which doesn't sell switches, puts more emphasis on the role of security gear in the network access equation. The TCG's Trusted Network Connect program is the only truly open approach to network access control, with the group working on fairly comprehensive standards for a variety of network access components that any company could implement. But TCG still has a ways to go in fleshing out its entire plan.

If you want to learn a lot more about this, Joel Snyder, a senior partner of Opus One consulting and one of Network World's Lab Alliance members, did an outstanding job detailing the differences among these network access control approaches in this article. (Note that I am not using the acronym NAC in this article because it might cause the reader confusion regarding Cisco's Network Admission Control program.)

As I mentioned above, all of these organizations are building strong partnerships around their network access proposals. As of this writing, Cisco has 22 supporters listed on its Web site, 14 of which are also among the 60 supporters Microsoft cites as backers of its Network Access Protection architecture. Juniper boasts close to two dozen backers of its Enterprise Infranet "unified access control solution."

What's interesting is to note the differences in the ranks of supporters. For example, Microsoft counts Cisco rivals Enterasys, Extreme Networks, Foundry Networks, F5, Juniper and Nortel among its backers. Surprised?

While major security vendors Computer Associates, McAfee, Symantec and Trend Micro support both Microsoft and Cisco, Check Point is notably absent from Cisco's ranks while IBM doesn't show up on Microsoft's list.

All the players claim to support integration of these programs and make all the right noises about avoiding closed approaches to the network access control problem/opportunity. But reality intercedes. For example, Microsoft and Cisco have publicly pledged to support each other's schemes, but the two companies have made little progress on that front (as Joel S. writes in the piece cited above, why won't Cisco just embrace the Microsoft client approach?).

On the TCG Web site, the group says: "Microsoft is a TCG member and has announced the alignment of the NAP architecture with TNC with planned interoperability among products." Compare that to the description for John Chambers and company: 'NAC is an initiative by Cisco with similar goals, requiring the use of Cisco components in a Cisco network environment.'

Gee, could you Cisco have worked Cisco the word 'Cisco' in there again?

On the one hand it's all nice-nice, yes we support the common good. On the other . . . well, it won't be. Make no mistake - because network access control will be one of the great battles of the next decade. We'll explore that in more depth in the next installment.

Bye for now.
