NAC still drawing crowds at RSA

Demise of two NAC vendors doesn’t bode ill for the technology, panel says

SAN FRANCISCO -- At this year’s RSA Conference, there were fewer sessions and displays devoted to NAC than at previous conferences, but interest in the technology still seemed to run high among 2008 attendees.

A panel about NAC’s future packed a 250-seat meeting room to capacity, with most audience members indicating by a show of hands that they want Microsoft’s version of NAC -- network access protection (NAP) -- to interoperate with Cisco’s because they already use key products from both vendors.

The recent availability of all components of NAP is triggering renewed interest in the technology, which Microsoft and other NAC players looked to exploit at the show.

One NAC vendor, Bradford Networks, announced that it has a new appliance that imposes NAC on guest machines trying to gain network access. Great Bay Software made a similar announcement this week. (Compare NAC products.) 

Also at the show, Microsoft hosted a booth with other vendors whose NAC gear either interoperates with NAP or makes NAP compatible with client machines running other-than-Windows operating systems. Cisco, which promises its NAP-compliant NAC gear will be out in a month or so, did not participate in the booth, which Microsoft dubbed “The 2008 NAP World Tour.”

Yet despite the apparent interest at RSA, there is a wider impression that NAC isn’t catching on, fueled by the demise of two NAC vendors (Lockdown Networks and Caymas Systems) over the past year and the repositioning of a third (Vernier Networks). 

“There is a perception that NAC is struggling,” says Lawrence Orans, an analyst with Gartner. He quotes sales of NAC gear for 2007 at $225 million. He notes sales of IPS equipment was $700 million and sales of firewall/VPN gear was $3 billion. “NAC is not there, but a couple of hundred million is not bad,” he says.

As NAC technology matures, it is becoming more widely deployed and better understood, and the major forces behind it -- Cisco, Microsoft and to some extent Juniper -- are getting their stories straightened out, says Phil Hochmuth, an analyst with Yankee Group.

“The window of opportunity that was open to NAC start-ups is closing because of this,” Hochmuth says. “There won’t be a long, glowing obituary for the overall NAC market, just a bunch of small death notices for vendors who cannot differentiate or interoperate with larger NAC standards or architectures. What’s happened is that NAC is becoming what it’s always been: a feature of enterprise infrastructure, not a stand-alone product or market itself.”

As the market shakes out, one thing is clear: Rolling out NAC is difficult, according to Microsoft and Cisco panelists.

Microsoft has deployed NAP to 150,000 devices, and discovered that a large number of them don’t meet NAP policies. “It’s a lot harder to get to a state of compliance than you might think,” says Khaja Ahmed, director of Microsoft’s enterprise security group.

Still the benefits can be great, Ahmed says. “It’s probably the biggest bump up in security you will get,” he says, because devices will be forced into compliance each time they log on. “It’s like a continuous audit.”

Cisco has deployed NAC for guest users at executive briefing centers and is using 802.1x

enforcement at five sites, but has no timetable for making Cisco 100% NAC enabled, says Russell Rice, Cisco’s director of product management.

One IT executive from a car manufacturer said his company is interested in NAC but that he is just starting to research the options and it’s likely the carmaker won’t fund the project until the next fiscal year. The IT executive (who asked that his name not be used because his company had not cleared him to talk to the press) is primarily considering NAC to impose policies on remote access users and guests.

Meanwhile, NAC standards that should speed the interoperability of different vendors’ NAC gear may be ready in a year, says Steve Hanna, a Juniper distinguished engineer who co-chairs the IETF working group developing the standards. The group has agreed to a single set of proposals to work from. They were submitted by Trusted Computing Group, an industry vendor alliance that has already declared them an informal standard.

Panelists agreed that NAC vendors need to establish a common set of criteria to certify the security of their gear.

Learn more about this topic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)