Network access control promised a much-anticipated, multi-faceted set of tools that could check endpoints for compliance, fix machines that flunked, define and enforce user access rights, and monitor user activity to assure continued compliance.
So, why are most NAC deployments targeted at the most basic task of keeping guest users off the corporate network?
Read how NAC secures U.N. agency between security gurus Joel Snyder and Richard Stiennon. On July 22 they argued the merits of NAC with Snyder defending NAC and Stiennon dissing it.
See slideshow on What is confusing about NAC.
Read the transcript from a live chat debate
Plus, read an earlier chat with Snyder on NAC.
The short answer: NAC turned out be far more difficult to roll out across a large enterprise than customers imagined.
"It was supposed to be what people have been looking for - the weaving together of infrastructure and security," says Yankee Group analyst Phil Hochmuth. "It turned out to be a lot harder than anyone thought it would be. A lot of stuff didn't work or wasn't delivered for a long time."
Forrester analyst Rob Whitely says NAC's reputation has taken a beating of late perhaps because users misunderstood the complexities of deploying it successfully. Businesses installed NAC appliances for guest access then tried to expand to screening for security compliance and controlling access for all managed corporate endpoints, he says. That increased the load on the NAC machines to the point where the gear can't handle it.
"Now you're probably spending more time and energy retrofitting your environment than you ever did on the initial deployment," Whiteley says.
Making NAC work for you
Of course, NAC isn't an all-or-nothing proposition. There are plenty of useful things that companies can do with NAC that fall between guest access on one end of the spectrum and a full-out deployment that takes advantage of all of NAC's capabilities.
"Companies are beginning to get a little more savvy about how they approach network access control and as a result they're getting out what they put in," Whiteley says.
In fact, Gartner predicts that sales of NAC gear will double this year. Gartner's long-term view is that sales of NAC-specific products will continue to increase in 2009 and 2010, then flatten out and begin to decline as other NAC options - installing it on endpoints, embedding it in switches, servers and computer operating systems - start to take hold as the preferred methods of deploying the technology.
These non-appliance methods of deployment scale better and will shepherd in use of more NAC features, Whiteley says. For now, many who have tried NAC focus on a single use.
For instance, Harvard University's Kennedy School of Government deployed NAC just to identify machines on its network that were causing trouble and cut them off, says Kevin Amorin, and information security manager at the school.
He wasn't interested in having NAC automatically tell users how to remediate their machines because those instructions generated more help-desk work than they prevented. "All I needed was a process that would identify and isolate," he says.
American Bancard, in Boca Raton, Fla., uses StillSecure's SafeAccess NAC software to help meet requirements of the payment card industry standards, says the company's CTO Steven Scop. His company processes credit card claims from merchants, so it must comply with PCI and be able to prove that compliance to auditors.
StillSecure's NAC can help with part of that, he says, because the tools have compliance reporting features that are designed to address specific aspects of PCI. So the software can demonstrate that only certain machines gained access to sensitive data and that they were given a health check before they were allowed to.
And the reports also help American Bancard identify its PCI shortcomings and correct them. "There's different things that it looks for, and based on the different PCI auditing questions, it says this has hit the mark and this hasn't," he says. "There's a lot of things it finds that we needed to change."
The United Nations Population Fund (UNFPA), uses NAC to screen managed laptops that come and go from the agency's network and that were bringing in viruses, says Douglas Concepcion the network infrastructure/security specialist at UNFPA headquarters in New York City. (See how NAC is helping secure UNFPA.)
The ForeScout gear the UNFPA uses now checks for Symantec antivirus updates and current Windows patches before allowing the machines on the network, he says. If they fail the scan, the user is denied access and directed to call the help desk.
The agency is opening 11 sites worldwide and plans to install a ForeScout CounterACT NAC appliance at each. That will help protect the headquarters network from infection as remote workers access via the UNFPA VPN, Concepcion says.
Double-checking on other security platforms is another NAC capability that is attractive to potential users. "NAC can backup vulnerability scanning and patch management," says John O'Connor, vice president of management information systems at BankFive in Fall River, Mass., who is shopping for NAC to provide overlap protection in the bank's network. "It's an extra layer and can evaluate devices for patches, for example," he says. "If a patch has been distributed and not applied, NAC can pick up on it." In that way it could backstop the bank's patch management software.
Pick and choose
Businesses should recognize the varied uses of NAC and pick the ones they want, says Joel Snyder, senior partner in Opus One consultancy. "NAC is not a thing you can buy and drop into your network," he says. "Not everybody has it or needs it but it's a set of useful tools you can choose from if it's on the table." (Read a transcript of a chat Snyder had on NAC.)
He says that standards will encourage this picking and choosing by making it possible to plug in gear from different vendors that make products that fulfill certain aspects of NAC - endpoint checking, endpoint posture evaluation, policy decision making, enforcement, remediation and ongoing behavior monitoring. Businesses will be able to create the NAC environment they need without having to buy all NAC's capabilities, he says.
Those standards talks are still ongoing at the IETF, which so far is following the standards mapped out by the industry consortium Trusted Computing Group. While standards will help ease the use of NAC, the technology faces continuing challenges.
For example, with the advent of desktop virtualization, NAC faces further criticism, says Forrester's Whiteley. If a NAC appliance is being used, it will be tough for it to enforce policies on virtual machines that are communicating with each other inside a single physical piece of hardware. The traffic never passes through the NAC device, so the NAC gear can't see it or do anything about it.
Vendors are starting to issue NAC software specifically for virtual machines, but that won't halt attacks from those who bought NAC appliances and are frustrated because they don't help in virtual environments, he says.
"Because virtualization has a lot of buzz behind it, if it invalidates your NAC design, companies might say, 'Huh, NAC failed,'" Whiteley says. "It's not that it failed, it just wasn't designed with that scenario in mind."
NAC has matured to some degree, but still has a way to go, says Gartner's Lawrence Orans. At the moment, NAC is in a low spot in its evolution, but he expects that it will emerge better understood as a network security tool. "This is a natural thing for all technologies," he says.
Bottom line: NAC is becoming a tool that businesses are starting to understand and deploy and over time will come to rely on, just as they rely on firewalls, intrusion prevention and VPNs, which are practically ubiquitous technologies.