NAC: Hot technology for 2008

Not a cakewalk

There are things we can with certainty about network access control. One, NAC is hot. Two, NAC is hard.

IT execs want to make sure that users don't come back from a business trip and infect the entire company. IT execs want to make sure contractors with visitor access to the network aren't able to do damage or get access to confidential information. And IT execs want to make sure that users are properly authenticated and that they only access applications they need to do their jobs.

The difficult part is figuring out how to accomplish all that. Or any single part of that.

There are so many competing standards and approaches that you may be tempted to simply give up. After all, you've got the Trusted Computing Group with its Trusted Network Connect architecture. Lots of vendors offer point products that support the TNC architecture. But not Cisco.(Compare network access control products.)

Cisco has its own CNAC framework. Cisco has products that support the framework as well as separate point products. Amazingly, Cisco's current NAC appliance and its NAC framework use different client software to evaluate the security posture of network endpoints. It got so confusing for customers that Cisco in August tried to unify its own two-track strategy by launching something called oneNAC.

Then there's Microsoft. Microsoft doesn't even use the term NAC. Microsoft felt compelled to come up with its own term – Network Access Protection or NAP. Microsoft came up with the term quite a while ago, but actually coming up with products has proven a bit more challenging.

Microsoft's NAP policy server won't arrive until Windows Server 2008 ships. So, you couldn't deploy a full-blown Microsoft NAP architecture today, even if you wanted to.

So, what's a customer to do? Go with TCG. Go with Cisco. Wait for Microsoft?

The good news is that Network World has conducted several tests of NAC products and we can report that they do work and that they do interoperate. If you need NAC now, there are viable options.

First, we tested NAC solutions based on Cisco's architecture and TCG's. We tested 30 products for end user authentication, end-point security, enforcement of security policies and for management. Bottom line: Whether you choose TCG or whether you choose Cisco, you can get the job done.

If you're not ready to go down the route of deploying a full-blown NAC framework and you just want to plug in a NAC appliance, you have plenty of options. We tested 13 NAC point products and found that while each product has certain strengths and weaknesses, as a general category, NAC point products are ready for prime time.

The questions that IT execs need to focus on are: What am I trying to accomplish with NAC? And what is the best way to get there?

NAC promises pre-admission controls – in other words, making sure infected machines don't get on the network and making sure unauthorized users don't get on the network. But a more interesting use of NAC tools is post-admission controls – making sure endpoints stay in compliance while connected to the network and making sure users are doing what they're supposed to be doing.

IT execs need to analyze their needs, examine their timeframe and then make a decision on whether to go appliance or framework. And, if framework, which one. Like, we said, it's not an easy decision to make. But it's something IT execs need to address sooner rather than later.

< Return to main page: Eight technologies for 2008 >

Copyright © 2008 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022