NAC will make a splash at Interop

May 01, 2006
Dedicated network access control devices and software will dominate NAC deployments for the next few years.

IT executives looking to control access to their networks should have two more options to consider after announcements this week at Interop Las Vegas.

InfoExpress and Vernier Networks are scheduled to introduce network access control (NAC) products that deny or allow network access based on whether users and their machines are qualified, and enforce policies they must follow once they are admitted.

Both companies are coming out with gear that delivers NAC today by adding hardware and software to existing networks but not requiring upgrades to network infrastructure, an expensive and disruptive downside to some other NAC schemes.

A sense of corporate urgency surrounds NAC, as shown by phenomenal sales projections for NAC equipment. Infonetics, for example, expects the market for NAC devices to grow from $323 million last year to $3.9 billion at the end of 2008. That growth is fueled by a desire to get NAC in place quickly, which in most cases means installing NAC appliances in networks, according to Infonetics. “The biggest [growth] is in NAC enforcement appliances, whose share of the market nearly triples,” says Jeff Wilson, principal analyst for Infonetics.

Infonetics breaks NAC designs into three components: clients that check end devices for compliance, enforcement points that impose policies and back-end servers that dictate policies to the enforcement points. NAC identifies and authenticates users and machines, ensures machines meet security policies, sets policies based on user and machine status, and grants access to specified resources.

An Infonetics survey recognizes Cisco’s Network Admission Control, Microsoft’s Network Access Protection (NAP) and the Trusted Computing Group (TCG) consortium’s Trusted Network Connect as the three NAC schemes best known among IT executives.

TCG is working on a standardized NAC implementation, while the other two are working on their own architectures with partners. Vernier and InfoExpress are members of TCG, and they support NAP. InfoExpress participates in Cisco’s NAC program.

At Interop, InfoExpress is set to announce Dynamic NAC (DNAC), software using existing servers and PCs as enforcement points on a network. Each end device is given a DNAC client that scans the machine to determine whether it meets security policies, including having a patched operating system, current virus-signature libraries and an operating personal firewall.

Whenever a user logs on, the DNAC client scans the machine, reports the results to a DNAC policy server and gives the machine access if it comes up clean. Access or denial is performed by another machine on that network segment – usually a server or PC – that has been designated the enforcer. Using capabilities contained in the DNAC client, the enforcer intercepts all traffic from machines logging on until the policy server has cleared them. Only then does the enforcer allow them onto the network.
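The three roles the article describes (a client that reports posture, a policy server that judges it, and a peer enforcer that intercepts traffic until clearance) can be modelled in a few dozen lines. The following is an added illustration, not InfoExpress code; the check names, the seven-day signature window and the ISO date strings are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed posture report, modelled on the checks the article lists:
# patched OS, current virus signatures, running personal firewall.
# Field names are assumptions, not the DNAC client's own schema.
@dataclass
class Posture:
    mac: str
    os_patched: bool
    av_signature_date: str   # "YYYY-MM-DD" (assumed format)
    firewall_running: bool

MAX_SIGNATURE_AGE = timedelta(days=7)   # assumed policy threshold

def evaluate_policy(p: Posture, today: str) -> list[str]:
    """Policy-server role: return the failed checks (empty list = clean)."""
    failures = []
    if not p.os_patched:
        failures.append("os-unpatched")
    age = date.fromisoformat(today) - date.fromisoformat(p.av_signature_date)
    if age > MAX_SIGNATURE_AGE:
        failures.append("av-signatures-stale")
    if not p.firewall_running:
        failures.append("firewall-off")
    return failures

class Enforcer:
    """Enforcer role: a peer on the segment that intercepts traffic from
    any machine the policy server has not yet cleared."""
    def __init__(self) -> None:
        self.cleared: set[str] = set()              # MACs allowed onto the LAN
        self.quarantined: dict[str, list[str]] = {}  # MAC -> failed checks

    def admit(self, p: Posture, today: str) -> str:
        """Apply the policy server's verdict; a failed re-scan revokes access."""
        failures = evaluate_policy(p, today)
        if failures:
            self.cleared.discard(p.mac)
            self.quarantined[p.mac] = failures
            return "deny"
        self.quarantined.pop(p.mac, None)
        self.cleared.add(p.mac)
        return "allow"

    def forward(self, src_mac: str) -> bool:
        """Default-deny: frames from an uncleared MAC are intercepted."""
        return src_mac in self.cleared
```

A machine that later fails a re-scan is moved back to the quarantined set, which is the "deny until cleared" behaviour the article attributes to the enforcer.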

Other NAC architectures place enforcement in access switches or in dedicated appliances, says Eric Ogren, an analyst with the Enterprise Strategy Group. “With DNAC, you don’t upgrade your network by putting more iron into your network. It’s using what’s in the network already,” he says.

DNAC is a feature of InfoExpress’s 5.0 software for its CyberGatekeeper Server NAC software and its CyberGatekeeper Policy Manager software. DNAC costs $49 per seat and is scheduled to be available July 1.

In contrast, Vernier makes a NAC appliance called EdgeWall, which sits between access and backbone switches to enforce access policies and monitor the behavior of endpoints on a network. The company plans to announce EdgeWall 8800, a modular, four-slot chassis that is faster than its existing EdgeWall 7000. The old model was based on Intel PC hardware, while the new platform is built around Octeon 16-core MIPS processors made by Cavium.

This gives the device 40Gbps of throughput, which is necessary to handle traffic coming from access switches on Gigabit Ethernet networks and pass it to 10Gbps core switches, says Dave Passmore, an analyst with the Burton Group.

The chassis supports six-port Gigabit Ethernet cards, giving the chassis room for 24 ports.

The 8800 also supports a new intrusion-detection and -prevention software engine that monitors the behavior of machines once they have been admitted to a network. If the engine detects behavior indicating, say, worm activity, it can shut down that port or isolate the machine on a subnet.

EdgeWall 8800 is scheduled to ship in the third quarter and cost $15,000 for the chassis plus $15,000 for each card.

Beyond these announcements, the show will highlight this hot technology with free NAC classes at InteropLabs and clustered exhibits by vendors in the show’s Security Zone.

Some see NAC products that work with existing network switches as a stopgap until customers are ready to upgrade their switches. “From a cost standpoint, it would be less expensive to put it in the switch. You already have QoS and network management in switches,” Passmore says.

In addition, the technology in switches eliminates extra devices on a network, reducing administrative burdens.

“It makes for a cleaner architecture. There are fewer parts to go wrong. These appliances are a potential failure point,” Passmore says.

Research by Infonetics predicts network switches will become the most commonly used enforcement point for NAC, employing 802.1X technology to enforce policies at individual switch ports.

Ogren says the road to NAC being embedded in switches could be long. “I don’t think people are going to do a lot of network upgrades just to get NAC. They will upgrade to get more [LAN] speed or add VoIP, but not for NAC,” Ogren says. When they do upgrade for whatever reason, then they will look to switches that support access enforcement. “But that will take years.”

For customers with network switches that don’t support the 802.1X standard used in most network-based NAC plans including Cisco’s Network Admission Control, the most likely place to install NAC-capable switches is in new locations where a network is being built from scratch, Passmore says.

He says in dealing with Burton Group’s corporate clients, he has learned Cisco customers like the idea of Network Admission Control but balk at having to upgrade their networks to support it. “There’s a lot of resistance to that,” he says.

Therefore, many customers, at least short term, are choosing NAC appliances, he says. “They present themselves as an alternative. It gives you a choice. You could use them for many, many years or you could replace them as you see fit,” Passmore says.