Net access control: Ready? … Or not?

LAS VEGAS – Network companies at Interop last week pushed a clear message about how network security should work: Hardware devices identify users at the network port level, provide virus scanning and authentication services, then allow or deny network access based on strict role-based policies. Whether this actually works or when it will be widely available is less clear.

Network access control (NAC) demonstrations and product offerings were in the booths of established network vendors such as Cisco, Nortel, Enterasys and Extreme Networks; start-ups such as ConSentry, Lockdown Networks and Nevis; and security companies such as Internet Security Systems and BlueCoat Systems. But observers at the show said the industry is a long way from agreeing on how best to handle and build NAC systems.

Attendance for Interop’s 20th-anniversary spring show was up around 2,000 from last year to an estimated 18,000, with some previously missing big names – Microsoft among them – returning to the Mandalay Bay Convention Center this year.

Video: The skinny on NAC

Senior Editor Denise Dubie talks with Steve Hultquist of Infinite Summit and the iLabs NAC lead about the current state of Network Access Control technologies.

Despite the business-like tone, there were livelier activities such as free beer in the booths on Tuesday afternoon and interactive exhibits such as flight simulator and hockey slap shot kept the mood on the exhibit floor lively. Abundant technical content balanced off the suds and fluff, with a lineup of live product demos of security, VoIP and wireless gear.

Security and the trend toward access control-based products were core to the show.

Within 18 months to two years, Microsoft’s Network Access Protection, Cisco’s Network Admission Control and the Trusted Computing Group’s (TCG) Trusted Network Connect will establish themselves; and SSL VPN vendors will defer to whichever ones prove viable and popular, said Joel Snyder, senior partner at technology consulting firm Opus One and a member of the Network World Lab Alliance, who ran the Interop SSL VPN Day. Meanwhile, SSL VPN vendors offer a broad range of endpoint-checking software that varies widely in its capabilities. He said most vendors won’t spend a lot more effort on these protections in anticipation of the separate network access initiatives.

“Here’s a prediction – endpoint checking won’t ultimately be in the VPN box,” he said. “It will be in a NAC box. There will be just a thin layer of endpoint checking [in the SSL VPN gateway] that punts off to policies that are defined on a different box.”

One network professional said the days of putting network ports on desktops and managing security issues after the fact are over.

“I really want role-based security in place,” said Peter Hricak, senior manager, network operations for Lucasfilm, the entertainment firm behind the “Star Wars” series and a creator visual effects for other films. “That’s something that we’re seriously looking at – to get authentication-based policies applied. I want to know who a user is, and give them rights only to what they’re allowed to do.”

Forcing all clients to authenticate to a LAN switch port, and enforcing network access policies based on user identities, is the direction Hricak wants to go. On the Lucasfilm network, in San Francisco, Hricak manages multiple 10G Ethernet trunks and widespread Gigabit Ethernet to the desktop for high-end digital editing. While the Foundry-based infrastructure provides plenty of bandwidth, securing users via the network is one of his challenges. Rudimentary controls such as virtual LANs (VLAN) or access control lists now on network hardware are not enough.

“It’s not good enough to just lock a port to a particular VLAN,” he said. “That port should really just be vanilla, until you authenticate; then you turn the port into what you need it to be.”

Another user examining policy-based network access control sees the technology as a first line of defense against the primary entry point for viruses and worms into a network, the desktop switch port.

Policy-based networking “is going to help us alleviate worms, bugs, viruses, stuff like that, and protect the network,” said Jeff Sandbridge, IS specialist with the state of West Virginia’s MIS Office. “It’s something that has to happen. . . . You used to just have hubs and switches and then your security boxes. It’s come to the point now with all the easy ways and multiple ways of attacking a network, you have to be able to provide all the features that were inside those security boxes down at the port level.”

Sandbridge plans to deploy Enterasys LAN switches along with the vendor’s Atlas Policy Manager server. The server software can detect activities on ports that are out of bounds for individual users on the network. The switches can take directions from the server to shut down or limit network access to traffic flows that the server identifies as breaking policy rules.

But a standard technology to scan PCs before they are allowed network access will not be fully developed for two years, according to other experts who spoke at Interop sessions on NAC.

“Right now, most NAC [offerings] are really single-vendor solutions,” said Steve Hultquist, principal analyst at Infinite Summit. “You have the client/server approach that Microsoft is taking and it’s not even available yet. There’s Cisco’s approach, which is all-Cisco hardware,” and the TCG’s effort, which is standards-based but also not yet available. “I would be hesitant to do a full-scale enterprise implementation, given the products that are available today.”

Even SSL VPN vendors, which already supply a version of this endpoint-checking software, acknowledge it has a way to go before it is fully featured and flexible, network executives were told at the SSL VPN Day session.

“It’s relatively early in the development of that technology,” said Reggie Best, vice president of marketing for AEP Networks, which makes SSL VPN equipment. “There’s a lot of work that needs to be done on that.”

Senior editors Phil Hochmuth, Tim Greene and Denise Dubie, and Multimedia Editor Jason Meserve contributed to this report.