NAC Leaders: Technology Has a Long Way to Go
Modernizing Authentication — What It Takes to Transform Secure Access
With a growing number of IT security companies and infrastructure specialists pushing network access control systems to market, vendors that are recognized as leaders in the space concede that the tools available today still need a lot of improvement.
During the past year, the marketing of NAC technologies to enterprises has increased aggressively, with software, networking equipment and appliance makers pitching their products for purposes ranging from keeping hackers off corporate systems to adding a new layer of authentication to internal IT applications.
And while Cisco Systems, recognized as an early inventor of NAC technologies, already claims 1,500 installations of its own appliance productsthe largest customer base referenced by any vendor in the segmentanalysts at the San Jose, Calif.-based networking giant, and some of its biggest rivals, admit the industry remains somewhat fragmented and immature.
NAC may be sold as an elixir for purposes such as real-time threat monitoring and integrated SSO (single sign-on) for enterprise applications, but most companies presently using the systems are doing so with much simpler goals, said Russell Rice, director of marketing for Cisco.
"Wireless access, [virtual private networks] and guest networking are the first areas where people are concentrating, although we continue to see a lot of interest in using NAC for maintaining the risk and health status of machines," Rice said.
"From an enforcement perspective, companies still want to ensure that users have a smooth transaction and minimize the impact of quarantine; the vast majority of our customers are using NAC in some enforcement mode, but that's a fundamental problem that needs to be solved before we see NAC deployed more broadly."
In essence, the executive is saying that most of Cisco's NAC customers aren't using the features advertised as the systems' greatest strengths because the tools remain somewhat unwieldy.
By using NAC to scan users' devices to see if they meet all of an organization's security requirements, and sending any machines that don't make the grade into a restricted access or quarantine mode, the technology can serve as a stronger first line of defense for enterprise networks, advocates claim.
However, as Cisco's Rice and other industry watchers observe, most businesses remain too unsure of the harsh implications that may come along with a security system that could block vital workers from being able to log on and get their work done.
That lack of more pervasive adoption is a sign that existing NAC tools need further refinement, said Lawrence Orens, analyst with Stamford, Conn.-based Gartner.
"The [NAC] frameworks themselves are still relatively immature," said Orens. "Things have played out so far a little differently than what we thought would happen; we thought more customers would want to use NAC to ask if a machine is dangerous, but people are still reluctant to do enforcement. It's hard to tell workers they will be kept off the network because their patches are out of date, and we still see a lot of political resistance to that approach."
Another problem that could be retarding the adoption of NAC is a lack of sufficient industry standards that will allow for simpler integration of technologies made by different vendors, industry players concede.
While there are a handful of NAC standards efforts already under way, including the TCG (Trusted Computing Group)'s TNC (Trusted Network Connect) effort and the IETF (Internet Engineering Task Force) NEA (Network Endpoint Assessment) Working Group, each of those projects, and several others that have been organized, have their own combinations of participants and backers.
Unless better collaboration can be fostered among technology vendors, such as convincing Cisco to participate in the TNC initiative, the market risks turning off customers by producing large numbers of different technologies that won't easily work together, according to Steve Hanna, a distinguished engineer with infrastructure gear maker Juniper Networks, Sunnyvale, Calif.
"Customers don't want to have lots of different competing proprietary products, it's already too confusing with too many names for the same things," said Hanna, who is also co-chair of the TNC group.
"They want vendors to agree on standards to allow NAC technologies to work together, and the only way to get there is through cooperation. More backroom deals don't help."
Hanna's reference to behind-the-scenes deal-making by vendors is likely a shot at the partnership that has been established between Cisco and Redmond, Wash.-based software giant Microsoft, which will roll out its own flavor of NAC, known as Network Access Protection (NAP) with the introduction of its Longhorn Server package, slated for arrival before the end of 2007.
Despite the call by standards groups, and smaller vendors, for the massive industry players to make their NAC-NAP development work more public, officials with the companies appear firmly rooted to the notion that they may be better served to continue with more proprietary product designs.
"Interoperability is only of interest when things actually work, so we'd much rather figure out what works and then address interoperability, there's always the danger of developing standards that no one will adopt," said Khaja Ahmed, architect for Windows networking security at Microsoft.
"We started with product because that's how Microsoft works, at the end of the day we know that the desktop has to work with multiple vendor switches, and it will interoperate, we're not worried, we believe the market will drive and extract standards from us."
Some smaller vendors believe that the apparent lack of cooperation on the part of the larger vendors will only serve to hurt growth of the NAC market in general.
Rob Ciampa, vice president of business strategy at NAC software and appliance maker Trusted Network Technologies, based in Alpharetta, Ga., said that the messaging he's hearing from influential companies including Cisco and Microsoft is largely self-serving, although he's not sold on any one of the existing standards efforts either.
From a customer's perspective, he said the larger players are trying to downplay the fact that many existing NAC tools, specifically those made by Cisco, one of his companies' rivals, demand that organizations replace much of their network infrastructure for installation.
"No one is talking about the infrastructure upgrade that's needed with these productsthat's the dirty little secret," Ciampa said. "And even if one or two standards solidify, it will still be a long, drawn-out process, and we still might not end up with something that really helps enterprise customers get what they want from NAC systems."