INTEROP NEW YORK -- It's called Interop, but this week's show might as well be called NAC Expo. Everywhere you look, vendors and standards groups are announcing new products, doing demos, and singing the praises of Network Admission Control, the "hot technology" that's designed to keep users off the corporate infrastructure unless they comply with predefined security requirements.
Quietly, however, some experts, users, and even vendors are openly wondering whether NAC will live up to its hype in the near term -- or maybe ever.
There have been at least a dozen NAC-related announcements distributed at Interop in the last two days, each promising to add new functionality to the policy-driven security environment. AEP Networks, Lockdown Networks, NeoAccel, and StillSecure all launched new NAC products at the show. Eight vendors -- including Extreme Networks, Infoblox, Meru Networks, Patchlink, Q1 Labs, RSA Security, Trapeze Networks, and Vernier Networks -- announced plans to support the Trusted Computing Group's (TCG's) Trusted Network Connect (TNC), a proposed set of industry standards for NAC.
But that isn't all. More than 20 vendors -- including Cisco, Microsoft, Juniper, and Symantec -- are participating in InteropLabs' NAC interoperability exhibit, the first live demonstration to show all three of the key NAC architectures (Cisco's NAC, Microsoft's Network Access Protection, and the TCG's TNC) at work side by side. Even more vendors are attending birds-of-a-feather meetings operated by the TCG.
"NAC absolutely will be widely deployed -- it has to be," says Steve Hultquist, principal at Infinite Summit and team leader for the InteropLabs NAC project. "To build a secure environment, you have to protect the network from the devices." NAC technology is ready for testing in the development lab and could be deployed today in single-vendor environments, he notes.
With so much hoopla and activity (and so many major vendors) revolving around a single security idea, you'd think that NAC, or NAP, or TNC, or some permutation of the three, would be a foregone conclusion for most enterprises. But some experts say that's not the case yet, and some wonder if it ever will be.
"[NAC] reminds me of what we went through with enterprise management a few years ago," said one IT executive during a NAC conference session yesterday. "Everybody was saying that they were going to do it, and all the vendors were doing it, and $100,000 later, we had a big system that nobody used." The IT executive declined to identify himself or comment further for this story.
One of the members of the InteropLabs NAC demonstration team noted that there are still major differences between NAC, NAP, and TNC that prevent the disparate NAC environments from working together. "We've got [Cisco's] NAC, which doesn't really work with TNC, and we've got [Microsoft's] NAP, which is running on products that aren't even shipping," said the demo staffer, who asked not to be identified. "The vendors are showing how they can work with one or the other, but it's not like a user could plug it all in together." Cisco and Microsoft have promised to integrate their NAC technologies, but the two have been noncommittal about TNC. (See Getting Ready For NAC/NAP.)
There are some real questions about whether NAC can work in a real-life, multivendor enterprise environment, said Joel Snyder, senior partner at Opus One and member of the InteropLabs NAC demonstration team, in an Interop conference session yesterday.
One of the chief problems with NAC is that it requires IT fiefdoms to agree on a common set of policies for configuring the security of network devices and endpoints -- and on a common method of enforcing those policies. Networking people look at NAC much differently than desktop managers do, and it will be difficult for them to agree on the very specific configuration rules NAC requires for each device, he said.
In order to work, NAC also may require a complete definition of authentication and identity management technologies and practices, experts assert.
"We're talking about changing the entire network and the way it works," Snyder said. "This is a really big deal. It's not a small task, and it's not going to be easy."
IT departments may also have some trouble proving the return on investment on NAC initiatives, Snyder observed. "The ROI on NAC is a big unknown," he said. "If, after you deploy NAC, a virus is prevented, is that because of NAC? Or is it just because of the antivirus software? Conversely, what if a virus hits? Is that NAC's fault? It's going to be a hard thing to quantify."
Vendors continue to paint a pretty picture of NAC. "We believe that customers will ultimately benefit from open, industry standard solutions that incorporate the richest NAC features, enabling organizations to better defend their networks against the increasing number of internal threats," said Rod Murchison, vice president of marketing for Vernier Networks, in a statement that was typical of most of the vendor announcements at the show.
But NAC isn't a foregone conclusion, and it may not be right for every enterprise, Snyder said. "If you're just doing it because it's the ATM or VPN of 2006, then maybe you shouldn't do it."
Tim Wilson, Site Editor, Dark Reading