

06:20 AM

NAC Market Retrenches at RSA

Vendors try the appliance approach, scaling back from larger vision of enterprise-wide deployments with hundreds of end points

SAN FRANCISCO -- RSA 2008 Conference -- Roiled in equal parts by a troubled economy and a market sector in retrenchment, network access control vendors are regrouping with cheaper options to entice IT users to buy.

NAC "appliances" are now the order of the day: essentially smaller-scale boxes for authentication and access, priced under $10,000 apiece, and a far cry from the grander schemes of health checks via multi-vendor end points that comprised a security management framework.

The once high-flying NAC sector has fallen on harder times of late. NAC vendor Lockdown Networks shut its doors late last month; Caymas Systems went out of business last year. Vernier Networks is reportedly going to relaunch itself outside the NAC market. (See Lockdown Networks Shuts Down.)

"Lockdown had strong technology, but I guess the market for NAC didn't take off as fast as people expected to," says Amith Krishnan, Microsoft's senior product manager for network access protection (NAP), Redmond's flavor of NAC. "But I think the market has started to mature and people understand it's not just enforcement that’s going to drive NAC."

The issues are actually larger than that, according to Thomas Ptacek, principal with Matasano Security. "Are we surprised when people don’t rush to adopt products from companies with an 'A' round of funding and a $60,000 product?" the consultant says. Customers aren't sold on NAC, nor are they about to buy hundreds of boxes for deployment across the enterprise, he adds. "The capital expenditure is too great for the value you get from it -- NAC would have to eliminate antivirus software or scanning or host IPS, and that's not happening."

For its part, Microsoft recently added NAP capabilities to Windows Server 2008 and introduced a NAP client for Linux, Krishnan says. In both instances, he says, the company has improved ease of deployment, where previously everything had to be configured manually. "Now setting up policies and connecting them to a switch or wireless access point has all been automated."

Thus far during the show here, Bradford Networks and Extreme Networks introduced NAC appliances with an emphasis on affordability. (See Bradford Secures Guest, Contractor Access and Extreme Showcases NAC at RSA.) Microsoft, in addition to running the NAP pavilion at the tradeshow, is showcasing recent NAC/NAP additions to its operating systems. And while it's not strictly a NAC product, Quest Software Inc. unveiled Active Directory-based single sign-on for Unix and Linux desktops, as well as Java-based applications. (See Quest Expands ID, Access Management.)

Bradford says its appliance-based NAC Director is a subset of its flagship product with new capabilities for authorizing access and rights for guests and contractors who work on-site, short-term or sporadically over a longer period.

"Enterprises of all shapes and sizes have contractors and strategic partners who access the network every day," says Jerry Skurla, vice president of marketing at Bradford. And customers can use the same license when they want to move up to full NAC capabilities, so there's no changeout of hardware needed, Skurla adds.

NAC Director with guest-contractor services costs $7,995 and can accommodate about 250 users total, 20 percent of which can be guests or contractors, the vendor says.

Extreme has also gone the appliance route with NAC and its Sentriant AG200, an upgrade from its software-only NAC product. The smaller-scale NAC platform supports diverse policies for user communities and locations, and is available for Windows PCs and Apple Macs. Extreme did not release any pricing information on the Sentriant AG200.


  • Bradford Networks
  • Caymas Systems Inc.
  • Extreme Networks Inc. (Nasdaq: EXTR)
  • Microsoft Corp. (Nasdaq: MSFT)
  • Quest Software Inc.
  • Vernier Networks Inc.

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...
