
Vendors Get the NAC, But Will Users?

While vendors rolled out product after product for NAC at Interop, experts are wondering how enterprises will make the technology work

INTEROP NEW YORK -- It's called Interop, but this week's show might as well be called NAC Expo. Everywhere you look, vendors and standards groups are announcing new products, doing demos, and singing the praises of Network Admission Control, the "hot technology" that's designed to keep users off the corporate infrastructure unless they comply with predefined security requirements.

Quietly, however, some experts, users, and even vendors are wondering whether NAC will live up to its hype in the near term -- or maybe ever.

There have been at least a dozen NAC-related announcements distributed at Interop in the last two days, each promising to add new functionality to the policy-driven security environment. AEP Networks, Lockdown Networks, NeoAccel, and StillSecure all launched new NAC products at the show. Eight vendors -- including Extreme Networks, Infoblox, Meru Networks, Patchlink, Q1 Labs, RSA Security, Trapeze Networks, and Vernier Networks -- announced plans to support the Trusted Computing Group's (TCG's) Trusted Network Connect (TNC), a proposed set of industry standards for NAC.

But that isn't all. More than 20 vendors -- including Cisco, Microsoft, Juniper, and Symantec -- are participating in InteropLabs' NAC interoperability exhibit, the first live demonstration to show all three of the key NAC architectures (Cisco's NAC, Microsoft's Network Access Protection, and the TCG's TNC) at work side by side. Even more vendors are attending birds-of-a-feather meetings operated by the TCG.

"NAC absolutely will be widely deployed -- it has to be," says Steve Hultquist, principal at Infinite Summit and team leader for the InteropLabs NAC project. "To build a secure environment, you have to protect the network from the devices." NAC technology is ready for testing in the development lab and could be deployed today in single-vendor environments, he notes.

With so much hoopla and activity (and so many major vendors) revolving around a single security idea, you'd think that NAC, or NAP, or TNC, or some permutation of the three, would be a foregone conclusion for most enterprises. But some experts say that's not the case yet, and some wonder if it ever will be.

"[NAC] reminds me of what we went through with enterprise management a few years ago," said one IT executive during a NAC conference session yesterday. "Everybody was saying that they were going to do it, and all the vendors were doing it, and $100,000 later, we had a big system that nobody used." The IT executive declined to identify himself or comment further for this story.

One of the members of the InteropLabs NAC demonstration team noted that there still are major differences between NAC, NAP, and TNC which prevent the disparate NAC environments from working together. "We've got [Cisco's] NAC, which doesn't really work with TNC, and we've got [Microsoft's] NAP, which is running on products that aren't even shipping," said the demo staffer, who asked not to be identified. "The vendors are showing how they can work with one or the other, but it's not like a user could plug it all in together." Cisco and Microsoft have promised to integrate their NAC technologies, but the two have been noncommittal about TNC. (See Getting Ready For NAC/NAP.)

There are some real questions about whether NAC can work in a real-life, multivendor enterprise environment, said Joel Snyder, senior partner at Opus One and member of the InteropLabs NAC demonstration team, in an Interop conference session yesterday.

One of the chief problems with NAC is that it requires IT fiefdoms to agree on a common set of policies for configuring the security of network devices and endpoints -- and on a common method of enforcing those policies. Networking people look at NAC much differently than desktop managers do, and it will be difficult for them to agree on the very specific configuration rules NAC requires for each device, he said.
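To make the "common set of policies" concrete, here is an added example (not from the article or any vendor) of a toy NAC admission decision: the desktop team's posture rules and the network team's enforcement mapping are both explicit data, and an endpoint is admitted, quarantined, or denied against them. The device classes, posture attribute names, thresholds and VLAN mapping are all constructed for illustration.

```python
# Added example, not from the article or any vendor: a toy NAC admission
# decision showing what "a common set of policies" must pin down. Device
# classes, posture attribute names and the enforcement mapping are constructed.
from enum import Enum

class Decision(Enum):
    ADMIT = "admit"            # production network
    QUARANTINE = "quarantine"  # remediation segment only
    DENY = "deny"              # no access at all

# Desktop team owns the posture rules, network team owns the enforcement
# mapping; NAC only works once both are written down and agreed.
POLICY = {
    "workstation": {"required": {"av_running": True, "firewall_on": True},
                    "max_patch_age_days": 30},
    "server": {"required": {"firewall_on": True}, "max_patch_age_days": 7},
}
ENFORCEMENT = {Decision.ADMIT: "vlan 10", Decision.QUARANTINE: "vlan 99",
               Decision.DENY: "port shut"}

def evaluate(device_class, posture):
    """Return (Decision, failed_checks) for one endpoint's reported posture."""
    rules = POLICY.get(device_class)
    if rules is None:                       # no agreed policy -> default deny
        return Decision.DENY, ["unknown device class"]
    if not posture:                         # no agent, nothing to assess
        return Decision.DENY, ["posture unavailable"]
    failed = [attr for attr, want in rules["required"].items()
              if posture.get(attr) != want]
    if posture.get("patch_age_days", float("inf")) > rules["max_patch_age_days"]:
        failed.append("patch_age_days")
    return (Decision.QUARANTINE if failed else Decision.ADMIT), failed

def enforce(device_class, posture):
    """Map the decision onto the network team's enforcement action."""
    decision, failed = evaluate(device_class, posture)
    return ENFORCEMENT[decision], failed

# Constructed endpoints, one per outcome.
ENDPOINTS = {
    "pc-01": ("workstation", {"av_running": True, "firewall_on": True, "patch_age_days": 3}),
    "pc-02": ("workstation", {"av_running": False, "firewall_on": True, "patch_age_days": 45}),
    "srv-01": ("server", {"firewall_on": True, "patch_age_days": 2}),
    "cam-01": ("ip-camera", {"firewall_on": False}),
    "pc-03": ("workstation", {}),
}
if __name__ == "__main__":
    for name, (cls, posture) in ENDPOINTS.items():
        print(name, *enforce(cls, posture))
```

The unknown device class and the empty posture both fall through to deny, which is the default-deny behaviour a policy that two teams have actually agreed on needs to state explicitly.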

In order to work, NAC also may require a complete definition of authentication and identity management technologies and practices, experts assert.

"We're talking about changing the entire network and the way it works," Snyder said. "This is a really big deal. It's not a small task, and it's not going to be easy."

IT departments may also have some trouble proving the return on investment on NAC initiatives, Snyder observed. "The ROI on NAC is a big unknown," he said. "If, after you deploy NAC, a virus is prevented, is that because of NAC? Or is it just because of the antivirus software? Conversely, what if a virus hits? Is that NAC's fault? It's going to be a hard thing to quantify."

Vendors continue to paint a pretty picture of NAC. "We believe that customers will ultimately benefit from open, industry standard solutions that incorporate the richest NAC features, enabling organizations to better defend their networks against the increasing number of internal threats," said Rod Murchison, vice president of marketing for Vernier Networks, in a statement that was typical of most of the vendor announcements at the show.

But NAC isn't a foregone conclusion, and it may not be right for every enterprise, Snyder said. "If you're just doing it because it's the ATM or VPN of 2006, then maybe you shouldn't do it."

— Tim Wilson, Site Editor, Dark Reading

  • AEP Networks Inc.
  • Cisco Systems Inc. (Nasdaq: CSCO)
  • Infoblox Inc.
  • Juniper Networks Inc. (Nasdaq: JNPR)
  • Meru Networks Inc.
  • Microsoft Corp. (Nasdaq: MSFT)
  • NeoAccel Inc.
  • Q1 Labs Inc.
  • PatchLink Corp.
  • RSA Security Inc. (Nasdaq: EMC)
  • Symantec Corp. (Nasdaq: SYMC)
  • StillSecure
  • Trapeze Networks Inc.
  • Trusted Computing Group
  • Vernier Networks Inc.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
