
Vendors Get the NAC, But Will Users?

While vendors rolled out product after product for NAC at Interop, experts are wondering how enterprises will make the technology work

INTEROP NEW YORK -- It's called Interop, but this week's show might as well be called NAC Expo. Everywhere you look, vendors and standards groups are announcing new products, doing demos, and singing the praises of Network Admission Control, the "hot technology" that's designed to keep users off the corporate infrastructure unless they comply with predefined security requirements.

Quietly, however, some experts, users, and even vendors are wondering whether NAC will live up to its hype in the near term -- or maybe ever.

There have been at least a dozen NAC-related announcements distributed at Interop in the last two days, each promising to add new functionality to the policy-driven security environment. AEP Networks, Lockdown Networks, NeoAccel, and StillSecure all launched new NAC products at the show. Eight vendors -- including Extreme Networks, Infoblox, Meru Networks, Patchlink, Q1 Labs, RSA Security, Trapeze Networks, and Vernier Networks -- announced plans to support the Trusted Computing Group's (TCG's) Trusted Network Connect (TNC), a proposed set of industry standards for NAC.

But that isn't all. More than 20 vendors -- including Cisco, Microsoft, Juniper, and Symantec -- are participating in InteropLabs' NAC interoperability exhibit, the first live demonstration to show all three of the key NAC architectures (Cisco's NAC, Microsoft's Network Access Protection, and the TCG's TNC) at work side by side. Even more vendors are attending birds-of-a-feather meetings operated by the TCG.

"NAC absolutely will be widely deployed -- it has to be," says Steve Hultquist, principal at Infinite Summit and team leader for the InteropLabs NAC project. "To build a secure environment, you have to protect the network from the devices." NAC technology is ready for testing in the development lab and could be deployed today in single-vendor environments, he notes.

With so much hoopla and activity (and so many major vendors) revolving around a single security idea, you'd think that NAC, or NAP, or TNC, or some permutation of the three, would be a foregone conclusion for most enterprises. But some experts say that's not the case yet, and some wonder if it ever will be.

"[NAC] reminds me of what we went through with enterprise management a few years ago," said one IT executive during a NAC conference session yesterday. "Everybody was saying that they were going to do it, and all the vendors were doing it, and $100,000 later, we had a big system that nobody used." The IT executive declined to identify himself or comment further for this story.

One of the members of the InteropLabs NAC demonstration team noted that there still are major differences between NAC, NAP, and TNC which prevent the disparate NAC environments from working together. "We've got [Cisco's] NAC, which doesn't really work with TNC, and we've got [Microsoft's] NAP, which is running on products that aren't even shipping," said the demo staffer, who asked not to be identified. "The vendors are showing how they can work with one or the other, but it's not like a user could plug it all in together." Cisco and Microsoft have promised to integrate their NAC technologies, but the two have been noncommittal about TNC. (See Getting Ready For NAC/NAP.)

There are some real questions about whether NAC can work in a real-life, multivendor enterprise environment, said Joel Snyder, senior partner at Opus One and member of the InteropLabs NAC demonstration team, in an Interop conference session yesterday.

One of the chief problems with NAC is that it requires IT fiefdoms to agree on a common set of policies for configuring the security of network devices and endpoints -- and a common method of enforcing those policies. Networking people look at NAC much differently than desktop managers do, and it will be difficult for them to agree on the very specific configuration rules NAC requires for each device, he said.

In order to work, NAC also may require a complete definition of authentication and identity management technologies and practices, experts assert.

"We're talking about changing the entire network and the way it works," Snyder said. "This is a really big deal. It's not a small task, and it's not going to be easy."

IT departments may also have some trouble proving the return on investment on NAC initiatives, Snyder observed. "The ROI on NAC is a big unknown," he said. "If, after you deploy NAC, a virus is prevented, is that because of NAC? Or is it just because of the antivirus software? Conversely, what if a virus hits? Is that NAC's fault? It's going to be a hard thing to quantify."

Vendors continue to paint a pretty picture of NAC. "We believe that customers will ultimately benefit from open, industry standard solutions that incorporate the richest NAC features, enabling organizations to better defend their networks against the increasing number of internal threats," said Rod Murchison, vice president of marketing for Vernier Networks, in a statement that was typical of most of the vendor announcements at the show.

But NAC isn't a foregone conclusion, and it may not be right for every enterprise, Snyder said. "If you're just doing it because it's the ATM or VPN of 2006, then maybe you shouldn't do it."

— Tim Wilson, Site Editor, Dark Reading
