Three years ago, network access control was the big buzzword in security.
NAC’s goal was to ensure PCs and other devices knocking on the network door had the latest patches, anti-virus and spyware upgrades before allowing entry, thus blocking dangerous malware.
Call it the firewall behind the firewall. Some even thought NAC was the way to unify all endpoint security. It hasn’t turned out that way.
“It’s a slow uptake,” acknowledges James Quin, a senior research analyst at Info-Tech Research of London, Ont., who specializes in security. “I wouldn’t say there are a large number of organizations that are implementing NAC. They’re certainly not implementing it with any fervour.”
NAC proved to be a lot harder to implement than network technicians realized for a number of reasons, says Phil Hochmuth, a senior analyst with the Yankee Group.
“The issues of how do you protect all the different types of machines that can plug into a corporate network – IP phones, printers, non-Windows-based machines, Macs – made things more complicated.”
A lack of standards has hurt – there are versions from Cisco, Juniper, Microsoft, the Trusted Computing Group and one in the works from the IEEE. And there were reliability problems, such as false positives, which inhibited rather than increased productivity of users knocked offline.
A recent study by Hochmuth of three early appliance-based NAC adopters found two of them praising the technology for policing access to secured segments within the enterprise, but less enthusiastic about using it for blocking questionable devices. Yet Forrester Research found that only four per cent of enterprises it surveyed that had started NAC projects actually finished them.
Network managers and vendors haven’t given up on NAC, but its problems demonstrate the ever-changing landscape of endpoint security.
NAC has ended up being swallowed by some of the leading endpoint protection names as part of a new generation of security platforms.
It’s not hard to see why. According to Gartner, even the best malware signature databases can miss threats as much as 10 per cent of the time, and most have less than a 50 per cent chance of catching completely new threats. Then two years ago, McAfee Total Security emerged, unifying these and other weapons under its ePolicy Orchestrator console. Other security firms ¬responded, the latest September’s release of Symantec Endpoint Protection 11.0.
As Gartner observed in a recent report on what it calls enterprise endpoint protection platforms, the number of competitors is expanding. Joining the traditional trio that has 85 per cent of the market (McAfee, Symantec and Trend Micro) are newcomers like BigFix, Bit9, eEye Digital Security, as well as Microsoft and IBM. Also expanding are their features to include encryption, data loss prevention tools and NAC.
Now, alongside device compliance, NAC fits in with a host of defence weapons such as advanced firewalls with audit capabilities and protections to ¬ensure that the firewall policy is active, detailed event logs, co-ordination with malware protection for the rapid defense of unpatched vulnerabilities and wireless firewall policies, such as enforcing one active network interface card (NIC) to avoid LAN-to-wireless-LAN bridges.
Advanced intrusion protection capabilities in these platforms include deep packet inspection, protocol anomaly detection, comprehensive buffer overflow and program flow control protection and the ability to isolate potentially malicious code. For network managers, some of these multi-layered solutions are a mixed blessing. Many have been stitched together from rapid acquisitions, not all of them smoothly. It’s a hindrance that buyers have to watch for.
For example, Gartner report co-author Neil MacDonald notes that while Microsoft’s latest desktop clients include a firewall, it isn’t managed through its ForeFront suite but through Windows Server, which he calls “a huge oversight.”
Derick Wong, Microsoft Canada’s (NASDAQ: MSFT) senior product manager for security and management products disagreed, saying all security and network management tools run through WinServer’s Systems Centre operations manager.
The Gartner report also said McAfee needs to ¬integrate its acquired technologies into a more ¬cohesive solution, and criticized Symantec EP 11.0 for overlap with Symantec Critical System Protection and Symantec Compliance Manager, which use a separate management and reporting console.
With NAC part of many of these solutions, organizations may take a second look at it. And NAC’s popularity may increase now that it’s integrated with the just-released Windows Server 2008 in a component called Network Access Protection.
However, NAP only protects Windows Vista clients, although a plug-in for Windows XP clients will be out soon. Which leaves two views on network access control’s future.
After examining his case studies, Hochmuth ¬believes most organizations see NAC today as a technology that protects the network after a user has been authenticated.
But Forrester Research argued in a report last year that NAC does belong on the endpoint. Done right, the report says, it can give both pre- and post-admission device and user control.
NAC today has too many silos of policy, the authors wrote, resulting in disjointed policies. Despite the work of vendors, NAC still needs to be enforced by a multitude of infrastructure components – a policy for the VPN for external users and one for the WLAN or Ethernet switch for users inside the organization. Forrester also says today’s NAC is too focused on prevention and not handling newly-emerging threats.
In Forrester’s view host or software-based NAC, such as those found in the endpoint platforms, provide the best solutions because they can leverage other weapons in the defence arsenal. This comprehensive, rather than network-focused approach, will be the heart of NAC 2.0, it says.
There is still a role for NAC at the endpoint, agrees Patrick Wheeler, senior manager of endpoint compliance at Symantec. “NAC in some ways has grown up from the initial view that it was about endpoint compliance and broadened its view,” he says.
Perhaps this year hardware and software makers will add features to let it mature even more.