Everyone wants NAC ... kind of

The industry agrees that Network Access Control is a good idea. Network administrators want it too. So why is there no agreement on how to do it right?

Network Access Control (NAC) remained a key discussion point at the Interop show in the US this week.

But this year, NAC talk has taken a different tack. Vendors now tout interoperability and the potential for standardization in response to users' feeling uneasy about NAC because of possible vendor lock-in.

At the panel discussion "The Truth About NAC," representatives from Cisco, Juniper, McAfee and Microsoft -- along with the Cybersecurity Association, a body that tests and certifies network security products and has plans to test network access control in the very near future -- discussed where NAC is today, where it's going, and what users are demanding.

"Users say NAC is complex," said Vimal Solanski, a senior director with McAfee. "It's a pill that's hard to swallow. The solution must be practical to the point that it coexists with what you have today." Solanski later added that users now say, "I need NAC, but I need something that works with what I've got."

All vendors on the panel agreed that interoperability in most environments is a necessity for network access control. They highlighted Cisco and Microsoft, which are working together on their Network Admission Control (NAC) and Network Access Protection (NAP), respectively, and this week's announcement that Microsoft's NAP is sharing an NAC specification for interoperability with the Trusted Computing Group (TCG)'s Trusted Network Connect (TNC) consortium of NAC vendors and products. The vendors also admitted, however, that a true NAC standard is still a far-off ideal.

The lack of an NAC standard in the near future was no surprise to John Pironti, chief information risk strategist with Getronics.

"[Standardization] has to happen," Pironti said. "But vendors also still need to differentiate themselves from the others. The vendors say, 'We'll play together, but you should use us instead.'"

Many of Pironti's clients are still on the fence about NAC, he said. They meet with vendors but end up deciding they're not ready. That wait-and-see attitude is common in the still-emerging NAC market, mainly because Microsoft's NAP won't be fully operational until the release of Longhorn Server next year.

"Most people are waiting for Microsoft," Pironti said.

What's more, he said, many Getronics clients aren't swayed by talk about NAC interoperability. They hear the chatter but are still fearful to commit because of vendor lock-in. Current interoperability efforts will no doubt work, he said, but making multi-vendor solutions work isn't as easy as vendors make it sound.

"It'll work, but it's not as simple as flipping the switch at this point," Pironti said.

Paul Mayfield, program director for Microsoft's networking group, agreed that users and customers are keeping their fingers crossed for standardization and said Microsoft customers often say that NAP "has to work with what we already have."

Interoperability is a level of insurance with an NAC deployment, Mayfield said, and it should alleviate some user fears of being painted into a corner with the NAC solutions they choose today.

Cisco's Russell Rice, director of security product marketing, agreed.

"People want to deploy technologies that don't introduce changes," he said.

Still, when Pironti raised the question of standardization, most vendors fell back on their NAC partnerships and interoperability specifications, saying that standardization efforts are under way but are still a long way from completion.

"We've barely scratched the surface," said Karthik Krishnan, product line manager for Juniper's Unified Access Control NAC solution, while Mayfield and Rice agreed that there is still more work to be done, pointing out that the IETF is still evaluating possible NAC standards.

"The industry is showing promise toward interoperability," Mayfield said.

Cybersecurity Association's director Paul Hoffman called interoperability a step in the right direction and praised TNC and the IETF for trying to create NAC standards, despite the slow progress.

"There's interoperability, but no standards," he said. "But we have a market today with a fairly reasonable interoperability strategy."

Solanski said, however, that although moves toward interoperability and new NAC specifications are important, NAC will suffer until a true standard is reached.

"We're down from three to two standards," he said. "But that's still one too many."

