Open source NAC on track

Symantec is leading a group that aims to create an open source NAC client (an 802.1X supplicant) for wired and wireless networks.

If you want to protect your networks and data centers from laptops and other mobile devices, network access control (NAC) software may well be on your shopping list.

NAC authentication clients, called supplicants, are small pieces of software that run on mobile devices and request permission to connect. In 802.1X the request goes over the link to the switch or access point (the authenticator), which relays it to an authentication server, typically RADIUS; the server can enforce security policies and trigger updates to antivirus or other security applications on the client before the port is opened and the device can obtain an IP address.
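As an added illustration of the exchange just described, the following Python is example code written for this page; it is not the OpenSEA Alliance's supplicant or any other project's code. It builds and parses the EAPOL and EAP frames of a port-based authentication, models the supplicant, authenticator and a stub authentication server, and only reports the port as authorized on EAP-Success. The identity `laptop01@example.org`, the allow-list and the server's decision rule are assumptions for illustration: a real server would run an EAP method such as EAP-TLS or PEAP after the identity exchange rather than accept an identity by itself.

```python
import struct

# EAPOL (802.1X) header: version(1) type(1) body-length(2), carried in
# Ethernet frames with EtherType 0x888E.  Constants per IEEE 802.1X-2004.
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2

# EAP (RFC 3748) header: code(1) identifier(1) length(2); Request/Response
# packets carry a type byte and type data, Success/Failure carry nothing.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def build_eapol(packet_type: int, body: bytes = b"") -> bytes:
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def build_eap(code: int, identifier: int, eap_type=None, data: bytes = b"") -> bytes:
    payload = bytes([eap_type]) + data if code in (EAP_REQUEST, EAP_RESPONSE) else b""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eapol(frame: bytes):
    """Return (version, type, body); reject truncated frames instead of trusting the length field."""
    if len(frame) < 4:
        raise ValueError("short EAPOL frame")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL length field exceeds frame")
    return version, ptype, body


def parse_eap(body: bytes):
    """Return (code, identifier, type or None, type-data), validating the EAP length."""
    if len(body) < 4:
        raise ValueError("short EAP packet")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    payload = body[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not payload:
            raise ValueError("EAP request/response without type")
        return code, ident, payload[0], payload[1:]
    return code, ident, None, b""


def run_exchange(identity: bytes, allowed=frozenset({b"laptop01@example.org"})):
    """Simulate supplicant -> authenticator -> server.  Returns (port_authorized, transcript).

    The server stub and its allow-list are constructed for this example; the port
    stays unauthorized (no DHCP, no traffic) unless the server answers EAP-Success.
    """
    transcript = []

    # 1. Supplicant announces itself with EAPOL-Start.
    _, ptype, _ = parse_eapol(build_eapol(EAPOL_START))
    if ptype != EAPOL_START:
        raise RuntimeError("unexpected EAPOL type")
    transcript.append("supplicant -> authenticator: EAPOL-Start")

    # 2. Authenticator asks who is on the port: EAP-Request/Identity.
    _, _, body = parse_eapol(build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
    _, req_id, _, _ = parse_eap(body)
    transcript.append("authenticator -> supplicant: EAP-Request/Identity id=%d" % req_id)

    # 3. Supplicant answers with the same identifier: EAP-Response/Identity.
    resp = build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_RESPONSE, req_id, EAP_TYPE_IDENTITY, identity))
    _, _, body = parse_eapol(resp)
    code, resp_id, etype, data = parse_eap(body)
    transcript.append("supplicant -> authenticator: EAP-Response/Identity %r" % data)

    # 4. Authenticator relays the EAP payload to the authentication server (stub).
    #    Identifier must match the outstanding request; unknown identities fail.
    accepted = (code == EAP_RESPONSE and resp_id == req_id
                and etype == EAP_TYPE_IDENTITY and data in allowed)
    verdict = build_eap(EAP_SUCCESS if accepted else EAP_FAILURE, req_id)
    transcript.append("server -> authenticator: %s" % ("Access-Accept" if accepted else "Access-Reject"))

    # 5. Authenticator forwards EAP-Success/Failure and sets the port state.
    _, _, body = parse_eapol(build_eapol(EAPOL_EAP_PACKET, verdict))
    final_code, _, _, _ = parse_eap(body)
    port_authorized = final_code == EAP_SUCCESS
    transcript.append("port %s" % ("authorized" if port_authorized else "unauthorized"))
    return port_authorized, transcript


if __name__ == "__main__":
    for ident in (b"laptop01@example.org", b"intruder@example.org"):
        ok, lines = run_exchange(ident)
        print("\n".join(lines), "\n")
```

The parsing functions check the length fields before trusting them; a supplicant or authenticator that copies `length` bytes without that check is exactly the kind of code an attacker on the same segment can feed malformed EAPOL frames to, since the frames arrive before any authentication has happened.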

An 802.1X supplicant is built into Windows XP and Vista, but most deployments rely on third-party supplicants of varying quality purchased from networking companies.

That inconsistency led Symantec to head an effort to create a consistent, cost-effective alternative, allying with TippingPoint, Trapeze Networks, Extreme Networks, Identity Engines and Infoblox in a consortium called the Open Secure Edge Access (OpenSEA) Alliance to develop it.

Working with Jon Oltsik, a senior analyst with Enterprise Strategy Group, and JANET/UKERNA, the group is building an open source 802.1X supplicant that will authenticate network devices before they are assigned IP addresses.

Alliance members hope the open-source supplicant will help proliferate 802.1X technology much in the same way that OpenSSL did for the Secure Sockets Layer protocol. In turn, that will bring more opportunities to their channel partners, Oltsik said.

"Having an open-source supplicant guarantees some degree of interoperability, and that's where it will most affect the channel," said Brian Smith, chief architect for TippingPoint.

"We all see that 802.1X technology is offering a lot of promise to customers," said Paul Sangster, a distinguished engineer for Symantec and executive director of the OpenSEA Alliance.

"This will support an open environment," he said. "It doesn't matter whose back end is involved. The OpenSEA Alliance supplicant will work."

Most customer organizations do not authenticate endpoint devices in any way, leaving them susceptible to attacks launched from desktop and laptop computers, USB drives, MP3 players and other portable devices. Those that do can either rely on the supplicant in Windows XP or buy third-party products from Cisco, Juniper and some smaller vendors.

"That can get pretty expensive," Smith said. "It's $US20-$US25 a head."

Furthermore, most third-party supplicants do not work well -- or at all -- on non-Windows platforms, Sangster said.

But the biggest reason organizations do not purchase 802.1X is the cost and hassle of upgrading their network infrastructure to be compatible, Maslowski-Yerges said.

Although the OpenSEA Alliance's supplicant won't directly do anything to change that, "it'll be a lot easier for folks to invest in a new architecture on the back end knowing there is a standard that will be supported on the front end," he said.

Those factors spurred the planning of the OpenSEA Alliance, which began last year.

"It really started to look like 802.1X was going to be a proprietary standard rather than an open standard," Oltsik said.

"Creating something around open source made the most sense," Sangster said.

Having the backing of six vendors will make customers more comfortable with using open source software, Smith said. Oltsik said the alliance's supplicant will be "Firefox-like" in terms of its wide availability, robustness, compatibility with multiple platforms and -- hopefully -- its success.

The OpenSEA Alliance, an incorporated nonprofit organization, will demonstrate the supplicant at Interop Las Vegas later this month. There is no timeline for its public release, but "we'll have something that is enterprise class sometime soon," Oltsik said.

The alliance may go on to develop other open source security products, but members are focusing solely on 802.1X now.

"We want to get the first one off the ground," Smith said.