Shifting power from the network to the desktop
matures and gains momentum, but firms struggle with complexity, as Robert
Whiteley, Senior Analyst, Forrester Research, points out.
Enterprise security and network architects are eager to deploy NAC solutions
to build a proactive security framework right into the network fabric. Specifically,
Forrester defines NAC as a mix of hardware and software technologies that
dynamically control client systems' access to networks based on their compliance
Why all the buzz? Because, done right, NAC enables pre- and post-admission compliance
checks, which effectively stop the bad guys from getting on the network in the
first place, as well as kicking off legitimate users if they don't comply
with company policy. Enterprises crave this level of control and granularity.
It not only helps combat regulatory pressures like the Payment Card Industry
(PCI) Data Security Standard and the Health Insurance Portability and Accountability
Act (HIPAA), but also allows firms to realistically enforce security policies
rather than having them simply gather dust on HR department shelves.
Forrester believes that 2006 will bring greater awareness around NAC and a significant
number of real implementations. In fact, anecdotally, we're already seeing
enterprises dedicate IT budget line items to NAC. As a network analyst at one
large healthcare organisation put it, "2006 is the year of NAC for us.
We're dedicating about $250,000 to get started, which includes the
cost of new equipment as well as upgrading our current switch infrastructure."
NAC adoption will remain steady at 40 percent in 2006
To better understand where firms are with NAC, Forrester
recently surveyed 149 technology decision-makers at North American companies
about their approaches. We learned that:
- 40 percent of companies already have or will deploy
NAC in 2006. While just 4 percent of the surveyed companies have already
deployed NAC, 36 percent plan to purchase or implement the technology in 2006.
This is consistent with previous years' surveys, where NAC adoption levels
have stayed consistently between 30 and 40 percent. Not surprisingly,
roughly half of Global 2,000 enterprises (20,000 or more employees) have moved
to NAC, the highest of any group, followed by large enterprises (1,000
to 19,999 employees) at approximately one-third, and small and medium-size
businesses (fewer than 1,000 employees) with around one-quarter having adopted.
- Companies deploying NAC seek control across all access
technologies. NAC provides the holy trinity of secure connectivity: a
universal access control policy across wired, wireless and remote-access media.
This way, security gurus can enforce policies independent of the user's
location and without costly point solutions. So it's no surprise that
53 percent of the companies that are planning to deploy NAC solutions in 2006
are primarily looking to increase security across all three access technologies, more
than the sum of all the individual media combined.
- The remaining companies feel that NAC solutions are
costly and too hard to manage. NAC's primary disadvantage is that
today's solutions are complex. They require the manual integration of
several moving parts at the endpoint, within the network, and
in the back-end with policy servers. As a result, cost and manageability,
at 23 percent and 14 percent respectively, are the primary reasons why 60
percent of the 149 companies have no plans to purchase or implement NAC products
in 2006. Yet we see a silver lining. The next generation of NAC solutions,
from vendors such as ConSentry Networks and Applied Identity, focus on simplicity,
thus driving down costs and integration woes.
|Forrester predicts that 2006 will be
a big year for network access control (NAC), also known as network quarantine,
which provides a framework for proactive network security.
Just how big? In January 2006, Forrester surveyed 149
technology decision-makers at North American companies and found that
more than one-third already plan to adopt NAC this year. Organisations
want NAC for increased security across all access technologies: wired,
wireless and remote-access alike. Companies with no plans to deploy NAC
in 2006 feel that cost and manageability are the primary obstacles.
However, those same companies with no NAC adoption plans
are still looking to put the NAC building-blocks in place; 49 percent
are likely to upgrade their switching hardware to port-based authentication-capable
switches in 2006.
Firms should deploy NAC appliances and software while upgrading
Enterprise environments are complex, to say the least. Most firms will find
a very diverse user and device population, including unmanaged PCs for guest
users, contractors and consultants, as well as IP-enabled phones and printers.
For adequate NAC coverage, we recommend that firms deploy a mix of technologies:
- Ethernet switches for granular quarantining. Ethernet
switches like those from Cisco, HP (ProCurve Networking), Nortel Networks
and Enterasys provide strong port-level authentication coupled with granular
Layer 2 mechanisms like VLANs and MAC address filtering to quarantine non-compliant
Best used for: Managed devices in a tightly-controlled network.
When deploying Ethernet switches, we recommend enabling 802.1X for port-level
control. The downside? 802.1X is most suitable for managed PCs with the
- Appliances for less-intrusive network deployments.
Appliances from vendors such as Caymas Systems, ConSentry, InfoExpress and
Nevis Networks provide in-line and out-of-band NAC solutions. Meaning? You
can put one in the network path for the same granular lockdown capabilities
of a switch, or you can hang one off a switch's SPAN (mirror) ports to provide
a more scalable and less invasive option.
Best used for: Unmanaged devices with older network gear. Appliances
often work in a clientless mode (that is, they don't require
a supplicant or endpoint agent) and gracefully handle unmanaged or unknown
devices. Appliances are ideal for firms that want to avoid the hassles of
a network upgrade or wish to deploy an interim solution before a switch
overhaul is complete.
- Software for scalability at lower costs. The last
option is a pure overlay to the network with quarantining at the software
layer. It is available from vendors like Endforce, McAfee, Symantec and Check
Point Software Technologies. These solutions often provide several access
control mechanisms, but typically sacrifice granularity because they are not
in the network fabric.
Best used for: Managed devices with heterogeneous networks. Firms
with extremely complex switching environments or highly distributed topologies
often look to avoid hardware-based NAC solutions altogether. It is important
to note, however, that most solutions still require some kind of agent (even
if embedded in a client security suite) to be installed on PCs and servers
to provide access control. We've also found that software-based approaches
are popular if IT security or desktop folk are operating the NAC deployment.
What's the best mix? We recommend that firms spend 12-18 months upgrading
their switching hardware, and deploy either an appliance or software solution
in the interim.
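Whichever enforcement point a firm picks, the decision logic lives in the back-end policy server. The Python below is an added example, not code from Forrester's report or from any vendor named above, of what that logic looks like for a switch-based deployment: the pre-admission check maps the 802.1X result plus the endpoint's posture report to a production, guest or quarantine VLAN using the RFC 3580 RADIUS tunnel attributes that 802.1X-capable switches honour; supplicant-less phones and printers are admitted by MAC address filtering; and the post-admission re-check moves a session that drifts out of compliance with a RADIUS Change-of-Authorization (RFC 5176). The VLAN numbers, posture fields, thresholds, MAC entries and sample postures are assumptions constructed for illustration.

```python
"""NAC policy-server decision logic: 802.1X result + endpoint posture -> VLAN.

Added example (not Forrester's or any vendor's code). It models the back-end
policy server: the switch runs 802.1X on the port, relays the exchange to
RADIUS, and the RADIUS reply carries RFC 3580 tunnel attributes that place
the port in a production, guest or quarantine VLAN. Posture fields,
thresholds, VLAN numbers and MAC entries are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# RFC 3580 attribute values for dynamic VLAN assignment over 802.1X.
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type (attribute 64) = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type (attribute 65) = IEEE-802

# VLAN numbers: assumptions for this example.
PRODUCTION_VLAN = 10
GUEST_VLAN = 50
QUARANTINE_VLAN = 99

# Devices that cannot run a supplicant (IP phones, printers) are admitted by
# MAC address filtering into a restricted VLAN. Constructed sample entries.
MAC_ALLOWLIST = {
    "00:1b:63:aa:bb:cc": ("ip-phone", 20),
    "00:0d:93:11:22:33": ("printer", 30),
}


@dataclass
class Posture:
    """Posture report from an endpoint agent (assumed fields)."""
    av_signature_date: Optional[date]
    patches_current: bool
    host_firewall_on: bool


def evaluate_posture(p: Posture, today: date, max_sig_age_days: int = 7) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if p.av_signature_date is None or today - p.av_signature_date > timedelta(days=max_sig_age_days):
        violations.append("antivirus-signatures-stale")
    if not p.patches_current:
        violations.append("missing-critical-patches")
    if not p.host_firewall_on:
        violations.append("host-firewall-disabled")
    return violations


def vlan_attributes(vlan: int) -> dict:
    """RADIUS Access-Accept attributes that steer an 802.1X port into `vlan`."""
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": str(vlan)}


def _accept(vlan: int, reason) -> dict:
    return {"code": "Access-Accept", "vlan": vlan, "attrs": vlan_attributes(vlan), "reason": reason}


def admission_decision(eap_success: Optional[bool], mac: str,
                       posture: Optional[Posture], today: date) -> dict:
    """Pre-admission decision for one port.

    eap_success: True/False for an 802.1X result, None if no supplicant answered.
    posture:     the agent's report, or None if the endpoint sent none.
    """
    if eap_success is None:                       # no supplicant: MAC filtering
        if mac.lower() in MAC_ALLOWLIST:
            kind, vlan = MAC_ALLOWLIST[mac.lower()]
            return _accept(vlan, kind)
        return _accept(GUEST_VLAN, "unknown-device")   # guest VLAN, Internet only
    if not eap_success:
        return {"code": "Access-Reject", "reason": "802.1X-auth-failed"}
    if posture is None:
        # Authenticated but unverifiable: quarantine until the agent reports.
        return _accept(QUARANTINE_VLAN, "no-posture-report")
    violations = evaluate_posture(posture, today)
    return _accept(QUARANTINE_VLAN if violations else PRODUCTION_VLAN,
                   violations or "compliant")


def post_admission_check(current_vlan: int, posture: Posture, today: date) -> dict:
    """Post-admission re-check: move a drifting session with RADIUS CoA (RFC 5176)."""
    violations = evaluate_posture(posture, today)
    if current_vlan == PRODUCTION_VLAN and violations:
        return {"action": "CoA", "attrs": vlan_attributes(QUARANTINE_VLAN), "reason": violations}
    if current_vlan == QUARANTINE_VLAN and not violations:
        return {"action": "CoA", "attrs": vlan_attributes(PRODUCTION_VLAN), "reason": "remediated"}
    return {"action": "none", "reason": violations or "compliant"}


# Constructed sample inputs for the demo.
SAMPLE_TODAY = date(2006, 3, 1)
SAMPLE_COMPLIANT = Posture(av_signature_date=date(2006, 2, 27), patches_current=True, host_firewall_on=True)
SAMPLE_STALE_AV = Posture(av_signature_date=date(2006, 1, 10), patches_current=True, host_firewall_on=True)
SAMPLE_BAD = Posture(av_signature_date=None, patches_current=False, host_firewall_on=False)

if __name__ == "__main__":
    print(admission_decision(True, "00:50:56:de:ad:01", SAMPLE_COMPLIANT, SAMPLE_TODAY))
    print(admission_decision(True, "00:50:56:de:ad:02", SAMPLE_STALE_AV, SAMPLE_TODAY))
    print(admission_decision(None, "00:1B:63:AA:BB:CC", None, SAMPLE_TODAY))
    print(post_admission_check(PRODUCTION_VLAN, SAMPLE_STALE_AV, SAMPLE_TODAY))
```

The point of the split between admission_decision and post_admission_check is the article's own: pre-admission keeps non-compliant hosts off the production VLAN, while the periodic re-check is what lets the policy server "kick off" a host that was compliant when it connected but has since fallen behind, without the switch or the user doing anything.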
|NAC will shift power
from the network to the desktop
Any vendor will tell you that NAC solutions are budgeted,
deployed and maintained by the networking staff. Ask any enterprise and
the answer will differ. During the past three years we've found that
NAC presents a significant challenge to the average IT shop.
Why? Because it requires that desktop operations, networking
and security folk collaborate. Ultimately, we feel that the vendors have
it half right: network architects and engineers will operate and maintain
NAC gear, but we predict that enterprises will shift policy creation (the
heart and soul of the NAC deployment) to the desktop security and operations
expert, an IT buyer who understands deploying large-scale, policy-based
Debunking the myth: Network upgrades are already underway
to support NAC
Most vendors, besides Cisco, are marketing their solutions as avoiding
the hassle of a network upgrade. Sounds good, right? Recent data proves this
The biggest NAC drawback is upgrading edge switches to support 802.1X, the dominant
underpinning for switch-based solutions. But when we asked folk about their
upgrade plans, we found that almost half of the companies with no plans to deploy
NAC in 2006 are likely to upgrade at least some of their switching hardware
in 2006 anyway. In fact, 10 percent of them are already underway. Just 23 percent
of the companies that we surveyed are not at all likely to upgrade in 2006.