Shifting ‘power’ from the network to the desktop

NAC matures and gains momentum, but firms struggle with complexity as Robert Whiteley, Senior Analyst, Forrester Research points out

Enterprise security and network architects are eager to deploy NAC solutions to build a proactive security framework right into the network fabric. Specifically, Forrester defines NAC as “a mix of hardware and software technologies that dynamically control client systems’ access to networks based on their compliance with policy.”

Why all the buzz? Because, done right, NAC enables pre- and post-admission compliance checks which effectively stop the bad guys from getting on the network in the first place, as well as kicking-off legitimate users if they don’t comply with company policy. Enterprises crave this level of control and granularity. It not only helps combat regulatory pressures like the Payment Card Industry (PCI) Data Security Standard and the Health Insurance Portability and Accountability Act (HIPAA), but also allows firms to realistically enforce security policies rather than having them simply gather dust on HR department shelves.

Forrester believes that 2006 will bring greater awareness around NAC and a significant number of real implementations. In fact, anecdotally, we’re already seeing enterprises dedicate IT budget line items to NAC. As a network analyst at one large healthcare organisation put it, “2006 is the year of NAC for us. We’re dedicating about $250,000 to get started—which includes the cost of new equipment as well as upgrading our current switch infrastructure.”

NAC adoption will remain steady at 40 percent in 2006

To better understand where firms are with NAC, Forrester recently surveyed 149 technology decision-makers at North American companies about their approaches. We learned that

• 40 percent of companies already have or will deploy NAC in 2006. While just 4 percent of the surveyed companies have already deployed NAC, 36 percent plan to purchase or implement the technology in 2006. This is consistent with previous years’ surveys where NAC adoption levels have stayed consistently between the 30 and 40 percent. Not surprisingly, roughly half of Global 2,000 enterprises (20,000 or more employees) have moved to NAC—the highest of any group—followed by large enterprises (1,000 to 19,999 employees) at approximately one-third, and small and medium-size businesses (less than 1,000 employees) with around one-quarter having adopted it.
• Companies deploying NAC seek control across all access technologies. NAC provides the holy trinity of secure connectivity: a universal access control policy across wired, wireless and remote-access media. This way, security gurus can enforce policies independent of the users’ location and without costly point-solutions. So it’s no surprise that 53 percent of the companies that are planning to deploy NAC solutions in 2006 are primarily looking to increase security across all three access technologies—more than the sum of all the individual media combined.
• The remaining companies feel that NAC solutions are costly and too hard to manage. NAC’s primary disadvantage is that today’s solutions are complex. They require the manual integration of several ‘moving parts’ at the endpoint, within the network, and in the back-end with policy servers. As a result, cost and manageability, at 23 percent and 14 percent respectively, are the primary reasons why 60 percent of the 149 companies have no plans to purchase or implement NAC products in 2006. Yet we see a silver lining. The next generation of NAC solutions, from vendors such as ConSentry Networks and Applied Identity, focus on simplicity, thus driving down costs and integration woes.

Firms should deploy NAC appliances and software while upgrading switches

Enterprise environments are complex, to say the least. Most firms will find a very diverse user and device population, including unmanaged PCs for guest users, contractors and consultants, as well as IP-enabled phones and printers. For adequate NAC coverage, we recommend that firms deploy a mix of technologies, including

• Ethernet switches for granular quarantining. Ethernet switches like those from Cisco, HP (ProCurve Networking), Nortel Networks and Enterasys provide strong port-level authentication coupled with granular Layer 2 mechanisms like VLANs and MAC address filtering to quarantine non-compliant users.

  Best used for: Managed devices in a tightly-controlled network. When deploying Ethernet switches, we recommend enabling 802.1X for port-level control. The downside? 802.1X is most suitable for managed PCs with the proper supplicants.

• Appliances for less-intrusive network deployments. Appliances from vendors such as Caymas Systems, ConSentry, InfoExpress and Nevis Networks provide in-line and out-of-band NAC solutions. Meaning? You can put one in the network path for the same granular lockdown capabilities of a switch, or you can hang one off a switch’s spanning ports to provide a more scalable and less invasive option.

  Best used for: Unmanaged devices with older network gear. Appliances often work in a ‘clientless’ mode (that is, they don’t require a supplicant or endpoint agent) and gracefully handle unmanaged or unknown devices. Appliances are ideal for firms that want to avoid the hassles of a network upgrade or wish to deploy an interim solution before a switch overhaul is complete.

• Software for scalability at lower costs. The last option is a pure overlay to the network with quarantining at the software layer. It is available from vendors like Endforce, McAfee, Symantec and Check Point Software Technologies. These solutions often provide several access control mechanisms, but typically sacrifice granularity because they are not in the network fabric.

  Best used for: Managed devices with heterogeneous networks. Firms with extremely complex switching environments or highly distributed topologies often look to avoid hardware-based NAC solutions altogether. It is important to note, however, that most solutions still require some kind of agent (even if embedded in a client security suite) to be installed on PCs and servers to provide access control. We’ve also found that software-based approaches are popular if IT security or desktop folk are operating the NAC deployment.

What’s the best mix? We recommend that firms spend 12-18 months upgrading their switching hardware, and deploy either an appliance or software solution in the interim.

Debunking the myth: Network upgrades are already underway to support NAC

Most vendors—besides Cisco—are marketing their solutions as avoiding the hassle of a network upgrade. Sounds good, right? Recent data proves this point moot.

The biggest NAC drawback is upgrading edge switches to support 802.1X, the dominant underpinning for switch-based solutions. But when we asked folk about their upgrade plans, we found that almost half of the companies with no plans to deploy NAC in 2006 are likely to upgrade at least some of their switching hardware in 2006 anyway. In fact, 10 percent of them are already underway. Just 23 percent of the companies that we surveyed are not at all likely to upgrade in 2006.