Network access control (NAC) has been one of the most hyped security technologies on the market but enterprises were slow to deploy it. Industry analysts, however, say the hype is subsiding and that companies
"We now see a more mainstream set of enterprises whetting their appetites and preparing to deploy NAC in large, production networks," Robert Whiteley, a principal analyst and research director at Forrester Research Inc., wrote in a recent report.
Financial services firms in particular are moving towards NAC, said Lawrence Orans, a research director at Gartner: "Anyone that has a lot to lose is concerned with NAC, and financial firms fall into that category."
In a March report, Gartner said it has seen strong growth in NAC deployments during the past two years with NAC revenues growing 87% from 2006 to $225 million in 2007. The firm forecasts NAC revenues of nearly $450 million this year.
Still, issues remain with NAC, which aims to mitigate risk by restricting network access to endpoints that comply with security policy. Here are some of the top challenges associated with deploying the technology:
A report last year by Current Analysis showed cost as the top barrier to adoption of NAC solutions, closely followed by complexity. Companies' concerns over cost and complexity stemmed from their expectations that NAC required significant changes to the infrastructure, the firm said.
One way to deploy NAC is to take the infrastructure-based approach of Cisco Systems or Juniper Networks, which requires a combination of technologies including VPNs, firewalls and a centralized policy server, said Chris Rodriguez, a research analyst at Frost & Sullivan. Upgrading an infrastructure for NAC can be expensive.
The appliance-based approach also can be costly, said Gartner's Orans. "We call that sprinkling boxes everywhere. If you do that, it gets expensive."
In addition, many organizations overlook the burden placed on underlying components such as DHCP, DNS and RADIUS services, according to Whiteley. "Implementing NAC will dramatically increase utilization of these components, so make sure they're up to snuff and don't rely on open source software running on outdated hardware," he wrote in an April 23 report.
Companies that tackle NAC can run into touchy political and operational issues when it comes to quarantining machines that are noncompliant with security policy. "Say there's a C-level executive and that person's endpoint is not compliant. Do you quarantine that person, and if you do, is that problematic to the business?" Orans said.
Then, there's the problem of having the resources to deal with a deluge of helpdesk calls from employees with quarantined machines on a Monday morning. To avoid those issues, many organizations deploying NAC aren't yet quarantining noncompliant systems, Orans said. Instead, they're using NAC in a monitoring mode, to learn about the compliance levels of their endpoints.
Whiteley describes automated remediation of noncompliant endpoints as "one of the greatest fallacies surrounding NAC." Most products don't natively push down the latest patches and antivirus updates; instead they direct a user to an internal Web site with a list of actions and links. Consequently, companies still complain about increased help desk calls and poor end-user experiences, he said.
Lack of comprehensive control
While many organizations embark on NAC with the notion that a single technology will manage access for both non-employees (guests) and employees, segmenting access is complex and requires integration with an identity and access management tool, according to Whiteley. Most NAC products lack this integration or provide only limited capabilities, either by integrating with Active Directory or by equating user identity with machine identity, Whiteley said.
Financial services firms have unique user scenarios, which require flexible architectures that provide identity integration and ease of use, Whiteley said in an email. For example, many have "high-powered users" like traders who need special access, which requires role-based access control. They also have guest users such as contractors and auditors that have varying degrees of trust and access privileges, he said.
Orans said guest networking is the first priority for most of the organizations his firm has spoken with, adding that guest networking is phase one for NAC but not true NAC. "It doesn't become true NAC until you turn your attention to your internally managed machines and are able to assess the health level of those endpoints."
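The decision logic the analysts describe above (posture assessment of managed endpoints, a monitoring mode that logs rather than quarantines, a remediation list rather than automatic patching, separate handling of guests, and role-based placement for users such as traders) can be sketched as a small policy evaluator. The following is an added illustration written for this page, not code from any NAC product or vendor named in the article; the posture fields, policy thresholds, role names and VLAN names are all assumed, and the sample endpoints are constructed.

```python
"""Toy NAC posture-policy evaluator (added illustration, not a product's code)."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    MONITOR = "monitor"    # assess and log, never quarantine (what many early deployments do)
    ENFORCE = "enforce"    # move noncompliant managed hosts to a remediation VLAN


class Decision(Enum):
    ALLOW = "allow"
    LOG_ONLY = "log_only"
    QUARANTINE = "quarantine"


@dataclass(frozen=True)
class Posture:
    """Endpoint health as reported by a NAC agent (fields are assumed, for illustration)."""
    host: str
    user: str
    role: str              # "employee", "trader" or "guest" (hypothetical roles)
    patch_age_days: int    # days since the OS was last patched
    av_sig_age_days: int   # days since antivirus signatures were updated
    firewall_on: bool


# Hypothetical policy thresholds and role-to-VLAN mapping.
POLICY = {"max_patch_age_days": 30, "max_av_sig_age_days": 7, "require_firewall": True}
ROLE_VLAN = {"employee": "corp", "trader": "trading-desk", "guest": "guest-internet-only"}


def check_compliance(p: Posture, policy: dict = POLICY) -> list[tuple[str, str]]:
    """Return (code, user-facing remediation step) per failed check; empty list means compliant."""
    findings = []
    if p.patch_age_days > policy["max_patch_age_days"]:
        findings.append(("patches", f"Install OS updates (last patched {p.patch_age_days} days ago; "
                                    f"limit is {policy['max_patch_age_days']})."))
    if p.av_sig_age_days > policy["max_av_sig_age_days"]:
        findings.append(("antivirus", f"Update antivirus signatures (currently {p.av_sig_age_days} days old)."))
    if policy["require_firewall"] and not p.firewall_on:
        findings.append(("firewall", "Enable the host firewall."))
    return findings


def evaluate(p: Posture, mode: Mode) -> dict:
    """Decide network placement for one endpoint under the given operating mode."""
    if p.role == "guest":
        # Guest networking: no posture assessment, just an isolated VLAN.
        return {"host": p.host, "decision": Decision.ALLOW, "vlan": ROLE_VLAN["guest"], "remediation": []}
    findings = check_compliance(p)
    if not findings:
        return {"host": p.host, "decision": Decision.ALLOW, "vlan": ROLE_VLAN[p.role], "remediation": []}
    # The remediation list is what a captive portal page would present to the user.
    steps = [msg for _, msg in findings]
    if mode is Mode.MONITOR:
        return {"host": p.host, "decision": Decision.LOG_ONLY, "vlan": ROLE_VLAN[p.role], "remediation": steps}
    return {"host": p.host, "decision": Decision.QUARANTINE, "vlan": "remediation", "remediation": steps}


def compliance_report(endpoints: list[Posture]) -> dict:
    """Summarise managed (non-guest) endpoints: the view monitoring mode is used to obtain."""
    managed = [p for p in endpoints if p.role != "guest"]
    tally = Counter()
    noncompliant = 0
    for p in managed:
        findings = check_compliance(p)
        if findings:
            noncompliant += 1
            tally.update(code for code, _ in findings)
    return {"managed": len(managed), "compliant": len(managed) - noncompliant,
            "noncompliant": noncompliant, "by_finding": dict(tally)}


# Constructed sample posture data.
SAMPLE_ENDPOINTS = [
    Posture("ws-exec-01", "cfo", "employee", patch_age_days=45, av_sig_age_days=2, firewall_on=True),
    Posture("ws-trader-07", "trader1", "trader", patch_age_days=10, av_sig_age_days=1, firewall_on=True),
    Posture("ws-hr-12", "hr2", "employee", patch_age_days=5, av_sig_age_days=14, firewall_on=False),
    Posture("lt-auditor-03", "auditor", "guest", patch_age_days=90, av_sig_age_days=30, firewall_on=False),
]

if __name__ == "__main__":
    print(compliance_report(SAMPLE_ENDPOINTS))
    for mode in Mode:
        for p in SAMPLE_ENDPOINTS:
            r = evaluate(p, mode)
            print(mode.value, r["host"], r["decision"].value, r["vlan"], r["remediation"])
```

Running the same posture data through both modes shows the operational trade-off from the article: in monitor mode the executive's out-of-date workstation stays on the corporate VLAN and only generates a finding, while in enforce mode it lands in the remediation VLAN with a list of steps the user must carry out themselves. The guest laptop is never assessed, which is why the analysts class guest networking as a first phase rather than full NAC.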
NAC certainly doesn't lack for standards efforts. There's Cisco's Network Admission Control (NAC) program, Microsoft's Network Access Protection (NAP) initiative, and the Trusted Computing Group's Trusted Network Connect (TNC) consortium. While Cisco and Microsoft have pledged interoperability, they haven't delivered on it yet, Orans said. Part of the problem was that Microsoft was slow to ship Windows Server 2008 – an integral part of its NAP initiative, he said.
The problem with all of the standards efforts, according to Whiteley, is that they only address a low-level of NAC interoperability and don't look at how to create an extensible policy framework that works with any vendor. "The bottom line: Enterprises need to manually glue NAC components together, and many mainstream organizations are leery of painting themselves into a corner with proprietary, obsolescing technology," he wrote.