4/9/2008 -- The market and technology for network access control (NAC) is maturing, but the offerings from vendors exhibiting their wares at this year's RSA Security conference show that it is still far from being a commodity.

"The NAC space has now got enough gravity that the definition is clear," said Greg Stock, chief executive officer at Austin, Texas-based Mirage Networks. That definition is to scan endpoints connecting to a network to confirm their conformity with security and configuration policies and monitor activities once connected.

But there are still a lot of choices about how to go about doing it. The Mirage offering is a network appliance that works without agents. Enterasys Networks of Andover, Mass. announced an appliance that works with or without agents in addition to having switching and routing capability to give it greater insight into the network. Bedford, Mass.-based NetClarity is touting a NAC-wall -- as in firewall -- appliance that does not use agents, and ranges from a handheld size for small offices to a rack-mounted unit for protecting networks of more than 2,000 IP addresses. Boston's Sophos has incorporated NAC into its endpoint protection product, an agent that works with a central management console but no network appliance.

And then you have to decide whether you want your NAC to work in-line, out-of-band or virtually in-line.

The good news is that there is a trend toward interoperability in NAC so that new solutions can be plugged into networks from any vendor -- or from multiple vendors -- without upgrading routers and switches.

The job of defending the network traditionally has been done by establishing a perimeter of anti-virus protection, firewalls, intrusion detection and prevention, and other gateways and filters. But with the increased mobility of users, growing demand for remote access and the expanded use of software and applications hosted on the Internet, the perimeter has all but disappeared as a defensible boundary. So there is a growing emphasis on ensuring that users and devices connecting with the network are authorized to do so and comply with policies for security and configuration.

"In the last couple of years, network access control has emerged in the evolution of network security," Stock said. "We're starting to see one person taking responsibility for access to the network," leveraging traditional perimeter tools such as firewalls and anti-virus in addition to NAC systems. "It is now budgeted in the enterprise."

In the past five years Mirage has seen the size of its average deal increase from about $20,000 to around $100,000.

Not everyone is in the same place on the NAC curve, however. "I don't think the evolution of NAC has hit the federal government," Stock said. "They are a little behind." State and local governments tend to be ahead of the feds on this curve. "It is moving very quickly" in that market, he added.

A primary reason for the lag is that the federal budget cycle slows the implementation of new technology, Stock said. But Mirage is in the process of getting Common Criteria certification for its NAC appliance. "We see signs it is going to be big" in the federal market, he said.

The Mirage appliance does not require an agent, software installed on the user endpoint that tracks the health and configuration of the computer connecting to the network. This means that IT administrators do not have to install and manage another application on desktop and laptop PCs. On the other hand, the burden of scanning each device is placed on the network appliance. The Mirage appliance works in Layer 2, so it is network-agnostic, and although it is not in-line -- that is, it does not intercept the connection and approve the endpoint before passing it on to the network -- it acts as a gateway for the endpoint. Mirage calls that being virtually in-line.

Enterasys' Network Access Control offers agentless scanning by default but will support third-party agents. Many customers opt for agentless scanning because the network operations team, which typically deploys NAC, does not have to bother the desktop operations people with agent deployment.

"An agent can give you a faster ability to evaluate the health posture," said Trent Waterhouse, marketing vice president at Enterasys. When NAC does not use an agent, users typically are allowed to connect to the network -- at least in a limited way -- while the appliance scans the endpoint, which can take 20 to 60 seconds. If the endpoint is not up to snuff, the NAC can then remove it from the network. Risks to the network during that 20- to 60-second window can be mitigated by limiting the endpoint's access to the network and by traditional tools.

The latest version of the Enterasys product, version 3.1, was announced at the RSA show and has switching and routing capability, which lets it identify rogue devices on the network that might not be apparent to other scans.

"You listen to all the switching and routing messages and all the routing protocols, so you can understand when something unauthorized gets attached," Waterhouse said. Large customers who have been using the version also like the IP-to-ID mapping feature on Enterasys, he said. It binds together the username, IP address, MAC address and physical port of each endpoint, letting administrators see, identify and track for forensics use every user on the network.

Microsoft has implemented its own version of NAC, Network Access Protection, as a network policy enforcement platform for Windows Vista and Server 2008. At least one vendor, Santa Clara, Calif.-based McAfee, has announced that its products will support NAP beginning with the beta release of its Network Access Control 3.0. McAfee NAC will perform a health check of 600 factors on connecting devices with custom checks also available.

Another concept gaining acceptance is NAC as a managed service. Several companies, such as AT&T, Network Vigilance and several regional providers, offer this service so that enterprises do not have to invest in the infrastructure, training and administration of access control.

"We're seeing a lot of uptake on this," said Mirage's Stock.

With a managed service, the appliance -- which the customer can buy or pay a fee to use -- still resides on the network, but it is managed centrally by the service provider. The largest enterprises will continue to manage their own NAC, Stock said, but smaller organizations tired of keeping up with the latest security technology will be able to take advantage of this opportunity to outsource. --William Jackson, courtesy of GCN.com