2/21/2006 -- Give Cisco Systems Inc. credit: It was onto a good thing with Network Admission Control (NAC), its endpoint security, policy enforcement and network access management program that made a NAC of a different kind -- i.e., Network Access Control -- a household acronym almost 30 months ago.

Since NAC first went live in November 2003, Cisco has signed up a who's who of industry heavyweights -- including IBM Corp., Network Associates Inc., Microsoft Corp., Symantec Corp. and Trend Micro Inc. -- to deliver (or go through the motions of delivering) NAC-friendly solutions. The result? Even though some industry watchers have derided Cisco's network self-defense strategy as hopelessly scattershot, they've typically given NAC itself much better reviews.

Success inspires imitation, and Nortel Networks Inc. recently threw its hat into the NAC ring with SNA, a Secure Network Access program (not to be confused with the mainframe-centric SNA of old, Systems Network Architecture) that the company hopes will rival Cisco's prescient NAC scheme. Last week, Nortel announced its first SNA deliverable -- the Secure Network Access Switch, which (in true Machiavellian fashion) it positions as compatible with the Microsoft Network Admission Control (NAP) program and the Trusted Computing Group's Trusted Network Connect (TNC) initiative -- but not Cisco's NAC.

Analysts like what they see, but say that as a late comer to the NAC arena, Nortel has to make up a lot of ground. "Nortel is shrewdly leveraging its existing assets in combination with best-of-breed industry partner solutions to ensure that it can respond to competitive threats and present customers with a complete end-to-end architecture for enterprise access both inside and outside the enterprise perimeter," says Joel Conover, a principal analyst for enterprise infrastructure with consultancy Current Analysis.

At first glance, Nortel's new SNA switch appears to deliver the goods. It can support pre-admission posture assessment and post-admission proactive monitoring to ensure compliance with access policies, Conover says, and -- in time -- will be able to interoperate with firmware on Nortel's LAN switches, routers and VPN platforms to enforce policy-based access. Conover acknowledges, however, that Nortel is still in the midst of delivering SNA firmware support on its Ethernet switches, which might engender "some concern that Nortel is jumping the gun on the SNA announcement."

But Nortel faces an uphill struggle, Conover says. "Nortel is jumping into the frenetic circus that is the Network Admission Control market, and while this technology is absolutely critical to Nortel and its success in the enterprise market, Nortel is late, and needs to have validation and market differentiation to distinguish its solution clearly in a very busy market."

It's also crucial that Nortel doesn't oversell SNA, he argues. "Nortel is couching SNA in promises including critical support for its Ethernet switching platforms as well as tighter integration with its SSL VPN access solution. Nortel needs to be very clear and upfront about how its solution can be leveraged today, and what customers will gain when Nortel completes its firmware implementation in the near future." Conover says Nortel should consider establishing "hard, external-facing time deadlines" to demonstrate to customers that it's committed to delivering SNA features in a timely manner.

Given marketplace confusion over Cisco's NAC, Microsoft's NAP, TCG's TNG and other NAC solutions, new entrants such as Nortel must tread carefully. "There is a great deal of uncertainty in the market as the result of Microsoft, its NAP initiative, Cisco and its NAC initiative, and the TCG/TNC, and dozens of implementations coming from small and large competitors alike in the market," Conover concludes. "Nortel is attempting to straddle the NAP and TCG/TNC issues, but needs to bring credibility to its solution through demonstrations of actual partner-enabled integrations." -Stephen Swoyer