Friday | 10 July, 2009
CSO
Having a NAC for network security
Although NAC may be a young and not yet fully defined technology, it can deliver value in the right circumstances
Tim Greene (Network World) 21/11/2006 11:21:05

Understanding the NAC universe

That is the core of NAC. Some companies call themselves NAC vendors, but what they really mean is that their products fit into a broader NAC environment.

For example, CA says it has joined Cisco's NAC plan, which it has, by virtue of its eTrust antivirus and antispyware software being able to deliver status information to Cisco's Trust Agent. The agent gathers data from the CA software and other software on desktops and laptops to develop a profile of the computers trying to access the network.

Similarly, IBM's Tivoli Security Compliance Manager is compatible with Cisco's NAC because it scans machines coming onto the network. By itself it can't enforce whether the device gains access. It still needs infrastructure from Cisco or some other vendor to enforce policy.

eTrust and Security Compliance Manager software fit into NAC architectures but can't create NAC environments on their own. Cisco, Microsoft and TCG list scores of partners whose gear fits in their NAC schemes and can claim to be NAC vendors. Customers must find out what a vendor means by "NAC support."
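The split the preceding paragraphs describe, between desktop products that only report posture, an agent that aggregates those reports into a profile, a policy engine that decides, and separate infrastructure that enforces, is easier to see in code. The following is an added illustration written for this page, not code from Cisco, CA, IBM or any other vendor named here; the collector names, report-age threshold, directory groups and VLAN numbers are constructed assumptions, and the RADIUS attributes at the end are the standard RFC 3580 dynamic-VLAN attributes an 802.1X switch acts on. Note that a host with no agent report at all, or a stale one, lands in remediation rather than passing by default.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy constants (assumptions, not any vendor's defaults).
MAX_REPORT_AGE = timedelta(hours=24)          # posture older than this counts as unknown
REQUIRED_COLLECTORS = ("antivirus", "patch")  # every managed host must report both
ALLOWED_GROUPS = {"staff", "student"}         # directory groups granted network access
VLAN_FOR_ROLE = {"full": 10, "remediation": 900, "guest": 200}

@dataclass
class PostureReport:
    collector: str          # which desktop product produced it, e.g. "antivirus"
    compliant: bool
    reported_at: datetime

@dataclass
class Endpoint:
    mac: str
    user: Optional[str]                 # None for an unauthenticated visitor
    groups: frozenset = frozenset()     # groups pulled from the directory
    reports: list = field(default_factory=list)

@dataclass
class Decision:
    role: str               # "full", "remediation", "guest" or "deny"
    vlan: Optional[int]     # None means reject outright
    reasons: tuple

def build_profile(ep: Endpoint, now: datetime) -> dict:
    """Fold raw collector reports into one status per required collector.
    Only the newest report per collector counts; a missing or stale report
    is treated as a failure so an absent agent cannot pass by default."""
    newest = {}
    for r in ep.reports:
        if r.collector not in newest or r.reported_at > newest[r.collector].reported_at:
            newest[r.collector] = r
    profile = {}
    for name in REQUIRED_COLLECTORS:
        r = newest.get(name)
        if r is None:
            profile[name] = "missing"
        elif now - r.reported_at > MAX_REPORT_AGE:
            profile[name] = "stale"
        elif not r.compliant:
            profile[name] = "noncompliant"
        else:
            profile[name] = "ok"
    return profile

def decide(ep: Endpoint, now: datetime) -> Decision:
    """Policy decision point: identity is checked first, then posture."""
    if ep.user is None:
        # Visitor: Internet-only guest VLAN; posture is not even consulted.
        return Decision("guest", VLAN_FOR_ROLE["guest"], ("no authenticated user",))
    if not (ep.groups & ALLOWED_GROUPS):
        return Decision("deny", None, ("user not in an allowed group",))
    failures = tuple(f"{k}:{v}" for k, v in build_profile(ep, now).items() if v != "ok")
    if failures:
        # Authenticated but failing posture: VLAN that reaches only patch/AV servers.
        return Decision("remediation", VLAN_FOR_ROLE["remediation"], failures)
    return Decision("full", VLAN_FOR_ROLE["full"], ("posture ok",))

def radius_vlan_attributes(d: Decision) -> dict:
    """What an 802.1X enforcement point (the switch) receives: RFC 3580
    dynamic-VLAN attributes in an Access-Accept, or an Access-Reject."""
    if d.vlan is None:
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": 13,               # VLAN
        "Tunnel-Medium-Type": 6,         # IEEE-802
        "Tunnel-Private-Group-ID": str(d.vlan),
    }

# Constructed sample input: a fixed "now" and five endpoints.
NOW = datetime(2006, 11, 21, 11, 0, tzinfo=timezone.utc)
SAMPLE = [
    Endpoint("00:11:22:33:44:01", "jdoe", frozenset({"staff"}), [
        PostureReport("antivirus", True, NOW - timedelta(hours=1)),
        PostureReport("patch", True, NOW - timedelta(hours=2)),
    ]),
    Endpoint("00:11:22:33:44:02", "asmith", frozenset({"student"}), [
        PostureReport("antivirus", False, NOW - timedelta(hours=1)),  # signatures out of date
        PostureReport("patch", True, NOW - timedelta(days=3)),        # report too old
    ]),
    Endpoint("00:11:22:33:44:03", "mlee", frozenset({"staff"}), []),       # no agent installed
    Endpoint("00:11:22:33:44:04", "bob", frozenset({"contractor"}), []),   # group not allowed
    Endpoint("00:11:22:33:44:05", None, frozenset(), []),                  # unauthenticated visitor
]

def evaluate_all(endpoints=SAMPLE, now=NOW) -> dict:
    """Map each MAC to its decision; this is what enforcement points act on."""
    return {ep.mac: decide(ep, now) for ep in endpoints}

if __name__ == "__main__":
    for mac, d in evaluate_all().items():
        print(mac, d.role, d.vlan, d.reasons, radius_vlan_attributes(d))
```

The enforcement step is deliberately kept outside `decide`: the same `Decision` could just as well be rendered as a firewall rule set for an inline appliance, which is exactly why a product that only produces posture data, or only makes decisions, still needs infrastructure from someone else before it is a NAC deployment.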

Another major complicating factor is that Microsoft has its own NAC architecture called Network Access Protection (NAP). Because it involves Microsoft and its pervasive server and desktop software, NAP is a major factor in the NAC universe. The problem is that key components aren't available, making interoperability impossible to test beyond limited beta versions of Microsoft's NAP platforms.

On the upside, 75 vendors have pledged to make their gear interoperable with Microsoft NAP components when they become available. This includes Cisco, with which Microsoft is developing NAP and Cisco NAC interoperability. Cisco, which is pushing the IETF for NAC standards but does not participate in TCG, has about 30 partners shipping Cisco NAC-compatible gear and another 27 developing such products.

Figuring out NAC requirements

Regardless of vendor choices, enterprises must know what network challenges they are trying to solve before they embrace NAC, says Joel Snyder, senior partner at Opus One and a member of the Network World Lab Alliance. Surprisingly, many businesses are leaping into NAC without first defining the business need that will warrant the investment, he says.

One early NAC adopter with specific goals is Colorado State University College of Business in Fort Collins. It wanted to control visitor and student access to network resources but keep the infrastructure as open as possible, says Jon Schroth, director of technology at the school. He also didn't want to rip out hardware or be responsible for installing software on user devices, he says.

Schroth chose Vernier's EdgeWall appliance, which authenticates users, scans their machines and imposes policies based on data drawn from the school's Active Directory servers. "We are a Microsoft shop, and we like to be able to leverage that when we can," he says.

Because EdgeWall sits between access and core switches to enforce policies, it works with the school's mix of HP ProCurve and 3Com switches without altering network topology.

Other NAC schemes, such as Cisco's and TNC, use 802.1X port authentication on switches to enforce policies, and Schroth says he eventually may adopt one of those architectures. For now EdgeWall works and probably will be sufficient until the school's next switch upgrade in two years. "Maybe then we'll look at [a broader NAC architecture] if it's integrated in the switch," he says.

Another early NAC adopter says that when he added NAC it was critical to protect a recent $250,000 investment in new Extreme Networks switches. "I can't afford to rip out a quarter of a million in switches just to meet the needs of one project," says Robert Lemm, IT supervisor for KAMO Power, a power company serving Kansas, Arkansas, Missouri and Oklahoma and based in Vinita, Okla.

When looking for NAC gear to protect KAMO Power's network better from harmful traffic coming from energy co-op affiliates, Lemm says he considered but rejected Cisco NAC gear because it required Cisco switches. Even if he already had them, it would have cost extra to implement NAC on them, he says. "If we had had Cisco switches out there, we would have had to buy a license for each switch," he says.

Short of that, Cisco could have put CiscoSecure Access Control Server (ACS) NAC devices inline with KAMO Power's Extreme switches to enforce access policies, but that would have made each ACS device a single point of failure. "That's not very smart from a network reliability point of view," he says.

Lemm also ruled out Extreme's access-control system based on its Sentriant devices. At the time he looked at it last year, it screened at Layer 3 but not all the way to Layer 7, which is what he was looking for, he says.

He chose Juniper's Infranet Controller policy engine in conjunction with Microsoft's Internet Authentication Service as the authentication server to determine what kind of access end devices should get. Extreme switches and Juniper Integrated Security Gateway devices combining firewall, VPN and intrusion detection serve as enforcement points.

The deployment avoided a lot of switch replacement, but it's not ideal, he says. Juniper needs an enterprise-wide management system for all the pieces of its NAC system to save administrative time. For now he uses Web interfaces to manage individual machines directly, or the NetScreen Security Manager to manage the Infranet Controller.
