Comments on: Is NAC stuck in the mud? http://itknowledgeexchange.techtarget.com/networkhub/nac-matures-innovation-slows/ A SearchNetworking.com blog Thu, 31 Jan 2013 15:39:47 +0000 hourly 1 By: Pelle http://itknowledgeexchange.techtarget.com/networkhub/nac-matures-innovation-slows/#comment-5 Pelle Mon, 15 Oct 2007 20:31:29 +0000 http://itknowledgeexchange.techtarget.com/networkhub/nac-matures-innovation-slows/#comment-5 After some experience implementing 802.1x NAC with agent based system scan, NAC Appliance with agent scan and other pure switch-based 802.1x installation, I have the following experience.

– Full NAC implementation is not a network technology, it’s an IT technology. It’s more how to handle PC-patch, Virus update, user control and standard policy. NAC have been pushed by different network companies as a solution to security problem. But security problem does not have its source in the network, it’s the host who are the source. Therefore, anything else then pure 802.1x authentication ‘NAC’ function are more likely to depend on the server, security or client-PC department, then on the network department.

– When the organization is large enough to have ‘different’ department handle servers, clients, network, security, user support . . . it start to be very hard to implement real NAC with all nice features of scanning each PC before it’s allowed to join the network. This is mostly not a technology problem, it’s an organizational problem, sometime a ‘religious’ problem :-) .

– My recommendation is to go slow and only add one function each time or at least as few as possible. Make it as transparent as possible and tight it up harder and harder over the time. All this should be done after a real deep analyze before you choose a NAC system. How do you support a PC which is ‘logged out’? How will you push out virus update when all your PC’s are ‘off-line’? How will your system really handle VLAN-‘jumping’ if you implement such a system? My conclusion is that you will have surprises from people or system you don’t expect. . . and how about system you did not even think about, like VoIP, heat control system connected to the IP network, survey cameras? Do you know how many ‘strange’ communication product you really have connect at your production line?

– To me, NAC looks more and more as a tool for the client and virus department. What kind of tool will they have in the future? Tools like MS NAP will probably look much more familiarly to them then any of today’s NAC tools. How will your NAC tool fit with NAP in the future? Maybe you don’t want to be compatible at all with NAP to have some sort of shield against any upcoming NAP-hack? Its question you have to answer before you choose a NAC product.

– NAC, any sort of NAC incl. NAP, will tight the connection between different IT department in your company. In some way, the troubleshooting will be harder and you will need to keep your documentation more up-to-date then today (most likely :-) If all this fits and you start to get your different IT department to really work together, pick one NAC which suit your need. But if you don’t bring all parts of your IT organization on top of NAC, you will fail. This is not the same situation when you choose switches, routers or routing protocol. It’s not like when you choose virtualization software or server. It’s not like when you choose what client or trouble ticket system to use. NAC will tie most IT groups together for real, are your organization ready for it?

Good luck with NAC. Prepare well, let it take time and you will have your NAC up.

Best Regards
Per Håkansson
SpeedApp AB
per[you know what char]speedapp–se

]]> By: Michelle McLean http://itknowledgeexchange.techtarget.com/networkhub/nac-matures-innovation-slows/#comment-4 Michelle McLean Fri, 12 Oct 2007 21:29:23 +0000 http://itknowledgeexchange.techtarget.com/networkhub/nac-matures-innovation-slows/#comment-4 While I agree with you and Andrew Braunberg that the majority of the feature set has been well defined, I definitely don’t agree that this means the market has reached commodity status. Why not?
1) huge disparity amongst products – there’s still really big differences in the capabilities of various products, including who can really do much post-admission control at all – endpoint software- and out-of-band appliance-based approaches cannot see the user traffic and therefore cannot enforce based on what the user is currently doing (the application in use, the destination they’re trying to reach, etc.)
2) lots of vendors making noise – the number’s getting smaller, thankfully, but it’s still an overly crowded space
3) it’s not about pricing – when a market hits commodity status, you compete on price – that’s not happening in deals – customers are definitely having feature set rule the day, which is totally appropriate for something that’s this important (security) and that’s not a commodity

So here’s the funny part – despite thinking NAC’s not close to commodity status, I also don’t think it’s a long-term market. This functionality is critical to the LAN – enterprises of all types need to control who can do what on the LAN. But because the functionality is that fundamental, it won’t stay standalone – instead, these kinds of user-based controls must get built into the fabric of the LAN. Access switches, because they sit close to the user and protect the full scope of the LAN, are the ideal place for this technology. One of our customers, for example, just dumped Cisco Clean Access after struggling with it for a year. The alternative they picked from us? Not our appliance but our switches – they bought more than 50 wiring closet switches to get the control embedded directly in the LAN. You can read more about it here: http://www.networkworld.com/news/2007/100407-cisco-schools-switch.html?t51hb

The future of NAC is as a feature on a switch. And for some enterprises, the future’s already here.
–Michelle

Michelle Rae McLean
ConSentry Networks
mmclean-at-ConSentry-dot-com

]]>