Cisco, Microsoft and the Trusted Computing Group for the third year in a row sat down and alternately hugged, kissed and politely swatted at each other. This is the second year I've attended the RSA session on the future of NAC -- which is intentionally not spelled out because the acronym means different things to Cisco and the rest of the world.
The bottom line is that NAC (network access control or Network Admission Control) is a noticeable but still relatively undersized part of the security market, despite years of media and marketing attention. According to Lawrence Orans, an analyst at the Gartner Group who has spent the last five years tracking NAC, the market in 2007 was estimated at about $250 million compared with about $3 billion spent on firewalls and about $750 million spent on IDS (intrusion detection systems). The theme set forward by Orans was "overcoming obstacles to NAC adoption."
There has been some news in the NAC space -- Lockdown Networks went out of business in March and Caymas Systems submerged beneath Citrix. But as far as greater cooperation between the vendors goes, there isn't much new to report. In May 2007, Microsoft donated its NAP client and server protocol to the TCG. This year on the show floor a group of vendors in the Microsoft NAP pavilion were (unsurprisingly) able to work with Microsoft NAP servers. I should note that Microsoft officially entered the NAC space with the shipment of Windows Server 2008 two months ago in February.
Based on the panelists' remarks, it's clear that NAC still remains largely confined to wireless networks where 802.1x security is likely to be found. Guest offices and conference rooms were also the object of some discussion. But as for widespread deployment in the established wire-line network, the obstacles to NAC implementation remain plentiful.
Here's what I learned at the workshop that IT managers should think about when considering NAC. First, bear in mind the large number of endpoint devices that don't have a user account, such as printers that will likely have a real problem getting a NAC agent installed on them. Second, remember that NAC as it exists today can have a significant negative impact on network architecture, including those where PXE (Preboot Execution Environment) boot is used.
Even with these obstacles, or even because of them, there are still a large number of NAC products out there right now. The demises of Lockdown and Caymas still leave a large group of security tools that offer some kind of admission control technology along with products from the big guns who were sitting on the panel I attended today.