NAC Is All the Rage at Interop NY

Labs trolls the floor to find the best and brightest at the New York show

Interop New York, held the week of Sept. 18, continued a theme sounded at Interop Las Vegas in May: Network access control is in play.

At the show, eWeek Labs saw evidence that there are many products ready today that can provide secure, authenticated, policy-controlled network access. Based on our initial evaluations of these products, IT managers should consider them in addition to the "big three" NAC solutions: Cisco Systems NAC (Network Admission Control), Microsofts NAP (Network Access Protection) and Trusted Computing Groups TNC (Trusted Network Connect).

Given increased regulatory and business requirements to control access to the data available via a network connection, there are two major decisions that IT managers at organizations large and small are faced with today: What forms of access control can be implemented? And, can products implemented today be integrated into the grand architectures that predominate much of the NAC discussion?

The short answer to the first question is that most forms of NAC can be effectively implemented today. The answer to the second question depends on many factors, including the brand of network hardware and the eventual availability of Microsofts Longhorn Server platform, but many NAC solutions will likely find a home in the one- to two-year time frames envisioned for most enterprise NAC implementations.

The implementation time frame for NAC is also an important consideration. For the long term, it may be that Cisco, Microsoft, and TCGs architectures and products may offer a workable approach for organizations that use their respective equipment and operating systems. For the short term, and for those organizations that have networks built from heterogeneous equipment, NAC likely will be provided by integrated point solutions.

NAC In Action

New here was one such product—AEP Networks NACpoint. At the show, we looked at a preview of the NACpoint, a 1U (1.75-inch) appliance. The NACpoint integrates with managed switches from vendors including Cisco, Enterasys Networks, Extreme Networks, Hewlett-Packard and 3Com. The product is expected to be released in mid-November.

Integrating a NAC appliance with a managed switch has certain advantages. Because the appliance is out-of-band, it doesnt create a single point of failure. Meanwhile, it controls network access using changes to policies that are implemented at the network level. As is fairly typical of these types of products, the NACpoint can create VLAN (virtual LAN)-based quarantine network segments to which out-of-compliance systems are sent for remediation.

Another advantage to the methodology used by the NACpoint is that the appliance is fairly transparent to the network.

However, one fairly obvious drawback to integrating a policy appliance with a managed switch can be recalled from the early days of network IPSes (intrusion prevention systems). The amount of configuration change on the managed switch can itself start to cause problems with other management tools that track configuration changes in network infrastructure. In addition, an organization may not have a supported switch in all the subnets that require protection.

Another approach to the NAC problem uses trusted agents in the protected subnet. InfoExpress announced at Interop Las Vegas the CyberGatekeeper with Dynamic NAC, and the product was demonstrated here. eWeek Labs finds Dynamic NAC interesting because it uses trusted workstations to create network enforcement points inside the protected subnet. These enforcers run on Microsoft Windows-based systems or on a CyberGatekeeper appliance. While the product runs on Windows, it can protect environments populated with Linux and Macintosh systems.

Basically, when a new system is detected on the network, the enforcers check to ensure that the machine is allowed and up-to-date with all required firewall and anti-virus software. In addition, Dynamic NAC performs continuous checks to ensure that the endpoint stays in compliance during the entire connection.

While the idea of using only existing IT assets to enforce a NAC environment is tempting, the InfoExpress solution requires that an agent be installed on each system entering the network. While the agent can be lightweight and based in a browser, it still must be present to help the enforcers check on endpoints compliance.

Agents are not uncommon in the NAC world, however, and nearly every NAC vendor uses some software on the endpoint to perform in-depth checking to ensure the correct security posture is maintained before and during the network connection.

Technical Director Cameron Sturdevant can be reached at