Interop: NAC Gets Explained … Again

May 21, Las Vegas–At the NAC Day session at Interop, a member of the 350-plus audience stood up and said that he considered NAC, even after two years of existence, to be an emerging technology. Another attendee asked if he couldn’t just wait until the nirvana of vendor standardization was achieved and in the meantime go without any NAC solution. This question was undoubtedly prompted by the news today that Microsoft and the TCG (Trusted Computing Group) have announced that the Microsoft client/server protocol for Microsoft’s NAP (Network Access Protection) is an alternative that can be used with the TCG’s Trusted Network Connect. The Microsoft-TCG announcement basically means that where there were three major contenders for a NAC standard, Cisco, Microsoft and the TCG, now there are two. The Microsoft/TCG “standard” is currently supported in every Vista Windows client and will soon be supported in the Windows XP service pack. That’s a lot of clients that will be able to communicate with policy validators, and certainly a development that should cause network and desktop managers to sit up and take notice. The question for Cisco (which I will ask Russell Rice when I speak with him here at Interop on Wednesday) is, Will Cisco join the “standards” crowd? The NAC battlefield is shaping up much like the e-mail or network protocol wars of 10 years ago. Today we all use SMTP and IP because the protocols do most of what is needed and they are ubiquitous. Similarly, some standard version of NAC may become the common platform used to admit endpoint devices to the network, with vendors extending the platform with all sorts of extra add-ons to differentiate their security products. It is important to keep in mind, however, that controlling endpoints by putting a gatekeeper in the network is not a forgone conclusion, even if the freight train of popular thought at Interop seems headed in that direction. See my technical analysis of NAC or Jason Brooks’ column, “Is NAC Whack?” to get a sense of the alternatives, which are based on securing the endpoints and opening the network wide. Over the next couple of days, I’ll be hanging around the big NAC players (Microsoft, Cisco, TCG/Juniper) and the host of “NAC right now” players, including Mirage, Vernier, ConSentry, Lockdown and Sophos, just to name a few. What happens in Vegas is going to get played out here at Permit/Deny.