Not too long ago, NAC meant one thing: Cisco Systems Inc.'s Network Admission Control technology. No longer.
With Cisco moving slowly to introduce NAC (network access control) features across its product line and the price of upgrading to NAC-compliant Cisco hardware steep, the ranks of NAC technology vendors are also set to swell, as a slew of small companies and startups bring NAC products to market.
Vernier Networks, of Mountain View, Calif., has seen sales of EdgeWall, its network access management appliance, soar since introducing the device in March. Revenue from EdgeWall sales doubled between the second and third quarters of this year, and the company has already shipped more than 400 units to 70 customers, said CEO Simon Khalaf.
In October, Vernier will release a new version of EdgeWall that allows the device to be placed behind VPN (virtual private networking) concentrators to screen VPN connections for malicious code or other violations of corporate security policy, he said.
Vernier initially targeted industries like health care, education and insurance, but said that demand has come from across the economy, including high technology, financial services and professional services companies.
Lockdown Networks Inc., a Seattle-based maker of appliance-based vulnerability management technology, is seeing the same demand for its Lockdown Enforcer, a switch-based NAC product that the company debuted last week.
The hardware, which the company is promoting as a “turnkey” NAC solution, plugs directly into a company's switching infrastructure and scans systems that attempt to log on to the network for vulnerabilities, firewall configuration and compliance with user- and group-based security policies. Noncompliant systems are quarantined using VLANs (virtual LANs) created through the switch by Enforcer, company officials said.
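As an added illustration of the admission logic described above (example code, not Lockdown's or any vendor's; the group names, VLAN ids, policy thresholds and patch identifiers are constructed), a small posture evaluator that checks a host at logon against a group-based policy and assigns it to a production or quarantine VLAN, failing closed for hosts whose group has no policy:

```python
from dataclasses import dataclass

# Constructed VLAN ids; a real enforcer would push these to the switch port.
PRODUCTION_VLAN = 100
QUARANTINE_VLAN = 999

# Hypothetical group-based policy: what a host must show before it is admitted.
POLICY = {
    "employee":   {"firewall_required": True,  "max_missing_patches": 0},
    "contractor": {"firewall_required": True,  "max_missing_patches": 0},
    "guest":      {"firewall_required": False, "max_missing_patches": 2},
}

@dataclass
class Posture:
    """Scan result for one host at logon time (constructed)."""
    host: str
    group: str
    firewall_enabled: bool
    missing_patches: tuple  # constructed patch identifiers, not real ones

def evaluate(p: Posture) -> tuple:
    """Return (vlan, reasons); an empty reasons list means the host is admitted."""
    policy = POLICY.get(p.group)
    reasons = []
    if policy is None:
        # Fail closed: an unknown group never reaches the production VLAN.
        reasons.append(f"no policy for group '{p.group}'")
    else:
        if policy["firewall_required"] and not p.firewall_enabled:
            reasons.append("host firewall disabled")
        if len(p.missing_patches) > policy["max_missing_patches"]:
            reasons.append(f"{len(p.missing_patches)} missing patches: "
                           + ", ".join(p.missing_patches))
    vlan = QUARANTINE_VLAN if reasons else PRODUCTION_VLAN
    return vlan, reasons

# Constructed logon attempts, not data from the article.
SAMPLE_HOSTS = [
    Posture("laptop-01", "employee", True, ()),
    Posture("laptop-02", "contractor", False, ()),
    Posture("visitor-03", "guest", False, ("KB-A", "KB-B", "KB-C")),
    Posture("rogue-04", "vendor", True, ()),
]

def assign_vlans(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host to (vlan, reasons); the reasons are what an operator would log."""
    return {h.host: evaluate(h) for h in hosts}
```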
While most NAC players enforce security policy at the network perimeter, still other companies are looking to bring NAC-like security policy checks onto the LAN.
ConSentry Networks, of Milpitas, Calif., will announce a new line of secure LAN controllers Monday that can control user access and malware outbreaks within internal networks, said Tom Barsi, president and CEO of ConSentry.
And Nevis Networks, a Santa Clara, Calif., startup, is preparing to release its first product later this year. The ASIC (Application Specific Integrated Circuit) appliance will allow enterprises to create a “personal DMZ” on each networked system to enforce security policies and prevent outbreaks, said Bill Scull, a former Sygate executive who is now senior vice president of marketing at Nevis.
NAC technology at the perimeter and on the LAN is hot because traditional LAN security products such as intrusion detection and prevention (IDS/IPS) technology and firewalls aren't addressing the security threat posed by contractors, consultants and mobile workers whose actions can't be monitored or controlled, Scull said.
While Cisco's name is most closely associated with NAC, the company's NAC solution, which requires expensive upgrades to routers and switches and a separate desktop client, is far too costly and hard to implement for most companies, Khalaf said.
In fact, some executives are happy to credit Cisco with driving customers to their door.
“[Cisco] NAC has been great for us,” said Khalaf. “Cisco has done a lot of education and raised awareness about the [NAC] issue, but [Cisco] NAC is a solution that requires significant infrastructure changes.”
Schlumberger Ltd., an oil-field services company in New York, did a four-month evaluation of Cisco's NAC technology but decided to go with Lockdown after Cisco's Security Agent software conflicted with applications Schlumberger was running internally, said Mario Chiock, a senior IT security adviser at Schlumberger. “Cisco promised a lot last year, but they haven't delivered yet,” Chiock said.
Even when it is mature, Schlumberger would have to replace the bulk of its Cisco networking infrastructure to take advantage of the new NAC features.
“We have 1,900 [Cisco] switches that will never be upgradable. Cisco will never bring NAC down to those old switches, so that makes it very expensive,” he said.
Cisco's NAC already does, or will, support nearly every router and switch platform the company sells, including products it no longer sells, according to Russell Rice, director of product marketing in the company's Security Technology Group. Cisco is also planning to standardize its NAC technology through an open forum, likely next year, and deliver an agentless NAC technology in NAC2, an upcoming release, Rice said.
Rice countered the charges that his company is moving too slowly to make NAC a reality for companies, noting that the Cisco Clean Access product is an appliance-based network access control product that addresses “pain points” such as securing high-risk areas of a company's network, similar to products by Vernier and others.
Cisco has already shipped Clean Access gear to around 400 customers since it acquired the technology with Perfigo in October 2004, Rice said.
But Rice admitted that the Clean Access product is overshadowed by what Cisco calls the “NAC Framework”—NAC technology running on Cisco switches and routers—and that the company doesn't have easy answers to questions about cross-vendor support or the cost of upgrading switch and routing infrastructure to do NAC.
“[NAC] isn't a small activity. There are fundamental things organizations have to undergo, no matter how you slice it,” he said.
“You've got to get into the network design side of things to provide different levels of access and make that work. Those are really big nuts, but is [Cisco] doing things that make the burden even larger than any technology would require? I don't think so,” he said.
To ease deployment, Cisco is working with third-party companies to build NAC support into client software from a number of vendors, so that the separate Cisco Trust Agent software doesn't have to be installed on every system, Rice said.
As for the cost of upgrading a company's networking infrastructure, Cisco is counting on organizations standardizing on Cisco NAC-compliant hardware as they refresh their networking infrastructure in the coming years. For those companies that elect to use other networking gear, the company plans to standardize its NAC communications protocol through the IETF, beginning in 2006, which will allow other vendors to support those standards as well, he said.
But at Continental Airlines, which is a major Cisco customer, those are considerations that are too far out in the future, said Andre Gold, director of information security at the company.
Continental is deploying ConSentry's product in a controlled environment and is keeping an eye on Cisco NAC, as well as alternatives like Microsoft's Network Access Protection (NAP) program and the Trusted Computing Group's Trusted Network Connect, while the company considers changing its network architecture to support broader solutions.
In the months to come, that story may become a familiar one to executives at Cisco.