NAC offtrack

Most vendors state that NAC is the next big thing in security. However, with prevailing confusion, multiple standards and an evolutionary path that will see it integrated into the network fabric, enterprises might continue to shy away from any investments.
By Sathya Mithra Ashok
Mon 03 Dec 2007 04:00 AM

If you were to believe most vendors in the security industry, network access control or network admission control (NAC) is the next big thing in securing enterprise networks.

"It's a recent phenomenon, two years back people were still talking about it, last year people started looking at NAC as a viable way of conducting end point security, this year they have started evaluating it and next year we will see a huge amount of people buying. So the market for tomorrow is definitely NAC," says Anand Choudha, security product manager at FVC, distributors of Tipping Point products.

"Worldwide, there is a heightened interest in NAC solutions. There is a lot of buzz and a lot of concern about how enterprises can incorporate them because there are a variety of methodologies in the market. I would expect to find more and more organisations adopting some form of NAC soon," says Franchesca Walker, director of enterprise solutions at Foundry Networks.

"The growth in the demand for NAC solutions in the region is there as part of an increased awareness among end users to protect their networks on the inside. This is well in line with the global increase in this market which is expected to average US$ 3.5 billion for the access control and management based on reports by market analysts," says Bashar Bashaireh, Middle East regional manager for Fortinet.

That is pretty much the extent to which any vendor who predicts a bright future for NAC solutions is ready to stretch. However, the reality might be a much less rosy picture than one might hope for. With several products and solutions in the market in multiple forms, new vendors appearing almost every month, and at least two standards followed by bigger vendors, the truth is that many an enterprise in the region remains confused about NAC, what it can do and whether it is necessary at all amid an increasing security spend.

Fixing it up proper

In its simplest form, NAC is about protecting the endpoints of an enterprise and not its perimeter. In other words, it is about protecting an organisation from any possible internal attacks rather than external elements.

"In today's world, the endpoints of an enterprise are becoming more widespread what with increased mobile devices among employees. And then there are the enterprises which entertain a lot of guest users. In all these situations, systems have to be assessed and a thorough health check has to be done before they can be allowed into the network. If not, there is a strong possibility of them bringing in infections," says Choudha.

NAC products and solutions are geared to address the area of endpoint access, that is verifying users and testing the system for vulnerabilities or lack of updates and allowing access, blocking the system or quarantining them as applicable. All this would need to be verified with the backing of a structured security policy.

In more recent times, NAC has evolved to inspecting traffic to and from systems that connect to the network to track any unconventional or potentially dangerous behaviour.

Currently, NAC can be bought and deployed by enterprises in three different forms - by way of appliances or inline devices, by way of software solutions or by investing money and effort in implementing an all-encompassing framework.

Many vendors, including Fortinet and Tipping Point, offer devices or appliances which integrate NAC as one of the functions on offer.

"Unlike many other NAC devices and solutions, Tipping Point's product checks systems not only during the time of access but also inspects traffic in a continuous stream," says FVC's Choudha.

Symantec's Endpoint Protection, which was released earlier this year, is one of the software NAC solutions available for enterprises in the Middle East.

"Our solution can be both agent-based as well as agent-less. It is what can be termed as dissolvable or on demand agent. The agent can be downloaded to a machine that IT administrators do not physically control. For companies that host a lot of guests, the best way to give them all a secure desktop is to provide a weblink and ask them to download it," says Khaled Chatila, senior systems engineer for the Middle East and North Africa at Symantec.

Chatila also states that when an organisation chooses an enterprise antivirus solution from Symantec, the NAC agents are also deployed and the firm only needs to switch it on when the need is felt.

Beyond all these products is the framework method, which is largely spearheaded by Cisco. However, the overall NAC framework has not had many takers, globally or in the region, since it involves an enormous amount of infrastructural changes and an upfront investment from an enterprise.

"The appliance is not different from the overall NAC framework. It was part of the framework and has always been an integral part of the plan when rolling out a full blown NAC," says Ahmed Etman, security business development manager at Cisco Middle East.

He does agree, though, that enterprises look at the framework and the appliance at different points in their maturity cycle and as per their individual needs. He also states that due to the dynamics of the market, as well as the fact that Cisco has been investing in building more 'character upgradation and features into the appliance itself', these devices have been far more popular in the market than the framework.

Here or there?

According to Etman, Cisco witnessed an 80% growth in NAC-based revenues over the last year and is expecting nothing less next year.

Cisco is one of the few vendors who claim such a huge rate of growth. According to most others in the market, the NAC market is expected to really take off only in 2008. However, in spite of their positive predictions, NAC solutions are still plagued by several factors that could restrict their potential.

For one, enterprises still remain confused about NAC products because of the huge number of vendors and the variety of solutions available, all claiming to do similar things. Additionally, some work on open standards and others on proprietary ones, causing interoperability problems that remain a sizeable block for most enterprises.

Moreover, predictions for NAC's evolutionary path are that it will be absorbed into the network layer.

"It is inevitable that NAC will be integrated into the network fabric and that the network will take on the functions that are done by NAC. However when that is likely to occur is anybody's guess," says Symantec's Chatila.

While these conditions continue to exist and cause potential obstacles for NAC's market growth, the Middle East also witnesses scenarios where enterprises buy and implement NAC at huge expense and resource spend, only to not use it at all or use it only up to a part of its potential. This leads to low utilisation rates, thereby creating the impression of a mature market when that might not be the case.

One of the reasons for this is that some enterprises do not have an effective security policy, and even if they do have one, it is not deployed well.

"Many companies end up not using NAC to its full potential because of immature policies. In these cases, network managers do not have all controls defined or lack responsibility for implementing them," says Walker.

However, there are some in the industry who believe that is not the case.

"We do not witness too much of a lack of policy among enterprises. For the most part, when we go in for installation, customers are aware of what they are getting and design policies beforehand," states Choudha.

Many small vendors in the market have another interesting reason for the low utilisation of NAC products. They accuse bigger vendors like Cisco of often bundling NAC solutions as add-ons to their major wins and offering it to customers. This results in two things - one, the bigger vendor grabs more of the market share in that segment and two, the solution is taken on by an enterprise which might not be really ready for it or in need of it.

When asked about this, Etman replies, "Yes, we have a market we capitalise on - we definitely have an advantage because of the installed base we have in the networking space. However, I do not believe this affects the utilisation rate in the negative. Customers who are very mature know how to make their own decisions. And often the security decision maker is different from the network decision maker so that story cannot make any sense. Moreover, if anybody wanted to accuse Cisco of such tactics, it would apply to anything like mobility, unified communications, TelePresence, datacentre solutions - everything."

Etman agrees, though, that utilisation rates can vary among enterprises and that this will depend on the specific requirements of the organisations themselves. He points out that we do not end up using all the features even on most personal mobile devices and therefore enterprises cannot be pulled up for not using some features within their NAC solutions.

A NAC future

NAC as the next sure step in security implementation has been predicted by industry watchers and vendors for over three years now. However, the technology looks more and more like one whose heyday has come and gone and one which, in all likelihood, will be absorbed into the network layer, leaving enterprises free from the need to look for, deploy and maintain an independent solution.

"We are seeing convergence in general, where more security is being built and integrated into the infrastructure level. Infrastructure in the network is going to be absorbing more of the NAC features. And we believe this makes sense because the network is the only piece that is touching every single component in your infrastructure," states Etman.

If that is the case, then the expected market for NAC solutions, which is predicted to open up in 2008-2009, might never materialise.

Things to watch out for with NAC

1. Policy - ensure you have a proper set of policy guidelines before going in for NAC.

2. Mobility - remember that NAC does not make any sense unless you have a large group of travelling executives within the enterprise or visitors.

3. Plan and prepare - make a checklist of the things that you want a NAC solution to do for you before testing out the available solutions.

4. Check and pilot - conduct beta runs or do minor tests in internal IT environments with different solutions before picking the vendor.

5. Standards - be aware of standards and interoperability issues. These can become potentially big problems if not accounted for early.

6. Network impact - especially with devices, check the latency and performance issues that can cause problems in your network.

7. Train - invest the time and effort to educate your IT workforce on the reasons for NAC and the ways it can be used and needs to be maintained.

8. Overall solution - always remember that NAC is just one aspect of securing an enterprise. Integrate it well with other solutions and always be prepared for a future when NAC might become a part of your switches and routers.
