Gartner: NAC to Move to Top Gear

Network access control in appliances and client-side applications will become the industry norm within two years, but a lack of open standards in network protocols may hinder the quick adopters.

Almost every organization will go down the network access control (NAC) road for security, access control and network bandwidth management. Cisco and Microsoft, with the release of Vista and Longhorn, will have a serious impact on the uptake, according to Gartner Research Director Steve Bittinger.

Niche players in the NAC market, Bittinger said, will be quickly eaten up by the “800 pound gorillas” within the near future, using Cisco’s recent purchase of network security specialist Meetinghouse Data Communications as a prime example.

Speaking at the Gartner IT Security Summit in Sydney on Tuesday, Bittinger warned extensions to code made by Cisco to the 802.1x (Layer 2) network protocol, as used in some wireless access points and switches, features a proprietary extension to the existing standard; however, all new infrastructure gear should be checked for 802.1x compatibility.

“802.1x is the network protocol now found in a lot of switches and wireless points, which helps implement Layer 2 blocking but does not do everything required in network access control, but it actually does the blocking part,” Bittinger said.

“Meetinghouse, another specialist player in the 802.1x software space, helped Cisco phase up the overall NAC picture; now we have AV vendors, software configuration management, and Microsoft at the operating system level offering something to do with NAC.

“But not every switch and network component works with 802.1x. … If you have some legacy equipment in your environment that may be a few years old, chances are it may not have .1x capability.

“Today 802.1x itself needs extra code extensions, and Cisco has put extensions of a standard for authentication and to move information between end points, policy and remediation servers across the network.”

Bittinger said the existing standards cannot do what is required, and the extension has yet to be accepted as a valid open standard, adding that in some recent deployments of voice over IP (VoIP), the 802.1x network has broken down.

“Both VoIP and NAC have to play well together to make it work, and with Cisco telephones and networking gear [it’s] not a problem, but with non-Cisco phones using the 802.1x gear, it breaks.”

Bittinger emphasized the overlap between Cisco and Microsoft is obvious with NAC, as both will offer policy servers and end point agents (Cisco through the Cisco Trusted Agent and Microsoft in Vista).

“Microsoft Network Access Protection is meant to work with future versions of active directory, domain isolation, but the problem with the Microsoft solution is it only works with Microsoft,” Bittinger said.

“Certification authority is the approach it is using with its suggested mechanism, and it might not come in until Longhorn, but Microsoft has ideas of issuing certificates, without which you cannot get access to anything, and which will control who can access within the whole Microsoft-type of environment.

“But we don’t really know all the details as yet, and it is not able to be tested.”

-Michael Crawford, Computerworld Today (Australia)

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.