Today's NAC is kNACkered
Users will struggle and look for alternatives, say analysts.
By Matt Hines, InfoWorld | InfoWorld | Published: 01:00, 13 April 2007
Today's NAC (network access control) technologies will fail and disappear as companies move to device authentication systems that operate on the end point, according to a report issued by Forrester Research.
Enterprise companies desperate to improve their security systems in the wake of high-profile malware attacks and systems intrusions have bought into the current crop of NAC technologies, Forrester analysts said. However, those firms have struggled to install and maintain their existing NAC tools and will seek alternatives in the coming years, according to the report.
NAC systems -- marketed by a wide array of security software makers, as well as infrastructure vendors including Cisco Systems and Juniper Networks -- promise to scan devices as they attempt to log onto a network to test their overall security posture.
Once a device has been proven to be authorised for systems access and NAC tools have verified that the machine has required security applications and patches in place, it is allowed on the network. Some products also promise to provide so-called post-admission NAC protection, whereby they continue to monitor device behaviour after granting network access to protect against hidden attacks.
In addition to confusion about all the various products that individual vendors are marketing as NAC tools -- which range from complex end-to-end systems to simple authentication applications -- Forrester highlighted a number of reasons why its experts believe that today's technologies will fail.
The report contends that one of the most significant problems with existing NAC systems is that they lead to the creation of too many policies that aim to control the same processes.
For instance, the researchers said they frequently see customers using Symantec's Sygate remote and wireless access technologies alongside Cisco's product for local user access, which results in "disjointed" policies that don't give users a consistent experience when trying to log-on in the office or remotely.
In another dig, Forrester claims that there is too much complexity and too little compatibility among the many NAC technologies, even those made by companies backing standards efforts, including guidelines proposed by Cisco, Microsoft and the Trusted Computing Group (TCG).
The report maintains that too many current NAC products are "purely preventative," lack the capability to defend against newly emerging threats, and too often offer users advice on how to make their computers compatible with security policies instead of helping them to remedy any problems.
Perhaps the biggest issue with the technologies is that most NAC systems today lack the ability to remediate potential problems, such as having the wrong version of an anti-virus package or lacking the latest Microsoft security patches, and merely quarantine devices that fail to comply, said Natalie Lambert, one of the report's authors.
"The way that NAC works today, it forces duplicate efforts to create policies at the network and at the end point, and most often these systems cannot handle the remediation aspect that is necessary to make the process effective and blind to end users," Lambert said. "Today's NAC vendors can't pull the whole process off. Why not have these tasks handled as part of a security and management solution whereby if you don't meet the policies you can't get fixed?"
Even though companies are very concerned about fighting intrusions and threats, most remain tentative with their NAC security plans over fears that important users will not be able to gain access to needed content because their devices have been quarantined, she said. If enterprises can handle the problem without as great a risk of barring authorised users, they will move to products that allow it, according to the analyst.
This trend will favour more end point, or device-based applications for managing network device authentication and security testing, Lambert said.
"We believe that it will be the end point, not the network, where the intelligence of these technologies lives," Lambert said. "In many cases, companies already have underlying security and management infrastructure that can handle this work; it's really a matter of enhancing what they have in place."
In order for major vendors to get all the pieces necessary to create products that can work in such a manner, the analyst said there will be continued consolidation in the end point security and network authentication space. Lambert pointed to McAfee's acquisition of DLP (data leakage prevention) vendor Onigma for US$25 million in October 2006 as emblematic of the type of deals that are likely to follow.
In addition to such end point-oriented technologies, the analyst cited tools that de-couple network security policies from network hardware as another area where larger players may look to invest. Smaller players in the NAC space will increasingly find themselves under pressure to branch out and offer more sophisticated products if they intend to remain in the market, Lambert said.
"Customers should spend the next year or so making sure they are laying the security and management framework, and start creating policies for a well secured end point. As solutions converge, they can bring them together to create full network access policies," Lambert said. "They can use existing NAC technologies as a stop-gap over the next several years to get secure access, especially for mobile workers, but they need to prepare to migrate policies to the end point as these new technologies emerge."
NAC vendors responded to the report with some confusion, pointing out that the research appears to demand greater simplicity and complexity from NAC systems at the same time.
At the heart of the discord, according to Cisco, appears to be a difference in opinion over what the analysts and the vendor define as necessary elements of NAC.
"Their definition of NAC only includes a health check; we include scans for the machine type, OS status, user information and authentication rolls," said Irene Sandler, marketing manager with Cisco's NAC Appliance Business Unit. "They're only looking at posture assessment from the perspective of anti-virus and patches, and we define it a lot more broadly."
Cisco officials pointed out that other research reports have found favourable perceptions for a more network-based approach to device authentication.
For instance, a recent survey published by Infonetics Research found that 80 percent of IT professionals polled regarding NAC indicated that they wanted technologies that were at least partially enforced on the network, with 51 percent expressing a desire for some control on the end point. Respondents were able to select more than one answer if they favoured a mix of the strategies.
Cisco experts said that as NAC products become more mature, some of the processes highlighted as unwieldy for end users by Forrester may become more streamlined, affording the type of seamless interaction that Lambert contends end users will demand.
With more than 1600 existing NAC customers, the networking company believes that its current approach is in fact being validated by the market.
"Our data has pointed to customers wanting a more complete system than what we're hearing about here, but we do want the features to be easy to run and the policies simple to create and manage. ... We don't see it as a matter of excluding things from the product to do that," said Brendan O'Connell, senior product manager for Cisco's NAC appliances business. "Cisco's spirit is about making the pie bigger, and considering any reasonable question to ask before granting network access; that's what we want NAC tools to answer."