NAC Attack: Today's Products Will Fail, Report Says

Apr 07, 2007

Vendors say modern NAC products will fall by the wayside in favor of software-based technologies that manage risk by integrating endpoint security, access control, identity and risk management.

Forrester Research analysts are urging corporations to prepare for a shift in the Network Access Control market in the years to come, as NAC vendors move toward new software-based tools that leverage endpoint technology to proactively manage risk.

In a report titled "Client Management 2.0," Forrester analysts Natalie Lambert and Robert Whiteley forecast the death of modern NAC products, which they say feature too much complexity and not enough interoperability. Operations management teams want a unified solution, Lambert said in an interview with eWEEK.

"They feel they deploy tools to solve business problems but then find themselves with more solutions than they can handle," she said. "They want to consolidate, but they aren't seeing any compelling solutions that bring together the functionality they need."

The report also contends that many NAC products focus solely on compliance with security policies instead of the remediation problematic machines, and are not able to defend against newly emerging threats.

In addition, the researchers stated that existing NAC systems often result in multiple policies being established to control the same processes.

Lambert and Whiteley's answer to the situation is policy-based software technologies that manage risk by integrating endpoint security, access control, identity and risk management.

They dub this new generation of client and network security products "proactive endpoint risk management," or PERM.

Proactive endpoint risk management benefits enterprises from both an operational and technical standpoint, Lambert said.

Most firms, she said, are evolving their security teams to focus on risk and higher-level regulatory compliance issues, she said.

As threat protection and systems compliance mature, they will get thrown over the fence to IT operations functions. She called it a mistake for NAC solutions to focus on the network operations team.

"Network ops staffers typically don't focus on dynamic, policy-intensive tasks that require the management of tens of thousands of devices," Lambert said. "We think that desktop operations - which has been working with policy-intensive security and management tools for years - is a much more suitable home for defining NAC policies."

From a technical perspective, it's a more complete management solution, she added.

"Securing an endpoint means managing its entire life cycle," Lambert said. "But today's current NAC solutions don't focus on a complete life cycle. Instead, they specialize in either pre-admission scans or post-admission monitoring - some solutions - do - both - but don't focus on remediation."

Before PERM becomes a reality in the marketplace, however, Lambert foresees widespread product and vendor consolidation - a process she said has already begun, with vendors such as McAfee integrating traditional client security with information leak prevention and vulnerability management.

For their part, several vendors said NAC products will change. However, not all said they would change in the way Forrester predicts.

At Cisco, company officials said Forrester used too narrow a definition of a NAC product because it only includes a health check of an endpoint.

Brendan O'Connell, product marketing manager within Cisco's NAC unit, said many NAC providers focus solely on whether or not a computer has the latest anti-virus software, and he called that a "mental blind spot."

NAC, he continued, should be composed of four things: authentication, quarantine, posture assessment and remediation.

"There are a lot of other NAC products out there that may have only a subset of those components," O'Connell said.

Contrary to the report's conclusion that the network needs to be de-emphasized, Cisco NAC Marketing Manager Irene Sandler said NAC has to be a network enforcement product - and that the network is where the bulk of the decision-making must lie.

Microsoft executive Mike Schutz said policy has a home in the network, though he said NAC products will evolve beyond the network device-centric approach commonplace today.

"Customers today deploy multiple point security products such as AV and patch management, but these products rely on the end user to keep these solutions running and up-to-date," said Mike Schutz, director of security and access product management at Microsoft.

"It's easy for users to fall out of compliance, and NAP - Network Access Protection - addresses this problem by pushing IT policy into the network."

Lambert, however, said firms should de-couple their network access policy from their network hardware.

"This policy should then be mapped to the current security and management technologies that can do the heavy lifting and leave the enforcement to the network," she said.

In addition, she advocated realigning IT organizations so that those responsible for endpoint operations are security and IT ops professionals who know how best to create policy to secure and manage the environment.

Copyright 2007 by Ziff Davis Media, Distributed by United Press International

Explore further: Android gains in US, basic phones almost extinct

add to favorites email to friend print save as pdf

Related Stories

Juniper and Microsoft Hook Up for NAC Work

May 22, 2007

Juniper Networks jumped into the NAC lovefest at Interop on May 21, announcing that it's working to get its Unified Access Control NAC server to interoperate with Microsoft's Network Access Protection standard.

Microsoft, TCG, Juniper Tie the NAC Knot

May 22, 2007

A lot of vendors selling a lot of components that have to agree on how to measure a lot of things have to come together to make an effective Network Access Control system.

Cisco Expands its Integrated Services Router Portfolio

May 03, 2005

Cisco Systems today announced new wireless-enabled integrated services routers, delivering highly secure concurrent services for broadband access to small and medium-sized businesses (SMBs), enterprise small offices and teleworkers. ...

Recommended for you

Android gains in US, basic phones almost extinct

9 hours ago

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

Hackathon team's GoogolPlex gives Siri extra powers

Apr 17, 2014

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

LinkedIn membership hits 300 million

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

Impact glass stores biodata for millions of years

(Phys.org) —Bits of plant life encapsulated in molten glass by asteroid and comet impacts millions of years ago give geologists information about climate and life forms on the ancient Earth. Scientists ...