Home » Data Protection » Network Security

NAC: Now? Or Never?

New tech gadgets and a highly mobile workforce have raised the security stakes for corporate networks. Network Access Control to the rescue? Perhaps, but experts debate the value and users face a confusing morass of options.

By Stacy Collett

Page 2

Gartner Research Director Lawrence Orans says there are three issues causing network managers to delay deployment of network access control solutions.

1. The waiting game. "People tell us they think the technology is too immature," Orans says, but that's not entirely true. "There are some very strong proven solutions from small companies, and you have some of the big players out there making the biggest noise." For starters, Microsoft in February began shipping its Network Access Protection (NAP) solution with Windows Server 2008.

"It is a product and a framework," says Robert Whiteley, a senior analyst at Forrester. "The framework has been around, so there are bits and pieces" that companies have been deploying, but they couldn't fully commit until now, he says.

Cisco's Network Admission Control solution has also been released but hasn't lived up to some analysts' and users' expectations. "That combination of events has caused people to view the technology as not mature," Orans adds, but it has also created a window of opportunity for the little guys. (Gartner tracks 18 of them.)

But some companies can't afford to wait. MedicAlert, a provider of medical emergency information services, needed to secure the health records of some 450,000 customers while granting safe access to employees, caregivers and the patients themselves to update information. The nonprofit organization thought about waiting to see how the market would play out, and it experimented with some homegrown, open-source solutions, but ultimately decided to go with a Web access control solution in a services-oriented architecture.

"What convinced me was the cost of not doing it," says Martin Fisher, vice president of IT at Turlock, Calif.-based MedicAlert. "While it is relatively expensive, the cost of not doing it in terms of reputation lost if we actually had a breach would be enormous. While my background in development leads one to think about building everything oneself, it was also clear that we would be better off going with experts in the field rather than building it ourselves."

2. Money matters.
"We also hear objections about expense" in deploying NAC solutions, Orans says. "There are many ways to do NAC; not every one is expensive." There are three categories of NAC solutions—endpoint software that is installed on all desktops and laptops, appliances that attach to the network and NAC embedded in the infrastructure.

The most economical way to deploy NAC, according to Orans, is to look at the capabilities in existing infrastructure, networks and security products. "See if your current vendors have some embedded NAC functionality that you can turn on," he says. "That can be your IPS (intrusion prevention system) vendor or Microsoft's embedded NAC support on the Vista platform with Windows server. Endpoint protection software, such as McAfee, Symantec and Sophos, also has NAC capabilities."