NAC Renaissance

Remember NAC? Cisco first introduced the concept of Network Admission Control back around 2004. Back then, NAC’s primary role was checking the security status of PCs before granting them access to the network. This type of functionality was really in response to a wave of Internet worms in the early 2000s that were infecting and clogging up corporate networks.

NAC became an instant network security fad that everyone wanted a part of. Microsoft introduced a competing initiative called Network Access Protection (NAP) for its “Longhorn” operating system (Vista) followed by a wave of long-lost startups like ConSentry Networks, Lockdown Networks, Mirage Networks, and Vernier. Heck, NAC was even highlighted at the RSA Conference during this timeframe.

Alas, the buzz around NAC faded away around 2008 or so. Why? Probably some combination of factors including NAC project complexity (based upon the 802.1x standard), the changing threat landscape, and the financial meltdown. 

Well, fast forward to 2014 and NAC is back and gaining energy – albeit with far less visibility than the heady 2000s. According to a recently published ESG research report on network security, 40% of enterprise organizations enforce network access controls “extensively across the enterprise,” while 44% use NAC to some lesser degree (note:  I am an ESG employee).

Organizations using NAC were asked to identify the biggest drivers for doing so.  According to ESG research:

• 43% of organizations are using NAC because they believe it can help them lower IT risk
• 42% of organizations are using NAC because of their increasing use of mobile devices and BYOD policies
• 42% of organizations are using NAC because of increasing user mobility and the need for remote access to the corporate LAN
• 38% of organizations are using NAC because of their increasing use of wireless networking (Wi-Fi) as the network access layer
• 38% of organizations are using NAC because of regulatory compliance requirements

Today’s NAC has a somewhat different role than NAC circa 2006, as it is really being used for things like granular access control and risk-based authentication. In fact, many organizations are now considering multiple factors including device type, user role, access activities, and device configuration to enforce granular access policies.

So NAC has pulled a technology about-face, and this momentum will only continue driven by cloud, mobility, and the Internet of Things (IoT). And while ConSentry Microsoft NAP and Nevis Networks are long gone, a number of vendors such as Aruba, Bradford Networks, Cisco, Extreme Networks, ForeScout, Hexis Cyber Solutions, and Juniper are happily dancing to NAC’s new wave. 

As the saying goes, “timing is everything.” The original NAC was the right idea but the wrong implementation. The new NAC may not attract Sand Hill Road money or hyperbole, but it is finally in the right place at the right time – driven by the dangerous threat landscape, mobile computing, and the increasing need to control network access at a granular level. SDN will likely play a supporting role here as well.