Jeff Wilson
Jeff Wilson
Protecting the average corporate network from attacks is incredibly complicated and expensive. By the mid 1990s, complex toolkits had been supplanted by pre-built firewall software packages and intrusion detection systems. As performance and usability requirements increased, software moved to hardware, and by 2000, the number of companies buying and deploying perimeter security skyrocketed.

Features were integrated, costs came down, and technologies improved; today you can buy a top-of-the-line, stateful-inspection firewall at the local home electronics store. So has security technology innovation stopped? Are there no longer any threats?

Year after year, the CSI/FBI Computer Crime Survey shows that organizations experience roughly equal numbers of external and internal attacks. Yet the makers of early network security products largely ignored threats from the inside because there were no easy, product-based solutions. Instead, they targeted the boundary between the corporate LAN and the internet – because they could build products to do that, and because this was the most obvious point at which to defend against attacks from the outside. Now, thanks to distributed internet connectivity, VPNs, wireless technology, network-connected PDAs, and extranets, most large enterprise networks no longer have borders. While this increase in connectivity is great for employee productivity, it is a security nightmare.

On top of real security threats, IT shops at many organizations are increasingly challenged by the requirement to demonstrate compliance, for regulatory purposes, business license acquisition and renewal, business insurance, and a host of other reasons. Companies no longer just need to be secure to protect their assets and business – they also need to demonstrate that security on an ongoing basis to a third party or face stiff penalties.

Finally, every company connected to the internet faces the problem of lost revenue or productivity due to downtime associated with security threats; in our study The Costs of Network Security Attacks: North America 2007, we found that organizations lose an average of 0.5 percent to 2.5 percent of annual revenue due to security-related downtime. This threat is horizontal, as companies of all types and sizes are plagued by downtime associated with security attacks regardless of the value of their data or regulatory or compliance requirements.

The birth of NAC
Early attempts to solve the access control problem in the network did not fare very well (Directory Enabled Networking and COPS come to mind); enforcement technology was not in place yet, and all the vendors building solutions were in the network management space, so it was difficult to gain attention and build momentum for network-based access control.

Over the last three years, network access control (NAC) has been the topic of much discussion. NAC promises to offer an intelligent network infrastructure that can identify users, identify and run integrity checks on the computers they are using, grant users conditional access to specific locations or resources, and set policies. This architecture represents a monumental step forward in network security infrastructure, but implementing it is no simple feat, as it will impact all types of products, including client software, security appliances, network infrastructure, and the backend authentication, policy databases, and other identity stores. Increasingly, the definition of NAC is expanding to include not just posture checks but also scans of current system health as well as post-admission security, such as doing intrusion detection and prevention once clients pass the screening process.

Most NAC solutions encompass three main components: clients, enforcement and the backend. NAC enforcement (the location where access to the network and resources is unconditionally or conditionally allowed or denied) is the largest area of product development. Enforcement can happen in the client itself, or in the network, with policies typically served from the backend.

NAC enforcement: the end-user perspective

NAC enforcement is available in a variety of flavors, from host-based solutions to out-of-band, in-line, and Ethernet-switch-based solutions. We asked respondents to our study User Plans for Network Access Control, North America 2007 if they plan to enforce NAC at the client or in the network; 80 percent plan to enforce NAC in the network (the center of the diagram above). We also asked if respondents plan to buy an in-line or out-of-band NAC solution. Fifty-five percent plan to buy in-line solutions, and another 11 percent are not sure if they will buy an in-line or out-of–band solution. Even if respondents are not sure they will use in-line functions right away, many will plan to buy in-line solutions as a way to future-proof their NAC investment.

The future of NAC
In the short term (over the next year), host-based-only solutions will begin to fade away, and most companies deploying NAC will invest in out-of-band or in-line appliances due to the cost, availability, and ease of deployment of these products. In the next two to three years, we believe most appliance solutions will be in-line or in-line capable (similar to what happened in the IDS/IPS market), and that purely out-of-band solutions will begin to fade away, due to the ability of in-line solutions to provide real-time security after a secure connection has been established. For example, with an in-line device, an organization could automatically restrict new contractors to reaching only the devices they are onsite to service.

We also expect that in 2010 and beyond, client-only NAC solutions will be completely off the market, and many companies will have gone through a network infrastructure refresh cycle, placing 802.1X-based secure switches (with inline security functionality) in the network with centralized control infrastructure in place to handle NAC policies, augmented by a sophisticated application-layer access control solution.

Jeff Wilson is principal analyst for network security at Infonetics Research, Inc.