A Confusing Proposition

NAC technology has grown in fits and starts since around 2001. Cisco was first out of the gate with technology that allowed companies to vet systems prior to admitting them to a network. Its technology resides in the switching and routing infrastructure. Others soon followed. One of those was Microsoft, which took a different approach by adding the technology to the operating system layer, via its Network Access Protection (NAP) offering. Other pureplay vendors have since joined the fray, including Forescout, Mirage Networks, Bradford Networks and Vernier Networks.

To make matters more confusing, each of these vendors comes at NAC in different ways. But to boil it down, there are basically two options: Inin-Band band and Outout-of-Bandband. In-Band band (sometimes called Inin-Lineline) systems are installed between users and the rest of the network; that is, between access layer switches and core switches. This method prevents systems that don't comply with company policies from entering the network. Examples include Edgewall from Vernier Networks, LANenforcer from Nevis Networks and LANShield Controller from ConSentry Networks.

In-Band band systems are good choice when companies are forced to allow machines of unknown origin to connect to their network, says John Pescatore, a vice president at Gartner.

"When a contractor machine connects, he might have software you don't like, but you can't tell the contractor to delete the software from his company PC. But if you had something in-line between the contractor and the network and the contractor started sending out dangerous things, you could just block it."

The other option is out-of-band NAC. These products, which use the existing network architecture, allow networks to communicate with the switching infrastructure and block things anywhere on the network. That's especially useful for complicated network architectures, Pescatore says. Vendors with out-of-band NAC options include Mirage Networks and Bradford Networks.

Which way you go, and which vendor you settle on, will depend on several factors. The first step, Roberts says, is determining your immediate needs. Based on the answer, you'll know whether you need to deploy NAC now or later, and you'll know whether to consider an in-line or out-of-band solution.

The next step is looking at your existing vendors to see if that vendor has a compatible NAC solution. If you're a pure Cisco shop, for example, it would make sense to go with Cisco's Network Admission Control (C-NAC). Similarly, if you are planning to upgrade to Microsoft Vista or Longhorn soon, you should strongly consider Microsoft's NAS solution.

Heterogeneous environments are probably better off with a pureplay vendor, Pescatore says. Yet another option might be Trusted Computing Group's Trusted Network Connect (TNC), which was developed using open standards.

But whether you choose to wait or move forward, chances are that your company will be using some type of NAC solution before too long. According to Gartner, the NAC market reached US$225 million last year and is expected to grow to US$440 million by the end of 2008. Growth will continue until 2010, when it is expected to reach US$700 million, and flatten after that as NAC becomes more of a standard offering in all types of technology.