NAC: Surging Ahead
Gone are the days when an organization could install an antivirus (AV) solution on each machine, and become safe from security attacks. The irony of the security market is that the adage “Prevention is better than cure” cannot apply to IT security. “Security market is not static. As we come out with solutions to prevent security threats, the cyber villains come out with new and more sophisticated threats,” says Prasad Babu, Director – SE and Operations, Juniper Networks.
The buzzword among security aficionados for quite some time has been Network Access Control (NAC), which uses the network in place of the desktop to protect users from malicious security threats. NAC virtually allows you to lock down your network and find out who gets access to it. “Network Access Control takes a proactive approach to identifying insecure and possibly corrupted computers quickly—before they get permission to connect to your network,” says Niraj Kaushik,”Country Sales Manager, Trend Micro India.”“Instead of applying strict controls only to connections coming from outside the corporate firewall, proponents of NAC say every network plug in every cubicle and conference room ultimately should be treated with the same suspicion and scrutiny,” adds Trend Micro.
NAC, which resides in a box at or near the network switch, promises to be a huge market. Security experts are of the view that NAC can ultimately simulate or embed the functionality of many desktop security products, including antivirus, personal firewalls, malware protection and intrusion prevention. According to research firm IDC, the endpoint security market, comprising mostly of NAC, will grow to $6.2 billion by 2009, up from $4.4 billion in 2005.
Of late, there has been a rise in the mobile employees, workers and contractors. Laptops and handheld devices are used by them to log on to corporate networks. This has resulted in the increasing significance of network as the focal point for the security needs of the company. “In today’s business requirement, employees need to work from multiple locations like corporate network, homes and while travelling. While working in unprotected environment, laptops getting infected are being carried back to the corporate network and attacks are spread widely to the enterprise network,” says Anand Naik, Director – System Engineering, Symantec India and SAARC.
“NAC is ideal for corporations and agencies where the user environment can be rigidly controlled,” says Kartik Shahani, Director – Sales, India and SAARC, McAfee Inc.–A recent survey conducted by the Enterprise Strategy Group has found that employee laptop is a major concern for spreading internet worm attacks.–“Network Access Control is a process designed to reduce security incidents and increase compliance by enforcing IT security policies as a prerequisite for network access,” adds Anand Naik.
The proponents of NAC underline the absolute necessity of NAC. Guerrero says, “Security appliances currently protect networks at the networks. In other words, they protect a network that can consist of one or thousands of users. In today’s LANs, and with the rapid growth of wireless networks, this is simply not enough.”
“Enterprises today face many IT challenges. The key among these are combating evermore frequent security incidents and striving to maintain regulatory compliance. Misuse, misconfiguration and malicious access to critical corporate systems have reached epidemic levels. A common thread among these challenges is the need to ensure protection and control of the endpoint,” says Anand Naik.
NAC is implemented in networks that require user-level security for both wired and wireless networks. A typical customer of NAC is one that requires selected access to key parts of the network by local users, remote users and users connected to the network via wireless networks.
NAC solutions work with network access infrastructure to ensure that systems are in compliance with the IT policy before they are allowed to connect to LAN, WLAN or VPN. This protects the network and increases productivity and network availability by keeping non-compliant systems off the network. NAC solutions of Symantec fully automates the process of remediating systems that are out of compliance, thereby reducing the burden on helpdesk staff.
“With today’s sophisticated security challenges, perimeter defence alone and traditional products working independently are no longer sufficient. Therefore, traditional security products such as intrusion detection and prevention (IDS/IPS) technology, antivirus measures and firewalls are no longer adequate,” says Mohammed Hayath, National Business Development Manager – Security, Cisco India.
Organizations need more comprehensive, multi-layered, pervasive and tightly integrated information security solutions. It is here that Cisco’s Network Admission Control (NAC) provides a powerful policy enforcement mechanism tailored to meet the new challenges faced by the network.”
Cisco NAC allows organizations to enforce their security policies on all devices (managed and unmanaged) as they enter the network, regardless of their access methods, ownership, device types, application configurations and remediation models. It provides proactive protection for infrastructure and greatly improves network resiliency allowing pervasive and in-depth security defences throughout an organization’s infrastructure with multiple points of protection,” adds Hayath.
With current and advanced security products and technologies, Cisco NAC integrates and serves as a critical component in an organization’s overall security strategy to meet the present and future challenges.
The NAC market in India is still at a nascent stage. “To date, the leading security analysts have yet to begin tracking market forecasts and share sizes,” says Frank Guerrero, Vice-President”– Marketing, NeoAccel. “They’ve spent the past year, or two, understanding what vendor’s definitions and implementations of NAC actually are. They are now predicting that 2007 will be the year of NAC and we will soon see formal market forecasts,” says Guerrero.
Guerrero feels that India will be a high-growth market for NAC. “With the steep rise in deploying networks in India, the rise for securing those networks will rise along with it. And, the size of these networks will force the issue of taking network security beyond its traditional place at the networked edge all the way down to the user-level, which is what NAC provides,” notes Guerrero.
Symantec also shares the same opinion. “In India, the network access control market is showing a substantial growth, especially with the changing scenario of increased mobile workforce,” says Anand Naik.
According to the research firm Frost & Sullivan, the endpoint security market in India is expected to grow at a 19.8-per cent CAGR from 2004 to 2011 touching $964.1 million, and this includes network admission initiatives by the key players.
It really does not cost much to own and implement NAC. Customers can look at a phase-wise deployment of implementing a NAC solution for Remote workers, followed by Wireless users and then the LAN users.
For example, small organizations can look for the NAC Appliance “Lite”. The Lite can manage up to 3 Clean Access Servers a
nd each Server can support up to 2,500 users. Hence, the solution is cost-effective as well as scalable.
Shahani of McAfee is of the opinion that it is difficult to say what the TCO of NAC would be as it would depend on network requirements.
“However, it would be substantially cheaper than a hardware-based solution,” adds Shahani.
Over the couple of years, a number of new players have forayed into the NAC segment. With the advent of NAC as a technology, venture backed start-ups have emerged. A rugged battle between these start-ups and firmly entrenched players is in the offing. Networking behemoth Cisco has been developing NAC for many years, while security giant Symantec introduced an NAC product in at the beginning of this year.
The Cisco NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers and PDAs, for example) and can restrict the access of noncompliant devices. With the proliferation of mobile workforce, NAC can effectively secure the network from any rogue device or user.
Cisco NAC is delivered in the form of the Cisco NAC Appliance (formerly known as Cisco Clean Access). The appliance can be rapidly deployed everywhere in an organization’s network, or it can be deployed in the focussed areas (such as remote access or wireless access networks) to resolve critical security concerns. The Cisco NAC Appliance delivers endpoint compliance assessment, user identity authentication, policy management and enforcement and remediation services in all types of network environments. Symantec NAC was developed by Sygate that was the trailblazer in the early NAC market, long before it was a recognized solution segment. Symantec NAC is the industry’s first complete Network Access Control product designed to deliver the promises of NAC to real-world networks, driven by customer experience in the world’s largest enterprises. SNAC provides a central location (the Symantec Policy Manager) for the configuration of all security policies used to determine network admission, and configure the appropriate actions needed to bring systems into compliance.
“Leveraging over 24 years of security experience and four years of NAC-specific experience, Symantec’s NAC offering provides companies with tried and true, comprehensive end-point security solutions,” says Anand Naik.
“McAfee NAC, called the McAfee Policy Enforcer, gives medium to large businesses anywhere, anytime access to corporate networks for their employees, guests and contractors, while protecting valuable assets from the risk of endpoint malware and misconfiguration,” says Shahani.
“McAfee’s comprehensive NAC strategy aims to deliver the most complete and flexible NAC solution to suit any customer environment,” says Shahani. He adds, “McAfee allows customers to deploy a NAC solution today on their existing heterogeneous network, while providing a foundation for future network upgrades.
” McAfee’s Network Access Control (NAC) has lots of products, which fall under Risk Management and Compliance Solutions, including MPE, Foundstone, Prevensys and Citadel. Under each of these broad Products, there are various sub-products.
Juniper has recently released a new version of its Unified Access Control (UAC) network access control (NAC) system that integrates technology from its acquisition of Funk Software, which the Comms vendor bought just less than a year ago. Called UAC 2.0, the Juniper NAC acts as a complete Layer 2/3 access control system that runs on its Infranet Controller 4000/6000 systems. It integrates Funk’s Steel Belted Radius server with its 802.1x-based Odyssey supplicant, allowing wired or wireless policy enforcement using 802.1x and Layer 3 firewall enforcement.
Trend Micro has launched Network VirusWall Enforcer that integrates all aspects of NAC with anti-worm capabilities into one simple appliance. “Its superior automation of the NAC flow, including agent-less remediation, reduces administrative burden and increases user productivity,” says Kaushik of Trend Micro Micro.
Deployable easily and with minimal IT burden in large enterprise networks around the world, Network VirusWall Enforcer’s agentless policy enforcement helps ensure that employees, contractors, partners and visitors connect to corporate networks using a secure, virus-free device. Network VirusWall Enforcer scans devices for security software, critical patches and current updates. It evaluates the security profile of networked devices, including information about hundreds of versions of antivirus software from over 20 antivirus vendors, signature updates, and Microsoft vulnerabilities, and then administers precise security policies automatically, without end-user intervention. Non-compliant devices are quarantined and undergo automatic remediation. Once a device is cleaned and meets corporate security requirements, it is allowed to access the network. Network VirusWall Enforcer combines granular policy enforcement with automatic worm prevention. Because many worms can spread instantly upon connection – before policy enforcement takes effect – Network VirusWall Enforcer provides immediate protection by filtering network traffic to detect and block worms, bots and other threats. The integrated plug-and-protect appliance is ideal for enterprises that have multiple network segments and mixed Windows environments. The appliance offers flexible centralized management options for efficient enterprise-wide administration. Businesses can utilize the appliance’s built-in Web console or leverage Trend Micro Control Manager.
Mumbai-based NeoAccel offers NeoAccel NAM-Plus Gatekeeper offers granular network access control, endpoint security, remediation and authentication, managed by a policy manager, to make up a superior and comprehensive NAC solution.
NAM-Plus Gatekeeper is one of the two complementary NeoAccel network solutions. This means that NeoAccel is focussed on the NAC market, rather than its NAC be one of dozens of products in a large vendor’s product line. And, as the NAC product evolves by early adopters, NeoAccel’s nimbleness will be able to meet the market’s needs. The company wants to establish NAM-Plus as a leader in the nascent Indian NAC market.
McAfee and Cisco have collaborated to deliver a comprehensive NAC solution, which provides the ability to Define policies, Detect endpoints, Assess endpoint compliance, Enforce network access, and Remediate the endpoint to be in compliance with the policies. McAfee Policy Enforcer integrates with Cisco NAC APIs for a complete policy enforcement solution in conjunction with your Cisco NAC-enabled network.
Symantec supports the use of Cisco NAC protocols as part of the network access control decision, but does not require C-NAC in order to enforce policy. In addition to C-NAC, SNAC uses a variety of proprietary and open standards solutions to enforce policy: 802.1x, DHCP, Integration into VPN Gateways and In-line appliances.
Since SNAC does not require C-NAC technology, these alternative methods eliminate the need for expensive network upgrades. They also eliminate the need for a specific hardware vendor. In fact, Symantec tests with network products from nearly every large vendor, including Cisco, Nortel, Foundry Networks, HP Procurve, Aruba Networks, Extre
me Networks, Enterasys and Alcatel.
Since NAC is an emerging and young technology, the importance of partners cannot be soft-pedalled. “We have a good number of Security Specialized partners across the country that has the capabilities to design and implement Cisco’s NAC Solutions,” says Cisco. The networking giant has its Customer Advocacy arm that can get involved in such requirements and projects.
The critics of NAC opine that NAC is more of hype than anything really impressing. “But the users do not seem to agree. Network access solutions are critical to enterprise customers, and, according to customer polls by McAfee, virtually all major organizations in the Asia-Pacific are planning to implement NAC in the near future,” says Shahani.
However, some administrators have expressed doubt about the practicality of NAC deployment in networks with large numbers of diverse users and devices, the nature of which constantly changes. An example is a network for a large university with multiple departments, numerous access points and thousands of users with various backgrounds and objectives.