Vendor direction

So what are some of the vendors' positions on the NAC standards with regard to product development? Eric Stinson, Enterasys Networks' director of product management for NAC, explains that while Enterasys has been building NAC type functionality into its network equipment for some time, continuing to follow industry standards as they develop is an important corporate direction. "We remain committed to interoperability and investment protection through [NAC] industry standardization efforts."

As HP ProCurve Chief Security Architect Mauricio Sanchez elaborates, NAC is built on existing standards to an extent. "All of the NAC protocol frameworks have some underpinnings and usage of current standards, such as RADIUS, EAP, 802.1x, etc.," he says. "No one likes to reinvent wheels, so where existing [standards] made sense, there's no reason why they shouldn't be used."

It's through collaboration that a standard emerges -- be it by decree or de facto. Stinson sees movements in collaboration as indicative of the future direction of NAC. "Enterasys expects that TNC and NEA will eventually align with each other, but the fact that Microsoft has endorsed TNC will drive NAC adoption based on Microsoft's market presence in client computing," he says.

Alan Shimel, chief strategy officer at NAC producer StillSecure, agrees. "Microsoft Server 2008 will go a long way towards adoption of NAC" says Shimel, who adds that the proliferation of NAP "is going to really help the TNC standards course."

"Many customers are eagerly waiting to evaluate a complete NAP solution, so if anything, it will serve to solidify customer opinion on what and how they should proceed in addressing their endpoint integrity requirements," according to Sanchez. And that is the real dilemma many network and security administrators as well as CIOs and CISOs are facing: Wait for the standards to solidify, or deploy NAC now?

Customers have real problems now that need real solutions. "If they have a problem they are looking to solve [with NAC], they want to solve this problem," states Shimel. Stinson says, "The centralized visibility and control that NAC can provide to network operations teams today can deliver tangible improvements in efficiency and effectiveness while improving the overall security posture of the organization."

Industry spin ... or not?

It's obvious why manufacturers of NAC products would suggest that such products should be purchased now, despite the standards situation. IT has a long history of offering whiz-bang products that could be considered overkill at a significant cost.

However, consider how NAC has evolved. NAC started out in start-ups and small companies such as Perfigo, which was precursor to the Cisco NAC Appliance, and open-source projects such as NetReg. Usually, such initiatives come about mainly because of need, be it real or perceived. When the need is real, the "big boys" pick up on it and begin to incorporate it into their offerings.

That's exactly what has happened with NAC development. It was the need that drove the initial products, and it was the prediction of a much larger need that led to the marketplace that exists today. It should be no surprise that the standards are trying to catch up, because the need has existed for some time.

NAC vendors naturally suggest that it's appropriate to buy NAC products before the standards mature, but the flip side is that if the market leaders didn't feel there was a need for NAC, they wouldn't have invested as much in development as they have. Watch out for vendor marketing FUD (fear, uncertainty and doubt), but remember that IT exists to serve your business, not the other way around. That, and not the status of standards, should be the primary consideration when considering a NAC deployment.

Greg Schaffer is a freelance writer based in Tennessee. He has over 15 years of experience in networking, primarily in higher education. He can be reached at newtnoise@comcast.net