A pair of Harvard University IT staffers last week released a free virtual appliance that supports their open source network access control platform -- just one of many free NAC tools springing up to address security-hungry customers.
Called PacketFence Zero Effort NAC (ZEN), the Harvard-developed appliance consists of an operating system image that runs on Linux or Windows and performs policy checks of devices as they log on to networks.
PacketFence ZEN is the latest innovation among about a dozen free NAC packages, most them created at colleges in reaction to the same Sasser and Blaster worms that led commercial vendors -- such as Cisco, Microsoft and the Trusted Computing Group industry consortium -- to develop NAC for profit.
NAC has proven so popular that Infonetics projects commercial vendors will reap US$3.9 billion in NAC sales by 2008, but the open source alternatives probably won't share in the payday, says Rob Whiteley, an analyst with Forrester Research. "Open source NAC will be a catalyst that big vendors like HP or IBM will wrap around their own products and then support the heck out of it," for a fee, he says, but that will take some time and leave out the open source innovators.
That's OK with Dave LaPorte and Kevin Amorin, the two Harvard IT workers who develop PacketFence together in their off hours. "We're just doing it because it's fun, and we use it on our jobs, and it's useful to a lot of people," says LaPorte.
Their software authenticates users via any method supported by open source Apache Web servers. It performs vulnerability scans and can divert machines found lacking to remediation sites. It can isolate devices from the network using DHCP changes as well as manipulating Address Resolution Protocol caches.
Commercial vendors rely mainly on 802.1x port authentication to isolated devices, which is arguably more secure, according to analyses of various NAC architectures. But some open source projects embrace 802.1x as well.
While it may not be booming, PacketFence is making headway, says Ludovic Marcotte, chief systems architect at Inverse, a Montreal integrator that installs and supports PacketFence commercially. "Most of our clients are big universities or school boards or large companies where we normally have 2,000 up to 100,000 users," he says.
One of these is Williams College in Williamstown, Massachusetts, which is phasing out its homegrown access-control platform based on Cisco's VLAN Membership Policy Server (VMPS) that maps media access control MAC) addresses to virtual LANs, says Mark Berman, the school's director of networks and systems. "VMPS is not long for this world. Cisco is phasing it out," Berman says.
In addition, PacketFence supports DHCP distribution of IP addresses, which will be needed as Williams implements VoIP, he says. The VMPS alternative relied on static IP addresses.
Price and independence also play a role in the decision to use PacketFence. "The cost for us is a tiny fraction of what we would have paid Cisco, and I think that what we're getting is at least as good," Berman says. "One of the things that going with PacketFence gave us is it unties the knot that tied us to Cisco. We can run any switch we want at the edge as long as it supports SNMP."