Microsoft's network access control client in Vista and now in Windows XP has a lot of IT executives excited, according to an informal poll of about 250 attendees of an Interop Las Vegas NAC seminar who are actively considering deploying the access technology.
About a third of them say they would use the NAC support in the Microsoft client software rather than pay more and deal with deploying and maintaining a client with more features that they have to pay extra for. Microsoft calls its NAC technology Network Access Protection (NAP)
Slightly fewer said they would pay extra and deal with the additional work needed to deploy a better client. About a fifth of the group didn't respond to the call for a show of hands when asked by the session's instructor, Joel Snyder a partner in Opus One consultancy and a member of Network World Lab Alliance.
Many vendors make gear compatible with Microsoft NAP, including Cisco and vendors that follow the standards set by the Trusted Computing Group (TCG).
But NAP didn't escape unscathed by a panel during the Interop NAC session. Participants noted that in order to support non-Microsoft machines, customers have to deal with third-party vendors that make software that can report the status of Linux, Unix and McIntosh machines to NAP severs.
Sophos, which makes such a NAP client that also interoperates with Sophos' own desktop security software, says it's more convenient to get all the data about the endpoint in one place rather than have separate clients. "You look in one place and get all the information -- from the firewall, NAC, [desktop security software]," says Chester Wisniewski, product specialist for global sales engineering at Sophos.
"Our APIs are available to any partner," says Manlio Vecchiet, a group product manager in the Windows server division of Microsoft.
One of the knottiest problems with NAC technology remains how to get data about devices that can't run NAC clients such as phones and printers, panelists say. The best way to deal with it is checking the behavior of devices continuously after they are admitted to the network to flag and block them when they stop acting like printers and phones. "If these devices do things they shouldn't, you need to know," says Brendan O'Connell, a senior product manager at Cisco who also was on the panel.
To that end the TCG announced at Interop that it has a new standard that lets other security devices share network security data with NAC platforms. The data is posted centrally and can be tapped by any of the devices. That way firewalls, intrusion detection/prevention systems and the like can contribute to ongoing monitoring of devices' behavior.
Vendors acknowledged in response to questions from attendees that setting up NAC is a slow, methodical process and may in its initial phases require significant work. That is especially true of networks lacking updated infrastructure to support the form of NAC chosen, says Cisco's O'Connell. "When you put NAC on your network, you probably are going to have a fair amount of spending on your hands," he says. "If you've ignored your wiring closet in the last 10 years, you're going to have some work to do."
The upside is that the investment will be worth it because the network will have a needed overhaul.
Other vendors noted that phasing in NAC in monitoring mode first to find out just how many devices would be rejected is the best way to deploy. Once the majority of endpoints are remediated to pass NAC inspection, enforcement can be turned on without disrupting business, they say.
Interest seemed high in NAC, with the workshop selling out to about 250 attendees who had to come a day early to pay for the class.