Open source swarms around NAC

Universities lead the way, but wide acceptance may take awhile

A pair of Harvard University IT staffers last week released a free virtual appliance that supports their open source network access control platform -- just one of many free NAC tools springing up to address security-hungry customers.

Called PacketFence Zero Effort NAC (ZEN), the Harvard-developed appliance consists of an operating system image that runs on Linux or Windows and performs policy checks of devices as they log on to networks.

PacketFence ZEN is the latest innovation among about a dozen free NAC packages, most them created at colleges in reaction to the same Sasser and Blaster worms that led commercial vendors -- such as Cisco, Microsoft and the Trusted Computing Group industry consortium -- to develop NAC for profit.

NAC has proven so popular that Infonetics projects commercial vendors will reap US$3.9 billion in NAC sales by 2008, but the open source alternatives probably won't share in the payday, says Rob Whiteley, an analyst with Forrester Research. "Open source NAC will be a catalyst that big vendors like HP or IBM will wrap around their own products and then support the heck out of it," for a fee, he says, but that will take some time and leave out the open source innovators.

That's OK with Dave LaPorte and Kevin Amorin, the two Harvard IT workers who develop PacketFence together in their off hours. "We're just doing it because it's fun, and we use it on our jobs, and it's useful to a lot of people," says LaPorte.

Their software authenticates users via any method supported by open source Apache Web servers. It performs vulnerability scans and can divert machines found lacking to remediation sites. It can isolate devices from the network using DHCP changes as well as manipulating Address Resolution Protocol caches.

Commercial vendors rely mainly on 802.1x port authentication to isolated devices, which is arguably more secure, according to analyses of various NAC architectures. But some open source projects embrace 802.1x as well.

While it may not be booming, PacketFence is making headway, says Ludovic Marcotte, chief systems architect at Inverse, a Montreal integrator that installs and supports PacketFence commercially. "Most of our clients are big universities or school boards or large companies where we normally have 2,000 up to 100,000 users," he says.

One of these is Williams College in Williamstown, Massachusetts, which is phasing out its homegrown access-control platform based on Cisco's VLAN Membership Policy Server (VMPS) that maps media access control MAC) addresses to virtual LANs, says Mark Berman, the school's director of networks and systems. "VMPS is not long for this world. Cisco is phasing it out," Berman says.

In addition, PacketFence supports DHCP distribution of IP addresses, which will be needed as Williams implements VoIP, he says. The VMPS alternative relied on static IP addresses.

Price and independence also play a role in the decision to use PacketFence. "The cost for us is a tiny fraction of what we would have paid Cisco, and I think that what we're getting is at least as good," Berman says. "One of the things that going with PacketFence gave us is it unties the knot that tied us to Cisco. We can run any switch we want at the edge as long as it supports SNMP."

Page Break

FreeNAC

Meahwhile, Swisscom, the state-owned telecom in Switzerland, is hoping its open source NAC software will also have commercial appeal. The company has recently started marketing a commercial version of the software, called FreeNC, and has five customers, says Sean Boran, a Swisscom senior security consultant who is the project lead on FreeNAC.

The commercial version of FreeNAC includes some features not available via the open source version, and Swisscom charges a subscription fee that includes installation and support. Boran says the service is aimed at businesses that have aging, heterogeneous infrastructure, including switches that don't support 802.1x port authentication, which is required by many commercial NAC vendors as a means to enforce policies.

Like Williams College's VMPS-based NAC, FreeNAC started out using Cisco VMPS to enforce policies, but that has been expanded to include 802.1x, he says. That means FreeNAC can support networks that have a mix of equipment, and can help them transition to a commercial NAC platform as they upgrade their infrastructure over time.

"If you're a tightly managed Cisco shop with Windows [desktops] I don't see a need for what we're doing, but we'll work for you today with today's infrastructure," Boran says.

Page Break

More freeware

Open source NAC communities have two key advantages of all open source communities, says Russell Yount, the network architect at Carnegie Mellon University in Pittsburgh: It finds bugs quickly and expands features as demand for them arises. Carnegie Mellon has its own NAC software called NetReg designed for use specifically at the school, but it is flexible enough to be used at Worcester Polytechnic Institute, Duke University, the University of Alabama and Woods Hole Oceanographic Institute among others, Yount says.

Flexibility is important because being customized for a particular environment restricts usefulness. For instance, Rings, the NAC software written at the University of Kansas for use on campus, is customized for its homegrown DHCP servers, so its DHCP enforcement isn't widely applicable outside the campus, says Dustin Brown, the lead developer and designer of Rings.

Rings ties a username to a MAC address to register machines to the network that also sends a Java agent to the client machine to check for antivirus software and install it if it's not there. It also configures machines to tap the local update server, and assures their IP address falls within the appropriate range and that they have the most critical Windows updates.

Rings uses DHCP to isolate machines, and the fact that University of Kansas uses its own version of DHCP is a limiting factor for use of Rings, he says.

"I think that's the biggest stumbling block that other groups are having, that they don't want to redo their entire DHCP infrastructure just to get NAC. They'd much rather use what they already have," Brown says.

That doesn't prevent others from using Rings, though. For instance, Trinity Christian College in Palos Heights, Ill., had to delay deploying Rings while it made needed changes, says Kevin Jacobs, coordinator of computer services at the school.

The school tried to integrate Rings' DHCP back end with Microsoft Active Directory as part of the NAC policy platform, but that proved difficult. "We spent a lot of time working on this and decided we wouldn't be able to get it working in time for students arriving on campus [in the fall of 2005]," says Jacobs. Ultimately that required code changes to the DHCP used by Rings, a process that was aided by Brown at the University of Kansas. "Dustin helped guide us through a lot of configuration," he says.

This cooperation is typical of the open source NAC effort, says Williams College's Berman, and is being borne out by interactions among the groups. For instance, FreeNAC's Boran wants to share information with PacketFence. "We're more than willing to work with anyone that's interested," says Amorin.

"There's not a lot of overlap in the way we do things in our platforms," says LaPorte, " so we may both be able to pick up a lot of things."

Still, it may be some time before open source NAC takes hold in enterprises, says Forrester's Whitely. Businesses switch to open source platforms when they are stable and integrate easily with all networks, and even then it takes concerted effort. The same will hold true with NAC.

"It will take a champion of some kind for this to make the leap to enterprises," Whiteley says.