Some NAC users tout successes

The long-term viability of NAC -- and the question of whether it will remain a standalone product set -- is still up in the air, but some users are already seeing benefits.

Security industry analysts and other market watchers are still working to understand the long-term viability of NAC (network access control) as a standalone technology, but some end-users contend that they are already seeing major benefits using best-of-breed tools.

Experts may debate whether or not NAC will remain a standalone product set or be integrated into other networking and security systems, or whether it will be used to control access to internal IT systems such as enterprise applications, but some users say that they are already satisfied with the ability of existing products to help keep their computing infrastructure protected.

From companies building components for NASA's Space Shuttle program to regional college campuses, these IT administrators maintain that they have already found NAC to be a valuable method for keeping unauthorized users and infected devices from ever logging on to their networks.

At Astrium North America, the Houston-based arm of European aeronautic defense and space giant EADS, NAC is being used to help safeguard product designs and sensitive data that the company maintains as part of its work on the Space Shuttle program, among other projects.

While getting the tools into place was no simple trick, said George Owoc, director of business administration at Astrium NA, NAC has made it far easier for the company to work with all the business partners needed to collaborate on products that will someday travel into space.

"We have a lot of partners, including a fair number of people in Europe and foreign nationals without State Department clearance, so we have to be sure that we can protect our information, things like our engineering techniques, or we could lose the ability to participate in the Shuttle program," Owoc said. "Being able to manage access so that people who aren't authorized to get in cannot do so, or to ensure those who can don't bring in spyware is extremely important to our business, and NAC has allowed us to address that."

As in many other industries, a number of the companies that Astrium NA partners with on its projects are also competitors in other business environments. Given that, and given complex government requirements about protecting sensitive NASA engineering data, Owoc said that before the company installed NAC it was a challenge to both grant access to partners and ensure that its informational assets were protected.

Among the most significant challenges that Astrium NA faced in getting its NAC system, built by Lockdown Networks, into place was the structuring of the technology's rules for managing access to different areas of its network, Owoc said.

However, over the last four years that Astrium NA has used the product, Lockdown has improved the usability of its technology significantly, and the company is now able to tailor its enforcement capabilities to meet its unique processes, he said.

One of the main reasons the company chose to go with Lockdown over NAC products from larger vendors, specifically Cisco -- from which it buys the majority of its networking gear -- was that Owoc felt the smaller vendor would be more willing to listen to feedback about its products and make improvements over time.

From that standpoint, the admin said that his company will stick with the best-of-breed approach and its current vendor as he feels that the standalone product works better than integrated tools offered by platform providers like Cisco.

Using NAC as a teaching tool

Astrium NA will also avoid opportunities to use NAC to control access to applications or other systems because it works well enough in its current format and the firm doesn't want to add more complexity to its system, Owoc said.

"I don't think NAC is something that can be part of a product that is trying to be all things to all people. In our experience, those types of products don't work as well as dedicated products that do one thing well, so we'll stick with best of breed," said Owoc. "I don't want to add any other functionality like applications access because it's not something we need right now, and it could just prove to be a huge performance issue."

At Binghamton University in New York, home to more than 13,000 students and faculty members, Network Administrator Joe Roth said that the school was in desperate need of a better method for keeping malware from finding a way onto its network.

Unlike a business, the university is forced to admit machines that it does not own or control, and students were continually dragging unwanted programs onto the school's network that they had picked up on their computers in other places, Roth said.

After fighting its way through several major virus outbreaks, the school decided to install NAC applications made by Bradford Networks in 2004. Since that time, the institution has saved a significant amount of the time and money that it was previously forced to spend dealing with the repeated outbreaks, he said.

"We were spending a lot of time trying to clean things up, and we needed to have some way to ensure that when a student tries to connect to the network, we know who they are and what they're doing, and make sure that they're not spreading infections to us," Roth said.

"I won't lie, [NAC] is a large system to get your head wrapped around, especially when you think about working with networks in a more traditional sense, doing switching and routing," he said. "If it is going to work you have to understand what is going on with your network, how it will interact with a client PC in terms of what types of anti-virus they have, but we've made it work."

As with Astrium NA, Binghamton isn't planning to take NAC in any cutting-edge direction, but it does continue to roll out the system to include additional users, such as its faculty members, and it has begun using the system to grant wireless access to students on campus.

One of the greatest benefits of using the system, in addition to allowing the school to better enforce its security policies, he said, was that it has made Binghamton's undergraduate community far more aware of the realities of today's computing environment and the nature of malware attacks.

"We're a teaching institution, and I think this is actually some valuable experience that our end-users are going through, as they're going to have to deal with this type of thing as they head out into the workforce," said Roth. "Every year when the students come back, we find that a lot of them don't even know what anti-virus is about or the threats themselves, so it has value from an educational standpoint as well."