Forrester: Today's NAC is whack

Today's NAC (network access control) technologies will fail and disappear as companies move to device authentication systems that operate on the end point, according to a new report issued by Forrester Research.

Enterprise companies desperate to improve their security systems in the wake of high-profile malware attacks and systems intrusions bought into the current crop of NAC technologies, Forrester analysts said. Those firms, however, have struggled to install and maintain those existing NAC tools, and will seek alternatives in the coming years, according to the report.

NAC systems -- marketed by a wide array of security software makers, as well as infrastructure vendors including Cisco Systems and Juniper Networks -- promise to scan devices as they attempt to log onto a network to test their overall security posture.

Once a device has been proven to be authorized for systems access, and NAC tools have verified that the machine has required security applications and patches in place, it is allowed on the network. Some products also promise to provide so-called post-admission NAC protection, whereby they continue to monitor device behavior after granting network access to protect against hidden attacks.

In addition to confusion about all the various products that individual vendors are marketing as NAC tools -- which range from complex end-to-end systems to simple authentication applications -- Forrester highlighted a number of reasons why its experts believe that today's technologies will fail.

The report contends that one of the most significant problems with existing NAC systems is that they lead to the creation of too many policies that aim to control the same processes.

For instance, the researchers said they frequently see customers using Symantec's Sygate remote and wireless access technologies alongside Cisco's product for local user access, which results in "disjointed" policies that don't allow users to enjoy a consistent experience when trying to log-on in to the office or remotely.

In another dig, Forrester claims that there is too much complexity, and too little compatibility, among the many NAC technologies, even those made by companies backing standards efforts, including guidelines proposed by Cisco, Microsoft and the Trusted Computing Group (TCG).

The report maintains that too many current NAC products are "purely preventative," lack the capability to defend against newly emerging threats, and too often offer users advice on how to make their computers compatible with security policies instead of helping them to remedy any problems.

The fact that most NAC systems today lack the ability to remediate potential problems, such as having the wrong version of an anti-virus package or lacking the latest Microsoft security patches, and merely quarantine devices that fail to comply, is perhaps the biggest issue with the technologies, said Natalie Lambert, one of the analysts at Forrester who authored the report.

"The way that NAC works today, it forces duplicate efforts to create policies at the network and at the end point, and most often these systems cannot handle the remediation aspect that is necessary to make the process effective and blind to end users," Lambert said. "Today's NAC vendors can't pull the whole process off. Why not have these tasks handled as part of a security and management solution whereby if you don't meet the policies you can [be updated]?"