Future of NAC pits host against network
Product confusion, incompatibility constrict demand for NAC products, endpoint security vendors stand to benefit
Makers of network access control technologies find themselves dividing along familiar lines within the world of IT security as some providers evangelize a centralized, network-based approach for enforcing device authentication tools and others claim that NAC should reside on the endpoint.
In recent months, some market watchers have begun calling for industry consolidation under the idea that many of today's enterprise NAC products will either disappear or be collected into larger technology offerings delivered by major security vendors and networking firms.
Demand for NAC tools, which evaluate the security posture of devices as they attempt to log onto a network, has already been constricted by complex deployments, product confusion, and incompatibility, according to some industry analysts.
NAC will only become truly useful to enterprises when it can be tightly melded with other device and network security systems, these experts contend, and will likely be delivered alongside other technologies from the same vendors who already control those markets.
The sheer variety of endpoint and network-based systems being sold under the NAC banner has made it challenging for IT decision makers to get a firm grip on which pieces to buy, which will force a vendor shakeout that favors the largest security and networking players, said Paul Stamp, analyst with Cambridge, Mass.-based Forrester Research.
"This product confusion is one of the main reasons that NAC isn't as big as we'd thought it would be," said Stamp. "Customers know that there's no one product that can solve all these problems for a reasonably large enterprise, yet some large enterprises feel they've already got this problem solved with existing endpoint and network technologies."
In a recent report, Forrester predicted that larger endpoint security players including Symantec, McAfee, and Sophos will end up supplying the brains behind NAC, rather than network-oriented vendors such as Cisco Systems, one of the pioneering companies in the space.
There will be room for infrastructure companies to help marry endpoint security policies with network data controls, but NAC intelligence -- the security policies that determine whether a device is allowed on the network and how it must be updated if infected -- will not be network-based applications, according to the research firm.
"Enterprises need one policy set by client security tools and other technologies that use that policy to determine what to do," said Natalie Lambert, one of the Forrester analysts who authored the report. "There is a need for some enforcement mechanisms that the client can't handle, and there is a place for those technologies, but not if it forces IT to create separate policies."
Networking vendors such as San Jose-based Cisco and Juniper Networks will be able to market integrated products that enterprises use to help manage NAC and tie it tightly into their central defenses, and other major companies including Microsoft will play important roles in facilitating the tools, Lambert said.









