Test Center Daily | InfoWorld Staff » A NAC for policy enforcement: Lockdown Networks, RIP



March 25, 2008

A NAC for policy enforcement: Lockdown Networks, RIP

About three years ago, I was one of a core group of network engineers sitting at the Interop Hotstage facility working through the details of policy-based networking and the Interop Lab that we were designing to demonstrate it. There were a number of players in the marketplace, and it was clear that the technology was reaching a tipping point. In the intervening years, "NAC" (for Network Access Control) became a classic hyped technology, with dozens of companies creating products for the market, a number of established companies relabeling their existing products, and the confusion of multiple semi-compatible standards efforts.

Last week, yet another sign of the maturing of the market appeared when one of those companies involved in that early Interop demonstration announced that it was ceasing operations. Lockdown Networks is no more.

Although Lockdown Networks is not the first company to depart the market, it is perhaps one of the more widely deployed to do so. In Lockdown's announcement, the company cited "overall economic trends and slower than predicted adoption of Network Access Control (NAC) technology" for its failure to secure additional investment capital. However, its announcement was grist for industry insiders to expand the conversation surrounding the NAC and policy-based product marketplace.

And I think there is validity to their postulations.

If there are any key lessons that we can learn from the past waves of network-related technology, the first two are these:

1. Standards win
2. In-line devices collapse into the infrastructure

Although the marketplace is still far from consolidated, products from a broad range of providers including Cisco and Microsoft (whom we will be reviewing in the not-too-distant future), Enterasys, McAfee, Symantec, and Trend Micro (click the link to see our comparative roundup), and ConSentry (reviewed in February) demonstrate that companies already deeply involved in enterprise infrastructure understand the necessity of policy enforcement to protect that infrastructure from both rampant malware and the ever-present threat of data breaches.

You ignore policy enforcement at your own peril. Ignoring the risk will make you more vulnerable. Trying to implement without design won't work, either.

The focus of your decisions around policy implementation is directly related to the granularity of your policies, the importance of your information infrastructure, and the critical nature of your data. Only you can decide.

Given that, though, focusing on infrastructure-centric solutions to policy enforcement makes the most sense. Whether in your switches, endpoint security agents, or the systems that manage these and other network components, using policy management that integrates with the components that see the traffic and client characteristics makes the most sense, don't you think?

Posted by Stephen Hultquist on March 25, 2008 10:18 AM


COMMENTS




For every argument, there is a counter-argument. I would have to agree that in the Internet age, standards have generally prevailed. However, the standard of what? And by whom?

Many years ago I worked in telecomm (as it was then called). Countless person-years were expended upon planning, support and implementation for Integrated Services Digital Network (ISDN). Anyone remember that? I do.

ISDN was a beautiful, scalable, non-proprietary telecomm standard. That never caught on. To the point that even telecomm people joked that it stood for I Still Don't Need it.

You mention Microsoft in your article. Microsoft Windows and Office are standards too. De-facto, proprietary standards, but standards nonetheless. Adobe markets the de-facto standards Acrobat and Flash. The fact that Adobe recently submitted the Acrobat format to a standards body doesn't count--that's years after the fact, when the popularity of the tools and format is a done deal.

Let's get back to Internet age arguments. If open standards were everything, Internet static graphics would be dominated by the PNG and SVG formats. Instead those are also-rans, rarely seen in the wild.

It's easy to say that standards are king. The reality is a delicate balance between the responsiveness of the standards bodies, the availability of proprietary solutions, distribution models, costs, customer expectations, and so on.

Posted by: Brian at March 25, 2008 04:35 PM