The benefits and shortcomings of NAC

By Joel Snyder
Network World, September 3, 2007

Original Article on Network World Web Site

What's the biggest shortcoming you see with NAC implementations?

That's hard to say. I think that the lack of standardization of NAC approaches and strategies is really holding us back. We want to have different products for different requirements, but NAC products are so different across the board that it makes it difficult for people to know what will solve their needs. You have to be a product evaluation guru just to understand some of the subtle differences between these products. I think that this will shake out over time, but if you look at Mandy's test a few weeks ago, you'll see that she got really different products with really different designs. This makes it hard to know what's right for you.

What are your thoughts about in-band versus out-of-band NAC solutions (pros/cons each way)?

I'll have to throw a definition out here, and see if you agree: in-band I think of as a box, like maybe a Vernier / Consentry / Nevis or even Cisco CCA (in in-line mode, which is one option), which controls all access. Out-of-band is what I like to call "edge enforcement," more 802.1X-y. Hybrid is more half-way, like Lockdown or CCA in that mode. Anyway, given those definitions: edge is really where I think we want to go for big enterprise deployments. It scales, it handles the load, and it doesn't depend on a single point to do enforcement. In-band I think of more for the occasional guest access -- drop one of those boxes in between your guests and let it handle that load. BAM, problem solved, that was easy, etc. Of course, that doesn't mean that the in-band guys can't handle the load, but you really want to aim for edge enforcement if it fits, and go for in-band if it doesn't. And there are zillions of places where in-band fits better.

Should users hold off on implementing any particular NAC until the vendors sort it all out?

Of course not. You need to buy, buy, buy, so those poor guys can keep up payments on their Boxsters. No, seriously, though, you can solve a lot of point problems with current solutions today and look to the future for better solutions with wider scope. I see a lot of people with "pain points" that need solutions -- they should be going for something today. And a little experience today will help you pick the right solution tomorrow. Should you buy a NAC solution for 50,000 enterprise users on a Windows domain in 30 buildings? Well, I'd do a test rollout for a while first if I were you.

What's your vision of NAC products 5 years from now?

Universal "ho-hum." Just like VPN. We all have it where we need it and it's not so exciting. That's what we want. Universal dullness. We have to go to Funky Town, and then move to Dullsville. That's a good sign.