Fight For Control

Standards wars have become part and parcel of the IT industry. Skirmishes typically involve one or more prominent vendors trying to rush their solutions to customers, hoping the breadth of their installed base will help them corner the market. Opposing those Goliaths are a host of Davids, all contending that the prominent vendors' tools are designed less to solve the problem at hand than to force IT customers to use even more of their already dominant products.

That dynamic is at work right now in the security space, where demand for better network end-point security has caused a land rush around network-access controls (NACs). The battle is particularly lively, as Cisco Systems and Microsoft square off against each other and, more recently, Juniper Networks. Longtime security vendors, such as Symantec and Check Point (through its Zone Labs division), naturally have a huge stake in this area, as well. The Trusted Network Connect (TNC) Group, a now-ubiquitous open-standards contingent, also has horses in the NAC race, as do a number of lesser-known vendors that lack name recognition, but just might have the best solutions of all.

The broadening use of high-speed networks across all aspects of business, combined with the emergence of wireless technologies and the greater need for remote-access capabilities, has made NACs one of the most crucial issues in network security.

"The need for NACs is well-established," says Steve Fuller, president and CTO of NetWorks Group, a security-focused integrator and consultant in Brighton, Mich. "Vendors are right to target the space, but it's early, and I don't think anyone has it nailed down yet."


The hammering has begun in earnest. In October 2004, Microsoft and Cisco announced an intention to make Microsoft's Network Access Protection (NAP) and Cisco's Network Admission Control (NAC) protocols as compatible as possible. The companies said they would share information to help make products from the two architectures interoperable, and they planned to cooperate on driving industry standards.

So far, this alliance is still a work in progress. Microsoft says NAP will enable users to create customized policies that will validate a computer's health before it's allowed to access a network, isolating those that need to be made compliant. But NAP won't be available until Microsoft ships its Vista (aka Longhorn) operating system sometime next year.
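The mechanism the article attributes to NAP (and, in its own form, to the Cisco NAC) is straightforward to sketch: an endpoint reports its health, a policy engine compares that report with the organization's requirements, and the host is either admitted or isolated with a list of what must be fixed. The following is an added illustration written for this article, not code from Microsoft, Cisco or any vendor named here; the field names, thresholds, VLAN numbers and sample endpoints are all assumptions chosen for the example.

```python
"""Minimal admission-control decision engine (added example).

An endpoint's health statement is evaluated against a policy. Compliant
hosts are placed on the production VLAN; anything else goes to an
isolated remediation VLAN together with the reasons, so it can be brought
into compliance before it is allowed on the network. Every field,
threshold and VLAN id here is an assumption made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ALLOW = "allow"
QUARANTINE = "quarantine"


@dataclass
class EndpointHealth:
    """What the endpoint (or an agentless scan of it) reports about itself."""
    host: str
    os_patch_level: int          # assumed: increasing build/patch number
    antivirus_running: bool
    av_signature_age_days: int
    firewall_enabled: bool
    attested: bool = True        # assumed: report came from a trusted agent


@dataclass
class HealthPolicy:
    """The organization's minimum requirements for network admission."""
    min_patch_level: int
    max_signature_age_days: int
    require_firewall: bool = True


@dataclass
class AdmissionDecision:
    host: str
    verdict: str
    failures: List[str] = field(default_factory=list)


def evaluate(endpoint: EndpointHealth, policy: HealthPolicy) -> AdmissionDecision:
    """Compare one health statement against the policy; fail closed."""
    failures: List[str] = []
    # A report that cannot be verified is treated as unknown, not as healthy.
    if not endpoint.attested:
        failures.append("health statement not verified")
    if endpoint.os_patch_level < policy.min_patch_level:
        failures.append(
            f"patch level {endpoint.os_patch_level} below required "
            f"{policy.min_patch_level}")
    if not endpoint.antivirus_running:
        failures.append("antivirus not running")
    elif endpoint.av_signature_age_days > policy.max_signature_age_days:
        failures.append(
            f"antivirus signatures {endpoint.av_signature_age_days} days old "
            f"(max {policy.max_signature_age_days})")
    if policy.require_firewall and not endpoint.firewall_enabled:
        failures.append("host firewall disabled")
    verdict = ALLOW if not failures else QUARANTINE
    return AdmissionDecision(endpoint.host, verdict, failures)


def assign_vlan(decision: AdmissionDecision,
                access_vlan: int = 100, remediation_vlan: int = 999) -> int:
    """Map the verdict to a switch port VLAN (ids are assumed values)."""
    return access_vlan if decision.verdict == ALLOW else remediation_vlan


def run_sample() -> Dict[str, str]:
    """Evaluate a few constructed endpoints and return host -> verdict."""
    policy = HealthPolicy(min_patch_level=5, max_signature_age_days=7)
    endpoints = [                                   # constructed sample data
        EndpointHealth("lap-01", 6, True, 2, True),
        EndpointHealth("lap-02", 4, True, 10, False),
        EndpointHealth("printer-07", 6, True, 1, True, attested=False),
    ]
    results = {}
    for ep in endpoints:
        decision = evaluate(ep, policy)
        results[ep.host] = decision.verdict
        print(f"{ep.host}: {decision.verdict} -> VLAN {assign_vlan(decision)}"
              + (f" ({'; '.join(decision.failures)})" if decision.failures else ""))
    return results


if __name__ == "__main__":
    run_sample()
```

The design choice worth noting is the fail-closed handling of an unverified report: a device that cannot attest to its state, such as the unmanaged printer in the sample, is isolated rather than waved through, which is the gap Thurber describes below when he says companies authenticate users well but devices poorly.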

The Cisco NAC is out in various forms. The company has released several appliances and applications under the Cisco NAC umbrella as part of its broader Self-Defending Network (SDN) strategy. This October, Cisco announced its Catalyst switches and numerous wireless LAN devices would all be made compliant via upgrades with the Cisco NAC protocol. The company also unveiled the Cisco NAC appliance, a $9,000 device that offers single sign-on support for the ASA 5500 series and VPN 3000 series remote-access concentrators.

Not to be outdone, Juniper also jumped into the fray in October with the release of its Infranet Access Controllers, appliances aimed directly at Cisco's NAC devices. (Juniper further upped the ante last month with the purchase of network-access solution developer Funk Software.)

In establishing its NAC policies, Cisco is attempting to address one of the most gaping holes in IT security.

"The need for admissions control is contributing to the No. 1 cause of financial losses in the enterprise right now," says Alex Thurber, Cisco's director of security for worldwide channels. "Companies have been really good at authenticating users, but not so good at authenticating devices."

Cisco's approach, logically enough, is to attack this problem at the network level. "By implementing it there, you can touch every device with the smallest footprint and the lowest cost possible; you can upgrade the network with appliances that can be literally dropped right into an existing network," Thurber says.

He adds that partners who have customers with up-to-date networks can implement the Cisco NAC at a reasonable cost. There is also a significant opportunity for partners to add services revenue.

According to observers, the key caveat with the Cisco NAC is the part about having up-to-date networks. Even Cisco acknowledges that its NAC will work best in an all-Cisco environment--just as Microsoft's NAP will be optimized for Windows--but Cisco's detractors say not only must the network have exclusively Cisco devices and software, but they'd better be the latest versions as well.

"The problem with the Cisco NAC is that it only supports the most recent switches, so it forces customers to upgrade even if they have a 100 percent Cisco network," says Brett Helsel, CEO of Lockdown Networks, a NAC solutions developer started by veterans of F5 Networks and WatchGuard.

Helsel says a similar shortcoming still exists with the Microsoft NAP. "They're trying to convince the whole world that their version will solve the problem, but on Microsoft's own network, one-third of their developers still aren't NAP-capable, and the company has acknowledged that none of their customers is 100 percent 'NAP-able,'" he says.

VARs who are attempting to address the NAC problem say that the very notion of almost any company having a pure, one-vendor network is fantasy.

"The interesting thing is, a lot of people may think they have a single-vendor network, but some are more pure than others, and we find that most organizations have mixed environments," says Andrew Segal, president of Vandis, a security- and network-infrastructure solution provider in Albertson, N.Y.

On the off-chance that a customer does have a truly all-Cisco network, the Cisco NAC isn't necessarily as easy a sell as one might think. "The real drawback to the Cisco NAC is that you can have an all-Cisco environment and it still might not work if you have products that can't be upgraded," NetWorks Group's Fuller says.

Notable Alternatives

Vendors that are offering alternatives to Cisco's NAC and Microsoft's NAP are relying on the combination of their own innovation and customers' desire for choice to help them establish a foothold in the NAC market. Funk Software, the new Juniper property, has created the Odyssey Client, a network-access solution for wired and wireless LANs, originally designed for the open-standards-based TNC protocol.

The TNC standard is the product of the Trusted Computing Group, a nonprofit organization created to develop, define and promote open standards for hardware-enabled security technologies. The group has dozens of members, including Microsoft but not Cisco, and it established the TNC standard as an alternative to single-vendor, network-access solutions. The stated goal of TNC is to provide an opportunity for vendors to create best-of-breed interoperable solutions.

"We think the standards debate will sort itself out over time, but TNC is the one we believe is the open standard for end-point integrity," says Kevin Walsh, director of product technology for Funk. "Network admissions shouldn't be a user-driven exercise; it should be automated. We support both TNC and the Cisco NAC, but we don't believe anyone can win protracted wars over the standard."

Walsh says that by going with a solution such as Odyssey, users will benefit in numerous ways. "With Cisco and Microsoft, you're getting what their developers tell you to get," he says. "We like a solution where you can choose the components, and customers want to be able to go with best-of-breed products."

Lockdown Networks and Aventail are two other smaller vendors hoping to capitalize on customers' desire for choice. Lockdown's Enforcer turnkey NAC solution provides an agentless, switch-based approach that works in any network environment; the Aventail ST is a remote-access platform that isn't tied to any one protocol either. These vendors and others like them welcome the visibility Microsoft and Cisco bring to the NAC market, but agree that the two titans' views of the space are too narrow.

"We think networks should be dumb, fast and reliable, and that intelligence should reside on another plane, so we've created a remote-access policy that's independent of the network infrastructure," Aventail COO Lewis Carpenter says.

As much as Cisco, Microsoft and even Juniper want to corner the NAC market, solution providers are content to keep their options open while the standards fight plays out. "As a security specialist, we always have a mix of vendor partners," Fuller says. "We like to partner with start-ups because they can move fast and provide innovations and new approaches."

He says NetWorks has partnered with Juniper over Cisco so far in the NAC space because it offers a commitment that's more palatable to the customer. "Juniper doesn't require the level of integration that Cisco does," he says. "Customers can phase in network-access controls in areas they're concerned about without having to do a forklift upgrade on every desktop."

In the end, maintaining flexibility and the ability to create customizable solutions is what will decide the NAC debate for most VARs. "Different vendors have different approaches to the problem, which is why there's so much start-up activity; there's no one-size-fits-all solution," Segal says. "It becomes a custom solution for each client, which is why a company like ours can really affect the market."
