Jun 24 2008

Infonetics Reports Positive NAC Sales

I could not resist writing an upbeat headline about NAC for several reasons. First, it goes against the prevailing views of most of the media that covers network security and many industry analysts. Next, I am not the least bit surprised by the sales momentum evident in Infonetics’ analysis and projections. And finally, I expect Mike Rothman inadvertently contributed fuel to the naysayers with his Security Incite blog post today when he reported:

“NAC market up 16% year over year? According to Infonetics anyway. Fratto has it right, why would he get excited about a net $10 million increase in a market that’s supposed to be “exploding.” - InformationWeek’s Analytics Blog”

First of all, Mike has misunderstood the Infonetics press release. He said that sales in the first quarter of 2008 were up 16% from 1Q2007 when in fact Infonetics was really reporting sequential quarterly growth. And he naturally concluded that NAC sales were disappointing.

What Infonetics did imply is that 1Q2007 sales were $62.7M. Even with no future growth this would mean annual sales would reach $250M in 2008. This is not a small number for a still-young security technology that has been surrounded by controversy and confusion. I am looking forward to reading the entire Infonetics report to see the growth expectations and the rationale for them, and am betting they exceed a 30% CAGR through 2011.

Mike, I am confident you will admit your mistake and maybe even ask forgiveness for a little misplaced sarcasm. And since you were simply quoting Network Computing Security Analyst Mike Fratto, he might do the same. And Alan, how could you compliment Mike when he was telling your existing and potential customers that NAC has “no legs”!

Jun 23 2008

Rebuild Hope: Americans Helping Severely Wounded U.S. Veterans

Published by Dana Hendrickson under Uncategorized

During the past three months I have written few posts for the Secure Access Central blog and I wish to explain briefly why. On June 10 two co-founders and I launched Rebuild Hope, an innovative national non-profit that helps U.S. veterans who have suffered life-changing physical and/or psychological injuries since September 11, 2001 and received inadequate care and support from existing organizations. In a nutshell, Rebuild Hope operates an on-line financial support network that brings donors and recipients together. It will be supported by teams of volunteers across the U.S. who develop grass roots programs in their own communities. Qualifying veterans display personal profiles along with specific requests for transitional financial assistance and donors advise us on how they would like their donations to be distributed. Rebuild Hope is entirely staffed by volunteers and 100% of donations designated for veterans are distributed to them. Our success depends on passionate volunteers, donations and great ideas, so if you would like to learn more about Rebuild Hope and get involved in some way we encourage you to visit our website and contact us either at dana@rebuildhope.org or (650) 321-4930.

I look forward to putting much more effort into Secure Access Central later this summer and appreciate everyone’s patience.

Best regards,

Dana Hendrickson

Jun 23 2008

NAC Solutions: How Will You Deal With Non-employees?

Published by Dana Hendrickson under NAC Trends, What's NAC

That IT business technology innovation is driven by a small number of sophisticated customers willing to accept perceived frontier costs and risks in return for some higher expected value is indisputable and the NAC evolution is no exception. Equally true is the claim that the media thrives on controversy and contrary views. Therefore, we have been treated to a relentless stream of negative articles as “small NAC” – network admission control - became the latest security “whipping boy”. But are there signs that early NAC adopters are onto something big? Or will they ultimately regret their aggressive stances on a still emerging technology? Taking a large view of the NAC evolution, I believe these organizations will not only enjoy huge benefits but their numbers will grow immensely during the next five years. And small NAC will be only a small part of advanced access policy solutions. The best sign is that early NAC adopters are demanding even more functionality as they gain the requisite knowledge and experience to refine their existing solutions.

The growing interest in NAC advanced user registration tools is an excellent example. Cisco Systems, Bradford Networks and Great Bay Software are leading the charge of vendors who are responding to the demand for ever more capable NAC administrative tools. Each has introduced a user registration product that enables IT to centrally define access policies for non-employees who might reside anywhere on the network and to delegate user registration to non-IT business personnel. This is much more useful than traditional NAC “guest” access control, which usually relies on either VLANs or restricted network segments/plugs. Each vendor has taken a very different marketing approach to offering its solution.

Cisco NAC Guest Server

Cisco Systems has taken its traditional approach to non-employee network access management. The Cisco NAC Guest Server announced in November 2007 is a dedicated appliance which only works with either a Cisco NAC Appliance or a Cisco Wireless LAN Controller. With the Cisco NAC Guest Server an unlimited number of pre-defined roles can be assigned to guests, contractors and business partners. So far, Cisco has not been responsive to my requests for pricing on the Cisco NAC Guest Server so I will add this information when I get it.

Bradford NAC Director GCS

In April 2008 Bradford Networks introduced its delegated user registration software in two forms, each designed for a different deployment strategy. The first, the Bradford NAC Director GCS, is designed for organizations that initially want to deploy NAC only to control users and computers operated by non-employees. Like the Cisco product it works with both wired and wireless network connections. Since users usually possess their own laptops, a dissolvable admission control agent must be downloaded. This Bradford solution combines a delegated user registration system, network admission control AND resource access control. Unlike the Cisco product, role-based policies for admission control are limited to three variations: guest access to the Internet plus contractor and temporary user access to internal network resources. However, the Cisco NAC Appliance does NOT provide resource access control, a capability prized by a growing share of the NAC marketplace.

When an organization decides to include employees in its NAC deployment, the software on the Bradford NAC Director GCS can be upgraded to provide full NAC Director functionality. With the other Bradford guest management offering, organizations can start with the feature-rich NAC Director for controlling employees and non-employees and later add delegated guest user registration through the purchase of GCS user licenses. There is no additional cost for the actual GCS application.

A starter NAC Director GCS system carries a list price of $7995 and supports a maximum of 50 GCS users ($160/user). A mid-range appliance that supports 300 GCS users is priced at $16,995 ($57/user). When the GCS capability is added to an existing NAC Director the price is $500 per 50 users ($10/user).

Great Bay Software (GBS)

The GBS product is software called NAC Sponsored Guest Access. The capabilities are similar to the other two products, and the product not only integrates easily with the Cisco and Juniper NAC systems but can also share a database with the GBS Beacon Endpoint Profiler that is used to monitor and control the access of non-authenticating devices on a network. The NAC Sponsored Guest Access software has a list price of $25,000 (U.S.).

Apr 22 2008

With A Grain of Salt (Truth?): Impulse Point Touts Green NAC

Everyone (?) knows that product-related press releases should be read with more than a bit of skepticism. After all, no one actually expects them to be objective and a bit of hyperbole is the norm. However, occasionally we are treated to one that is so “over-the-top” that it evokes a smile. On April 17, 2008 I received a press release from NAC vendor Impulse Point Networks. This is a wonderful example. What were they thinking?

First, I recommend you read the original release titled: SAFE•CONNECT NAC LEADS INDUSTRY IN GOING GREEN, Impulse Point’s Safe•Connect NAC Uses 92 Percent Less Energy than Legacy NAC. Now this is an attention-getting claim. No doubt about that. It’s so sensational that the needle on one’s BS-detector should be pinned against the right side - immediately. So what is the real story here? In the very competitive NAC market has “being green” become a significant buying consideration? Is there a truly meaningful difference between NAC products by this measure? If so, is this a big differentiator in most sales situations or simply a relatively minor vendor “talking point”?

Let’s examine the press release more closely to see if we can find some answers. Here are the primary assertions and claims:

“In side-by-side comparisons of energy consumption, Safe•Connect uses 92.9 percent less energy than Legacy NAC systems.”

“Safe•Connect can provide network access control for 10,000 users on a single appliance,” explains Karl Muehlberger, Chief Operating Officer of Impulse Point. “Legacy NAC solutions need 12 or more appliances to support a similar end user environment.”

“Safe•Connect costs an average of $775.92 a year to operate and cool. Comparatively, Legacy NAC solutions requiring multiple and redundant appliances can cost nearly $11,000 a year in energy costs alone.”

“Based on an analysis of the greenhouse gas emissions produced by the energy required to power the solution, Safe•Connect emits only 2.6 metric tons of carbon dioxide a year compared to the 37 metric tons produced by Legacy NAC solutions. 37 metric tons is equivalent to the same amount of emissions produced by 4,079 gallons of gasoline or 97 barrels of oil.”

Key Missing Information:

  • What is a Legacy NAC system? Initially, it sounds like a brand name (note the use of caps). But this is not the case. In fact we are never even told what product(s) Safe•Connect is being compared to.
  • How many organizations other than large educational institutions expect to install 10,000 end users?
  • Most large enterprises will not enable NAC for this many users for many years. What is the discounted value of the claimed savings enjoyed 5 or more years out in the future?
  • What customers would install a fully redundant NAC system? Why?

“Being green” will remain a big concern for us all for a long time. That’s the good news. But beware of vendors who hitch their products to the green bandwagon - as simply being green is not enough. Make sure their promises are relevant to you and the benefits really significant. And demand credible evidence that backs their siren songs.

Mar 17 2008

A Closer Look At NAC Policy-Enforcement

While all NAC solutions provide multiple layers of network security, most focus primarily on authenticating authorized users - and sometimes their computing devices - and determining where they can go on a network once their device is judged compliant with security posture policies. Authentication and posture checking are the easy elements of NAC; the harder part for a security professional is deciding what to do with this real-time information. That’s where security policy definitions come into play. And these policies can range from the very simple to the extremely complex.

In the latest edition of the NAC Product Selection Guide we examine the policy-setting capabilities of more than 15 different products. The following is a representative table from the guide which is updated regularly.

[Table images: Bradford Policy Mgt. 1 through 5]

Some critics claim that NAC products fail to provide enough network protection because they do not prevent unauthorized users from circumventing access controls. This claim is highly debatable. In reality there is no way to prevent this activity. You can add security to reduce this vulnerability but it always carries additional ownership costs. And NAC does add significant protection and can reduce support costs. Remember, passwords are not fool-proof but they remain the most widely used authentication method. Network Security will forever remain a subjective matter.

Mar 08 2008

Fourth Edition of Industry’s Most Comprehensive NAC Product Selection Guide Now Available

In the past 12 months network admission and access control (NAC) has received more media and analyst attention - AND triggered more controversy - than any other security topic excluding perhaps vendor- and standards-specific ones. Unfortunately, much of what has been written is simply opinion and often too one-sided. While opinions can be helpful in identifying the key issues security professionals should consider when evaluating technologies and products, these views suffer obvious shortcomings. In comparison, our NAC Product Selection Guide provides comprehensive, fact-supported analysis. In the Fourth Edition published this month individual vendor profiles have been updated, Juniper Networks has contributed for the first time, and we include an in-depth look at the extensive policy management capabilities now available on existing products.

Also please note that our 200+ page publication is priced at a very affordable $695 (US) and will be order-able online the week of March 10 (you can mail a check before then). I am confident the NAC PSG will save anyone who is seriously evaluating NAC for their organization at least 50 hours of research. How much is your time worth?

You can learn more about the NAC PSG, Fourth Edition now.

Feb 19 2008

What Should We Really Believe?

For most organizations figuring out what network security investments - in labor and capital - make the most sense will never be easy. There is simply too much complexity, uncertainty and continual change surrounding one’s decision making. So it’s healthy for all security professionals to accept the fact many of their choices will be less than optimal. That said, armed with greater knowledge (and the tools to attain it) one can make much better decisions and one of the best tools is a healthy amount of skepticism. Not cynicism. Rather, a genuine reluctance to accept unproven claims and a complementary curiosity about underlying truths.

Starting today, Secure Access Central is going to highlight and inventory claims and assertions voiced by individuals and publications who by the nature of their positions are often heard above the crowd. And we will point out why these opinions should be taken with a “grain of salt”, i.e., with a healthy dose of skepticism.

I encourage you to contribute your own examples. Please post them here, and when the list becomes long we will maintain an easy-to-navigate summary on a separate “What Should We Really Believe” page on our portal. This activity can be educational and instructive. And a proven way to relieve stress. So have at it!

Here are my first contributions:

1. “NetClarity is shooting for “world’s smallest” distinction with its EasyNAC Micro appliance.” (And) “for about $1,000, the Micro supports all the feature of the company’s larger NAC appliances.” (Tim Green - Network World - Feb 12, 2008)

Closer Look: Is the physical size of a NAC appliance really a major consideration for many organizations? Is a price of $100 a user really that competitive? A good deal? How do the features of this product compare to other vendors’ products? Good enough for your environment?

2. “We are proud of Mirage Networks’ strong performance in 2007 and extremely optimistic about 2008,” said Greg Stock, president and CEO of Mirage Networks. “In 2007, we created great distance between ourselves and our competition. In 2008, we will become the de facto standard NAC solution.” (Mirage Networks - Feb 19, 2008)

Closer Look: this is an easy one because it appeared in a recent vendor press release. No disputing evidence is necessary as no rational support is provided. Also, note that the company does NOT supply a number for 2007 revenue. So how well is it really doing in absolute or relative terms?

3. “NAC must scale. The deployment must include all sites, and not just a certain portion of the environment. If dependent on an appliance and/or on the switching fabric, it is bound to fail (time-to-value, effort and money). Any NAC deployment must cover the entire environment, so other venues accessing the network would not be possible. One good example is with guest access. Enforcing guest access on specific locations, such as meeting rooms, etc. would fail once the guest will connect to those unprotected locations.” (Ofir Arkin - CTO - Insightix)

Closer Look: This is another example of Ofir’s frequently cited perspective that NAC is an all or nothing proposition. His position amounts to “If you have 1000 doors and one is left unlocked you are not safe”. A more practical approach is to decide what protection you need and can afford. Personally, I would feel a lot safer with 999 locked doors rather than no locks whatsoever even knowing I was not completely protected. Security is always imperfect and never free.

Jan 20 2008

The SSL VPN Market Matured Gracefully in 2007

In 2002 Neoteris launched what was arguably the first SSL VPN-based secure access gateway (Aventail will of course disagree). A year later Netscreen swallowed Neoteris and then Juniper Networks consumed Netscreen. And today Juniper enjoys the lion’s share of the installed SSL VPNs. Along the way dozens of other SSL VPN companies emerged. As noted in our SSL VPN product directory, most have been acquired. And a few remain operating in small niches, enjoying small shares of the total market. After six years it’s safe to claim that the SSL VPN market is mature and the lack of breath-taking announcements simply reflects this fact. That said, there were still some “noteworthy events” in 2007. Here is my list, in no particular order. Your contributions are welcomed.

1. Microsoft announced Intelligent Application Gateway 2007, a combination of the application-aware, remote access gateway acquired with Whale Communications in 2006 and the perimeter security provided by Microsoft ISA Server. Client Access Licenses are available at $22 per user. Appliance versions are available from Celestix Networks Inc. and Network Engines Inc. This was a very good move for Microsoft and beneficial for Microsoft and Whale customers.

2. Worldwide SSL VPN sales exceeded $325M in 2007 and Gartner expects respectable growth through 2011 (CAGR between 13% and 15%). That’s good news for vendors and organizations that count on them.

3. SonicWall acquired Aventail. Aventail resellers and customers now have a more financially sound supplier. And the SonicWall SSL VPN product portfolio gained a true enterprise class product. It remains to be seen whether SonicWall can significantly penetrate high end security markets. Remember that Symantec has struggled unsuccessfully for years to become a major security solution provider for large enterprises and even withdrew its SSL VPN appliance.

4. Citrix acquired Caymas assets. The only thing that is really significant about this announcement is that a handful of companies that took a chance buying products from Caymas are now left with only regrets. The Caymas universal SSL VPN + NAC + identity-based access gateway never generated significant sales. It was more security layers in a single appliance than most organizations needed and too ambitious a product strategy for a tiny venture. Since Citrix already has a strong SSL VPN gateway and has shown little interest in NAC, it is not clear what will come from this “asset acquisition”.

5. More hybrid gateways appeared. More companies have transformed their SSL VPN products into hybrid gateways that support both SSL VPN and IPSec remote access. SonicWall (Aventail) is the latest to do so. Now organizations can centrally manage access security policies for users of both technologies with a single solution. And they can also more easily migrate users.

6. OpenVPN a success? In September Infoworld crowned OpenVPN the best open source “secure connectivity” product. While OpenVPN claims to be a full-featured SSL VPN solution it is not an SSL VPN gateway (no fine-access controls = SSL VPN concentrator?) and it does require an installed client (i.e., does not use a browser). While this product receives a lot of attention on the web in technical circles, I simply do not have any idea how widely it has been adopted in large scale settings. Are the ownership costs really significantly better than a commercial SSL VPN gateway? Is the lack of sophisticated policy tools not an obstacle? Anyone have some credible evidence that OpenVPN will become the next open source security success story - up there with Nessus and Snort?

7. Competitive positions have stabilized. Unsurprisingly when a market matures individual vendors become largely locked into their competitive positions. A look at SSL VPN sales numbers, market shares and products confirms this inevitability is now the reality. You can read our analysis of Gartner’s SSL VPN reports from 2004 thru 2007 to see how it views the stabilization of vendor positions.

These are the 2007 SSL VPN highlights that come to mind as I review 2007. There were many product enhancements but nothing revolutionary. Go ahead and add others you feel were important and explain why.

Jan 19 2008

Is Virtualization the Deathknell For NAC?

Published by Dana Hendrickson under Uncategorized

I have been accused of many things including being too much of a booster first for SSL VPNs back in 2003 and then NAC starting in early 2005. But the reality is (I believe anyways) that I am committed to educating myself and others on “possibilities” and the facts and worthy opinions surrounding their pursuit so security professionals can make even better decisions for their organizations. There are enough NAC naysayers (remember the IPSec bigots?) - usually journalists but also security gurus - who too often provide selective real data, at best, to support their opinions. So maybe I do tend to lean against them. And where am I going with this post? I have decided to try a new approach to deal with controversial issues raised by individuals who are widely read on the Web, e.g. analysts, journalists, technologists, security. I will withhold my opinion while summarizing their arguments and pointing you to source publications. At least I am going to try this out. Holding my tongue should be easy. Right!

New Controversial Assertion: Virtualization spells the end of NAC. I do not know who came up with this idea first, nor does it matter. But last week I came across a post in the Forrester blog, “Does Your NAC Deployment Work In A Virtual World?” The gist of the narrative is that the oncoming wave of server, client and application virtualization expected by the author will render current NAC products useless. Notice the 3 key dependencies in this argument. Then this week I read Chris Hoff’s post “How the Hypervisor is Death By a Thousand Cuts to the Network IPS/NAC Appliance Vendors” and I think: when is some credible person going to counter this stuff? Now Chris is a technical and business savvy guy (and a chief strategy officer for security vendor, CrossBeam Systems) and not one to take on lightly. But there might be an opening. Chris is focused on the technical complexities of server virtualization. And Mike Fratto, a senior analyst at Network Computing, has a well-reasoned response: Who really intends to rely on NAC to protect their important servers? “The example he (Chris) describes is somewhat silly when compared to how virtualization and NAC are deployed.”

This is of course not the end of this debate. WARNING: Always keep an eye on the contestants’ underlying assumptions before being seduced by their logic. And where is Alan Shimel? He has been disquietly silent so far.

Dec 09 2007

Measuring NAC Is Harder Than Counting Rabbits

The Big Winners in the current NAC marketplace are rarely buyers or sellers of NAC products. This should not surprise anyone. It’s the market observers who fill the air and Web with a steady stream of generally negative opinions and cautionary tales who are prospering, with their hackneyed themes of “NAC is too confusing…NAC is too costly…NAC is not sufficient…NAC is too complex…NAC is not ready…NAC sales are disappointing…and NAC is too (you can supply this one)”. They are the ones who thrive at the early stage of every new technology market. And network security is no exception.

So why does this phenomenon matter to network security professionals? Because you are always better off, i.e., make better decisions, when you ignore “fear-tainted” noise and retain a healthy level of skepticism about information sources that rely on “anecdotal analysis” to sell advertising (e.g., the media) and advisory services (e.g. security consultants). No one is in a better position than you to learn what is best for your own organization. And in the end, whether you take advantage of this position depends entirely on you. Smart organizations are fortunate to have smart security professionals. And they both do well because they figure out what they need, buy it, learn how to continually squeeze tremendous value out of their smart investments and find satisfaction in knowing they make really good decisions most of the time. They are also the other big winners in the NAC marketplace and will remain the exceptions in the NAC buying community for at least another two years.

A new Aberdeen Research Report, “Who’s Got the NAC?”, provides some anecdotal evidence for my belief although it is more bullish than I am. Aberdeen surveyed about 400 companies on their experiences with and views on NAC. (You can download a free copy of the entire report.) In this post, I will highlight a couple of their findings. First, Aberdeen assigns the surveyed companies into three categories - “Best-in-Class (top 20% = 80)”, “Industry Average (middle 50% = 200)” and “Laggards (bottom 30% = 120)” - based on their recent track record at defending their networks from attacks. Then Aberdeen describes how views of NAC vary widely across the 3 groups. For example, the “best-in-class” (smart organizations) are NOT confused by NAC. They also have praiseworthy records for network security, have a clear idea what protection/security layers they need and 33% (27) already have NAC solutions in place. So smart companies are already adopting some form of NAC. And I doubt they are the least bit concerned about the “problems” of defining NAC, measuring adoption rates, or forecasting NAC product sales.

The following chart is even more noteworthy as it offers a rosy yet perhaps too optimistic outlook for general NAC adoption. While Best-in-Class organizations currently lead in actual NAC usage, the survey reveals that 80% of Industry Average organizations (180) intend to rely on NAC solutions within 2 years. That’s a substantial adoption rate with one important caveat. It’s one thing for organizations to deploy NAC in limited special usage scenarios and quite another for them to broadly deploy it across their networks. When (and if) the latter occurs no one will be agonizing over NAC definitions and measurements. Regardless, some vendors are going to flourish while others will fall silently by the wayside. And all customers are going to enjoy a great selection of choices with appealing prices and lower ownership costs. NAC Nirvana? It is possible. When will your company join the ranks of the Best-in-Class?

[Chart image: aberdeen_oct07.png]

For organizations, I recommend you simply become smart about NAC possibilities and invest wisely. And simply ignore the negative NAC noise in the air. It’s harder than counting rabbits but realistically you do not have an attractive alternative. Some things never change. Good luck!
