Catching the Unicorn:
A technical exploration of why NAC is failing

Author: Jennifer Jabbusch
White paper, technical and market review of Network Access Control technology
36 pages, PDF format
2009-09-18 First release
Copyright Carolina Advanced Digital, Inc., all rights reserved


Executive Summary
Network access control (NAC) solutions have been failing as a technology in the IT security market, a truth punctuated by numerous NAC vendors closing their doors and an abundance of failed implementations in the past two years. The failure of NAC is detrimental to manufacturers of the technology, integrators offering the solutions and most importantly, to the countless organizations with security challenges that NAC will solve.

This document provides a unique perspective into the NAC market and a comprehensive dive into the technical difficulties that are inhibiting NAC technologies from seeing widespread adoption. Beyond explaining the issues of NAC adoption, this effort reveals a detailed plan to remedy the current situation – with explicit calls to action for manufacturers, consumers and the industry as a whole.

Catching the Unicorn is vendor neutral and presents issues from several angles, making it relevant to all NAC vendors and those interested in NAC technologies.

Included in the first two sections are background information and a brief overview of the technology market as it relates to NAC. This information lays the foundation for understanding the larger underlying issues that need to be addressed for the market to be successful. In the third section, Mapping NAC Functions, the basic concepts of the NAC feature component set are identified and explained. Part four, Reducing Cost and Complexity for Widespread Adoption, begins the exploration of the primary technical complications of NAC and outlines ways to streamline each feature component so as to simplify the solutions enough for widespread adoption. Throughout the paper, several key concepts of security, network security and access security around which NAC was developed are discussed. Part five concludes with specific recommendations for vendors and consumers alike on what must happen to turn NAC into a viable solution.

Key findings
-NAC will not succeed as a niche market.
-NAC will be a feature set, not a product.
-Much confusion of NAC stems from ambiguous terminology, a result of NAC’s evolution from other products.
-The hindrances in adoption of NAC are due to technical challenges.
-There are four feature components of NAC: Authentication, Access Rights, Endpoint Integrity and Behavior Monitoring.
-There are frameworks and standards in place that will help NAC reach widespread adoption.

Key recommendations
-Vendors should focus on standards of interoperability in order to succeed.
-NAC solutions should be renamed, based on the feature components they offer.
-Consumers of NAC technology must demand standards and roadmaps from vendors.

Document Keywords
NAC; network access control; failure of NAC; NAP; complexity of NAC; IEEE; 802.1X; 802.1X-REV; TNC; TCG; IF-MAP; IETF NEA; Juniper; Cisco; Symantec; Microsoft; ForeScout; StillSecure

Document

Catching the Unicorn: A technical exploration of why NAC is failing, PDF, First Release 2009-09-18

jj

Author, speaker, and recognized authority on network and wireless security architectures, Jennifer (JJ) Minella helps organizations solve technical problems and align teams.


7 comments

  • Hi Jennifer,
    Good work, and finally a neutral point of view on NAC ;-)

    I understood that you think that the standard is very important in NAC environment and I agree with you.
    But what do you think about if-map?
    As far as I know, at the moment it is just a protocol, but no behavior is defined for each device that is part of the NAC architecture.
    For example, no behavior is defined for IDS/IPS, firewall, etc., and moreover the if-map server is not fully specified.
    So, I am just worried that the if-map solution of the vendor A is not compatible with the solution of the vendor B.
    You say that large companies, including Boeing, are using if-map: do you know which vendors they are using? Are they using a NAC architecture with components provided by more than one vendor?

    I know that in order to implement the “behavior monitoring” if-map could be a good solution, but I would just like to know how mature it is.

    Thanks again for your white paper.
    Ciao
    Ettore

  • Richard,
    Thanks! The other post’s link was working, but evidently I had a little copy/paste failure here.
    All fixed.
    thanks!
    jj