Showing posts with label Bradford. Show all posts

November 4, 2008

The Forrester Wave NAC, Q3 2008 report does not totally reflect the real NAC competition

I've read the report "The Forrester Wave™: Network Access Control, Q3 2008", prepared by Robert Whiteley and Usman Sindhu for Security. It was published on September 5, 2008. The executive summary of the report reads:

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base. Cisco’s and Juniper’s NAC solutions are anchored by mature, standalone appliances with top marks for manageability and ease of use. Bradford has pushed into the enterprise space with one of the most scalable overlay solutions. Symantec, McAfee, and StillSecure are all close behind with software-based solutions, which we predict will ultimately win as the best NAC architecture. Mirage Networks’ unique out-of-band system provides superior deployment flexibility and just edges out Nevis Networks, which operates as a secure inline switch with built-in threat prevention. HP ProCurve Networking rounds out the bunch with an approach that marries appliance with Ethernet switches.


I think Forrester forgot to include a few good products in their benchmarking evaluation, such as InfoExpress, Consentry and Fortinet. To counter this report, I believe, based on my previous experience evaluating NAC requirements, that Cisco NAC and Microsoft NAC are not the answer for a comprehensive, ubiquitous NAC solution. The way they deploy their NAC architecture would not solve major wireless architectural problems. These two depend on port-based security, meaning that any in-out traffic activity from a NAC switch port can be analyzed and monitored only via that physical port. Imagine that you have 1000 devices in your company: you would have to replace all your conventional switches with these NAC switches. By my estimation, you would need to deploy about 42 NAC appliances to monitor and control every access in your network.

I would prefer a solution provided by Juniper, Bradford, InfoExpress or Consentry. These NACs are able to solve many of the issues logged against WLAN architecture. Their solutions are more comprehensive for a ubiquitous network.

To address the many complicated issues in NAC management of a heterogeneous WLAN, I would prefer a solution from InfoExpress, Consentry or Bradford. The deployment architectures of these NACs are less dependent on proprietary configuration. The Juniper solution is too dependent on their JUAC, which requires the Odyssey Client. My concern is that the Odyssey client is too complicated to manage for non-IT-literate (non-IT-savvy) users. I need to find a solution that could minimize the complexity on the end-user side when deploying a NAC appliance. In order for the Juniper NAC to perform well, every user must install the Odyssey client on their device (laptop). Do all Wi-Fi-enabled devices support the Odyssey client? Smartphones, PDAs, the PSP and many other Wi-Fi devices do not really work with Odyssey. Can we install the Odyssey Client on the Windows Mobile platform, Symbian, etc.? These are the issues we need to consider before we deploy NAC in our wireless environment.

So, which solution is less dependent on proprietary components and workable with many platforms? This time I would prefer a solution from InfoExpress, Consentry or Bradford. Two of these products were not evaluated in the Forrester report. How about Bradford? Since Forrester has discussed Bradford at length in their report, there is no point in my discussing Bradford; I will instead highlight my review of InfoExpress and Consentry. Generally, Consentry offers features similar to Bradford's. There are some minor differences which I think are not really important to discuss. In general, Consentry can act as a RADIUS proxy to control access for each user account. It is also workable for inline deployment.

InfoExpress offers a more unique solution compared to other NACs, especially for a heterogeneous ubiquitous network. InfoExpress performs dynamic NAC, which follows a concept similar to a "man in the middle attack". The total concept and approach they implement for dynamic NAC (DNAC) is very impressive. They were the first to introduce a DNAC solution, and this method meets many end-user requirements, especially protecting against back-door attacks via wireless connections.

The other NACs included in the Forrester report are more antivirus NACs, such as McAfee and Symantec. These types of NAC cannot be compared apple-to-apple with Juniper NAC, Cisco NAC or Microsoft NAC because they fall into different categories. Antivirus NAC has a different objective compared to port-based NAC or real network-based NAC. If you look at the other NACs' features, they can integrate with third-party antivirus servers or appliances such as BigFix to update and control antivirus.

My conclusion: I don't understand why Forrester did not include InfoExpress and Consentry in their evaluation report. That's why the Q3 2008 report produced by Forrester does not show the actual scenario of the NAC technology available in the market. The evaluation criteria chosen to identify the market leader in NAC seem biased toward certain products only.

I would like to see whether there is a head-to-head evaluation between Cisco, Juniper, InfoExpress, Consentry and Bradford in solving network access on a real ubiquitous network.

October 17, 2008

NAC on Heterogeneous Wireless Network: Campus Network


Tested products: Consentry, Infoexpress, Aruba ECS, Bradford, Juniper
schematic wireless network diagram

The most critical feature, which can be considered compulsory for the tested NAC, is that it must be able to detect network bridging activities run by users: bridging via UTP cable, Bluetooth, GPRS, EDGE, 3G, HSDPA and other possible methods of bridging such as via FireWire, USB, PCMCIA, etc. It must also be able to quarantine, disconnect or isolate users from the wireless network once they activate the bridging process. In fact, most bridging activities are able to create a back door into our secure network. That's why this feature is really important to us.
Since we have a heterogeneous network, this NAC must be able to support multiple protocols, such as 802.1X and non-802.1X, including all OS platforms, e.g. Windows, Mac OS and Linux clients.
We will announce later which product is the most suitable to be deployed to protect our campus-wide wireless network.



June 20, 2008

Quick Review of Network Access Control (NAC) for Wireless Network

The IT Division of the International Islamic University Malaysia (IIUM) has conducted a series of Proof of Concept (PoC) tests of five different Network Access Control (NAC) products to demonstrate the feasibility of deployment on their heterogeneous wireless network. This project, led by Mr. Jaiz Anuar, basically aimed to determine the best solution to overcome the common technical problems they face, such as how to integrate, and indirectly control, two different network segments. It also measured throughput, which was used to identify the solution that best suits their environment. In fact, the NAC features they evaluated must normally be able to protect their wireless network from any possible network attack technique.

The products tested during the PoC were Consentry, Infoexpress, Aruba ECS, Bradford and Juniper.

Bridging provides an ad-hoc connection for an attacker to get inside an otherwise secure corporate network. Since network bridging is capable of bypassing gateway security, detecting it became the most critical feature required of the tested NAC. The NAC solutions must be able to detect network bridging activities run by users as follows:
  • bridging via UTP cable
  • bridging via Bluetooth
  • bridging via GPRS, EDGE, 3G, HSDPA and
  • other possible methods of bridging such as via FireWire, USB, PCMCIA, etc.



The team also included another requirement:

  • the system must be able to quarantine, disconnect or isolate users from the wireless network once they activate the bridging process.

In fact, most bridging activities are able to create a back door into any secure network. That's why this feature is really important to them.
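The bridging check described here (and in the October 17 post above) is, in practice, a dual-homing test on the client: is the host that sits on the campus WLAN also carrying a second uplink over UTP, Bluetooth PAN, a 3G/HSDPA modem or a USB/FireWire link, and is it bridging or routing between them? The following is an added example, not code from any of the five NAC products in the PoC. It models the interface state a NAC agent would collect (on Linux from `ip -json addr`, `/sys/class/net/*/brif/` and `/proc/sys/net/ipv4/ip_forward`; on Windows from the adapter list and `IPEnableRouter`) and applies the quarantine rule to four constructed hosts. The campus prefix, interface model and sample hosts are all assumptions.

```python
"""Dual-homing / network-bridging check of the kind a NAC agent or appliance
would run against a wireless client.  Added example: not code from any of the
NAC products tested in the PoC.  The interface model, the campus WLAN prefix
and the sample hosts are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CAMPUS_WIFI = ipaddress.ip_network("10.20.0.0/16")   # assumed campus WLAN range

# Interface kinds that can carry a second uplink behind a campus WLAN client:
# wired UTP, Bluetooth PAN, GPRS/EDGE/3G/HSDPA modems (wwan), USB or PCMCIA
# tethering, FireWire IP.
UPLINK_KINDS = {"ethernet", "bluetooth-pan", "wwan", "usb", "firewire"}


@dataclass
class Iface:
    name: str
    kind: str                                         # "wlan", "bridge" or an UPLINK_KINDS entry
    up: bool
    addrs: List[str] = field(default_factory=list)    # IPv4 addresses on the interface
    members: List[str] = field(default_factory=list)  # enslaved ports when kind == "bridge"


@dataclass
class NetState:
    host: str
    ifaces: List[Iface]
    ip_forwarding: bool   # Linux /proc/sys/net/ipv4/ip_forward, Windows IPEnableRouter


def _on_campus(i: Iface) -> bool:
    return i.up and any(ipaddress.ip_address(a) in CAMPUS_WIFI for a in i.addrs)


def evaluate(s: NetState) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine", reasons) for one client.

    Only hosts attached to the campus WLAN are judged.  A host is quarantined
    if its WLAN port is enslaved to a layer-2 bridge with another port, if it
    has an addressed second uplink (dual-homed), or if on top of that it has
    IP forwarding enabled and so routes between the two networks."""
    byname = {i.name: i for i in s.ifaces}
    # The attachment is either the wlan itself or a bridge holding the wlan
    # (when wlan0 is enslaved, the campus address normally sits on br0).
    att: Optional[Iface] = None
    for i in s.ifaces:
        if not _on_campus(i):
            continue
        holds_wlan = any(m in byname and byname[m].kind == "wlan" for m in i.members)
        if i.kind == "wlan" or (i.kind == "bridge" and holds_wlan):
            att = i
            break
    if att is None:
        return "allow", []             # not on our WLAN: nothing to enforce

    reasons: List[str] = []
    if att.kind == "bridge":
        wired = [m for m in att.members if m in byname and byname[m].kind != "wlan"]
        if wired:
            reasons.append(f"{att.name}: layer-2 bridge joins the WLAN with {', '.join(wired)}")
    second_uplink = False
    for i in s.ifaces:
        if i is att or not i.up or i.name in att.members:
            continue
        if i.kind == "bridge" and att.name in i.members:
            reasons.append(f"{i.name}: layer-2 bridge enslaves {att.name}")
        elif i.kind in UPLINK_KINDS and i.addrs:
            second_uplink = True
            reasons.append(f"{i.name}: second uplink ({i.kind}) with address {i.addrs[0]}")
    if s.ip_forwarding and second_uplink:
        reasons.append("IP forwarding enabled: host routes between its uplinks")
    return ("quarantine" if reasons else "allow"), reasons


# Constructed sample clients (not captured from any real network).
CLEAN = NetState("lab-01", [Iface("wlan0", "wlan", True, ["10.20.5.17"]),
                            Iface("eth0", "ethernet", False)], False)
TETHERED = NetState("lab-02", [Iface("wlan0", "wlan", True, ["10.20.7.3"]),
                               Iface("wwan0", "wwan", True, ["100.64.3.9"])], True)
BRIDGED = NetState("lab-03", [Iface("br0", "bridge", True, ["10.20.9.2"], members=["wlan0", "eth0"]),
                              Iface("wlan0", "wlan", True),
                              Iface("eth0", "ethernet", True)], False)
OFF_CAMPUS = NetState("home", [Iface("wlan0", "wlan", True, ["192.168.1.5"]),
                               Iface("wwan0", "wwan", True, ["100.64.9.1"])], True)

if __name__ == "__main__":
    for st in (CLEAN, TETHERED, BRIDGED, OFF_CAMPUS):
        verdict, why = evaluate(st)
        print(f"{st.host:8} {verdict:10} {'; '.join(why)}")
```

Note the deliberate asymmetry: a dual-homed host is quarantined even without IP forwarding, because a 3G link with a public address already gives the far side a path past the campus gateway (the "back door" the PoC is worried about), and the forwarding flag only tells you whether that path is currently being used. A host whose WLAN address is outside the campus range is simply ignored rather than flagged, since the NAC has no business enforcing on someone else's network.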

In addition, the overall design of the IIUM network infrastructure is considered a heterogeneous network. They added another important requirement: the tested NAC appliance must be able to support multiple protocols, such as 802.1X and non-802.1X, including multiple OS platforms, e.g. Windows, Mac OS X and Linux clients.

Finally, after the PoC, Mr. Jaiz and his team concluded that none of those five NACs met 100% of their requirements, but they ranked all the products after taking into consideration a few aspects of their network environment and end-user experience:

  1. Infoexpress
  2. Juniper
  3. Aruba ECS
  4. Bradford
  5. Consentry


What’s So Great About Deploying NAC in IIUM ?

The planned deployment of Network Access Control (NAC) technology aims to protect IIUM's heterogeneous wireless networks from public back doors (possibly created through 3G, Bluetooth, FireWire, UTP, USB, etc.) into the often dangerous Internet. It also provides protection from viruses and other types of malware that may be resident on the mobile gadgets that staff, students and visitors connect to the IIUM wireless networks. NAC places a virtual shield around a network by guarding its endpoints, the places where the heterogeneous wireless networks mesh with the outside world.

A survey conducted earlier this year by Infonetics, a technology research firm located in San Jose, Calif., found that enterprises acquire NAC technology for various reasons, including blocking viruses (86 percent), intercepting external attacks (80 percent), stopping spyware/malware (73 percent) and blocking e-mail attacks (70 percent). Other motivations cited by the respondents included regulatory compliance (54 percent), adding LAN security (45 percent), blocking internal attacks (38 percent) and meeting customer and business partner demands (36 percent).

Much of NAC's overall appeal comes from its simplicity, as well as its ability to provide enhanced security and more sanitized networks with little or no negative impact on community productivity, especially in IIUM. In fact, many institutions that have adopted NAC technology report improved productivity. By deploying it, the IIUM community is free to use devices that were formerly banned from other enterprise networks due to security concerns. By deploying NAC, ITD is trying to secure the wireless connection even for browsing via smartphone or PDA, since these devices do not really have good antivirus software; Symbian OS handsets have already been hit by mobile viruses.

NAC often arrives on customer premises in the form of a network appliance. This approach is appealing to many enterprises, and is the kind of solution ITD is looking for: the appliance must simply be plugged into the wireless network, providing fast, painless, out-of-the-box security and avoiding changes to the existing configuration. Many NAC appliances are multifunction security devices, offering capabilities such as network-based virus scanning and intrusion prevention systems (IPSs) along with NAC. The appliance must be capable of integrating with the existing equipment.

Non-appliance-based approaches to NAC are more complex and tend to require a bit more hands-on work. The alternatives are to enforce NAC with functionality built into network devices, such as switches, or to enforce NAC using SSL VPN gateways.

No network is airtight: malware continues to get in, whether via mobile gadgets (PDAs, smartphones), staff, student or guest laptops, or end users downloading dodgy content. Antivirus software at the gateway or on the desktop helps with computers under your control, but guests and unmanaged servers remain problematic. And let's face it: sometimes attackers are just smarter than we are. Even companies following best practices get hit.

Deploying NAC doesn't just mean security best practices, either. Protecting the network from malicious hosts is, ultimately, a desktop management function. NAC is what puts teeth in our policies, providing an enforcement mechanism that helps ensure computers are properly configured. By weighing such factors as whether a user is logged in, their computer's patch level, and whether anti-malware or desktop firewall software is installed, running and current, ITD can decide whether to limit access to network resources based on the host's condition. A host that doesn't comply with the defined policy can be directed to remediation servers, or put in a quarantine VLAN.

Remember Slammer? If a company could have determined that a host was running an unpatched version of MSDE 2000 and denied it network access until it was patched, Slammer would have had a much less dramatic effect.
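The policy decision sketched in the two paragraphs above (logged-in user, patch level, anti-malware and firewall state, then allow / remediate / quarantine) is easy to get wrong in the ordering: a host missing the patch for a wormable bug must not be handed a remediation VLAN that still reaches other clients. The following is an added example of that decision logic, not code from any NAC product on the page. MS02-039 is the real Microsoft bulletin for the SQL Server 2000 / MSDE 2000 bug Slammer exploited and MS03-026 is Blaster's; everything else (posture fields, the 7-day signature threshold, VLAN numbers, sample hosts) is an assumption for illustration.

```python
"""Endpoint posture policy of the kind a NAC policy server applies before
placing a host in a VLAN.  Added example, not code from any product on the
page; posture fields, thresholds, VLAN numbers and sample hosts are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# A missing patch for a wormable bug gets the host quarantined outright, no
# matter who is logged in.  MS02-039 (SQL Server 2000 / MSDE 2000 resolution
# service) is the bulletin Slammer exploited; MS03-026 (RPC DCOM) is Blaster's.
# Any other missing patch is treated as remediable.
CRITICAL_PATCHES = {"MS02-039", "MS03-026"}
MAX_SIGNATURE_AGE_DAYS = 7                                      # assumed "current" threshold
VLAN = {"allow": 100, "remediate": 200, "guest": 300, "quarantine": 999}  # assumed IDs


@dataclass
class Posture:
    host: str
    user: Optional[str]            # None when nobody is logged in
    missing_patches: List[str]     # as reported by the agent (e.g. from WSUS)
    av_installed: bool
    av_running: bool
    av_signature_date: Optional[date]
    firewall_enabled: bool


def evaluate(p: Posture, today: date) -> Tuple[str, int, List[str]]:
    """Return (decision, vlan, reasons).  Severity order is fixed:
    quarantine (wormable, unpatched) > guest (nobody authenticated) >
    remediate (fixable defects, access to patch/AV servers only) > allow."""
    crit = sorted(set(p.missing_patches) & CRITICAL_PATCHES)
    if crit:
        return "quarantine", VLAN["quarantine"], [f"missing critical patch {b}" for b in crit]
    if p.user is None:
        # Unmanaged or unauthenticated device: not ours to remediate.
        return "guest", VLAN["guest"], ["no authenticated user"]
    reasons: List[str] = []
    if p.missing_patches:
        reasons.append(f"missing {len(p.missing_patches)} non-critical patch(es)")
    if not p.av_installed:
        reasons.append("anti-malware not installed")
    elif not p.av_running:
        reasons.append("anti-malware installed but not running")
    elif p.av_signature_date is None or \
            (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("anti-malware signatures out of date")
    if not p.firewall_enabled:
        reasons.append("desktop firewall disabled")
    if reasons:
        return "remediate", VLAN["remediate"], reasons
    return "allow", VLAN["allow"], []


# Constructed sample posture reports (not from any real agent).
TODAY = date(2008, 6, 20)
CLEAN = Posture("staff-pc-1", "alice", [], True, True, date(2008, 6, 19), True)
STALE = Posture("student-lt-7", "bob", [], True, True, date(2008, 5, 1), False)
SLAMMER = Posture("lab-sql", "carol", ["MS02-039"], True, True, date(2008, 6, 18), True)
GUEST = Posture("visitor-pda", None, [], False, False, None, False)

if __name__ == "__main__":
    for p in (CLEAN, STALE, SLAMMER, GUEST):
        decision, vlan, why = evaluate(p, TODAY)
        print(f"{p.host:13} -> {decision:10} VLAN {vlan:4}  {'; '.join(why)}")
```

The remediation VLAN in this model is meant to reach only the patch and anti-malware servers; a host that is quarantined gets no such path, which is exactly the MSDE 2000 case: it has to be patched out-of-band (or by hand) before it is allowed to talk to anything.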

With all the available choices, settling on the right NAC technology from the right vendor requires a significant amount of research. The final selection usually boils down to finding the product that most closely matches IIUM's NAC goals and the network's size, complexity, budget and configuration.

March 14, 2008

Aruba secures endpoints with NAC interop and product.

Frank Bulk wrote:


Aruba Networks' most recent announcements, regarding NAC interoperability verification and a new product, repeat a common anthem of this vendor's emphasis on security.

The three major NAC groups are Cisco, Microsoft NAP, and the Trusted Computing Group (TCG); the first two are clearly vendor driven, while the last is standards-based and enjoys broader industry support. Unable to drive a standard of its own, Aruba has not hitched itself to any single group, but has verified NAC interoperability with three technology industry heavyweights: Cisco, Juniper, and Microsoft. Working with network equipment market share leader Cisco is almost a de facto requirement, and Microsoft is Aruba's largest customer, if not its most significant. This shouldn't be considered Aruba's first foray into NAC: they have partnerships with Bradford, FireEye, Fortinet, InfoExpress and Snort, as well as Symantec (via Sygate, though this is end-of-sale).

In addition to their partnerships, Aruba has also announced a new appliance for "targeted industries". To date Aruba has built most of the products it sells, preferring to partner where necessary. Ash Chowdappa, director of mobility management system, stated in a briefing that Aruba will wait until the NAC market shakes out before considering developing something internally. This time around Aruba OEMed their Aruba Endpoint Compliance System (ECS) appliance from a vendor that has had significant success in the higher education market.

According to Chowdappa, higher education is Aruba's number one vertical, and they expect ECS to gain traction in healthcare and hospitality, markets where there are significant numbers of guest users. Aruba makes the point that many NAC vendors are targeted toward managed devices such as desktops and laptops, while ECS is able to deal with unmanaged and transient devices such as Vo-Fi phones, and the occasional Sony Wii, that may not be able to run an agent. For devices in this latter group Aruba's ECS can work in tandem with their mobility controller to implement more restrictive traffic policies leveraging Aruba's stateful firewall. And this appliance isn't restricted to just wireless products, as the appliance can take trunked wired traffic, such as guest VLANs, and enforce policy on those, too.

Aruba is making the right moves in offering its customers multiple NAC options resulting in great stickiness for their core wireless LAN products. One of the challenges that Aruba faces is that organizations may look first to their wired networking equipment vendor for a NAC product, giving Cisco a natural leg up. Aruba appears to have chosen to OEM a mature product that integrates with systems in both mediums, and with eventual implementation of 802.11n, may take a larger and larger portion of IT's mindshare and networking budget.
