TRENDS

May 12, 2006

Client Choice topic

Getting The NAC Of It: 2006 Network Access Control Adoption
NAC Matures And Gains Momentum, But Firms Struggle With Complexity
This is the sixth document in the “2006 IT Security Adoption And Trends” series. by Robert Whiteley with Benjamin Gray, Paul Stamp, and Christine E. Atwood

EXECUTIVE SUMMARY

Forrester predicts that 2006 will be a big year for network access control (NAC), also known as network quarantine, which provides a framework for proactive network security. Just how big? In January 2006, Forrester surveyed 149 technology decision-makers at North American companies and found more than one-third already plan to adopt NAC this year. Organizations want NAC for increased security across all access technologies — wired, wireless, and remote-access alike. Companies with no plans to deploy NAC in 2006 feel that cost and manageability are the primary obstacles. However, those same companies with no NAC adoption plans are still looking to put the NAC building blocks in place; 49% are likely to upgrade their switching hardware to port-based authentication-capable switches in 2006.

TARGET AUDIENCE
IT Operations Executive; Security and Risk Executive.

RESEARCH CATALYST
Clients selected this topic for Client Choice research.

NAC CONTINUES TO GAIN MOMENTUM AND IT MINDSHARE
Enterprise security and network architects are eager to deploy NAC solutions to build a proactive security framework right into the network fabric. Specifically, Forrester defines NAC as: A mix of hardware and software technologies that dynamically control client systems’ access to networks based on their compliance with policy. Why all the buzz? Because, done right, NAC enables pre- and post-admission compliance checks, which effectively stop the bad guys from getting on the network in the first place and kick off legitimate users if they don’t comply with company policy. Enterprises crave this level of control and granularity: It not only helps combat regulatory pressures like the Payment Card Industry (PCI) Data Security Standard and the Health Insurance Portability and Accountability Act (HIPAA), but allows firms to realistically enforce security policies — rather than having them simply gathering dust on HR department shelves.
Headquarters Forrester Research, Inc., 400 Technology Square, Cambridge, MA 02139 USA Tel: +1 617/613-6000 • Fax: +1 617/613-5000 • www.forrester.com

Trends | Getting The NAC Of It: 2006 Network Access Control Adoption


Forrester believes that 2006 will bring greater awareness around NAC and a significant number of real implementations. In fact, anecdotally, we’re already seeing enterprises dedicate IT budget line items to NAC. As a network analyst at one large healthcare organization put it, “2006 is the year of NAC for us. We’re dedicating about $250,000 to get started — which includes the cost for new equipment as well as upgrading our current switch infrastructure.”

NAC Adoption Will Remain Steady At 40% In 2006
To better understand where firms are with NAC, Forrester recently surveyed 149 technology decision-makers at North American companies about their approaches. We learned that:

· Forty percent of companies have already or will deploy NAC in 2006. While just 4% of the 149 companies that we surveyed have already deployed NAC, 36% plan to purchase or implement the technology in 2006 (see Figure 1-1). This is consistent with previous years’ surveys, where NAC adoption levels have stayed consistently between 30% and 40%.1 Not surprisingly, roughly half of Global 2,000 enterprises (20,000 or more employees) have moved to NAC — the highest of any group; followed by large enterprises (1,000 to 19,999 employees) at approximately one-third, and small and medium-size businesses (less than 1,000 employees) right around one-quarter having adopted.

· Companies deploying NAC seek control across all access technologies . . . NAC provides the holy trinity of secure connectivity: a universal access control policy across wired, wireless, and remote-access media. This way, security gurus can enforce policies independent of the users’ location and without costly point solutions. So, it’s no surprise that 53% of the companies that are planning to deploy NAC solutions in 2006 are primarily looking to increase security across all three access technologies — more than the sum of all the individual media combined (see Figure 1-2).

· . . . and the remaining companies feel that NAC solutions are costly and too hard to manage. NAC’s primary downfall is that today’s solutions are complex. They require the manual integration of several “moving parts” at the endpoint, within the network, and in the backend with policy servers.2 As a result, cost and manageability, at 23% and 14%, respectively, are the primary reasons why 60% of the 149 companies that we surveyed have no plans to purchase or implement NAC products in 2006 (see Figure 1-3). But, we see a silver lining: The next generation of NAC solutions, from vendors like ConSentry Networks and Applied Identity, focus on simplicity — driving down costs and integration woes.


© 2006, Forrester Research, Inc. Reproduction Prohibited


Figure 1 More Than One-Third Of Companies Look To NAC In 2006, But Cost Remains An Obstacle

1-1 “Is your company likely to purchase or implement network access control/network quarantine products this year?”
· Already completed: 4%
· No: 60%
· Yes: 36%

Base: 149 technology decision-makers at North American SMBs and enterprises

1-2 “What is the primary reason your organization will deploy network access control/network quarantine technologies?”
· Increase wired network security: 13%
· Increase wireless network security: 8%
· Increase remote-access security: 19%
· All of the above: 53%
· Other: 8%

Base: 53 technology decision-makers at North American SMBs and enterprises that will deploy network access control/network quarantine technologies (percentages may not total 100 because of rounding)

1-3 “What is the primary reason your organization will not deploy network access control/network quarantine technologies?”
· Cost: 23%
· Manageability: 14%
· Too difficult to deploy organizationally: 13%
· Complexity: 9%
· Not a priority: 7%
· Too difficult to upgrade network: 7%
· Don’t need: 3%
· Other: 2%
· Don’t know: 23%

Base: 88 technology decision-makers at North American SMBs and enterprises that will not deploy network access control/network quarantine technologies (percentages may not total 100 because of rounding)

Source: Forrester Research, Inc.


FIRMS SHOULD DEPLOY NAC APPLIANCES AND SOFTWARE WHILE UPGRADING SWITCHES

Enterprise environments are complex, to say the least. Most firms will find a very diverse user and device population — including unmanaged PCs for guest users, contractors, or consultants, as well as IP-enabled phones and printers. For adequate NAC coverage, we recommend that firms deploy a mix of technologies, including:

· Ethernet switches for granular quarantining. Ethernet switches like those from Cisco Systems, ProCurve Networking by HP, Nortel Networks, and Enterasys Networks provide strong port-level authentication coupled with granular Layer 2 mechanisms like VLANs and MAC address filtering to quarantine noncompliant users. Best used for: managed devices in a tightly controlled network. When deploying Ethernet switches, we recommend enabling 802.1X for port-level control. The downside? 802.1X is most suitable for managed PCs with the proper supplicants.3

· Appliances for less-intrusive network deployments. Appliances from vendors like Caymas Systems, ConSentry Networks, InfoExpress, and Nevis Networks provide in-line and out-of-band NAC solutions. Meaning? You can put one in the network path for the same granular lockdown capabilities of a switch, or you can hang one off a switch’s spanning ports to provide a more scalable and less invasive option.

Best used for: unmanaged devices with older network gear. Appliances often work in a “clientless” mode (i.e., they don’t require a supplicant or endpoint agent) and gracefully handle unmanaged or unknown devices. Appliances are ideal for firms that want to avoid the hassles of a network upgrade or wish to deploy an interim solution before a switch overhaul is complete.

· Software for scalability at lower costs. The last option is a pure overlay to the network with quarantining at the software layer — available from vendors like ENDFORCE, McAfee, Symantec, and Check Point Software Technologies. These solutions often provide several access control mechanisms, but typically sacrifice granularity because they are not in the network fabric.4

Best used for: managed devices with heterogeneous networks. Firms with extremely complex switching environments or highly distributed topologies often look to avoid hardware-based NAC solutions altogether. It is important to note, however, that most solutions still require some kind of agent (even if embedded in a client security suite) be installed on PCs and servers to provide access control. We’ve also found that software-based approaches are popular if IT security or desktop folks are operating the NAC deployment.

What’s the best mix? We recommend that firms spend 12 to 18 months upgrading their switching hardware and deploy either an appliance or software solution in the interim.5
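To make the pre- and post-admission checks described above concrete, here is a small policy evaluator added as an illustration (it is not code from the report or from any of the vendors named). It assumes a switch-style deployment with a production VLAN, a quarantine VLAN for remediation, and a guest VLAN for devices that cannot authenticate; the VLAN ids and the posture fields (patch level, required services) are constructed.

```python
"""Toy NAC admission policy evaluator (added example, not code from the report).
Models the pre- and post-admission checks the report describes: an 802.1X
authenticated endpoint reaches the production VLAN only if its posture meets
policy, a noncompliant one is quarantined, and a device with no supplicant is
handled clientless on a guest VLAN. VLAN ids and posture fields are constructed.
"""
from dataclasses import dataclass, field

PRODUCTION_VLAN, QUARANTINE_VLAN, GUEST_VLAN = 100, 900, 200  # constructed ids
# Posture policy: minimum patch level and required endpoint services (constructed).
POLICY = {"min_patch_level": 12, "required": {"antivirus", "firewall"}}


@dataclass
class Endpoint:
    mac: str
    authenticated: bool  # 802.1X supplicant present and EAP succeeded
    patch_level: int = 0
    services: set = field(default_factory=set)


def posture_violations(ep: Endpoint) -> list:
    """Return the policy checks an endpoint fails (empty list means compliant)."""
    problems = []
    if ep.patch_level < POLICY["min_patch_level"]:
        problems.append(f"patch level {ep.patch_level} < {POLICY['min_patch_level']}")
    for svc in sorted(POLICY["required"] - ep.services):
        problems.append(f"{svc} not running")
    return problems


def admit(ep: Endpoint) -> tuple:
    """Pre-admission decision for a port that just came up: (vlan, reason)."""
    if not ep.authenticated:
        # No supplicant or failed EAP: treat as unmanaged, confine to guest VLAN.
        return GUEST_VLAN, "unauthenticated device, clientless guest access"
    violations = posture_violations(ep)
    if violations:
        return QUARANTINE_VLAN, "noncompliant: " + "; ".join(violations)
    return PRODUCTION_VLAN, "compliant"


def reassess(ep: Endpoint, current_vlan: int) -> tuple:
    """Post-admission re-check: quarantine an endpoint whose posture drifted,
    release a remediated one from quarantine, otherwise leave the port alone."""
    vlan, reason = admit(ep)
    if vlan != current_vlan:
        return vlan, f"moved from VLAN {current_vlan}: {reason}"
    return current_vlan, "no change"
```

Running `reassess` on a schedule, or on every posture report from the agent, is what turns the one-time admission check into the post-admission enforcement the report credits NAC with.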


Debunking The Myth: Network Upgrades Are Already Underway To Support NAC
Most vendors — besides Cisco — are marketing their solutions as avoiding the hassle of a network upgrade. Sounds good, right? Recent data proves this point moot. The biggest NAC drawback is upgrading edge switches to support 802.1X — the dominant underpinning for switch-based solutions. But, when we asked folks about their upgrade plans, we found that almost half of the companies with no plans to deploy NAC in 2006 are likely to upgrade at least some of their switching hardware in 2006 anyway (see Figure 2). In fact, 10% of them are already underway. Just 23% of companies that we surveyed are not at all likely to upgrade in 2006.
Figure 2 Companies That Are Avoiding NAC Will Still Upgrade To 802.1X

“How likely is your organization to upgrade its switching hardware to port-based authentication-capable (e.g., 802.1X-capable) switches in 2006?”
· Already underway: 10%
· Very likely: 1%
· Likely: 13%
· Somewhat likely: 26%
· Not at all likely: 23%
· Don’t know: 28%

Base: 94 technology decision-makers at North American SMBs and enterprises that will not deploy network access control/network quarantine technologies (percentages do not total 100 because of rounding)

Source: Forrester Research, Inc.


WHAT IT MEANS

NAC WILL SHIFT “POWER” FROM THE NETWORK TO THE DESKTOP
Any vendor will tell you that NAC solutions are budgeted, deployed, and maintained by the networking staff. Ask any enterprise and the answer will differ. During the past three years, we’ve found that NAC presents a significant challenge to the average IT shop. Why? Because it requires that desktop operations, networking, and security folks collaborate. Ultimately, we feel that the vendors have it half right: Network architects and engineers will operate and maintain NAC gear, but we predict that enterprises will shift policy creation — the heart and soul of the NAC deployment — to the desktop security and operations experts — an IT buyer who understands deploying large-scale, policy-based technologies.

ENDNOTES

1 In June 2005, Forrester spoke with 438 infrastructure and data center decision-makers at North American enterprises and found that 31% are already using network quarantine products. In May 2005, Forrester spoke with 653 technology decision-makers at North American and European enterprises and found that 39% are already using network quarantine products. See the September 21, 2005, Data Overview “The State Of Security In SMBs And Enterprises: Business Technographics® North America” and see the June 28, 2005, Tech Choices “Choosing The Right Network Quarantine Solution.”

2 Forrester defines three major components that require integration: 1) endpoint and client security on the front-end; 2) quarantine-enabled network devices in the middle; and 3) policy, user, and remediation servers at the back-end. See the November 4, 2005, Best Practices “Best Practices To Prepare For Network Quarantine.”

3 The 802.1X authentication protocol is an essential component of LAN technology and, ultimately, will save enterprises money. But early adopters of 802.1X for authentication have run into high capital costs, unexpected operational costs, and security risks that can translate into costs if not addressed initially. Enterprises should be aware of these pitfalls and use the latest versions of software, firmware, and deployment tools to minimize costs. See the March 14, 2005, Best Practices “Beware The Hidden Costs Of 802.1X.”

4 The three most common software-based NAC options are: 1) DHCP to restrict IP addresses; 2) issuing commands to an Ethernet switch (using SNMP or a log-in script) to restrict at the port level; or 3) IPSec to restrict by using domain isolation. Note: This last one doesn’t necessarily mean using IPSec for encryption, but rather using the authentication header of IPSec to ensure that only machines with proper credentials can communicate with each other; Microsoft’s Network Access Protection (NAP) advocates the use of IPSec.

5 Firms need to treat NAC as a multiphase project. In fact, Forrester found that most clients need at least a year and a half to get network quarantine up and running. We’ve identified three major phases and, as a best practice, we recommend that firms: 1) create network quarantine policies; 2) deploy an interim overlay solution while upgrading network hardware; and 3) test interoperability and consolidate endpoints. See the November 4, 2005, Best Practices “Best Practices To Prepare For Network Quarantine.”

Forrester Research (Nasdaq: FORR) is an independent technology and market research company that provides pragmatic and forward-thinking advice about technology’s impact on business and consumers. For 22 years, Forrester has been a thought leader and trusted advisor, helping global clients lead in their markets through its research, consulting, events, and peer-to-peer executive programs. For more information, visit www.forrester.com. © 2006, Forrester Research, Inc. All rights reserved. Forrester, Forrester Wave, Forrester’s Ultimate Consumer Panel, WholeView 2, Technographics, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. Forrester clients may make one attributed copy or slide of each figure contained herein. Additional reproduction is strictly prohibited. For additional reproduction rights and usage information, go to www.forrester.com. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. To purchase reprints of this document, please email resourcecenter@forrester.com. 38276
