Access control on a network is one of the hottest topics around. A whole host of companies have technology offerings to do it, but they all pretty much fall into one of two basic groups - an overlay to the existing network, or a switch-based scheme.

Cisco, with its NAC (network access control) phase 2 scheme, has taken the latter approach, for example. The first phase used a separate NAC appliance, but the company has now embedded that same capability into the IOS firmware of its Catalyst 6000 switches.

The switches talk either to CTA (Cisco trusted agent) software running on the PC that's requesting connection, or to an auditing server. The effect is the same: CTA or the auditor either confirms that the PC is clean and up to spec on its security, or declares that it must be quarantined or blocked until it can be remediated.

"Security is frequently an overlay; one of our goals is to make it transparent," says Bob Gleichauf, Cisco's CTO for security. "NAC is a control plane for the infrastructure."

He adds that Cisco included the auditing capability because it didn't want to be accused of forcing software agents onto users - although he says he expects most users to adopt CTA anyway, once they see the advantages it brings.

Trusting your agent
"In NAC, we made sure that you don't have to have a trust agent," he says. "Our competitors all had products that didn't require an agent and sold them on that basis, but we found that almost every customer ended up going back for the agent version. When you have CTA, you're rewarded with almost immediate access, so lack of compliance comes with a cost.

"So you design for the reality of people wanting different options - you persuade them to do what you want, rather than forcing them."

Juniper Networks, which last year acquired Funk Software to bolster its unified access control strategy, says its focus is much more on standards - not least because Juniper doesn't sell edge switches so cannot rely on being able to enforce policies there.

Its access control scheme is based around an Infranet Controller appliance which downloads a trust agent to clients dynamically, and then uses Juniper's NetScreen firewalls for policy enforcement.

Funk's RADIUS technology adds the capability to do Layer 2 control, enforcing policies via any 802.1x-compliant switch, says Hitesh Sheth, VP for enterprise products and solutions at Juniper Networks (and formerly a top staffer in Cisco's metro Ethernet group).

"When we launched the Infranet Controller last year, the aim was an overlay approach to access control - secure the network you have, rather than replace it," he says.

"We knew that the enforcement points would be firewalls but we also needed to co-exist. Funk adds Layer 2 control, so the customer has the choice to use firewalls or switches - or both. Versus Cisco, its approach is tied to a Layer 2 infrastructure that would have to be overhauled.

"Secondly, we are very determined to push this down the standards path; you could even use third-party firewalls - we don't recommend it, but it's the reality."

Bob Gleichauf denies that NAC is non-standard. "NAC is serving as a tipping point for long-awaited network hardware upgrades, but that gets confused into 'NAC forces upgrades'," he says. "We also bought Perfigo to do an overlay version of NAC, so people can still do that."

He adds, "You will see us become more heterogeneous in how we work, for example NAC can be driven by applications from other vendors.

The porous network
"The idea of a public net and a private net is disappearing. All are porous at some level, so you need solutions that assume porosity and that where the network ends is ambiguous.

"There's already enough AV software but customers are more and more burdened with the patch problem and threats appearing faster than they can deal with. So we said, what if you could put in an anomaly detector.

"You need to build elasticity into the infrastructure - to build dampers in. Even if you can only get CTA onto a proportion of your systems, it can give you more time to react to a problem."

Hitesh Sheth agrees, but warns that a port-based approach to access control, as used by NAC-2 and other secure network developers such as Enterasys, depends on expensive upgrades to the access layer. He argues that an overlay approach will be significantly cheaper, and just as effective.

"We believe a RADIUS-based policy engine is the way to go," he says. "If your access control is port-based, you can only achieve true control when all ports have been upgraded.

"With an overlay you can provide more granular control, and there are fewer touch-points to administer as well. All you need is 802.1x compliance in the switch; there's no need to enforce an upgrade.

"The fact we're doing 802.1x is evidence that we'll work with any compatible system and take this to anyone who wants access control. There is enough installed base out there that's 1x-compliant, though you'd have to interrogate the software and hardware to find out its level of features."

He adds that if the feature level isn't up to it and the switches need upgrading, the Juniper approach can achieve the same result via enforcement at the firewalls. And he says that as network security evolves, he doesn't see an intelligent switch or router taking over the role of policy engine from the Infranet Controller.
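The RADIUS-based policy engine Sheth describes, and the clean/quarantine/block decision outlined for CTA earlier in the article, reduce to the same thing at the switch: a posture report goes in, and a RADIUS reply with a dynamic VLAN assignment (or a rejection) comes out. The following is an added illustration, not code from the article or from Cisco or Juniper; the posture fields, thresholds, VLAN numbers and decision names are assumptions chosen for illustration, while the Tunnel-* reply attributes are the standard RFC 3580 ones an 802.1x switch acts on.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed VLAN assignments (assumption, not either vendor's defaults).
VLAN_BY_DECISION = {"healthy": "100", "audit": "200", "quarantine": "999"}

@dataclass
class Posture:
    agent_present: bool                            # did a trust agent report at all?
    av_signature_age_days: Optional[int] = None    # None = not reported
    missing_critical_patches: Optional[int] = None # None = not reported
    known_compromised: bool = False                # e.g. flagged by an anomaly detector

def decide(p: Posture, max_sig_age: int = 7) -> str:
    """Map a posture report to one of: healthy, audit, quarantine, block."""
    if p.known_compromised:
        return "block"          # no network access at all
    if not p.agent_present:
        return "audit"          # agentless host: limited VLAN until an auditor clears it
    if p.av_signature_age_days is None or p.missing_critical_patches is None:
        return "quarantine"     # an incomplete report is treated as non-compliant
    if p.av_signature_age_days > max_sig_age or p.missing_critical_patches > 0:
        return "quarantine"     # remediation VLAN until AV and patches are current
    return "healthy"

def radius_reply(decision: str) -> Dict[str, str]:
    """Build the RADIUS reply an 802.1x switch applies (RFC 3580 VLAN attributes)."""
    if decision == "block":
        return {"Code": "Access-Reject"}
    return {
        "Code": "Access-Accept",
        "Tunnel-Type": "VLAN",              # attribute value 13
        "Tunnel-Medium-Type": "IEEE-802",   # attribute value 6
        "Tunnel-Private-Group-ID": VLAN_BY_DECISION[decision],
    }

def authorize(p: Posture) -> Dict[str, str]:
    """Full path: posture report -> decision -> RADIUS reply for the switch."""
    return radius_reply(decide(p))

if __name__ == "__main__":
    # Constructed sample endpoints: compliant, stale AV, agentless, compromised.
    for sample in (Posture(True, 1, 0), Posture(True, 30, 0),
                   Posture(False), Posture(True, 1, 0, known_compromised=True)):
        print(decide(sample), authorize(sample))
```

Because the decision lives in the RADIUS server rather than in switch firmware, the same policy applies to any 802.1x-capable switch, which is the portability argument made above.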

Policy engines
"Eventually, I see the policy engine taking signals from the IPS and application acceleration boxes, and providing not just threat control but determining how applications are delivered to the end user," he says.

"Today those are individual devices, but down the road they may get integrated. But for this to scale, there has to be a policy engine outside the routers."

Bob Gleichauf acknowledges that it will be hard to do, but insists that the switch is the right place to enforce policy - not least because in the future, identity management is also going to be an access control policy issue.

"We want to talk role-based access down the road," he says. "The complexity is that people can have multiple roles and the system then has to check them all. We want it done at the switch or router level, so you need policies and distributed databases.

"We need to get our arms around a simple feedback loop linked to lots of others - if you simply have fine-grained access control lists on a router, performance will bog down."