Network access control in appliances and client-side applications will become the industry norm within two years, but a lack of open standards in network protocols may hinder the quick adopters.
Almost every organisation will go down the network access control (NAC) road for security, access control and network bandwidth management. Cisco and Microsoft, with the release of Vista and Longhorn, will have a serious impact on the uptake, according to Gartner research director Steve Bittinger.
Niche players in the NAC market, Bittinger said, will be quickly eaten up by the "800 pound gorillas" within the near future, using Cisco's recent purchase of network security specialist Meetinghouse Data Communications as a prime example.
Speaking at Gartner's recent IT Security Summit in Sydney, Bittinger warned that code added by Cisco to the 802.1x (Layer 2) network protocol, as used in some wireless access points and switches, features proprietary extensions to the existing standard. Nevertheless, all new infrastructure gear should be checked for 802.1x compatibility.
"802.1x is the network protocol now found in a lot of switches and wireless points, which helps implement Layer 2 blocking but does not do everything required in network access control, but it actually does the blocking part," Bittinger said.
"Meetinghouse, another specialist player in the 802.1x software space, helped Cisco phase up the overall NAC picture; now we have AV vendors, software configuration management, and Microsoft at the operating system level offering something to do with NAC.
"But not every switch and network component works with 802.1x - if you have some legacy equipment in your environment that may be a few years old chances are it may not have .1x capability.
"Today 802.1x itself needs extra code extensions and Cisco has put extensions of a standard for authentication and to move information between end points, policy and remediation servers across the network."
Bittinger said the existing standards cannot do what is required, but the extension has yet to be accepted as a valid open standard, and added that in some recent deployments of VOIP, the 802.1x network has broken down.
"Both VOIP and NAC have to play well together to make it work and with Cisco telephones and networking gear it's not a problem, but with non Cisco phones using the 802.1x gear it breaks."
Bittinger emphasised that the overlap between Cisco and Microsoft is obvious with NAC, as both will offer policy servers and end point agents - Cisco through the Cisco Trusted Agent, and Microsoft in Vista.
"Microsoft Network Access Protection (NAP) is meant to work with future versions of active directory, domain isolation, but the problem with the Microsoft solution is it only works with Microsoft," Bittinger said.
"Certification authority is the approach it is using with its suggested mechanism and it might not come in until Longhorn, but Microsoft has ideas of issuing certificates, without which you cannot get access to anything, and which will control who can access within the whole Microsoft-type of environment.
"But we don't really know all the details as yet and it is not able to be tested."