Makers of network access control (NAC) technologies find themselves dividing along familiar lines within the world of IT security: some providers evangelise a centralised, network-based approach to authenticating and admitting devices, while others argue that NAC should reside on the endpoint.

In recent months, some market watchers have begun calling for industry consolidation under the idea that many of today's enterprise NAC products will either disappear or be collected into larger technology offerings delivered by major security vendors and networking firms.

Demand for NAC tools, which evaluate the security posture of devices as they attempt to log onto a network, has already been constricted by complex deployments, product confusion, and incompatibility, according to some industry analysts.

NAC will only become truly useful to enterprises when it can be tightly melded with other device and network security systems, these experts contend, and will likely be delivered alongside other technologies from the same vendors who already control those markets.

The sheer variety of endpoint and network-based systems being sold under the NAC banner has made it challenging for IT decision makers to get a firm grip on which pieces to buy, which will force a vendor shake-out that favours the largest security and networking players, said Paul Stamp, analyst with Forrester Research.

Product confusion

"This product confusion is one of the main reasons that NAC isn't as big as we'd thought it would be," said Stamp. "Customers know that there's no one product that can solve all these problems for a reasonably large enterprise, yet some large enterprises feel they've already got this problem solved with existing endpoint and network technologies."

In a recent report, Forrester predicted that larger endpoint security players including Symantec, McAfee, and Sophos will end up supplying the brains behind NAC, rather than network-oriented vendors such as Cisco, one of the pioneering companies in the space.

There will be room for infrastructure companies to help marry endpoint security policies with network data controls, but NAC intelligence -- the security policies that determine whether a device is allowed on the network and how it must be updated if infected -- will not be network-based applications, according to the research firm.

"Enterprises need one policy set by client security tools and other technologies that use that policy to determine what to do," said Natalie Lambert, one of the Forrester authors. "There is a need for some enforcement mechanisms that the client can't handle, and there is a place for those technologies, but not if it forces IT to create separate policies."

Networking vendors such as Cisco and Juniper will be able to market integrated products that enterprises use to help manage NAC and tie it tightly into their central defences, and other major companies including Microsoft will play important roles in facilitating the tools, Lambert said.

However, many third-party NAC technologies on the market today will either be acquired, move down-market from the enterprise, or disappear, she predicted.

The debate over whether it is smarter to locate the top-level intelligence of security systems at the endpoint or the network is one that has raged on for years, prompting companies to deploy both types of technologies.

In the IT systems defence space, for example, vendors have successfully marketed both network and host-based intrusion prevention systems (IPS). Used to ward off external attacks, a host-based IPS lives on an endpoint such as a PC, while a network-based IPS is typically handled within a firewall device or network appliance.

Flourishing diversity

The enterprise NAC segment will allow for the same type of diversity, and will support providers other than the infrastructure giants who deliver network-based device authentication and remediation tools, other vendors claim.

According to some, Forrester's endpoint-based vision for the technology, which the firm terms proactive endpoint risk management (PERM), overlooks the need for additional NAC products to sit between the endpoint and the network to handle heavy lifting that traditional desktop and infrastructure systems can't deliver.

"The PERM people are talking about NAC as an endpoint uber-agent, but in today's world one of the biggest drivers of NAC are unmanaged users like contractors coming onto networks," said Alan Shimel, chief strategy officer at StillSecure. "Enterprises need to know that machines are not polluting the network, that's the whole point, and with the PERM approach there's no solution for that problem."

Shimel said that the more endpoint-focused NAC strategy also fails to address the problem of letting a potentially infected device rely primarily on its own internal ability to verify its security status.
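The two design points in contention here, a single policy that both endpoint and network enforcement consume (Lambert's argument) and the risk of trusting a possibly compromised device's self-report (Shimel's objection), can be shown in a small admission-decision routine. The following is an added example written for this page; it is not code from Forrester, StillSecure, or any vendor named in the article. The policy fields, data classes and device records are all constructed for illustration, and the network-side observation stands in for whatever a real deployment would gather from a scanner or switch-side sensor.

```python
"""NAC admission decision with one policy and two sources of evidence.

Added example (not from the article). Field names such as
max_av_signature_age_days and observed_patch_banner are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ADMIT = "admit"            # full network access
    REMEDIATE = "remediate"    # restricted VLAN: update servers only
    QUARANTINE = "quarantine"  # nothing beyond the captive portal


@dataclass(frozen=True)
class Policy:
    """The single policy both enforcement points consume (hypothetical fields)."""
    max_av_signature_age_days: int = 3
    required_patch_level: int = 42
    forbidden_open_ports: frozenset = frozenset({135, 445, 4444})


@dataclass
class AgentReport:
    """Posture as *claimed* by the endpoint's own agent."""
    device_id: str
    av_signature_age_days: int
    patch_level: int


@dataclass
class NetworkObservation:
    """Evidence the network gathered itself about the device (constructed here)."""
    device_id: str
    open_ports: frozenset = frozenset()
    observed_patch_banner: Optional[int] = None  # None: could not be determined


def decide(policy: Policy, report: Optional[AgentReport],
           obs: NetworkObservation) -> tuple[Decision, list[str]]:
    """Return the admission decision and the reasons behind it."""
    reasons: list[str] = []
    exposed = sorted(obs.open_ports & policy.forbidden_open_ports)

    # Unmanaged device (the contractor-laptop case): no agent, so only
    # network-side evidence exists. It is never admitted outright.
    if report is None:
        reasons.append("no endpoint agent: network-side evidence only")
        if exposed:
            reasons.append(f"forbidden ports exposed: {exposed}")
            return Decision.QUARANTINE, reasons
        return Decision.REMEDIATE, reasons

    # Managed device: evaluate the self-report against the single policy ...
    if report.av_signature_age_days > policy.max_av_signature_age_days:
        reasons.append("antivirus signatures out of date")
    if report.patch_level < policy.required_patch_level:
        reasons.append("patch level below policy")

    # ... and corroborate it. A self-report is a claim, not a measurement:
    # if the network sees something the agent did not admit to, the agent's
    # word is worthless and the device is isolated rather than remediated.
    if (obs.observed_patch_banner is not None
            and obs.observed_patch_banner < report.patch_level):
        reasons.append("agent's patch claim contradicted by network observation")
        return Decision.QUARANTINE, reasons
    if exposed:
        reasons.append(f"forbidden ports exposed: {exposed}")
        return Decision.QUARANTINE, reasons

    return (Decision.REMEDIATE if reasons else Decision.ADMIT), reasons


def run_scenarios(policy: Policy = Policy()) -> dict[str, Decision]:
    """Constructed devices covering the cases the article argues about."""
    cases = {
        "healthy-managed": (AgentReport("pc1", 1, 42),
                            NetworkObservation("pc1", observed_patch_banner=42)),
        "stale-managed": (AgentReport("pc2", 10, 42),
                          NetworkObservation("pc2")),
        "lying-agent": (AgentReport("pc3", 0, 42),
                        NetworkObservation("pc3", observed_patch_banner=30)),
        "unmanaged-clean": (None, NetworkObservation("guest1")),
        "unmanaged-exposed": (None, NetworkObservation("guest2", frozenset({445}))),
    }
    return {name: decide(policy, rep, obs)[0] for name, (rep, obs) in cases.items()}


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18s} -> {decision.value}")
```

The design choice worth noting is that contradiction between the agent's claim and the network's own observation is treated as worse than a merely stale posture: an out-of-date signature file earns a remediation VLAN, while an agent caught misreporting is quarantined, because a device that lies about one check cannot be trusted on the others.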

He said his company and others like it also continue to sell plenty of NAC products while the broader market lines are being drawn.

Shimel expects the NAC market to split into two camps, with those who think device authentication intelligence moves into the network and is embedded into routers on one side, and others who think it moves onto endpoints.

"Many of the initial expectations around NAC are unachievable, but that's no reason for people to start writing obituaries about these technologies before their time," he said. "We don't think the last word has been written about network-based control. If you look closely at the Forrester report and what they say NAC is lacking, it's actually what the network-based people are already doing, such as remediation."

Many larger vendors support the notion that enterprises will adopt both network and endpoint NAC tools, but some agreed that customers are unlikely to tolerate multiple systems that require the creation of parallel policies and controls.

In that sense, major security and infrastructure providers will have an advantage over smaller best-of-breed NAC suppliers, as the big players are already working to co-ordinate their products and stake out which aspects of such systems each will specialise in.

"Hard-core security guys will always tell you there's no way that you can expect an endpoint to protect itself, but it's not ultimately a one-or-the-other scenario; there's a need for a co-ordinated combination of tools," said Oliver Tavakoli, vice president of architecture and technology at Juniper. "You cannot force people to create duplicate policy stores, and our goal, if you look at what companies like Juniper, Cisco and Microsoft are doing, is to provide that policy enforcement framework."