I so want to be a Forrester analyst

Now that would be a totally sweet gig. No experience necessary, no research required. Just collect the swag from vendors. Totally sweet deal – sign me up.

Now hang on there, that’s harsh – even for you! Yeah, well what conclusion am I supposed to come to with this report on the state of Network Access Control (NAC)? Actually I should start at the beginning with how I came across this amazing piece of … information.

So I’m browsing the blogosphere, just minding my own business, looking for NAC news. I should mention that in real life I make my living developing a NAC system. So when I come across this article, it totally pegged the old BS-O-Meter. I mean nailed it.

Microsoft NAP Leading the NAC Pack

It didn’t surprise us when Forrester Research put Microsoft NAP as the frontrunner in the Network Access Control market. “Microsoft’s NAP technology is a relative newcomer but has become the de facto standard…,” said Rob Whiteley in his report. While Cisco and others might be able to claim more direct revenue from NAC products as of now, I believe Microsoft has the technology and framework that positions it for success.
As Tim Greene pointed out in his NAC newsletter, “the result is interesting because it’s not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations.”
Tim hit the nail on the head, as NAP works in the real world, not just in a complex architectural diagram that only exists in a 30-page white paper. I think NAP’s success is twofold: One, NAP is built into the operating system on the client and server, making it easier for customers to use and deploy; and, two, NAP is one of those rare examples of Microsoft truly achieving interoperability and playing nice with others.

So at this point, I’m thinking well sure, these Napera guys are NAC vendors who are trying to ride the NAP wave so I’ll cut them some slack. I mean you do have to dial down the sensitivity on the old BS-O-Meter when dealing with marketing copy. But they reference an article by Tim Greene in his NAC newsletter. So I go there thinking surely they must have taken Tim totally out of context for their own vulgar marketing purposes. But much to my astonishment, (after navigating past NetworkWorld’s lame cover ad – which shows up as a nice blank page for those of us who block doubleclick – get a clue guys!) those Napera flaks were pretty much quoting Tim verbatim.

Microsoft comes out on top of the NAC heap in an evaluation of 10 vendors that was published recently by Forrester Research.

The result is interesting because it’s not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations.

Which led me to the original report by Forrester. By now my poor BS-O-Meter is toasted.

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

So at this point I can no longer remain silent – you guys broke my BS-O-Meter! And it was industrial strength! So NAP “would meet the challenges of a set of real-world deployment situations”? What color is the sky in your real-world?

Here’s the deal guys. Until all enterprises make the switch to Windows Server 2008, there is no real NAP install base. Also, NAP is critically dependent on these nifty little client and server plugin combos – System Health Agents (SHA) and System Health Validators (SHV) – that fill the roles of TNC Integrity Measurement Collectors (IMC) and Integrity Measurement Verifiers (IMV) respectively. It’s not a bad idea, since the SHAs are managed by a single client-side meta agent, and the SHVs are plugins on the server side (the Network Policy Server (NPS) to be exact). But the real strength of this idea is that everyone who has some endpoint component they want to monitor for policy purposes (like say an AV package) just builds an SHA and corresponding SHV to be part of the happy NAP family. As of now there is one, count ’em, one SHA/SHV set provided to the “near-ubiquitous Windows Server customer base”. And guess who provides it (hint – they build a well-known OS). So if your endpoint policies require only the Microsoft Security Center stuff and all of your endpoints are Windows XP SP3 or Vista Business+ and your servers are Windows Server 2008 you are golden! Both of you. Maybe I’m wrong and Napera has partnered with a whole bunch of competing endpoint security vendors to get all the system health gizmos that they have been developing in secret. Hey – they do make this claim:

Napera then builds on the NAP platform to provide a single solution that combines health enforcement for both Windows and Macintosh computers with identity enforcement and guest access.

Whoa – A Mac SHA? I had no idea that OS X had the basic plumbing to support such a beast! Oh wait – I get it – it’s a TNC IMC. So what does the SHV for that bad boy look like? You see, I’ve written an SHV (no I’m not going to tell you how it works) and I’m pretty sure the Napera guys are blowing marketing smoke. If not I’d love a demo of an actual working system (not a “30-page white paper”). Preferably in my real-world.

So this brings me back to my original point. I want to be a Forrester analyst. I mean if I can make conclusions “not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations”. Dude! Sign me up. Don’t get me wrong – in all likelihood NAP will eventually become a “de facto standard” (well duh, it’s a Microsoft framework) and that’s not a bad thing. It’s just not there yet. In the meantime I need a new BS-O-Meter.
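To make the SHA/SHV plumbing described above concrete, here is a simplified model, written for this page and not taken from the original post, Microsoft or Napera, of how the client-side meta agent gathers one Statement of Health (SoH) per SHA and how the policy server routes each SoH to the SHV registered for it. The numeric health IDs, the component names and the treatment of an SoH that has no matching SHV are all constructed assumptions; the point it shows is that a component whose vendor ships no SHV simply cannot be judged by the server.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Numeric System Health IDs below are constructed; real NAP uses vendor-specific ones.
@dataclass
class StatementOfHealth:          # one SoH per SHA
    system_health_id: int
    state: Dict[str, bool]

@dataclass
class Decision:
    compliant: bool = True
    failures: Dict[int, str] = field(default_factory=dict)  # an SHV rejected the SoH
    unevaluated: List[int] = field(default_factory=list)    # no SHV registered for it
SHA = Callable[[], Dict[str, bool]]               # client plugin: measures one component
SHV = Callable[[Dict[str, bool]], Optional[str]]  # server plugin: failure reason or None

def nap_agent_collect(shas: Dict[int, SHA]) -> List[StatementOfHealth]:
    """Client-side meta agent: gather one SoH from every installed SHA."""
    return [StatementOfHealth(hid, measure()) for hid, measure in shas.items()]

def nps_evaluate(sohs: List[StatementOfHealth], shvs: Dict[int, SHV],
                 fail_unmatched: bool = True) -> Decision:
    """Server side: route each SoH to the SHV registered for its ID and combine.
    How an SoH with no SHV counts (fail_unmatched) is a modelling choice here."""
    decision = Decision()
    for soh in sohs:
        validator = shvs.get(soh.system_health_id)
        if validator is None:           # nobody on the server can judge this component
            decision.unevaluated.append(soh.system_health_id)
            decision.compliant = decision.compliant and not fail_unmatched
            continue
        reason = validator(soh.state)
        if reason:
            decision.failures[soh.system_health_id] = reason
            decision.compliant = False
    return decision
WINDOWS_ID, THIRD_PARTY_AV_ID = 1001, 2002  # constructed IDs

def windows_shv(state: Dict[str, bool]) -> Optional[str]:
    """Models the built-in Security Center checks: firewall, AV and updates on."""
    missing = [k for k in ("firewall", "antivirus", "auto_update") if not state.get(k)]
    return f"disabled: {', '.join(missing)}" if missing else None

def run_demo(fail_unmatched: bool = True) -> Decision:
    # Constructed endpoint: Security Center healthy, plus an AV SHA whose vendor ships no SHV.
    shas: Dict[int, SHA] = {
        WINDOWS_ID: lambda: {"firewall": True, "antivirus": True, "auto_update": True},
        THIRD_PARTY_AV_ID: lambda: {"signatures_current": False},
    }
    return nps_evaluate(nap_agent_collect(shas), {WINDOWS_ID: windows_shv}, fail_unmatched)
```

With only the Windows SHV deployed, `run_demo()` leaves the third-party AV SoH unevaluated, so the endpoint is non-compliant in strict mode and passes only if unmatched components are ignored.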

5 thoughts on “I so want to be a Forrester analyst”

  1. Thanks for the mention of Napera Joe. I wanted to clarify a couple of points from your posting specific to Napera rather than the Forrester analysis per se.

    A Napera deployment does not require Windows Server 2008. As stated clearly in the blog post you linked to – our solution is self-contained – we licensed the NAP protocols directly from Microsoft and we speak directly to the NAP agent. This removes the requirement for customers to upgrade to Server 2008 to deploy NAP. In fact, we don’t require changes to any server infrastructure (DHCP, AD etc) to deploy NAP. Just last week a brand new user told me they were checking health on PCs within ten minutes of deploying Napera.

    Also, NAP does not require Vista Business – just Vista.

    There are several SHA/SHVs shipping today beyond the Microsoft WSHA in XP/Vista you mention. Microsoft Forefront Client Security, McAfee, Symantec, Blue Ridge and Avenda are some that come to mind. Joel Snyder reviewed several of these back in April in Network World. One of the reasons we chose NAP was because of the large number of partners who have committed to supporting the architecture.

    Apple has yet to commit to releasing a TNC based agent for Mac. Our Napera health agent for Mac OS X has similar functionality to the Windows NAP agent, but isn’t based on NAP or TNC protocols per se. The Napera agent could easily be made TNC compatible if that option presents itself in the future, and provides a great solution in the interim.

  2. Thanks for your reply, Todd. It’s always much more enlightening – not to mention fun – when you call me on misrepresentations or misinterpretations.
    I still have some issues with your response (probably just semantics) but I’m hoping you’ll continue to set me straight.
    1. If you “licensed the NAP protocols directly from MS” you were screwed – they are all open.
    2. If you don’t require any changes to the server infrastructure (particularly not Win2K8 server) then you are not using the MS NPS (NAPified IAS) that only comes with Win2K8 server.
    3. While all Vista editions may come with the SHA framework installed, I have a hard time imagining how practical it is to manage network policies on Vista Home editions that can’t join a domain and therefore don’t get GPOs pushed to them.
    It sounds like Napera is mostly a NAP Network Policy Server (or TNC Policy Decision Point) that uses the MS enforcement mechanisms.
    Thanks for the pointer to Joel’s review, I’ll definitely check it out.

  3. Thanks Joe.

    Yes, Microsoft published their protocol docs in Feb 2008, but commercial developers still need to sign a license to implement them (see http://www.microsoft.com/protocols/default.mspx). We started working on the Napera solution long before then. I’ve blogged about it at http://www.napera.com/blog/?p=7

    You are correct that the Napera solution doesn’t require NPS since that’s a component of Windows Server 2008. Likewise we don’t require domain membership for NAP (although most of our customers are using Active Directory and we leverage it for authentication).

  4. Just wanted you to know that there are seven additional SHA/SHVs that are available from third-party vendors and two additional SHA/SHVs that are available from Microsoft for System Center Configuration Manager and Forefront Client Security.

    See the following NAP blog entries for the details:

    http://blogs.technet.com/nap/archive/2008/09/30/system-health-agents-shas-and-system-health-validators-shvs-that-are-available-from-nap-partners.aspx

    http://blogs.technet.com/nap/archive/2008/09/03/system-health-agents-shas-that-are-available-from-microsoft.aspx

    Thanks.
