Security For All First Birthday: Revisiting Forrester and NAP

By a fairly large margin, the most popular and contentious post in the first year of Security For All [if you discount one entitled “Prophecy for 2009”, which got tons of hits, I suspect by mistake, due to the clever title] was the September 24, 2008 post entitled “I so want to be a Forrester analyst”, wherein this report on the state of Network Access Control (NAC) by Forrester pegged the old BS-O-meter.

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

I responded with the following assertions.

Until all enterprises make the switch to Windows Server 2008, there is no real NAP install base.

As of now there is one, count ‘em, one SHA/SHV set provided to the “near-ubiquitous Windows Server customer base”. And guess who provides it (hint – they build a well known OS). So if your endpoint policies require only the Microsoft Security Center stuff and all of your endpoints are Windows XP SP3 or Vista Business+ and your servers are Windows Server 2008 you are golden! Both of you.

There was feedback. Todd from Napera responded thusly.

Thanks for the mention of Napera Joe. I wanted to clarify a couple of points from your posting specific to Napera rather than the Forrester analysis per se.
A Napera deployment does not require Windows Server 2008. As stated clearly in the blog post you linked to – our solution is self contained – we licensed the NAP protocols directly from Microsoft and we speak directly to the NAP agent. This removes the requirement for customers to upgrade to Server 2008 to deploy NAP. In fact, we don’t require changes to any server infrastructure (DHCP, AD etc) to deploy NAP. Just last week a brand new user told me they were checking health on PCs within ten minutes of deploying Napera.
Also, NAP does not require Vista Business – just Vista.

There are several SHA/SHVs shipping today beyond the Microsoft WSHA in XP/Vista you mention. Microsoft Forefront Client Security, McAfee, Symantec, Blue Ridge and Avenda are some that come to mind.
Apple has yet to commit to releasing a TNC based agent for Mac. Our Napera health agent for Mac OS X has similar functionality to the Windows NAP agent, but isn’t based on NAP or TNC protocols per se. The Napera agent could easily be made TNC compatible if that option presents itself in the future, and provides a great solution in the interim.

There were several exchanges of ideas and the following conclusion was reached with respect to Napera’s product and Microsoft’s NAP.

The Napera solution doesn’t require NPS since that’s a component of Windows Server 2008. It is a third party NAP Network Policy Server (or TNC Policy Decision Point) that uses the MS enforcement mechanisms.

Additional information was provided by Joe Davies, Senior Program Manager of the NAP Team at Microsoft.

Just wanted you to know that there are seven additional SHA/SHVs that are available from third-party vendors and two additional SHA/SHVs that are available from Microsoft for System Center Configuration Manager and Forefront Client Security.

So what has changed in the State of NAC and NAP in the year following the infamous Forrester report? Well for one thing no one (at least no one sane) proclaimed 2009 as the Year of NAC. Which was a good thing. But were we to give credence to the Forrester report we might expect that NAP or NAP-based solutions would be dominating the NAC market by now. Well guess what didn’t happen. That’s not to say that NAP development has ceased. In fact there are now eight additional SHA/SHVs that are available from third-party vendors – including an offering from Korean UNETsystem that reportedly brings NAP to Linux and Mac OS X – and three additional SHA/SHVs that are available from Microsoft. As far as I can tell, the market penetration and predicted dominance failed to occur primarily because enterprises stayed away from Vista in droves. Partly because of the crippled economy but mostly because, well, Vista sucks. And actually useful NAC systems – yes this includes NAP – are not trivial to design, deploy and maintain. Furthermore the adoption of Windows 2008 server has been somewhat less successful than some had predicted. All of which conspires to make the analysis of the Forrester report even more amusing now than it was 12 months ago.

The really significant change in the NAC landscape during the last year is actually systemic to the information security business – the move to security as a service and managed security services. Yep – information security is moving into the cloud. Since NAC is definitely one of the trickier services to move into said cloud, we’re only now beginning to see it happen. StillSecure acquired ProtectPoint and now offers managed security services based on several StillSecure products. It’s a safe bet that their Safe Access NAC product has got to be near the top of Alan’s “cloud it” list. Napera announced a beta program in July for a new online service, codenamed Cobalt, that “will give you an advanced look at your network and the state of every computer connected to a compatible switch.”

Oh yeah, and Microsoft announced a free consumer security offering codenamed Morro that directly competes with three of the eight third-party vendors who have those NAP SHA/SHVs. Wonder how that’s working out.

And I still so want to be a Forrester analyst.

5 thoughts on “Security For All First Birthday: Revisiting Forrester and NAP”

  5. Just saw this post in my incoming blog links Joe. Very good points. Unfortunately NAC didn’t pan out as a market as much of the industry anticipated, although Cisco and Microsoft seem to be doing OK with it.

    The cloud beta Napera announced last year just shipped at RSA. I’d love to hear your thoughts on it – drop me a line if you are interested.
