Security For All First Birthday: Revisiting Forrester and NAP

By a fairly large margin the most popular and contentious post in the first year of Security For All [if you discount one entitled Prophecy for 2009 which got tons of hits I suspect by mistake due to the clever title] was the September 24, 2008 post entitled I so want to be a Forrester analyst wherein this report on the state of Network Access Control (NAC) by Forrester pegged the old BS-O-meter.

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

I responded with the following assertions.

Until all enterprises make the switch to Windows Server 2008, there is no real NAP install base.

As of now there is one, count ‘em, one SHA/SHV set provided to the “near-ubiquitous Windows Server customer base“. And guess who provides it (hint – they build a well known OS). So if your endpoint policies require only the Microsoft Security Center stuff and all of your endpoints are Windows XP SP3 or Vista Business+ and your servers are Windows Server 2008 you are golden! Both of you.

There was feedback. Todd from Napera responded thusly.

Thanks for the mention of Napera Joe. I wanted to clarify a couple of points from your posting specific to Napera rather than the Forrester analysis per se.
A Napera deployment does not require Windows Server 2008. As stated clearly in the blog post you linked to – our solution is self contained – we licensed the NAP protocols directly from Microsoft and we speak directly to the NAP agent. This removes the requirement for customers to upgrade to Server 2008 to deploy NAP. In fact, we don’t require changes to any server infrastructure (DHCP, AD etc) to deploy NAP. Just last week a brand new user told me they were checking health on PC’s within ten minutes of deploying Napera.
Also, NAP does not require Vista Business – just Vista.

There are several SHA/SHV’s shipping today beyond the Microsoft WSHA in XP/Vista you mention. Microsoft Forefront Client Security, McAfee, Symantec, Blue Ridge and Avenda are some that come to mind.
Apple has yet to commit to releasing a TNC based agent for Mac. Our Napera health agent for Mac OS X has similar functionality to the Windows NAP agent, but isn’t based on NAP or TNC protocols per se. The Napera agent could easily be made TNC compatible if that option presents itself in the future, and provides a great solution in the interim.

There were several exchanges of ideas and the following conclusion was reached with respect to Napera’s product and Microsoft’s NAP.

The Napera solution doesn’t require NPS since that’s a component of Windows Server 2008. It is a third party NAP Network Policy Server (or TNC Policy Decision Point) that uses the MS enforcement mechanisms.

Additional information was provided by Joe Davies, Senior Program Manager of the NAP Team at Microsoft.

Just wanted you to know that there are seven additional SHA/SHVs that are available from third-party vendors and two additional SHA/SHVs that are available from Microsoft for System Center Configuration Manager and Forefront Client Security.

So what has changed in the State of NAC and NAP in the year following the infamous Forrester report? Well for one thing no one (at least no one sane) proclaimed 2009 as the Year of NAC. Which was a good thing. But were we to give credence to the Forrester report we might expect that NAP or NAP-based solutions would be dominating the NAC market by now. Well guess what didn’t happen. That’s not to say that NAP development has ceased. In fact there are now eight additional SHA/SHVs that are available from third-party vendors – including an offering from Korean UNETsystem that reportedly brings NAP to Linux and Mac OS/X – and three additional SHA/SHVs that are available from Microsoft. As far as I can tell, the market penetration and predicted dominance failed to occur primarily because enterprises stayed away from Vista in droves. Partly because of the crippled economy but mostly because, well, Vista sucks. And actually useful NAC systems – yes this includes NAP – are not trivial to design, deploy and maintain. Furthermore the adoption of Windows 2008 server has been somewhat less successful than some had predicted. All of which conspires to make the analysis of the Forrester report even more amusing now than it was 12 months ago.

The really significant change in the NAC landscape during the last year is actually systemic to the information security business – the move to security as a service and managed security services. Yep – information security is moving into the cloud. Since NAC is definitely one of the trickier services to move into said cloud, we’re only now beginning to see it happen. StillSecure acquired ProtectPoint and now offers managed security services based on several StillSecure products. It’s a safe bet that their Safe Access NAC product has got to be near the top of Alan’s “cloud it” list. Napera announced a beta program in July for a new online service, codenamed Cobalt, that “will give you an advanced look at your network and the state of every computer connected to a compatible switch.”

Oh yeah, and Microsoft announced a free consumer security offering codenamed Morro that directly competes with three of the eight third-party vendors who have those NAP SHA/SHVs. Wonder how that’s working out.

And I still so want to be a Forrester analyst.

I so want to be a Forrester analyst

Now that would be a totally sweet gig. No experience necessary, no research required. Just collect the swag from vendors. Totally sweet deal – sign me up.

Now hang on there, that’s harsh – even for you! Yeah, well what conclusion am I supposed to come to with this report on the state of Network Access Control (NAC)? Actually I should start at the beginning with how I came across this amazing piece of … information.

So I’m browsing the blogosphere, just minding my own business, looking for NAC news. I should mention that in real life I make my living developing a NAC system. So when I come across this article, it totally pegged the old BS-O-meter. I mean nailed it.

Microsoft NAP Leading the NAC Pack

It didn’t surprise us when Forrester Research put Microsoft NAP as the frontrunner in the Network Access Control market. “Microsoft’s NAP technology is a relative newcomer but has become the de facto standard…,” said Rob Whiteley in his report. While Cisco and others might be able to claim more direct revenue from NAC products as of now, I believe Microsoft has the technology and framework that positions it for success.
As Tim Greene pointed out in his NAC newsletter, “the result is interesting because it’s not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations.”
Tim hit the nail on the head, as NAP works in the real world, not just in a complex architectural diagram that only exists in a 30-page white paper. I think NAP’s success is twofold: One, NAP is built into the operating system on the client and server, making it easier for customers to use and deploy; and, two, NAP is one of those rare examples of Microsoft truly achieving interoperability and playing nice with others.

So at this point, I’m thinking well sure, these Napera guys are NAC vendors who are trying to ride the NAP wave so I’ll cut them some slack. I mean you do have to dial down the sensitivity on the old BS-O-Meter when dealing with marketing copy. But they reference an article by Tim Greene in his NAC newsletter. So I go there thinking surely they must have taken Tim totally out of context for their own vulgar marketing purposes. But much to my astonishment, (after navigating past NetworkWorld’s lame cover ad – which shows up as a nice blank page for those of us who block doubleclick – get a clue guys!) those Napera flaks were pretty much quoting Tim verbatim.

Microsoft comes out on top of the NAC heap in an evaluation of 10 vendors that was published recently by Forrester Research.

The result is interesting because it’s not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations.

Which led me to the original report by Forrester. By now my poor BS-O-Meter is toasted.

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.

So at this point I can no longer remain silent – you guys broke my BS-O-Meter! And it was industrial strength! So NAP “would meet the challenges of a set of real-world deployment situations“? What color is the sky in your real-world?

Here’s the deal guys. Until all enterprises make the switch to Windows Server 2008, there is no real NAP install base. Also, NAP is critically dependent on these nifty little client and server plugin combos – System Health Agents (SHA) and System Health Validators (SHV), that fill the roles of TNC Integrity Measurement Collectors (IMC) and Integrity Measurement Verifiers (IMV) respectively. It’s not a bad idea since the SHA’s are managed by a single client-side meta agent, and the SHV’s are plugins on the server side (the Network Policy Server (NPS) to be exact). But the real strength of this idea is that everyone who has some endpoint component they want to monitor for policy purposes (like say an AV package) just builds an SHA and corresponding SHV to be part of the happy NAP family. As of now there is one, count ’em, one SHA/SHV set provided to the “near-ubiquitous Windows Server customer base“. And guess who provides it (hint – they build a well known OS). So if your endpoint policies require only the Microsoft Security Center stuff and all of your endpoints are Windows XP SP3 or Vista Business+ and your servers are Windows Server 2008 you are golden! Both of you. Maybe I’m wrong and Napera has partnered with a whole bunch of competing endpoint security vendors to get all the system health gizmos that they have been developing in secret. Hey – they do make this claim:

Napera then builds on the NAP platform to provide a single solution that combines health enforcement for both Windows and Macintosh computers with identity enforcement and guest access.

Whoa – A Mac SHA? I had no idea that OS/X had the basic plumbing to support such a beast! Oh wait – I get it – it’s a TNC IMC. So what’s the SHV for that bad boy look like? You see, I’ve written an SHV (no I’m not going to tell you how it works) and I’m pretty sure the Napera guys are blowing marketing smoke. If not I’d love a demo of an actual working system (not a “30-page white paper”). Preferably in my real-world.
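A simplified model of the SHA/SHV pairing described above, added here as an illustration and not code from this post or from Microsoft's NAP: it shows that a health policy is only enforceable for components where both the client-side SHA and the server-side SHV exist. All class, function and field names are hypothetical, and the health rules and endpoints are constructed samples.

```python
from dataclasses import dataclass, field

# Simplified model of the NAP health-evaluation flow. Names are illustrative,
# not the Windows NAP interfaces.

@dataclass
class Endpoint:
    name: str
    # SHA id -> statement of health (SoH) reported by that installed SHA
    sohs: dict = field(default_factory=dict)

def windows_shv(soh):
    # Constructed rule: firewall on and automatic updates enabled
    return bool(soh.get("firewall") and soh.get("auto_update"))

def antivirus_shv(soh):
    # Constructed rule for a hypothetical third-party AV SHA/SHV pair
    return bool(soh.get("av_running")) and soh.get("signature_age_days", 99) <= 7

class PolicyServer:
    """Plays the NPS role: routes each SoH to the SHV registered for it."""
    def __init__(self):
        self.shvs = {}

    def register(self, sha_id, shv):
        self.shvs[sha_id] = shv

    def evaluate(self, endpoint, required):
        results = {}
        for sha_id in required:
            shv, soh = self.shvs.get(sha_id), endpoint.sohs.get(sha_id)
            if shv is None or soh is None:
                results[sha_id] = "unknown"  # one half of the pair is missing
            else:
                results[sha_id] = "pass" if shv(soh) else "fail"
        healthy = all(r == "pass" for r in results.values())
        return ("full" if healthy else "restricted"), results

def demo():
    nps = PolicyServer()
    nps.register("windows", windows_shv)  # the only pair available at first
    xp = Endpoint("xp-sp3", {"windows": {"firewall": True, "auto_update": True}})
    mac = Endpoint("macbook")  # no SHA installed on the client
    out = {"xp/windows-only": nps.evaluate(xp, ["windows"]),
           "xp/policy-needs-av": nps.evaluate(xp, ["windows", "antivirus"]),
           "mac/windows-only": nps.evaluate(mac, ["windows"])}
    # Once a vendor ships both halves, the same policy becomes enforceable.
    nps.register("antivirus", antivirus_shv)
    xp.sohs["antivirus"] = {"av_running": True, "signature_age_days": 2}
    out["xp/av-pair-installed"] = nps.evaluate(xp, ["windows", "antivirus"])
    return out
```

In this model an endpoint whose policy names a component without a matching SHA/SHV pair can never be judged healthy, so it stays restricted regardless of its actual state.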

So this brings me back to my original point. I want to be a Forrester analyst. I mean if I can make conclusions “not based on how many units were sold or performance tests but rather on evaluation of how well the products would meet the challenges of a set of real-world deployment situations“. Dude! sign me up. Don’t get me wrong – in all likelihood NAP will eventually become a “de facto standard” (well duh, it’s a Microsoft framework) and that’s not a bad thing. It’s just not there yet. In the meantime I need a new BS-O-Meter.