NAC boxes set to win European hearts
Analysts have said that demand for network access control appliances is set to double
Demand for network access control (NAC) appliances is set to double in 2007, according to analysts, with enterprise customers choosing better protection over lower-cost, software-based security solutions.
NAC is designed to control which users are allowed to access which resources and to set individual security policies, though some solutions also add real-time content control and malicious traffic blocking.
It can be deployed on hardware appliances, within Ethernet switches or as a server-based software solution, though a software client on the end-user device is needed to guarantee effective security.
Jeff Wilson, principal analyst for network security at Infonetics Research, predicts that enterprise IT managers will spend over $160bn on NAC appliances in 2007 rather than switches or software, up from an estimated $83bn in 2006.
“Nearly all vendors have gelled around some type of enforcement appliance-based architecture, but there are still a few nagging issues holding the market back,” he said.
The relatively high cost of in-line and out-of-band NAC appliances compared to server-based solutions is one barrier, along with the high risk tolerance of many firms. Over 75 per cent of all NAC appliances sold last year were shipped in the US, though vendors expect EMEA sales to pick up over the next twelve months as more companies start to worry about compliance with corporate governance regulations and revised security practices.
“The software overlay model has a lower cost of entry from the operational expenditure perspective and you do not have to reconfigure the network. But because it uses DHCP for enforcement, it can be evaded by anybody in the know using a local IP address,” said James Collinge, director of product management at NAC appliance specialist TippingPoint, a division of 3Com.
“The network [switch] integrated enforcement model is OK, but is very costly to deploy and requires the VLAN to be reconfigured, whilst older switches often do not support 802.1x.”