Selasa, 4 November 2008

I've read report of "The Forrester Wave™: Network Access Control, Q3 2008" prepared by Robert Whiteley and Usman Sindhu for Security. It was reported on September 5, 2008. The executive summary of the report wrote:

In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base. Cisco’s and Juniper’s NAC solutions are anchored by mature, standalone appliances with top marks for manageability and ease of use. Bradford has pushed into the enterprise space with one of the most scalable overlay solutions. Symantec, McAfee, and StillSecure are all close behind with software-based solutions, which we predict will ultimately win as the best NAC architecture. Mirage Networks’ unique out-of-band system provides superior deployment flexibility and just edges out Nevis Networks, which operates as a secure inline switch with built-in threat prevention. HP ProCurve Networking rounds out the bunch with an approach that marries appliance with Ethernet switches.

I think Forrester forgot to include a few good product in their benchmarking evaluation such as InfoExpress, Consentry and Fortinet. To counter this report, I believe base on my previous experience evaluating NAC requirement, Cisco NAC and Microsoft NAC are not the answer for a comprehensive ubiquitous NAC solution. The way they deploy their NAC Architecture, would not solve major wireless architectural problem. These two devices depend on port base security. Meaning that, any traffic in-out activity from that NAC switch port can be analyzed and monitored only via that physical port. Imagine that if you have 1000 devices in your company. You have to replace all your conventional switches to this NAC switches. My estimation, you need to deploy about 42 NAC appliances to monitor and control every access in your network.

I would prefer a solution provided by Juniper, Bradford, InfoExpress and Consentry. These NAC able to solve many issues logged by WLAN architecture. Their solutions are more.. and more comprehensive for ubiquitous network.

To address many complicated issues in the NAC management of heterogeneous WLAN network, I would prefer solution from InfoExpress, Consentry and Bradford. The deployment architecture of these NAC are less dependent on proprietary configuration. Juniper solution too dependent on their JUAC that requires Odyssey Client. My concent is... the Odyssey client is too complicated to manage for non-IT literate (Non-IT savvy) user. I need to find a solution that could minimize the complexity on the end-user site when deploying NAC appliance. In order to make the Juniper NAC to perform well, every user must install Odyssey client on their devices (Laptop). Does all wifi enable device support odyssey client ? SmartPhone, PDA, PSP and many other wifi devices is not really workable with Odyssey. Can we install Odyssey Client on Windows Mobile Platform or Symbian or etc ?... These are the issues that we need to consider before we deploy NAC in our wireless environment.

So, which solution is less proprietary dependent and workable with many platform ? This time I would prefer a solution from InfoExpress, Consentry and Bradford. Two products were not evaluated in the Forrester report. How about Bradford ? since Forrester has discussed much about Bradford in their report, no point for to me to discuss about Bradford... then, I will highlight my review for InfoExpress and COnsentry. Generally, Consentry has similar features offered by Bradford. There are some minor differences which I think not really important to discuss. In general Consentry can act as a proxy radius to control the access for each user account. It also workable for inline deployment.

InfoExpress offers more unique solution compared to other NAC, especially for heterogeneous ubiquitous network. InfoExpress perform dynamic NAC solution which similarly follow the concept "Man in the middle attack". The total concept and approach they implement for dynamic NAC (DNAC) is very impressive. They are the first introducing DNAC solution and this method meet many end-user requirement especially to protect back-door attack via wireless connection.

The other NAC which include in Forrester report is more to AntiVirus NAC such as McAfee and Symantec. These type of NAC cannot be compare apple-to-apple with Juniper NAC, Cisco NAC or Microsoft NAC because they fall into different categories. AntiVirus NAC has different objection compared to port base NAC or the real network based NAC. If your look at the other NAC features, their can integrate with other third party antivirus server or appliance such as BigFix to update and control antivirus.

My conclusion, I don't understand why Forrester not include InfoExpress and Consentry in their evaluation report. That's why the Q3 2008 report produced by Forrester does not showing the actuall scenario about NAC technology available in the market. The evaluation criteria chosen to identify the market leader in NAC seems like biased to certain products only.

I would to see is there head-to-head evaluation between Cisco, Juniper, InfoExprees, COnsentry and Bradford in solving network access on real ubiquitous network.