Interop grapples with NAC

TECH ANALYSIS: ENDGAME FOR ENDPOINTS IS ELUSIVE

By Cameron Sturdevant

The vendors and experts assembled at this week’s Interop Las Vegas are out to answer once again the question, Whither endpoint access control?

Interop attendees interested in finding an answer to this question for themselves will find at the show an entire NAC (network access control) Day track in which Cisco Systems, Microsoft and the Trusted Computing Group—along with a host of lesser providers of so-called NAC-right-now products—will line up to assert that the network is the best place to control access.

The NAC Interop Lab is certainly a place to go to get some nitty-gritty questions answered. The lab has been up and running for at least the last two shows and has plenty of handouts and demonstrations for attendees.

Despite what NAC vendors at Interop will argue, the question of whether the network is the best place for checking endpoint compliance with security policies remains unsettled for now. For one thing, using NAC devices and services to assess endpoint health—including the status of anti-virus signatures, operating system and application patches, and firewall rules—and to ensure that unauthorized programs and malware are not running on endpoints threatens to be a policy-writing nightmare.

What’s more, NAC tools today typically settle for a definition of endpoint networks so tightly constricted that it ignores all network clients except the various versions of Microsoft Windows. As a result, Apple, Linux, Unix and myriad other handset operating systems, as well as network appliances such as printers and copiers, are almost always excluded from NAC conversations.

Today, NAC tools are aimed primarily at endpoints used by contractors and auditors, which are machines that lie outside the strict control of central IT. It’s clear that many of these systems must be allowed onto controlled networks to provide valuable services and to ensure compliance with a burgeoning host of regulations.

Contractor and auditor systems that are outside central IT control are, as our tests have shown, some of the most resistant to being checked as safe to use. For one thing, it’s hard to put an agent on the systems to run the checks. For another, systems because of licensing concerns assuming that the host network even has access to, for example, the anti-virus signatures used by a particular endpoint.

The other way to combat viruses and malware being carried into the network by visiting systems is to harden internal clients and servers to better withstand the onslaught infected systems will inevitably bring into the network.

Server managers can take a page from the trusted operating system functionality and best practices that are emerging from the Linux and Solaris platforms. Servers can also be protected by taking advantage of their special location in the data center where firewalls and identity-based access systems can be effectively combined to ensure that authorized users alone are able to access the protected resources.

We’ve talked for years about ways that client-side systems can be protected, and we stand by those recommendations today. Least user privilege combined with strict user system lockdown is still one of the best ways to ensure that systems aren’t susceptible to the effects of malware. IT managers who haven’t taken this mantra to heart should pay careful attention to Interop exhibitors that provide endpoint configuration products and services.

At the end of the day, it will likely be a combination of some form of network-based access control and much tighter client-side configuration that will solve the problem of providing network access to information without destroying the network or the clients attached to it. Nonetheless, we think the questions Interop will attempt to answer are worth asking, and we will likely see the NAC technologies that are being put forward today being used for several years to come.

Technical Director Cameron Sturdevant is at cameron_sturdevant@ziffdavis.com.

Interop Las Vegas

Aside from the obvious big NAC players (Cisco, Microsoft and Juniper Networks), here are some interesting vendors and events to put on your Interop NAC tour shortlist.

Stop by Bradford Networks’ booth to see the company’s NAC Director appliance.

Set aside some time to visit ConSentry Networks, whose LANshield controller and NAC-savvy switch equipment are both worth checking out. Read eWEEK’s review of LANshield at www.networking.eweek.com/print_article/High+Priority+on+LAN+Assets/191040.aspx.

At Lockdown Networks, ask to see the Enforcer.

At StillSecure's booth, ask about Safe Access. You can read our take on Safe Access at www.eweek.com/article2/0,1759,2100749,00.asp.

Vernier Software & Technology is showing its latest Edge Wall appliance. Read our review of Edge Wall 7000 Rx at www.eweek.com/article2/0,1895,1870305,00.asp.

At last check, we didn’t see Caymas Systems or TippingPoint on the expo list. However, these two vendors make interesting NAC offerings and also are well worth considering.

Finally, look into attending “The Truth About Network Access Control” May 23 at 3:30 p.m. Cisco’s Russell Rice—who’s always eager to note his role as the “father of NAC”—is an expert on the topic and a rather informative speaker. Juniper, Microsoft and McAfee will all have leading experts on the panel as well.