Microsoft Vista security impresses those hot for NAC

Interop poll gives new feature the thumbs-up

Microsoft's network access control client in Vista and now in Windows X has a lot of IT executives excited, according to an informal poll of about 250 attendees of an Interop Las Vegas NAC seminar who are actively considering deploying the access technology.

About a third of them say they would use the NAC support in the Microsoft client software rather than pay more and deal with deploying and maintaining a client with more features that they have to pay extra for. Microsoft calls its NAC technology Network Access Protection (NAP)

Slightly fewer said they would pay extra and deal with the additional work needed to deploy a better client. About a fifth of the group didn't respond to the call for a show of hands when asked by the session's instructor, Joel Snyder a partner in Opus One consultancy and a member of Network World Lab Alliance.

Many vendors make gear compatible with Microsoft NAP, including Cisco and vendors that follow the standards set by the Trusted Computing Group (TCG).

But NAP didn't escape unscathed by a panel during the Interop NAC session. Participants noted that in order to support non-Microsoft machines, customers have to deal with third-party vendors that make software that can report the status of Linux, Unix and Macintosh machines to NAP servers.

Sophos, which makes such a NAP client that also interoperates with Sophos' own desktop security software, says it's more convenient to get all the data about the endpoint in one place rather than have separate clients. "You look in one place and get all the information — from the firewall, NAC, [desktop security software]," says Chester Wisniewski, product specialist for global sales engineering at Sophos.

"Our APIs are available to any partner," says Manlio Vecchiet, a group product manager in the Windows server division of Microsoft.

One of the knottiest problems with NAC technology remains how to get data about devices that can't run NAC clients such as phones and printers, panelists say. The best way to deal with it is checking the behaviour of devices continuously after they are admitted to the network to flag and block them when they stop acting like printers and phones.

"If these devices do things they shouldn't, you need to know," says Brendan O'Connell, a senior product manager at Cisco who also was on the panel.

To that end the TCG announced at Interop that it has a new standard that lets other security devices share network security data with NAC platforms. The data is posted centrally and can be tapped by any of the devices. That way firewalls, intrusion detection/prevention systems and the like can contribute to ongoing monitoring of devices.

Join the newsletter!

Error: Please check your email address.

Tags MicrosoftvistaSecurity ID

Show Comments
[]