NAP shot – Why Microsoft’s access control feature in Vista has many execs excited

Microsoft’s network access control client in Vista and now in Windows X has a lot of IT executives excited, according to an informal poll of about 250 attendees of an Interop Las Vegas NAC seminar who are actively considering deploying the access technology.

About a third of them say they would use the NAC support in the Microsoft client software rather than pay more and deal with deploying and maintaining a client with more features that they have to pay extra for. Microsoft calls its NAC technology Network Access Protection (NAP)

Slightly fewer said they would pay extra and deal with the additional work needed to deploy a better client. About a fifth of the group didn’t respond to the call for a show of hands when asked by the session’s instructor, Joel Snyder a partner in Opus One consultancy and a member of Network World Lab Alliance. (Compare NAC products.)

Many vendors make gear compatible with Microsoft NAP, including Cisco and vendors that follow the standards set by the Trusted Computing Group (TCG).

But NAP didn’t escape unscathed by a panel during the Interop NAC session. Participants noted that in order to support non-Microsoft machines, customers have to deal with third-party vendors that make software that can report the status of Linux, Unix and McIntosh machines to NAP severs.

Sophos, which makes such a NAP client that also interoperates with Sophos’ own desktop security software, says it’s more convenient to get all the data about the endpoint in one place rather than have separate clients.

“You look in one place and get all the information — from the firewall, NAC, [desktop security software],” says Chester Wisniewski, product specialist for global sales engineering at Sophos.

“Our APIs are available to any partner,” says Manlio Vecchiet, a group product manager in the Windows server division of Microsoft.

One of the knottiest problems with NAC technology remains how to get data about devices that can’t run NAC clients such as phones and printers, panelists say. The best way to deal with it is checking the behavior of devices continuously after they are admitted to the network to flag and block them when they stop acting like printers and phones.

“If these devices do things they shouldn’t, you need to know,” says Brendan O’Connell, a senior product manager at Cisco who also was on the panel.

To that end the TCG announced at Interop that it has a new standard that lets other security devices share network security data with NAC platforms. The data is posted centrally and can be tapped by any of the devices. That way firewalls, intrusion detection/prevention systems and the like can contribute to ongoing monitoring of devices’ behavior.

Vendors acknowledged in response to questions from attendees that setting up NAC is a slow, methodical process and may in its initial phases require significant work. That is especially true of networks lacking updated infrastructure to support the form of NAC chosen, says Cisco’s O’Connell.

“When you put NAC on your network, you probably are going to have a fair amount of spending on your hands,” he says. “If you’ve ignored your wiring closet in the last 10 years, you’re going to have some work to do.”

The upside is that the investment will be worth it because the network will have a needed overhaul.

Other vendors noted that phasing in NAC in monitoring mode first to find out just how many devices would be rejected is the best way to deploy. Once the majority of endpoints are remediated to pass NAC inspection, enforcement can be turned on without disrupting business, they say.

Interest seemed high in NAC, with the workshop selling out to about 250 attendees who had to come a day early to pay for the class.

Vista’s proprietary NAP has been cited as one reason that many businesses are not upgrading to Window’s newer OS from XP. But one analyst says there’s really no other choice, and upgrading is inevitable.

In a report he authored, Forrester analyst Ben Gray damned Vista with some faint praise, saying that for large businesses, there was “no viable alternative.” Companies may talk about non-Windows operating systems — Apple Inc.’s Mac OS X and the open-source Linux in particular — but “they’re not looking to swap out thousands of users,” Gray said.

“Companies are trying to figure out where these alternatives make the best fit, maybe pilot [Mac OS X or Linux] in small batches, but on the whole, it’s almost a check-mark kind of thing.”

The lack of a viable alternative to Vista may be a fact, but it doesn’t mean that every business likes the idea of upgrading to an operating system that has been dinged by both users and the press. “Vista’s problems are driving a lot of companies to rethink everything,” said Gray.

The hesitation to bet the bank on Vista was illustrated by a different Forrester report last month. Then, the research firm touted polls that surveyed 50,000 corporate users throughout 2007. The results, said Forrester, showed that Windows XP usage had not budged during the first year of Vista’s availability. Instead, the rise in Vista use — by the end of 2007, 6.3% of users were running it — was matched by a decline in Windows 2000 usage.

“Companies have clearly pulled back on their very aggressive migration plans, in some cases by a couple of quarters, in others by a couple of years,” Gray said. “And there’s a lot of resentment that Microsoft dominates the [desktop] operating system, which is why people are looking at Mac and Linux.”

But businesses should put all that should aside and start their migrations to Vista soon, Gray argued.

“There’s no question that adoption of Vista has been tempered to date,” he said, “but now that [Vista] SP1 is out, that’s going to help adoption. It’s the official blessing of Vista.”

— with files from Gregg Keizer

Share on LinkedIn Share with Google+