Rob
NAC seems to cycle between red hot and long droughts of disinterest. I think it suffers from serious issues, but the one that piques my interest the most is virtualization. NAC is in danger of being irrelevant in a virtual world.

Think about it:

  • Server virtualization blurs segmentation models. What happens when all of the backend server resources are VMs? First, it means you have to worry about VLANs and subnets all over again. Second, advanced server tools like VMware's VMotion will mean servers are highly dynamic and can be quickly relocated to anywhere in the datacenter. But more importantly, it means that you need NAC inside your physical servers. Imagine you have two VMs located on the same physical server that can't communicate as per your access control policy. I've already come across one client deploying virtual NAC appliances on servers to limit machine connections based on endpoint status.
  • Client virtualization proliferates MAC addresses and blurs endpoints. Running a hypervisor on a desktop or laptop allows multiple OSes to run simultaneously, each with its own virtual MAC address. How do you quarantine the physical machine and still allow compliant guest VMs to connect? How do you prevent a compliant VM from transferring data to a non-compliant VM on the same desktop? You can by restricting IP addresses, installing NAC agents within each VM, or forcing VPN access, but each of these brings its own granularity and cost tradeoffs.
  • Application virtualization hides settings and blurs endpoint status. Application virtualization will change the way companies distribute apps to endpoints. But isolating an app in its environment can create an air gap between the OS and the application. If you use NAC to scan application settings and not just the basic system attributes like AV signatures, firewalls, and Windows update, then this can prove to be a problem. For example, you will not be able to evaluate a NAC policy that requires your Internet browser settings be set to medium or higher.
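The client-virtualization point above is the one a NAC operator can actually check for today. As an added example (not code from the original post), the script below reads a switch MAC-address table, groups learned MACs by physical port, and flags any port where the one-port-one-endpoint assumption breaks: more than one MAC behind the port, or a MAC whose OUI prefix belongs to a hypervisor's virtual NIC range. The OUI prefixes are the publicly registered IEEE assignments for VMware, VirtualBox, Hyper-V, Xen and QEMU/KVM; the MAC table itself is constructed sample data, and the column layout assumed is the common "vlan, mac, type, port" form.

```python
"""
Flag switch ports that hide several endpoints (physical host plus guest VMs).

Added example, not from the original post. The MAC table below is constructed
sample data in the common "vlan  mac  type  port" layout; the OUI prefixes are
public IEEE registry assignments for virtual NIC vendors.
"""
from collections import defaultdict

# Well-known OUI prefixes (first three octets) used by hypervisor virtual NICs.
VIRTUAL_OUIS = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}

# Constructed sample table: Gi1/0/2 carries a physical NIC plus two VMware
# guests, Gi1/0/3 a physical NIC plus one VirtualBox guest.
SAMPLE_MAC_TABLE = """\
10   00:1a:2b:3c:4d:5e   DYNAMIC   Gi1/0/1
10   00:0c:29:aa:bb:cc   DYNAMIC   Gi1/0/2
10   00:50:56:11:22:33   DYNAMIC   Gi1/0/2
10   00:1a:2b:77:88:99   DYNAMIC   Gi1/0/2
20   08:00:27:de:ad:be   DYNAMIC   Gi1/0/3
20   00:1a:2b:00:00:01   DYNAMIC   Gi1/0/3
30   00:1a:2b:00:00:02   DYNAMIC   Gi1/0/4
"""


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples from whitespace-separated table rows."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank lines and anything that is not a data row
        vlan, mac, _entry_type, port = fields[:4]
        rows.append((vlan, mac.lower(), port))
    return rows


def vendor_of(mac):
    """Map a MAC's OUI to a known virtual NIC vendor, or None for other OUIs."""
    return VIRTUAL_OUIS.get(mac.lower()[:8])


def find_virtualized_ports(text):
    """
    Group learned MACs by port and flag ports that a port-based NAC policy
    would otherwise treat as a single endpoint.
    Returns {port: {"macs": [...], "virtual": {mac: vendor}, "flag": bool}}.
    """
    by_port = defaultdict(list)
    for _vlan, mac, port in parse_mac_table(text):
        by_port[port].append(mac)

    report = {}
    for port, macs in by_port.items():
        virtual = {m: vendor_of(m) for m in macs if vendor_of(m)}
        report[port] = {
            "macs": macs,
            "virtual": virtual,
            # Either signal is enough to warrant a per-VM (agent) check
            # rather than trusting a single port-level posture result.
            "flag": len(macs) > 1 or bool(virtual),
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(find_virtualized_ports(SAMPLE_MAC_TABLE).items()):
        status = "REVIEW" if info["flag"] else "ok"
        print(f"{port}: {len(info['macs'])} MAC(s) {status} {info['virtual']}")
```

Ports marked REVIEW are the ones where a single port-level posture check cannot vouch for every OS behind the port, which is exactly the quarantine problem the bullet describes. An OUI match is a hint, not proof: guests can use custom MACs, so the multiple-MACs signal is the more robust of the two.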

Bottom line: I think 2008 will see a significant culling of the NAC market and top-tier vendors will be those that handle virtual endpoints efficiently. I'd love to hear your thoughts. Has anyone attempted to marry NAC with a virtual infrastructure?