Neighborhood Watch for Network Security?
Peer-to-peer (P2P) approaches work for a variety of different technologies. But can P2P work for serious network security?
A company called InfoExpress thinks so, with its Dynamic Network Access Control (NAC).
Network Access/Admission Control technologies, commonly referred to as NAC, typically involve either hardware infrastructure or client-side software approaches in order to secure a network.
Dynamic NAC (DNAC) changes that paradigm by introducing a peer-to-peer approach that offers the promise of easier deployment, management and scalability.
The privately held InfoExpress is showing off its DNAC approach this week at the Interop networking conference in Las Vegas.
Stacey Lum, CEO of InfoExpress, told internetnews.com that DNAC offers advantages of both software and hardware infrastructure.
Instead of a hardware appliance to control NAC functions and enforcement, as is the case with vendor solutions from Cisco, Juniper and others, DNAC utilizes the collective power of a network of "enforcer" PCs to provide NAC policy enforcement.
A policy server defines the network community and guests and helps to "elect" the enforcer PC endpoints. Unlike software-based NAC approaches, DNAC enforcer endpoints do not enforce policy on themselves, only on other nodes on the network.
"In a sense it's like a neighborhood watch scheme," Lum explained. "Except, instead of just being passive, it's like having a neighborhood watch where you deputize some people to actually call the police."
Lum argued that DNAC solves the first major barrier to adoption for a NAC solution. "The ease of use and ease of deployment is really a huge issue and is the first barrier most customers have to cross."
Scalability is also a barrier to adoption of traditional NAC approaches based on hardware infrastructure. Lum said DNAC solves that issue because the "enforcer" population can grow as the network grows.
Eric Ogren, senior security analyst at the IT research firm Enterprise Strategy Group, is of the opinion that the peered approach offered by DNAC can work very well.
"I like the fact that it does not require incremental hardware on every LAN segment, does not require software installation on every end-point, and seems easy to manage once deployed," Ogren told internetnews.com. "DNAC can do a nice job of ensuring that only endpoints with compliant configurations participate in the network."
DNAC is not without its own barriers to adoption though.
Ogren pointed out that large enterprises tend to purchase infrastructure products from large vendors. InfoExpress is a privately held firm, is significantly smaller than Cisco or Juniper, and is one among many players in the marketplace claiming NAC innovations.
"The biggest potential barrier is the amount of NAC noise in the market, especially from big vendors that don't have deployable products," Ogren commented. "It seems like everyone has a NAC capability now. InfoExpress will need to show how effective the DNAC approach can be at attractive price-points, and that it is doing the job today."
John Pescatore, VP for IT research firm Gartner, agreed.
"Probably the biggest barrier is that it is a proprietary, one vendor solution - not something coming out of industry standards with lots of vendor choices," Pescatore said. "So, seeing InfoExpress get some implementation partners is key to enterprises trying it out."