InfoExpress to release dynamic NAC product 2 May, 2006 By Chris Talbot

PromoPipeline Exclusive Channel Promotions Find Out How You Can Make Money Today! ENROLL FREE! >> Factory Direct Should Not be Cheaper William Vanderbilt - Innovative Learning Channels Cloud Ecosystem II: A Candid Conversation with Oracle Beth Vanni - Amazon Consulting Cloud Ecosystem: A Candid Conversation with Rackspace Hosting Beth Vanni - Amazon Consulting Channel Manager Compensation William Vanderbilt - Innovative Learning Channels Financial Expertise William Vanderbilt - Innovative Learning Channels

CyberGatekeeper with Dynamic NAC (DNAC) was designed based on what the company learned about NACs and the NAC market over the last couple of years, said Stacey Lum, CEO of InfoExpress.

"If you look at the number of LAN-based NAC deployments out there, it's actually slower than most people think. The reason is getting the infrastructure updated to support network access control ... is fairly significant. It's a really big challenge for mid-sized enterprises and nearly impossible for the smaller ones because it's a lot of work and fairly expensive," Lum said.

With DNAC, the idea is it dynamically creates a pack of endpoint enforcers on the network that look for unauthorized endpoints and, when they spot them, quarantine them.

"With dynamic network access control, what we've done is taken the paradigm that's being used for infrastructure NAC and shifted it so it gets into some of the endpoints on the network," Lum said.

He added, "We're using the trusted members of the community to enforce access of untrusted members of the community."

According to Lum, DNAC provides more scalability than infrastructure-based NAC because the more endpoints there are on the network, then the more enforcers that could be on the network itself. Essentially, trusted endpoints act as those enforcers, meaning it's a peer-based NAC system.

"It's a scalable approach. It doesn't require changes to the network configuration," he said.

InfoExpress' DNAC product organizes endpoints into communities of enforcers, reserves that can become enforcers, guests that don't act as enforcers and unhealthy endpoints that need to be quarantined by enforcers until they are healthy (and once they are healthy, they could become enforcers). In the centre of all of this is a policy server that the endpoint enforcers communicate with.

Lum compared the process to a neighborhood watch program. The policy server knows who all the neighbors are and creates a trusted group of neighbors, he said. When a new endpoint tries to connect to the network, the enforcers check the traffic coming from that endpoint. If they don't recognize the endpoint, the enforcers quarantine it and bar it from connecting to the network until it's been checked out and deemed healthy.

By moving the NAC infrastructure into the endpoints, it makes it easier to configure because there doesn't have to be a networking group changing configurations to support DNAC, Lum said.

"There's also no need to reconfigure the network with subnets or access control lists because the enforcement is being done by the endpoints," he added.

With DNAC, client software and a policy server have to be installed, and that's it, Lum said. For an infrastructure NAC to support equivalent functionality, an administrator would have to install a RADIUS server, configure 802.1x ports, and reconfigure the network with VLAN, router ACL, new subnets, the RADIUS server and other elements, Lum said.

"We focus on the ease of use with this approach and yet provide the same benefit as infrastructure NAC," Lum said.

For the channel, the sweet spot will be in medium to large enterprises, mainly because the tools to deploy DNAC are coming from InfoExpress' CyberGatekeepers product geared towards such companies, Lum said. However, there is the ability to scale the product down into the SMB market, as well.