Jeff Boles

Virtual Frontiers

NAC, simplifying access in a shrink-wrapped marketplace

Network access control is an idea we've all been working on for a long time in one way or another.  If you've touched a router, switch, or any other network device in the past decade, my suspicion is you've had some thoughts about network access control.  What's being touted as network access control today is really the result of feature-set evolution in response to more than a decade of demand for new tools.  That demand arose as we all figured out how to work around limitations in existing architectures to control access to enterprise resources.  In some cases the workaround has been restrictive DHCP leases: we've used separate address pools and required authentication to some central mechanism before a port is allowed into the right pool.  In other cases we've applied access control lists at the port level or close to it.  At times, and where we could afford it, we've distributed firewalls, big and small.  We've even turned to host profiling (think Nmap, Nessus, IP stack fingerprinting) to identify anomalies and help mitigate potential issues.

But in the end, NAC as a set of products or an approach to network resources is a lot like a virtualization technology.  The common benefit of virtualization technology is a simplification of management of the infrastructure, which you can get in a number of ways.  But once you've worked a sophisticated kludge enough yourself, you have to ask whether you really need a virtual solution.  NAC could be a simplification of complex architectures, but unfortunately we've shot ourselves in the foot, because all of these workarounds haven't ever been addressed as an industry standard.  Today, if we try to re-engineer them, there's not a cookie cutter approach that requires anything less than a total overhaul.

What we should be left with in NAC is an evolutionary development of current architectures, such as 802.1X, that are standardized and fully interoperable.  There's some discussion afoot about interoperability, but in reality the market has greatly fragmented itself with a bunch of different solutions and a poor definition of what NAC is.  We're left not with a solution set but with a lot of different packaged-up products.

I think the road for NAC in the enterprise is going to be a long road, slow to come.  Think of it as a new protocol or architecture, but not a product.  Hold on to those dollars until you see that architecture emerge, and don't fool yourself thinking you're buying something better than a band-aid in the meantime.

What People Are Saying

Jeff - your description of how people have been grappling with the problem which NAC tries to solve is dead on. This was exactly what we saw doing customer research in early 2003, which gave rise to our first release of Safe Access in April 2004. I also agree that the current state of network configuration does not lend itself to an interoperable standard. However, it is getting better. Just ask Joel Snyder and the Interop lab guys. Also, the work that the TCG/TNC is doing is starting to help. I will write more about this on my blog http://www.stillsecureafteralltheseyears.com