In-Depth

SNA and the Hot New Network Security Paradigm

No, Systems Network Architecture (SNA) isn’t making a comeback. Instead, Nortel’s Secure Network Access (also SNA) deliverable is the latest take on a hot new network security paradigm

• By Stephen Swoyer
• 02/28/2006

Two weeks ago, Nortel Networks unveiled the first entry in a new line of SNA deliverables—in this case, a secure switching device designed to compete against similar products from Cisco Systems Inc., Juniper Networks, and others.

Nortel’s SNA gambit has nothing at all to do with the venerable Systems Network Architecture (SNA) of the mainframe world—and everything to do with still another acronym: Network Access (or Admission) Control (NAC), which can describe one of two things: an endpoint security (or “posture assessment”), policy enforcement, and identity-driven network access model; or Network Admission Control, a branded endpoint security, policy enforcement, and identity-driven network access program first developed by Cisco. The latter is an instance of the former, but the former is not (or, rather, cannot be) an instance of the latter.

The arrival of an SNA switch from Nortel doesn’t mean a comeback is in the cards for Systems Network Architecture. A few months ago, in fact, Nortel co-opted the SNA acronym of old (which has been effectively mothballed for several years) for its new-fangled Secure Network Access (SNA) initiative. This new SNA competes with Cisco’s NAC, Microsoft Corp.’s Network Access Protection (NAP), and the Trusted Computing Group’s (TCG) Trusted Network Connect (TNC) initiatives.

Other networking players, such as Juniper (with its Unified Access Control, or UAC, program) and Extreme Networks Inc. (with its Extreme Security Framework, or ESF, initiative), among others, have announced self-defending network strategies that incorporate NAC concepts and methods.

Behind the Wild Profusion of Acronyms

All NAC programs have the same raison d’etre: damage control. They aim to reduce or eliminate the damage caused by outbreaks of malicious software in today’s hyper-connected enterprises. They do this by ensuring that network (or “endpoint”) devices are (reasonably) threat-free (up-to-date on known software patches, anti-virus definitions, the latest firmware, etc.) before they’re permitted to access network resources; by enforcing appropriate security policies at the user, application, and resource levels; and by interoperating with enterprise directory services and other authentication mechanisms to enforce identity-driven network access.

NAC assumes an unprecedented degree of cooperation between and among hardware vendors (including the usual networking suspects, as well as PC, wireless, and other “endpoint” device manufacturers), anti-virus and security software vendors, operating system vendors, and systems management vendors. It shouldn’t surprise anyone, then, that the nascent NAC push has inspired an enormous partner ecosystem.

Cisco and Microsoft are putative rivals in the NAC space, for example, but both companies have firmed up a tentative agreement to make their solutions interoperable. Even so, both companies are going all-out in pursuit of their own pet NAC programs. Cisco—which was first out of the NAC gate with its own branded NAC program—has enlisted the support of industry heavyweights including IBM Corp., Computer Associates International Inc. (CA), Internet Security Systems Inc. (ISS), McAfee Inc., Symantec Corp., and Trend Micro Inc.

Microsoft, for its part, is partnering with most Windows network and systems management vendors (companies such as Altiris, BigFix, ConfigureSoft, LANDesk Software, PatchLink, Shavlik, and St. Bernard Software), all major anti-virus vendors (Extreme Networks, F5, F-Secure, McAfee, Sophos, Symantec, Trend Micro), prominent networking players (Extreme, Foundry, Juniper, Nortel), and other prominent ISVs, including firewall powerhouse Check Point Software Inc., thin client specialist Citrix Systems Inc., and CA.

NAC Takes Its Bow

Last week’s RSA Conference 2006 might one day be remembered as a mainstream coming-out party for NAC. Microsoft chief software architect Bill Gates was on hand to discuss the NAP-inization of Redmond’s forthcoming Windows Vista operating environment. Elsewhere, anti-virus and security software specialist (and Cisco NAC partner) McAfee took the wraps off of its own NAC strategy; security giant (and Cisco NAC partner) Symantec announced plans to deliver its own NAC appliance, due this April; Cisco delivered its NAC-ready Security Management Suite and touted NAC-related enhancements to its SSL VPN products; and Nortel unveiled its first-ever NAC deliverable, the aforementioned SNA switch.

Vendors seem to have NAC on the brain. There’s a reason for that. According to market watcher Infonetics Research, worldwide manufacturer revenue for NAC enforcement products and services is set to explode over the next three years—growing from a modest $323 million last year to $3.9 billion by 2008. That’s an increase of 1,101 percent. Clearly, NAC is big business.

It’s also unfinished business. There are no less than three proposed NAC paradigms, and—if history is any indication—it’s going to be a long time before the industry as a whole gets the knack of interoperable NAC. In the meantime, everyone’s jockeying for position. Right now, according to Infonetics, Cisco's NAC is the most recognized of the three main flavors, followed by Microsoft's NAP, and TCG’s TNC is a distant third. That could change, however—and quickly, as new vendors climb on board the NAC gravy train.

Consider SNA. Nortel is an arch-competitor against Cisco in the enterprise. It has little or no incentive, then, to accommodate Cisco’s NAC program. Instead, it has positioned SNA as compatible with NAP and TNC—but not with Cisco's NAC. Ditto for Cisco competitors Extreme and Juniper.

Will the majority of networking players employ similar strategies? “There is a great deal of uncertainty in the market as the result of Microsoft, its NAP initiative, Cisco and its NAC initiative, and the TCG/TNC, and dozens of implementations coming from small and large competitors alike in the market,” says Joel Conover, a principal analyst for enterprise infrastructure with consultancy Current Analysis. For example, Conover notes, Nortel hasn’t yet delivered SNA-compatible firmware updates for its enterprise switches and routers—which essentially makes its first SNA switch deliverable a non-starter for many prospective customers.

Conover also thinks Nortel and other vendors need to take a more active role in promoting the otherwise feckless TNC. “Nortel needs to lead the charge in transforming the TNC/TCG organization into one that not only defines standards, but one that also provides market visibility and guarantees compatibility and assurance in the industry,” he concludes.

But what of NAC today? NAC-ready solutions are just starting to go mainstream, and interoperability is still a big question mark. “Much like all new technologies, NAC vendors are fighting to create de facto standards and customers who try and remain somewhat vendor-neutral are uneasy in deploying an end-to-end single-vendor solution whether it be from Cisco or Microsoft,” says Matt Godden, president and CEO of Xoasis Networks Inc., a provider of IP telephony solutions for small- and medium-sized businesses. Xoasis and other small players are watching the NAC space with especial interest: they’ve typically got to interoperate with a range of different gear, from a host of different vendors. So NAC Babel could overwhelm them.

A Pragmatic Approach to NAC

There’s another wrinkle, too. Cisco was first out of the gate with NAC, and most of its networking rivals—companies such as Extreme, Juniper, and Nortel, to name a few—have aligned themselves with competitive NAC models. This might help check the momentum of Cisco’s own NAC program, but Godden says the networking giant has wisely based its branded NAC initiative on key open standards, too. “Fortunately for Cisco they've taken a very open approach in including other security vendors early-on and certifying them on the Cisco platform. At the same time they've chosen to use key standard components to make up this new technology, like their dependence on PKI [public key infrastructure], which the Department of Defense and Federal Government have trusted for years to police their networks,” he points out.

Fact is, there’s a paucity of NAC-ready standards, so most players will adopt (or retrofit) existing standards where necessary, says Roy Chua, co-founder and vice-president of marketing with Identity Engines, a networking start-up with a Cisco-heavy pedigree. In the identity-driven authentication segment, for example, most NAC players can and must accommodate existing standards. “There are quite a few players trying to wrest control [of the NAC authentication segment] by putting an in-line product in place. Our view is that it’s much better to go in there and work with what customers already have—the Ciscos, the Extremes, the Foundrys. We work with what’s already there,” said Chua, in an interview late last year. “What’s already there” can include venerable RADIUS technology, along with new-fangled authentication schemes such as LDAP, Novell’s eDirectory, and Microsoft’s Active Directory Services, among others.