Symantec leads effort to create open source NAC client

Network access control (NAC) depends on either Windows or expensive third-party software for mobile devices; a new alliance is working on a free open source NAC edition.

When customers of value-added reseller Novacoast Inc. want to limit the risk to their networks and data centers from laptops and other mobile devices, the VAR offers network access control products from its partner Symantec Corp.


But Symantec's Sygate NAC products, renamed with the parent company's name after Symantec acquired Sygate in 2005, rely on a "less than capable" Linux authentication client, which has created some difficulties for Novacoast and its customers, according to Al Maslowski-Yerges, project and security practice manager and lead engineer.

Maslowski-Yerges sees hope, however, in an open source 802.1x authentication client that Symantec and five other vendors are developing.

"It gives us the flexibility to customize the client for a specific situation, and promote integration with other products and offerings," he said.

NAC authentication clients – called supplicants – are small pieces of software that run on mobile devices and request permission to connect from an access-control server, which can enforce security policies and update antivirus or other security applications on the client, before granting the device an IP address.

A NAC supplicant is built into Windows XP and Vista, but most implementations rely on software of varying abilities purchased from third-party networking companies.

Symantec is now leading an effort to create a consistent, cost-effective alternative, allying with TippingPoint, Trapeze Networks, Extreme Networks, Identity Engines and Infoblox in a consortium called the Open Secure Edge Access Alliance to develop it.

Working with Jon Oltsik, a senior analyst with Enterprise Strategy Group, and JANET/UKERNA, the group is building an open source 802.1x supplicant that will authenticate network devices before they are assigned IP addresses.

Alliance members hope the open-source supplicant will help proliferate 802.1x technology much in the same way that OpenSSL did for the Secure Sockets Layer protocol. In turn, that will bring more opportunities to their channel partners, Oltsik said.

"Having an open-source supplicant guarantees some degree of interoperability, and that's where it will most affect the channel," said Brian Smith, chief architect for Austin, Texas-based TippingPoint.

"We all see that 802.1x technology is offering a lot of promise to customers," said Paul Sangster, a distinguished engineer for Symantec and executive director of the OpenSEA Alliance.

"This will support an open environment," he said. "It doesn't matter whose back end is involved. The OpenSEA Alliance supplicant will work."

Most customer organizations do not authenticate endpoint devices in any way, leaving them susceptible to attacks launched from desktop and laptop computers, USB drives, MP3 players and other portable devices. Those that do can either rely on the supplicant in Windows XP or buy third-party products from Cisco Systems Inc., Juniper Networks Inc. and some smaller vendors.

"That can get pretty expensive," Smith said. "It's $20-$25 a head."

Furthermore, most third-party supplicants do not work well -- or at all -- on non-Windows platforms, Sangster said.

But the biggest reason organizations do not purchase 802.1x is the cost and hassle of upgrading their network infrastructure to be compatible, Maslowski-Yerges said.

Although the OpenSEA Alliance's supplicant won't directly do anything to change that, "it'll be a lot easier for folks to invest in a new architecture on the back end knowing there is a standard that will be supported on the front end," he said.

Those factors spurred the planning of the OpenSEA Alliance, which began last summer.

"It really started to look like 802.1x was going to be a proprietary standard rather than an open standard," Oltsik said.

"Creating something around open source made the most sense," Sangster said.

Having the backing of six vendors will make customers more comfortable with using open source software, Smith said. Oltsik said the alliance's supplicant will be "Firefox-like" in terms of its wide availability, robustness, compatibility with multiple platforms and -- hopefully -- its success.

The OpenSEA Alliance, an incorporated nonprofit organization, will demonstrate the supplicant at Interop Las Vegas later this month. There is no timeline for its public release, but "we'll have something that is enterprise class sometime soon," Oltsik said.

The alliance may go on to develop other open source security products, but members are focusing solely on 802.1x now.

"We want to get the first one off the ground," Smith said.

Let us know what you think about this story; email: Colin Steele, features writer.
