Asia Press Summit
Conference Debate Session I
Network Access Control – Seeing the Forest through the Trees
Chaired by: Rene Millman
News Editor, SC Magazine
Gregory Fitzgerald Vice President Marketing, TippingPoint
Steve Mock VP of Business Development, Infoblox
Neil Diener Chief Technology Officer and Co-Founder, Cognio
Andrew Ma Head of Solution Marketing, Asia Pacific, Juniper Networks
Matthew Zanner Worldwide Mobility Solutions Manager ProCurve Networking, HP
I'm Rene Millman. I am the News Editor of SC Magazine. I'll try to talk as slowly as I can in order
to make sure that our translators can get through…translate basically.
Next slide please.
So, NAC (Network Access Control) is a big topic really. It's something that's only just starting to
take shape in Asia. In Europe it’s a little bit further down the line. We believe that in the States it's
even further. Basically, it's about making sure that the good guys are kept in and the bad guys are
kept out. But that's a very simplistic way of looking at it really.
It's also down to making sure that things such as anti-virus, anti-spam and anti-spyware measures
are on each client device or server and also making sure that the network itself has the intelligence
to deal with those security threats. It's also about having a particular policy for your organisation or
infrastructure and making sure that that policy is enforced.
Can you just repeat that again please?
Asia Press Summit NetEvents
Sorry. I'll be getting that in a second.
So, basically the network, for Network Access Control, is split into three parts here. You have a
NAC client on the device, such as a laptop or a desktop computer or even, say, a phone or a PDA,
and that will go through the network here. You will see we have network NAC switches and NAC
appliances enforcing the policy within the network. And at the back end, we have an
appliance that is responsible for the policy, authentication and authorisation.
So, one of a few factors to consider with NAC is scalability. You have to make sure that the
system works whether it's 100 end devices or 1,000. Management has to be quite simple to
understand and roll out and be able to enforce policies. And also another topic is compliance.
Increasingly now, with Sarbanes-Oxley and Basel (two regulations), companies need to be in
compliance and show to the relevant authorities that their infrastructure is safe and strong against
As far as NAC is concerned, well, there's NAC from Cisco (and also NAP, which we'll get onto in the
discussion). But you will see in the next few years, from the Infonetics Research survey here, that
basically 30…a third of respondents in the survey said that they were considering
Cisco's industry initiative, NAC, as opposed to Microsoft's own brand (NAP). And also, as I said,
trailing in third is another, more open standard for the trusted network, the Trusted Network
So, in the debate they will be trying to…we'll be talking about how NAC is evolving. Again, talking
about the different types of access control that are out in the marketplace at the moment. And
whether or not maybe Cisco or Microsoft will merge their efforts and develop a joint package which
will allow organisations to take the best of both worlds and integrate them into their own
So, now I've gone to the next bit which is introducing the panel:-
We have from TippingPoint, Gregory Fitzgerald who is the Vice President of Marketing.
Steve Mock who is the VP of Business Development at Infoblox.
Neil Diener; Chief Technology Officer and Co-Founder of Cognio.
Andrew Ma; Head of Solutions Marketing at Juniper Networks.
And last but not least, Matthew Zanner; Worldwide Mobility Solutions Manager of ProCurve
Networking at HP.
Singapore, 18-19 May 2006 2
The first question to the panel is: in Europe, and more so in the Americas, we're a lot further down the line as
far as awareness of NAC (Network Access Control) and the products. Do you think…how do
you see the market in Asia? And how different do you see that to where we are elsewhere in the
world? Let's throw it open to anyone that wants to take it.
I guess I'm the only one that is physically located in Asia. Let me start. So we definitely see the
awareness building up in Asia Pacific. Of course, Asia is such a large spectrum of countries.
Various countries like Japan and Australia are of course going into a more mature stage,
understanding that perimeter defence is not enough for the next generation of security threats. That's
why they are considering it, and we have a lot of trials where people are interested in understanding
all these deployments of access control. Of course there are other types of countries in Asia that are just
trying to understand the technology, the relevance to their scenario and things like that. So it's a
wide range, a wide spectrum, from our understanding.
I am not sure if the US is really that much further ahead anyway. If you look at the statistics that you
just showed, there's an interesting dichotomy. You have Cisco NAC and Microsoft NAP as two
of the big driving forces. Microsoft NAP is reliant on Microsoft Vista (the operating system) and Longhorn
Server. As everybody knows, Cisco have just put out till next year the ports available. Most
major enterprises in the United States will not adopt the 1.0 version of the software products, so they
wait for the next. So 2007 then becomes 2008 before we'll use that. Typically then they won't just
wait for their laptops and their hosts to be renewed. It will be 12 to 24 months after that before you
will start seeing any reasonable-sized enterprises have a full, comprehensive Windows solution in
that particular case. And that's probably 2010 in that case.
Take Cisco on the other hand. Cisco's story is that it's a one-vendor solution. They suggest that you
throw away most of your network infrastructure and buy all new infrastructure, which is a good idea
if you're Cisco. So it will probably be a five-year depreciation cycle before people would actually
start doing that over time. So that again is 2008/2009. So really they've generated a lot of awareness
of this problem, but the solutions aren't there today. So it actually creates opportunity for other
vendors like ourselves to be able to reinforce those solutions as well as provide different solutions
that solve the problems in different ways.
We see the network in Asia growing with various independent best-of-breed solutions for access
control, be it biometrics, be it SSL VPN, be it the NAP from Microsoft with the desktop
host integrity, to specific vendors. And I think everyone is trying to just understand how they work
independently before they can mature to bringing them all together in a cohesive security offering
with all the various vendors. Again, I concur with the analysts here that the United States and
Europe are not ahead of the game of Asia, and it's still a very open experiment at this point in time.
I think it's important to note that the needs and drivers within the Asian markets really aren't any
different than what happens in North America and Europe. It's the same concerns, whether you
characterise it at a very high level as trying to keep the bad guys out while maintaining appropriate
access to the good guys on our network. The needs are there. They're consistent across all regions
around the world. I think it's important…on your slide that showed the Cisco approach and the
Microsoft approach and then that third bar (that rather small bar). What we at ProCurve have spent a lot
of attention on actually is the Trusted Network Connect group, because it's so much more open. It's
a standards-based approach to promoting this across all these different players and the various
industries, and allowing for a much more open environment as we start to digest what Network
Access Control really means. Rather than trying to force the hand on what the technology actually
brings you, and forcing people to adopt a certain path where they don't really have the flexibility and
choice to change some things and adapt them differently in the future.
So what you're saying is: do you think that the openness of Trusted Network Connect will actually
gain much more traction than going down a proprietary route?
I certainly see a lot of promise there. If you look at the list of 50 or so companies that support Trusted
Network Connect, I am pretty sure a lot of us on this panel support that. I mean, one notable
exception that's not on that list is Cisco. So when you look at…someone mentioned that
it's very much in a state of evolution today, right? There are companies focusing specifically on one
or two aspects of Network Access Control. There are others from the infrastructure side, such as HP,
that are trying to take a more infrastructure-centric view. In order for all of those people to play
together effectively, an open environment and framework really is the way for that to occur. So it
allows customers to get the best of both worlds, whether it's a very specific point solution or a
more broad infrastructure-based solution, allowing them to interact much more readily.
One thing to add on Matthew's comment: basically, when we talk to customers about Network Access
Control and things like that, one of the important aspects that people really ask (one of the top three
questions) is: where is my cost in deploying it? Not just a one-time cost, but ongoing. Because they
know the standard is still evolving. There are new things coming out. They are very concerned about being
locked in by one vendor this early in the game. They know that's not going to favour
them in terms of negotiating the best deal, getting better-class solutions. Those are the concerns that a
lot of IT managers reflect back to us. So open standards, keeping costs down, and people participating to
help them solve the problems are definitely the way to go.
You said earlier that the Asian market is so diverse. You're going from one extreme to
another. So at one end we've got maybe the "method in place" mentality, where you'd have to strip out
everything. But on the other end we've got basically a greenfield site where there's no
infrastructure. Is it still the same ethos? I don't want to get locked in regardless of where you are in
Definitely that plays a significant factor in what solutions to choose. I think the important
aspect is that in the ecosystem there are players that have the best solutions. And there are system
integrators like HP and others, understanding all the different pieces and integrating suites that
give them what they need. So we need to develop that ecosystem in each country to fit the customer's
needs. And the needs in Japan are very different from the needs in Singapore and Indonesia. The local
expertise in understanding each customer's needs relies on people in the country who integrate the
best-priced solutions in the world that suit that country's need. I think that's the way to go.
We do, and I agree. And I think we do see certain countries taking a lead because certain businesses
are more mission-critical. For example, Korea for TippingPoint has proven itself to be extremely
sensitive to their businesses either being attacked or having a wide variety of worms or viruses
or other malware from inappropriate people coming into the network, because they have a very
large bandwidth going into and out of that country.
Particularly with China, it's still brand new; security is much lower on the development list because
the emerging economies are still just trying to build a network in general. Whether it's proprietary or
distributed is almost irrelevant at this point because they have other concerns above security.
So we see a very broad base of implementations of Network Access Control, and most of the time
it's very simple: just using a password today. But the defence-in-depth strategy, which everyone
here on the panel is taking, is one where, as countries mature, they realise they must, it's required, to
have much more than just simple authentication. They must have a much more sophisticated
approach or else their economies, their businesses, are in jeopardy.
True. You made it [indiscernible] on your questions, so if you look at growth and opportunity,
whether it's starting from scratch (and it might represent many companies in China or Korea or
anywhere in Asia as well as the US), really it depends on the IT manager. They say: you know what,
I'm perfectly…I love Cisco, I've worked for Cisco and all I ever want to be is a Cisco person. Then
they will probably lean towards that solution. Likewise if they are a Microsoft house, they might lean
towards that solution.
However, what you would hope is that an IT manager would say: I don't want to be locked into any
one vendor. I'd rather have the flexibility now and over time to take the best-of-breed solution for each
of the point areas that are critical to me and meet my business needs, to do what we're doing today
as well as in the future. And I'd go through a variety. So it's a lot of work actually. They've got to
look at a lot of products, a lot of vendors. It's an evolving area, a lot of solutions. But they can
pick…there is a lot of flexibility out there for them to pick the right solution for them for their
On Network Access Control, it's not about building up a framework, whether it's Cisco-led,
Microsoft-led or open standard. It's all about developing a framework. Do you think we need
actually that framework in place? Or is it still pretty much a work in progress?
I think it's very much a work in progress. I think, depending on the vendor you're talking to, we all
have our own interpretation. We probably agree at a high level about what the general approach
should be about defence. It's certainly a common theme. But it's absolutely a work in progress to have
a generic approach to Network Access Control across vendors and customer environments alike.
I would like to remind people that Network Access Control gets a lot of attention but it is not the
end-all, solve-all answer to security problems.
Appropriate access control is a big part of securing your network. But look at how to build other
capabilities actually into that network, and not have to rely on specialised solutions to do bits and
pieces in there, like anomaly detection. So, I have ensured that the appropriate people are the ones who
access my network. Now how do I allow the network to be smart enough and have enough
intelligence in the network to actually go out and detect anomalies automatically? And then there is
the response to that as well. So it's detected something. Now I need to figure out what to do with
this. And also, aligning that around a company's security policies is a very effective way to go. And it
takes a lot of burden off that network administration staff from having to add additional resources
and people to go out and understand how to implement these things. So it's very much in its
formative stages today. I think it's up to us and others in the industry to help people through that and
provide different sources and opportunities to get those things.
As I was saying, there is more than one way of going through this. It's either sticking a security appliance
within the infrastructure, or you try and build that security into the network itself, into the structure
itself. I mean, what current efforts, again, I'm going to direct this to you really. What kind of efforts
are being made so far to have security within the switches in the network infrastructure?
We will try again to provide as much choice and flexibility for our customer base as possible,
recognising that ProCurve is a dominant player in enterprise networking. There's another dominant
player out there that far surpasses anybody else from the market share standpoint.
It's important to recognise that, as you mentioned, there are customers coming from a Cisco mindset
that may like the idea of transitioning, but making an abrupt transition is not possible for them, just
from costs and resources alone. So you need to be able to offer a choice in the form of an appliance, to
have an overlay-based solution to drop into someone's network that may be ProCurve-based. But
also focusing a lot of investment and R&D around building in that security capability, be it Network
Access Control, or virus throttling or anomaly detection, down at that switch port or at that wireless
access point. So that the network can adapt and respond to those security threats now and into the
future without adding that additional burden of dropping in different things that need different
management constructs around them in the network.
It can't happen overnight. We'd like to think people that are buying into choosing us to be their
enterprise networking provider will have some safety and security knowing that they can ignite
these capabilities in the infrastructure. But clearly, there is a need for the appliance overlay
approach as well because things don’t transition overnight. It’s a long transition period though.
Just to add on Matthew's point, I think people have been associating Network Access Control with
switch port-based security, which is basically only one aspect of doing access control. Access
control needs to be done not only inside your campus, which is the LAN, but needs to be
also done outside the LAN. Because now it's a global workforce. Neil was just talking about the more
and more use of wireless inside or outside the hostile environment. People still have to log on.
Basically, just getting on here, I was using WiFi here, which has my e-mail and things like that.
So you need to have that access control outside and inside your campus. It's equally important.
And even inside the campus, doing it using your switch is just one aspect. There are other aspects
you need to co-ordinate: your intrusion detection, your firewall, your routers, all in a co-ordinated
fashion. Or even your endpoints, all co-ordinated to keep the bad guys out. Because there is just not
one device to do all the jobs for you.
Just picking up on your point about wireless, maybe I could direct this to you, Neil. Where do
you see the wireless world? You said it's getting quite…more and more important. How do you see
wireless being part of this framework that we've been discussing? How does that fit in?
I think wireless certainly adds some new degrees of challenge for security. And certainly the first
thing you give up with wireless is the physical control, because someone can be outside your
building attacking you, and that adds a degree of complexity. If I think of WiFi in the security space,
the trend originally was appliance-based. It's an exact analogy. People built separate wireless
intrusion detection systems. And now what you're seeing, just recently, is a whole bunch of
announcements where it's becoming part of the infrastructure equipment itself, so that the IT can go
with a single vendor and it can be well integrated. So I think that evolution, from a user perspective,
is what they want. I think in this discussion, eventually, with Cisco being the very large player
that they are, they often try to use that power to go in their own direction, but over time what the
users really want is an open standard, and I think that tends to win out in the long run.
I see. Steve, coming back to you. The point I made earlier about maybe having the intelligence
within the networks as opposed to appliance. What's your viewpoint coming from this on the
appliance end of things?
I believe, as everybody else here has stated, an appliance is a first-step approach to overlaying onto an
existing network. Companies over the past 10 to 20 years have invested heavily in their
infrastructure: networks, switches, routers, and maybe invested in the applications. And in today's
world we have a new control environment that wraps around both of those. And the easiest way to
step into the security realm without a costly upgrade is to impose an overlay solution.
Now, as stated from the wireless perspective, and by most of us here, I believe that access
control really does need to be network based. Now the host is important to ensure that appropriate
people have the right device. The reality is, if they've got the right device or wrong device, that's
only one individual. It's when they get access to the network and are able to roam around that
problems are really caused. So the appliance perspective can work from a performance and
scalability standpoint, as you pointed out. And it also works independent of other vendors. So it's
agnostic to brand and allows companies to mature into the Network Access Control security game.
I see. Shall we go to the questions? So I think we might need to put our headphones on.
Please remember to state your name, publication and country.
Speaker – Engineer, China,
Let me give the Juniper view first to answer your question. I think it's not only the Chinese who resist change. I
think resisting change is universal in a lot of countries. And you've pinpointed a very important
aspect: if Cisco's approach is just to upgrade to the latest [indiscernible] switch. We talk to
customers. One customer says: yes, if I listen to what Cisco proposes, I need to throw in $2m to
upgrade all my switches. Is that practical? Is that also the best way of allowing the business that the
customers want? So Juniper's approach is a little bit different. We take a little bit more pragmatic
approach. We want to have an incremental deployment, meaning that we want to help you to solve
the most problematic area first. The most problematic area typically starts with outside, because
outside, for remote access, you probably have the least control. So access control needs to start with
remote access control first, which basically Juniper is the leader in, SSL VPN, in the past three or
Once you start that, once you understand endpoint security and all this kind of stuff in the
remote environment, you use similar technology to protect your most vulnerable resource inside your
network. The most vulnerable we saw typically is in the data centre, which basically connects things of
a sensitive [indiscernible]. So let's just put an enforcer in front of the data centre and just have all the
people who need to connect to the data centre have that access control, so that you won't
easily get infected. Worms won't infect the servers in the data centre, because this is
the most vulnerable part.
Once you've solved that, then you solve the other part, which is between machines, between
endpoints and endpoints, where they may easily infect each other. Then you
strategically put the enforcer at the place you want to put it. It's a much more incremental and
pragmatic approach to solving the problem. Rather than: okay, update all the switches,
which is very, very difficult for a lot of customers.
Just picking on what was said just now by my colleagues here. It sounded to me like it will be just
easier just to go to one vendor and just have everything. Isn't that just an easier way of thinking
Yes, I think ideally, if you could go to one vendor and buy the exact solution that meets your needs,
that would be ideal, and I think that does work. The Cisco solution, the Microsoft solution, will
probably do that in a lot of cases for a lot of people. But just to ask some questions, for instance: do
you have everybody in one building or do you have branch offices? So if you have everybody in one
building then you might have a different need than if you have some people in one building and
then maybe 100 branch offices around other countries. Another question is; what is your line of
business? You mentioned network world, so what is the cost to you when your network goes down
or you have problems? So for instance, it may not be bad for your organisation, as you're a
periodical. But what if you're an online bank? What is the cost for you for your network going down
if you're an online bank? What if you are a credit card company and you have very sensitive
information of hundreds of thousands of users. And what's your liability risk if that data is
compromised? If you're a hospital – what happens if your network goes down in your hospital? All
these things, you know, the cost, the level of requirements that people are different. So I think the
challenge that you have and we all have, is identifying our requirements and then going and finding
the right either single vendor solution. Or, better to meet the needs, finding the right basket of
vendors that meet those solutions.
Just back to the original question as well on the resistance to change. Usually that's a result of the
resistance to wanting to spend a great deal of money at the changeover, right? It's hard.
Speaker – Engineer, China,
[Not spoken in English]
I'm very sorry, but the translation wasn't available for that.
Probably a very good question that.
Let me just make a couple of points on our way to ease through the change, though, and I'll go back
and turn the shift back towards the idea of open standards. So it's the industry coming together to try
to make it as easy as possible to do things like access control in a standards-based fashion while
not disrupting that existing network and allowing it to transition over time. Andrew's point is very
valid: sort out where you think your biggest vulnerabilities and weaknesses are and address those
first. Standards like 802.1X as an authentication framework were, two years ago, very difficult to
implement because it required specialised supplicants or clients at every endpoint in the network.
Microsoft, with anything beyond XP Service Pack 2, now supports 802.1X supplicants inherently in
that client. That only gets better and better over time.
So if you think about whether you're buying wireless network components, wired network
components, WAN components: how do you address the people on virtual faith? Think about that
network edge and apply it as consistently as possible wherever it may be. Whether it's people
connecting into your WAN link at a corporate site, your wired port or a wireless port, things like
802.1X are now a very common feature on just about any network product you buy. And it can be
leveraged to create a very consistent framework across all those different modes and access points.
They can get you on top of those issues.
Actually, we're running out of time now, so I think we've got time for one more quick question.
Uday Pai, India
I don't know whether we can continue seeing the forest through the trees, because of most of the issues
around the deforestation happening. So coming back to NAC technologies, where are we heading
to? For instance, where are the NAC technology and solutions evolving to, say, three years from now?
And Andrew was mentioning the costs involved. So is it really going to eat IT managers'
I take your point; our strategy is that existing technologies around security will mature more, with
open standards to interact with one another, so that the policies that are created by those best-of-
breed technologies get brought into one location, for example. The second point is the intrusion prevention
system; it sits inline and looks at all data traffic. Complete packet, complete flow. Today the
intrusion prevention filters stop attacks inside and outside the network. But because we see all of
the data traffic we can also enforce the policy of VPNs, of Microsoft NAP, of Cisco NAC or whatever
else comes down the line.
So in three years, our full strategy is that you will continue to have policy-based technologies that
are best of breed. But you will start ending up having one enforcement point in the
network that's already doing at least one job, which is going to be some sort of deep packet
inspection that can decipher all of the information that's going through the network. That's where
we see it in three years.
I think, coming back to what the gentleman just said, it's for us to see what's happening three or four
years down the line because, obviously, everyone's got budgets to adhere to. So they want to know
that what they've got today they can use and make the most of, because it may be around for a good
few years. I mean, is that the kind of thing that we're seeing here?
I think it's…I would propose a combination approach. I think it's all depending on where you are in
your IT lifecycle. So if you've just bought a network infrastructure (wired, wireless or WAN, it
doesn't matter), if you've just procured that, you would expect three or five years' life out of that,
plus or minus depending on what it's being used for. If you are however on the tail end of that lifecycle,
so you've extended your capital investment, you've gotten as much out of it as you think you can,
and now you're out trying to shop around to deploy a new network infrastructure or add on to what
you have, the decision in each of those is going to be different.
I think if you're very concerned about utilising your network infrastructure, whatever the brand may
be, then certainly the overlay appliance approach is by far the most attractive. Because it will allow
you to drop that into whatever the existing environment is and take advantage of it all. If you are
however in that timeframe where you're thinking about buying and deploying new network
infrastructure, I think you owe it to yourself to listen to the vendors that are trying to promote a
more open environment. And building in all these capabilities like packet inspections
In three or four years from now, if you could have packet inspection being done by the switch ASIC
itself, at that ingress end of your network, so not going all the way to the core to make a decision
on whether someone's bad. But that's the equivalent of having a security guard at the centre of your
building rather than the lobby? There is some [indiscernible]. If you can make that decision where
that point of ingress or egress happens, automatically, based on some policy constructs, that's a
powerful thing. But very difficult to get to if you've just bought a network infrastructure that doesn't
have that capability. There's this transition. And any time you're in transition, I like to say open
standards are the way to think about how to manage that transition, because it doesn't lock you into a
The way I see it, we need to look back to what is the essence of Network Access Control. It's a
framework that needs co-ordination between endpoints, the switches, the routers; the power is the
co-ordination of everything. And I see that three years from now there will be a lot more
collaboration between the vendors. Because even one vendor, Cisco, they are, as they are called,
the gorilla in the switches and the routers. But they are definitely not the
endpoint expert. It's really Microsoft. It's the one who actually understands operating systems,
the client side, more. So, even if you choose Cisco, you're choosing somebody that understands
the network piece, but not the endpoint security piece. So you need that co-ordination.
But having an open standard is definitely the only way to have Network Access Control really
go forward into the mainstream. Because one vendor doesn't have expertise in all of them. And even
with Cisco, all of the technologies are acquisitions. They're not developed home-grown. So they are almost like
a system integrator themselves. They need to integrate different pieces of technology themselves. So
why do you need to choose one vendor, which is the equivalent of just a system integrator, rather than a system integrator which can
integrate better solutions?
Thank you, gentlemen. I think we'll wind it up. Thank you very much.