As part of the security blogging echo chamber, I feel it is my duty to help the three of you who are waiting patiently for NAC details while Amrit and Alan continue their little quarrel. Okay, maybe not details, but a quick value proposition:
NAC takes what were once standalone products on the network and on clients (usually) and forces (encourages?) them to acknowledge one another in the form of "just-in-time" triggers. It assists in the build-out of a network-based "trust" model, as opposed to the more traditional "threat" model.
Is it messy? Sure it is. That’s because it is much more of an eco-system than some particular product. I happen to like this because it forces folks to think about their security architecture. And it’s working. It is pretty rare to have someone looking into NAC and not realize that they need to evaluate their IT asset management process, the state of their client security, their network authentication requirements, and their security perimeters and zones architecture.
More often than not, the messiness comes from people who want to talk about product categories in lieu of security functions and techniques. Otherwise, they could simply describe the full set of capabilities at each stage of the process (both TCG's TNC and the IETF provide good overviews; I use five stages: identify, interrogate, isolate, remediate, and recover). There is of course a lot more to this once you get to implementation details, but this will get you started. (If you are a Burton Group customer, you may have already seen the detailed report.)
It is fascinating watching the supercollisions of the network security product categories as enterprises begin to sort this stuff out.