Microsoft could fulfill security dreams with NAP

Spring Interop in Vegas. Temperatures in triple-digit positives, air conditioning in double-digit negatives, pneumonia just over the horizon, and loads and loads of NOC geeks playing with the latest tech toys, oblivious to the debauched temptations around them.

Except for Fry’s. They can’t ignore Fry’s. Ever. Want to make a geek happy? Give ’em a Fry’s gift certificate and you’ll be on their do-favors-for list for the rest of your days.

Or give them one of those Nabaztag smart bunnies. Amazing piece of technology. A plastic manga-bunny with no useful purpose in life whatsoever, but crammed full of every tech hook you can spout: SNMP, RSS, Wi-Fi, robotic ears, e-mail alerts, synced singing, network discovery, mood circuitry, and lots of open APIs so you can customize the thing. Hours of nerd time wasting. Someone brought a small army of the little buggers to Interop and now they’re all over the NOC, humming, glowing and waving their little ears in time to some invisible Ethernet beat. God, how I want one! And yet, strangely, the curvaceous yet non-cerebral booth ornament wasn’t at all impressed that I knew where she could see four of them. Mystery.

What’s not a mystery is the theme of this year’s show. It’s security, and specifically NAP (Network Access Protection), NAC (Network Admission Control), endpoint security, or anti-malware wubbie. Whatever name you’re calling it, it’s here and it’s coming to a network near you. Fast. Our sister pub, the venerable NetworkWorld, did a piece shortly after Interop Hot Stage, reporting on how three of the bigger endpoint vendors showed real interoperability. (Interop Hot Stage is just that; all the NOC geeks gather in a dank Californian warehouse weeks before the show and prebuild the entire Interop network — ample chance for any vendor to demonstrate interoperability.)

This time, it was Cisco, Juniper, and our own Microsoft clearly showing that endpoint security solutions can talk to each other if only they’d try. Now that the show has started, the Redmondians also made sure to tout the fact that their endpoint stuff would work with the Trusted Network Connect specs being designed by the Trusted Computing Group (TCG).

So I’ve got to admit it. Endpoint security is here, it’s interoperable, and since it’s driven by nasty compliance legislation, no way it’s not going to find you sooner or later. But don’t let the big names fool you. This is still anybody’s game.

Cisco’s been pushing the NAC concept the hardest the past few years, but Microsoft looks to have a huge advantage over everyone because it placed its NAP platform in both Vista and Longhorn — oops, I mean Windows Server 2008 (such an unexpected and spine-tingling name deserves italics) — with full support in its management platforms, especially System Center. Although this will only cover your Vista clients and Windows Server 2008 servers … hey waitaminnit! What’s this “only” stuff? Windows clients and Windows Server 2008 servers constitute, what, 70 to 90 percent of most corporate networks, depending on how Win-centric their IT staff has become? That’s a foregone conclusion. A fait accompli. A no-brainer. No?

Not really. Maybe in a couple of years when Vista has as much penetration as Windows XP does today and when Windows Server 2008 has finally pecked its way through the shrink shell and to the light of day. But for the next twelve months, that still leaves the market wide open for third-party endpoint security platforms. And the lack of Vista on many corporate desktops is only part of the reason. The other is cost.

NAP may be built into Vista and Windows Server 2008, making it essentially free from a highly optimistic marketing viewpoint. Cisco’s NAC may be embedded in its switch and router firmware and proprietary silicon, making it free in the same way. But that doesn’t mean they won’t cost. A lot.

On Microsoft’s side, you’ve got to do the Vista and Windows Server 2008 upgrade. That’s all the usual OS-upgrade hassles, plus all that new hardware juice this particular upgrade wants. Mucho dinero.

On Cisco’s side, NAC simply isn’t a software upgrade. It wants a specific switch/router family stack, so you’re looking at a hardware upgrade unless all your Cisco gear is brand new. Admittedly, Cisco’s trying to back this down, but so far, you’re still not getting away without new hardware boxes. Thus, the dinero is still muchoed.

The competition, on the other hand, can be significantly cheaper — maybe. Many of the roughly thirty other endpoint security vendors operate on the software-only or software-plus-an-appliance-box model. That makes them drop and play. (OK, maybe drop, configure, pull hair out, configure some more, curse like a Bangkok sailor, then play.) But the upside is, they will not only run on today’s desktop operating systems, but they’re also a fixed and predictable cost. OS and infrastructure upgrades are scary in large part because their cost ceilings are so difficult to predict.

All of that combines to give third-party endpoint guys a fighting chance, especially for the next year or so. Even better, many like Array Networks and Vernier are looking at Vista’s NAP client as an extension of their own products. Exactly how much functionality you’re going to get out of that marriage is still a little fuzzy, but if it’s open enough, the proliferation of Vista may actually help non-Microsoftian vendors.

But they’d better not rest on those lucky laurels. Both NAC and NAP are fairly feature rich, and most corporate networks will deploy both Microsoft and new Cisco hardware … eventually. That means that at some point, turning on mid-tier endpoint scanning is going to be a matter of flipping a few software switches. So third-party guys better offer more than just the same thing in an appliance. Better management interfaces, better support for transient clients, much better support for unmanaged clients, improved policy creation and reporting, and support from all the best anti-virus/anti-malware engines. Not to mention ease of use and proven cost bennies over the embedded versions. Just a few of the things on my endpoint wish list, and they’d better be there a year from now or the Redmondian version really will be a foregone conclusion.