SolutionBase: Discover open source alternatives for NAC on your network

Are commercial NAC products not in your budget? David Davis explains why you should consider open source NAC solutions.

Network Access Control (NAC) is a buzzword in networking today, although the products are still in their early stages. Large commercial NAC products can be very expensive; you're funding development efforts. A less expensive option is a open source NAC solution.

Why should you consider open source NAC solutions?

  • Open source NAC is tremendous for the market because it keeps the commercial NAC vendors on their toes. The vendors must know that there are free solutions just around the corner that are steadily being improved; this must be a big driving factor for them to quickly enhance their products and more willingly negotiate their prices.
  • In addition, open source NAC pushes the entire NAC market to form more NAC standards and fosters innovation.
  • Open source products allow you access to the source code. Perhaps there is a feature that you want but do not have; with open source NAC, you're able to customize the software to your liking.
  • Over the years, open source products have shown that they can provide reliable and functional solutions to enterprise products at virtually no cost. Look at the Linux OS, Asterisk VoIP phone system, Snort, Nmap, Nessus, and others; all of these are very successful alternatives to commercial products.
  • If there's good community support for a product, the features can quickly be identified and developed. This can happen much more quickly than commercial vendors can do it.
  • Cost is certainly one of the greatest reasons that admins often turn to open source products; many people choose a product on its cost alone. It will always be difficult to justify a commercial product with a large price tag when compared to a free product.

Are there pitfalls to choosing an open source NAC product?

Certainly, "free" products don't come without some pitfalls. Open source software, in general, can be prone to lack of technical support from the creator, lack of upgrades, and serious lack of interoperability. If you called for Windows OS support and told them you were running open source NAC, you may not get any support. The potential lack of technical support tends to turn many open source software users into programmers and developers, who then invest a lot of time attempting to fix what is broken.

Additionally, it is likely that there is any implementation support for your open source NAC solution. In other words, you are on your own when it comes to rolling it out to your users. For those who like to DIY, that may be fine; but it certainly isn't what every admin needs.

What are the open source NAC alternatives?

There is no shortage of open source NAC players in the market today. As NAC is what is hot, that is the topic that open source developers are going to write applications for. Here is the list of open source NAC vendors that I have found, and my take on each:

  1. PacketFence Zero Effort NAC (ZEN): A virtual appliance OS that runs inside Windows or Linux. It does policy checking when that device connects to the network. ZEN is based on Fedora Linux, LAMP, Perl, and Snort. According to their Web site, it is used in universities around the word. It doesn't require any sort of Cisco hardware, and will operate in just about any network. PacketFence ZEN was developed by two Harvard IT workers. It has a Web GUI management interface, and it's free.
  2. FreeNAC: Made by Swisscom in Switzerland, FreeNAC is open source software, but has recently been offered in a commercial version as well. The commercial version offers some additional features that the free version does not, and you can get installation and support for it. FreeNAC uses 802.1X or Cisco's VMPS. Additionally, FreeNAC is offered as being able to provide VLAN and switch port management, documentation, port cabling information, and device discovery.
  3. More open source NAC: According to an article in Network World, there are a number of open source NAC projects going on at universities. Universities like Carnegie Mellon and the University of Kansas have both developed their own in-house NAC solution. At Carnegie Mellon, the product is called NetReg, and its use is also being expanded to other universities. At the University of Kansas, their custom product is called Rings. This product connects a username to a MAC address and uses a Java agent to checkout the client PC that is trying to connect to the network. At KU, the Rings product has its own DHCP server and that is one thing that makes it specialized.

And what about Cisco? Does Cisco belong in the list of open source NAC providers? Not yet, but perhaps one day. Cisco announced that they will stop enhancing the Cisco Trust Agent (CTA) currently used by their NAC Framework. They had initially announced that the next Cisco NAC client will be submitted to the open source community, however, they later retracted that decision.

Another NAC vendor, StillSecure actually did release a free version of their NAC product to the public as open source software. StillSecure's free NAC offering is called Safe Access Lite.

Additionally, Symantec and five other vendors have announced that they will join forces and work together to build an open source NAC client. Symantec, TippingPoint, Trapeze Networks, Extreme Networks, Identity Engines, and Infoblox have formed a group called the Open Secure Edge Access Alliance to develop this client. The client is technically called a NAC supplicant. This supplicant is what runs on your devices and requests permission to connect to the network from an access control server. That access control server can enforce your NAC security policies, such as AV definition file version, OS patch level, and firewall settings.

Currently, many commercial NAC customers tend to buy their supplicants from vendors like Cisco and Juniper. The cost of those suppliants is per PC client and, at $25 per client, cost can really add up. By having a free open source supplicant that works with a variety of vendors' NAC equipment, these vendors hope that NAC sales will increase.

Don't lock yourself in

Since the NAC market and products are still young, I believe there is a lot of room for open source NAC products to come in and give the commercial products a run for their money. At this point, the NAC market is hot; but, in my opinion, the solutions are only in varying shades of warm. In other words, there is no real leader in the market and the solutions that are available all have a list of caveats that you should be aware of before making your choice.

Open source NAC could save you a ton of money in licensing costs, and might give you the flexibility you need. However, to use open source NAC, you must be willing to invest more effort into the product, as they are designed for admins who are willing to DIY. Still, it would be a smart move to evaluate open source NAC along with your evaluation of the commercial products.