Earlier this year, antivirus specialist Sophos acquired US network access control (NAC) vendor Endforce. The move follows similar forays into the NAC market by rival antivirus vendor McAfee and network hardware firms such as Extreme Networks.

Butler Group security analyst Andy Kellett said the Sophos deal is part of a growing trend. “NAC certainly has a higher profile than it used to have and is aligning itself with a perceived need in the vendor community to provide a more rounded system.”

The term NAC applies to software or hardware systems that are designed to secure firms’ whole network infrastructures, end-to-end. Endforce’s flagship Endforce Enterprise product is a software-based NAC solution that protects networks from non-compliant or misconfigured endpoints. It is designed to work with the three main NAC architectures: Cisco Network Admission Control (NAC), Microsoft Network Access Protection (NAP), and Trusted Network Group’s Trusted Network Connect (TNC).

NAC aims to check and identify who is connecting to corporate networks, where they are connecting from and what they are connecting with. NAC should then be able to check that the device, whatever it is, has an up-to-date security profile. This profile could, for example, stipulate that the device’s operating system has the most up-to-date patches.

If the user works in the company, their access is based on a specific policy defined in the NAC system. Guests, temporary staff and contractors will be allowed access to only those parts of the network defined in the NAC policy system. A system missing critical patches or out-of-date antivirus signatures will be quarantined in an area with less access to the corporate network or even no access while it is updated to meet the NAC policy.

One of the main drivers for implementing NAC is the growing need for firms to provide secure remote and guest access to contractors and temporary staff. A recent survey conducted by independent B2B consultancy Loudhouse Research and commissioned by network security firm ConSentry found that half of the 200 senior security and network professionals interviewed saw temporary workers, guest users and contractors as network threats.

ConSentry’s director for Northern Europe, Alex Raistrict, said, “About 40 percent admitted they hadn’t got up-to-date network access policies in place.”

Corporate governance regulations that require firms to show they have implemented adequate security measures are also fuelling interest in NAC as a means of enforcing security policies and logging incidences where potential threats have been neutralised.

Despite these advantages, corporate adoption of NAC remains relatively slow. In the Loudhouse survey for ConSentry, nearly half of the respondents said they were not able to roll out NAC because of a “lack of resources”. And a recent study of 120 companies by the Aberdeen Group found that firms are wary of rolling out NAC because of its complexity and problems integrating with current infrastructure.