The Forrester Blog For IT Infrastructure & Operations Professionals


January 16, 2008

Does Your NAC Deployment Work In A Virtual World?

Rob

NAC seems to cycle between red hot and long droughts of disinterest. I think it suffers from serious issues, but the one that piques my interest the most is virtualization. NAC is in danger of becoming irrelevant in a virtual world.

Think about it:

  • Server virtualization blurs segmentation models. What happens when all of the backend server resources are VMs? First, it means you have to worry about VLANs and subnets all over again. Second, advanced server tools like VMware's VMotion will mean servers are highly dynamic and can be quickly relocated to anywhere in the datacenter. But more importantly, it means that you need NAC inside your physical servers. Imagine you have two VMs located on the same physical server that can't communicate as per your access control policy. I've already come across one client deploying virtual NAC appliances on servers to limit machine connections based on endpoint status.
  • Client virtualization proliferates MAC addresses and blurs endpoints. Running a hypervisor on a desktop or laptop allows multiple OSes to run simultaneously, each with its own virtual MAC address. How do you quarantine the physical machine and still allow compliant guest VMs to connect? How do you prevent a compliant VM from transferring data to a non-compliant VM on the same desktop? You can by restricting IP addresses, installing NAC agents within each VM, or forcing VPN access — but these present significant granularity and cost tradeoffs, respectively.
  • Application virtualization hides settings and blurs endpoint status. Application virtualization will change the way companies distribute apps to endpoints. But isolating an app in its own environment can create an air gap between the OS and the application. If you use NAC to scan application settings and not just the basic system attributes like AV signatures, firewalls, and Windows Update, then this can prove to be a problem. For example, you will not be able to evaluate a NAC policy that requires your Internet browser settings to be set to medium or higher.
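The per-MAC versus per-port problem from the client virtualization bullet, modelled as an added example (not code from the original post): one physical switch port, several OS instances behind it, and the three decisions a NAC design has to make. The MAC addresses, VLAN ids and posture attributes are constructed for illustration.

```python
from dataclasses import dataclass, field

PROD_VLAN = 10          # constructed: production VLAN id
QUARANTINE_VLAN = 999   # constructed: remediation VLAN id


@dataclass
class Guest:
    """One OS instance (the physical host OS or a VM) with its own MAC and posture."""
    mac: str
    av_current: bool
    firewall_on: bool
    patched: bool

    def compliant(self) -> bool:
        return self.av_current and self.firewall_on and self.patched


@dataclass
class PhysicalEndpoint:
    """A laptop or desktop: one switch port, several MACs behind it."""
    port: str
    host: Guest
    vms: list = field(default_factory=list)

    def instances(self):
        return [self.host] + self.vms


def port_level_decision(ep: PhysicalEndpoint) -> int:
    """Switch-enforced NAC sees one port and gives one verdict: a single
    non-compliant VM drags the host and every compliant sibling into quarantine."""
    return PROD_VLAN if all(g.compliant() for g in ep.instances()) else QUARANTINE_VLAN


def per_mac_decisions(ep: PhysicalEndpoint) -> dict:
    """Per-MAC NAC (agent in each VM, or MAC-based VLAN assignment): each OS
    instance is assessed on its own, so compliant guests keep working."""
    return {g.mac: PROD_VLAN if g.compliant() else QUARANTINE_VLAN for g in ep.instances()}


def intra_host_flow_allowed(ep: PhysicalEndpoint, src_mac: str, dst_mac: str) -> bool:
    """Traffic between guests on the same desktop never crosses the physical
    enforcement point, so the host-side agent must apply the same VLAN
    separation: instances may talk only when both land on the same VLAN."""
    vlan = per_mac_decisions(ep)
    return vlan[src_mac] == vlan[dst_mac]


# Constructed sample: compliant host OS, one compliant VM, one VM with stale AV.
LAPTOP = PhysicalEndpoint(
    port="Gi1/0/7",
    host=Guest("02:00:00:00:00:01", True, True, True),
    vms=[Guest("02:00:00:00:00:02", True, True, True),
         Guest("02:00:00:00:00:03", False, True, True)],
)
```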

Bottom line: I think 2008 will see a significant culling of the NAC market and top-tier vendors will be those that handle virtual endpoints efficiently. I’d love to hear your thoughts. Has anyone attempted to marry NAC with a virtual infrastructure?


Comments

Couldn't agree more. Well, actually, I do!

Rather than re-type here, check out the blog entry I wrote titled "How the Hypervisor is Death By a Thousand Cuts to the Network IPS/NAC Appliance Vendors"

http://rationalsecurity.typepad.com/blog/2008/01/how-the-hypervi.html

Wish I'd seen your post prior to writing mine so I could have referenced it!

/Hoff
