The Nortel Secure Network Access (NSNA) switch will provide classic network access control (NAC), but specifically for endpoints requesting access on an internal network. The Toronto, Ontario-based company already has endpoint security for devices seeking access from outside a corporate firewall with the TunnelGuard function on both its IPsec and SSL VPN products.

TunnelGuard carries out checks on end devices for the latest OS patches, AV signature updates and so on, said Shirley O’Sullivan, Nortel’s EMEA leader for security and WLAN. The NSNA switch has a lot of TunnelGuard technology in it.
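To make the posture-check idea concrete, here is an added example of the kind of policy evaluation a TunnelGuard-style check feeds into. It is illustrative code written for this page, not Nortel’s implementation, and it assumes a hypothetical report format (a dictionary with device_id, os_patch_level, av_signature_date and host_firewall fields) and a hypothetical three-way outcome of allow, quarantine for remediation, or deny. The point a practitioner should take from it is that the evaluator fails closed: a missing, unparseable or implausible value (such as an AV signature date in the future) counts as a failed check, never as a pass.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class PosturePolicy:
    """Minimum posture an endpoint must report before admission (assumed policy shape)."""
    min_os_patch: tuple             # e.g. (5, 1, 2600): lowest acceptable OS build
    max_av_signature_age_days: int  # how stale the AV signature set may be
    require_host_firewall: bool = True


@dataclass
class PostureDecision:
    action: str                                   # "allow", "quarantine" or "deny"
    failed_checks: list = field(default_factory=list)


def parse_version(text):
    """'5.1.2600' -> (5, 1, 2600). Anything non-numeric raises ValueError."""
    parts = str(text).strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    return tuple(int(p) for p in parts)


def evaluate_posture(report, policy, today):
    """Evaluate one endpoint's posture report against the policy.

    Fail closed: a report that is not a mapping or carries no device identity is
    denied outright; any check that cannot be evaluated (field missing,
    unparseable, AV date in the future) counts as failed, never as passed.
    Failed checks send the endpoint to quarantine for remediation.
    """
    if not isinstance(report, dict) or not report.get("device_id"):
        return PostureDecision("deny", ["device_id"])

    failed = []

    try:
        if parse_version(report["os_patch_level"]) < policy.min_os_patch:
            failed.append("os_patch_level")
    except (KeyError, ValueError):
        failed.append("os_patch_level")

    try:
        age_days = (today - date.fromisoformat(report["av_signature_date"])).days
        # A negative age means a signature date in the future: clock skew or a
        # forged report, so treat it as a failure rather than as "very fresh".
        if age_days < 0 or age_days > policy.max_av_signature_age_days:
            failed.append("av_signature_date")
    except (KeyError, TypeError, ValueError):
        failed.append("av_signature_date")

    if policy.require_host_firewall and report.get("host_firewall") is not True:
        failed.append("host_firewall")

    return PostureDecision("quarantine" if failed else "allow", failed)


# Constructed sample policy and posture reports (not real data), in the
# hypothetical format assumed above.
SAMPLE_POLICY = PosturePolicy(min_os_patch=(5, 1, 2600), max_av_signature_age_days=7)
SAMPLE_TODAY = date(2006, 3, 1)
SAMPLE_REPORTS = {
    "compliant": {"device_id": "pc-01", "os_patch_level": "5.1.2600",
                  "av_signature_date": "2006-02-27", "host_firewall": True},
    "stale_av": {"device_id": "pc-02", "os_patch_level": "5.1.2600",
                 "av_signature_date": "2006-02-01", "host_firewall": True},
    "old_os_no_fw": {"device_id": "pc-03", "os_patch_level": "5.0.2195",
                     "av_signature_date": "2006-02-28"},
    "future_av": {"device_id": "pc-04", "os_patch_level": "5.1.2600",
                  "av_signature_date": "2006-03-15", "host_firewall": True},
    "anonymous": {"os_patch_level": "5.1.2600", "av_signature_date": "2006-02-28",
                  "host_firewall": True},
}


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        decision = evaluate_posture(report, SAMPLE_POLICY, SAMPLE_TODAY)
        print(f"{name:13} -> {decision.action:10} {decision.failed_checks}")
```

Whatever the enforcement point (a switch port, a VPN gateway or the OS itself), the decision logic is the same; what differs between the vendor approaches described in this article is where the report is collected and where the allow, quarantine or deny outcome is applied.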

Its first iteration will be Nortel-specific in that it will only support the company’s own switches, but O’Sullivan said that by the end of the second quarter Nortel will add support for other companies’ switches.

NAC as a discipline has been a hot topic for the last couple of years. Cisco threw its hat into the ring in November 2003 with its Network Admission Control program, in which multiple vendors are engaged with the networking vendor to enable full endpoint checking carried out within its switches. Microsoft has a similar initiative, Network Access Protection, where the intelligence for endpoint checking will reside in the OS. Juniper has its Infranet program, with its routers becoming the enforcement points, while dedicated endpoint security vendor Sygate last year unveiled its Sygate NAC initiative, which has continued under the same name since its acquisition by security heavyweight Symantec.

O’Sullivan said one of the big advantages of the Nortel technology will be that it is clientless, with all the smarts required for it to operate residing in the network, as mandated by Nortel’s mantra of security through network intelligence. While she did not reveal the specifics of NSNA, she implied that it will require no switch-by-switch upgrade, as Cisco’s NAC program does, nor any client software on end devices. Indeed, it promises even to integrate with other vendors’ kit by mid-year.

This heterogeneous approach is reminiscent of the Permeo technology acquired earlier this week by security vendor Blue Coat. In Permeo’s case, the client enabling endpoint checking is downloaded on the fly when access is requested and resides in the device’s memory only for the duration of the session, which makes it possible for the company to offer support for unmanaged devices such as PCs in homes and internet cafes.