Winston Churchill once said the Americans can always be counted on to do the right thing, though often after they have exhausted all other possibilities first.

Cisco and Microsoft appear to support Churchill’s theory, having finally introduced at least some interoperability between their network security tools – more than two years after concerns were first voiced about making Network Access Control (NAC) and Network Access Protection (NAP) work side by side.

There are several sound business reasons for them to work together, not least of which is the prospect of either NAC or NAP being booted out of the enterprise network altogether in favour of the other.

Nor are NAC and NAP the only network access controls in town. A host of networking rivals and security vendors, including the Trusted Computing Group and its Trusted Network Connect (TNC), are queuing up with their own solutions. And many of these lean towards open standards rather than Cisco and Microsoft proprietary technology.

Plenty of other best-of-breed access control products can also handle unmanaged devices in a way that is far easier for the IT department to understand and deploy.

Most IT managers recognise the need to control network access and minimise the security risks of allowing guest users, business partners, contractors and mobile employees onto the network; and to comply with corporate governance rules. But they are also worried about the effect of access control tools on LAN performance and failover. The burden of identity management processing can cause additional network bottlenecks and failure points, for example.

Nor does the NAC/NAP alliance address the one problem which network managers have long associated with all flavours of network access security: the absence of a clear return on investment (ROI) argument.

Without this, it’s hard to see how network access control can be made to run at all. Unless, of course, somebody were to give it away for nothing as part of an operating system – which is exactly what Microsoft plans to do with the next version of Windows Server in 2007.