Six burning questions about network security

Most NAC platforms not only perform this function, but they keep records of performing it, something demanded by various regulations such as payment card industry (PCI) standards and the Health Insurance Portability and Accountability Act (HIPAA).

Screening guest users is a particular problem that NAC can address well, according to Gartner."Most Gartner clients that are planning to deploy NAC report that their first priority is to implement a guest network," says Gartner analyst Lawrence Orans in a report."In 2007, many security managers who viewed NAC as a strategic security process were able to use the near-term benefits of guest networking to justify getting started in NAC."

If businesses have a diverse set of full-time employees, contractors and guests that use their networks regularly, NAC can help assure that the devices they use to connect meet configuration policies. For machines that flunk, NAC can either fix them, quarantine them or grant them access to a network segment with only limited resources and where they can do limited damage.

Similarly, businesses that need to segment their networks based on department or job function can use the authorization controls in NAC to do so on a fairly detailed level.

"We see a perfect storm if companies have multiple compliance requirements (the Sarbanes-Oxley Act, PCI, HIPAA), a diverse workforce (employees, contractors, remote workers, partners, suppliers) and global operations (the need to segment the environment by region, business unit and others)," says Rob Whitely, an analyst with Forrester Research.

NAC will ultimately become an element of layered security architectures that rely less on perimeter firewalls as the main bastion and more on layers of security that seek to mitigate threats, Whiteley says."This is part of a larger trend around de-perimterization. NAC is not necessary, but will become a critical component for these new security architectures," he says.

Most networks can get by without NAC. The technology reduces the risk that compromised machines gain network access and that they can do damage if they manage to get admitted anyway. But it doesn't guarantee security. NAC came about in response to threats that traditional Layer 3 firewalls couldn't handle, and there are threats that NAC can't handle, but it can make important contributions.

"Ask yourself: Is your firewall enough?" Whiteley says."If so, NAC is most likely unnecessary. It provides the additional host integrity checking, but this provides little value above and beyond more granular authentication and authorization -- which are really just attempts to make up for shortcomings of today's firewalls."

Has IT licked patch management?

Patch and vulnerability management tools can take on detecting and protecting vulnerable machines in a mostly static, controlled environment. The technology area is considered a priority among IT managers, who most likely have spent many years perfecting their vulnerability scanning, patch testing and software distribution processes.

According to an Enterprise Management Associates (EMA) survey, more than three-quarters (76 per cent) of 250 IT managers surveyed had some sort of patch management product in house and said patching is an important to very important process. Van Dyke Software's fifth annual enterprise security survey of 300 network administrators showed that 30 per cent still worry about patching, a number that has declined over the years. Some industry watchers speculate that the lessening concern reflects a maturity in patch management products and in IT managers' processes.