Network access control stands out as one of the most promising security technologies, but it also is one of the most misunderstood. That's in part because vendors want in on the NAC buzz and are clamoring for attention, despite selling products that are only peripheral. This raises problems for companies that want to consider NAC but don't have a solid sense of what it is, what it might do for them and what kind of investment it requires.
The first step in cutting through the hype is to define NAC. According to Forrester Research, "NAC is a mix of hardware and software technology that dynamically controls client system access to networks based on their compliance with policy."
NAC and you
Before you decide whether network-access control products are right for your enterprise, ask yourself:
- How much risk is posed to my network by endpoints that can become infected prior to connecting to the network?
- Which of the three major NAC schemes (Cisco, TNC or NAP) would most easily integrate into my existing security environment and can I afford to wait for standards and interoperability testing for my chosen scheme?
- How important is NAC compared with other security initiatives I am working on?
- How much network disruption can I afford when implementing NAC?
Ask your vendors
- Where does your product fit into the broad NAC architecture? Does it authenticate, scan endpoints, check policy compliance, enforce policy, create policies or manage policies as the status of individual machines changes?
- What is your road map for how your NAC products will evolve over time?
- Do you support mobile access?
- How much network infrastructure would need to be upgraded or replaced to support your NAC equipment?
- Can you demonstrate an ROI for your products?
Available products that fall into this category include those that make up Cisco's Network Admission Control architecture and Juniper's unified access-control environment. Single devices fitting the bill include products from ConSentry Networks, StillSecure and Vernier Networks. Other NAC vendors, such as Lockdown Networks and Mirage Networks, work in conjunction with partners.
The Trusted Computing Group (TCG), an industry group writing NAC standards to promote multivendor interoperability, also has a NAC scheme. The Trusted Network Connect (TNC) specifies product interfaces that vendors can use to fit their gear into the TNC architecture. The TCG defines NAC as "an open, nonproprietary specification that enables the application and enforcement of security requirements for endpoints connecting to the corporate network."
So, a vendor might build its products to TNC's NAC standards but rely on other products to flesh out an operable NAC deployment.
That's the high level. In practice, NAC is a process for scanning computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. Is their virus-scanning software up-to-date? Is their operating system patched? Do they have a personal firewall in use?
That process requires an engine capable of matching scan results to policies to see whether the device is qualified to gain access. And it entails devices that can enforce the policy engine's decision: to block access, to restrict access to certain resources or to allow access only to an isolated network segment where security functions can be brought up-to-date.
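As an added illustration of the scan-to-policy-to-enforcement flow just described (example code written for this page, not taken from any NAC product or scheme named in the article): a small policy engine that takes a constructed endpoint posture report, checks the three items the article lists, and returns one of the three enforcement outcomes. The posture fields, the policy thresholds and the mapping of failed checks to decisions are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

@dataclass
class Posture:
    """Constructed scan result for one endpoint (what a NAC agent or scanner reports)."""
    host: str
    av_signature_date: date   # when the antivirus signature set was last updated
    os_patch_level: int       # hypothetical baseline id; higher means more patches applied
    firewall_enabled: bool    # personal firewall running

@dataclass
class Policy:
    """Corporate posture policy: the three checks the article names (assumed thresholds)."""
    max_signature_age_days: int
    required_patch_level: int
    require_firewall: bool

# Enforcement outcomes the policy engine can hand to the enforcement point.
ALLOW, RESTRICT, QUARANTINE = "allow", "restrict", "quarantine"

def check(posture: Posture, policy: Policy, today: date) -> List[str]:
    """Compare a posture report against policy; return the names of the failed checks."""
    failed = []
    if (today - posture.av_signature_date).days > policy.max_signature_age_days:
        failed.append("av_stale")
    if posture.os_patch_level < policy.required_patch_level:
        failed.append("os_unpatched")
    if policy.require_firewall and not posture.firewall_enabled:
        failed.append("firewall_off")
    return failed

def decide(failed: List[str]) -> str:
    """Map failed checks to a decision (assumed mapping): compliant -> full access;
    only stale AV -> restricted access (enough to reach the update server);
    missing patches or no firewall -> isolated remediation segment."""
    if not failed:
        return ALLOW
    if failed == ["av_stale"]:
        return RESTRICT
    return QUARANTINE

def evaluate(posture: Posture, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Full engine step: scan results in, enforcement decision and reasons out."""
    failed = check(posture, policy, today)
    return decide(failed), failed

if __name__ == "__main__":
    policy = Policy(max_signature_age_days=7, required_patch_level=100, require_firewall=True)
    today = date(2024, 5, 1)  # constructed reference date for the signature-age check
    for p in [Posture("laptop-1", date(2024, 4, 30), 100, True),
              Posture("laptop-2", date(2024, 4, 1), 100, True),
              Posture("laptop-3", date(2024, 4, 30), 90, False)]:
        print(p.host, *evaluate(p, policy, today))
```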