Many businesses using NAC today were forced into it by dire security implications, but that's not the best way to go, implementers of the technology told attendees at RSA Conference 2007.
"You want to be proactive," says Tim Hebert, CEO of network integrator Atrion Networking, which installed a NAC system at Rhode Island's Roger Williams College. "You don't want to make a decision when the network is in jeopardy."
The college was suffering repeated network failures during the first month of school and after long breaks as students came onto the network with infected machines. A move to increase the student body from 5,000 to 6,000 and complaints from parents that their children had no Internet access drove the school to seek a cure with just one month of lead time, Hebert says.
Chris Labatt-Simon, of D&D Consulting in the U.S. state of New York, says one of his clients in the energy industry flunked regulatory audits when the Zotob worm infected its network in 2005, knocking down the network for two days and resulting in more than US$1 million in productivity losses and more than US$1 million in regulatory fines and staff time off.
"The biggest hurdle we had was a very limited period of time to decide. As a result, one year later, we're still figuring out how to complete [the NAC project]," Labatt-Simon says.
The panelists at RSA Conference 2007 recommend starting early on any NAC implementation. A third panelist, Preston Hogue of Network Computing Architects, says he has a three-year contract with a client to implement NAC that has gone more smoothly because he had time to evaluate and plan.
That included inventorying infrastructure, upgrading switches to enforce NAC and figuring out what assets to protect. He got business decision makers to evaluate risks and set down regulatory pressures that had to be met, he says. Then he worked on what NAC products to use.
All the panelists agreed that standards are needed, but the test of a standard is how many vendors follow it, Hebert says. "Standards that can make these things work are all over the place today," he says.
The true test of a standard is not whether it is officially sanctioned, but whether it promotes interoperability, says Labatt-Simon. If just a few devices are written to a NAC standard and interoperate, the standard isn't working for the end user, he says. But a proprietary method of doing the same thing that has hundreds of adopters is extremely valuable, he says.
That is why the scores of partners that have bought into Cisco, Microsoft and Trusted Computing Group NAC plans are important, he says. "Things are chaotic now, but if a vendor writes to standards others are following, two years down the road it may matter," he says.
Panelists say the toughest part is setting NAC policies that determine whether users and devices can get on the network and how much access they get if admitted. These policies must be made by a broad group of people representing end users, Hebert says. "If the administration sets the policy so the faculty can't do something it used to do, they will be upset," he says.