I read a lot of conflicting stories about NAC - some very positive and some dismissive. Is NAC over-hyped, or is there value in it?
The short answer is yes, and yes. The key is to figure out whether it will be over-hyped or of value for you. To do that, you need to look at what issues you're struggling with.
Two dynamics play a recurring role in whether NAC is portrayed as hyped or valuable. One is how NAC is defined, and the other is how much work is needed to deploy that version of NAC. Essentially, when NAC takes a lot of work and returns little value, it should be no surprise that it's portrayed as over-blown. But when NAC doesn't take too much work and returns a good degree of security as well as other useful functions, then - again no surprise - it's seen as providing good value.
If you look in detail at most of the negative stories about NAC, they tend to showcase an example or understanding of NAC as basically a pre-admission technology. In other words, the Network Admission Control version of NAC - validating that a user can successfully authenticate onto the network and that the user's machine is in compliance with some degree of endpoint posture check.
We'd be the first to agree that this version of NAC is both too much work and returns insufficient value. Often, the endpoint checks require the installation of software, and the IT team gets very little real security or control in return for pretty exhaustive work. Network World, in fact, recently profiled an organization that struggled with just such an implementation. This definition of NAC emerged two to three years ago, in response to virus outbreaks, and it fails to address the primary business drivers for implementing access control.
When NAC is portrayed as providing more control over how users can access the LAN, the coverage tends to be far more positive. So when enterprises use NAC, for example, to segment users on the LAN and limit access to sensitive corporate data, those customers tend to be much more positive about the benefits of NAC.
The key is that these kinds of NAC implementations, in addition to providing stronger controls, must also not create an operational burden for IT. Initial deployment and policy creation will always take some work, but NAC that's rooted in role-based controls, leveraging information in existing identity stores, vastly simplifies IT's job in LAN segmentation. IT doesn't need to change the endpoints, network infrastructure, or directories, and they can avoid the significant operational expenses associated with achieving and maintaining LAN segmentation via VLANs and ACLs.
So the task for you to complete - before you investigate potential solutions - is to determine what NAC means in your organization. What kind of LAN security are you looking for? If it's simple endpoint checking, then looking at the software already on your users' desktops is a great starting point. Can that software play a role in validating the endpoints? Will Microsoft's Vista be a way to answer that problem?
If your issues are broader, such as needing to control contractors, ensure offshore locations have monitoring and control, achieve compliance, or protect vital intellectual property, then look for solutions that can enable you to do LAN segmentation, based on user role, without the cost and complexity of today's brute-force tools. In those cases, you could easily find yourself in the happy position of doing less work on the network and getting more return for your investment.
Jeff Prince is CTO of ConSentry Networks.