NAC can be confusing for very good reasons, not the least of which is that it is genuinely complicated and offers a great number of architectural options, a number that only grows when customers consider multivendor deployments.
As they try to sell NAC gear, vendors stake claims to make their products seem more attractive than those of their competitors, and some of these claims warrant investigation to figure out just what's real.
In an effort to help clear away some of the confusion, here is a look at common claims by NAC vendors and what customers should do to get to the bottom of them.
Claim: NAC can be deployed without a client.
This is true. The question is whether clientless NAC gives as much data for evaluation as NAC with a client.
NAC gear can probe devices from the outside and come up with data about the configuration of the device. This information can then be used to create a health report about the device that in turn can be used to determine how much network access the device should get.
Clientless NAC can check registry entries (where remote registry access is permitted), enumerate Remote Procedure Call (RPC) services and inspect the file-sharing capabilities of end devices. Some vendors' checks mimic the probing an attacker might perform to find weaknesses in systems.
NAC also can be deployed with a client, and this arrangement generally results in a more complete picture of an endpoint's security posture, according to Infonetics Research, which calls such software informational clients. They can be preloaded on a computer or installed in the form of Java or ActiveX agents at network login. "Informational clients can provide all the information available in clientless NAC solutions and more," the company says in a report.
For example, clientless endpoint assessment might find that antivirus software is present and running but not be able to tell what version of signature files it is using.
"You really can't get a comprehensive understanding of what's happening with a device that's connecting to your network without some presence on the desktop," says Paul Roberts, an analyst with The 451 Group. "I think most NAC vendors realize that. The question is how do you do that."
Which to deploy depends on individual users' needs. If deploying and maintaining clients is too much of a strain on resources, clientless may be the way to go. If many guest machines are trying to gain access, clientless is the only option for NAC scanning. Otherwise all guest machines will be rejected or granted the same limited access without a posture evaluation.
In all cases customers should determine what they need to know about endpoints in order to make an informed decision about whether to grant network access and how much. They should then decide which model, client or clientless, best meets their needs.
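The difference between the two models comes down to which policy checks the available data can actually answer. The following is an added example, not code from the article or from any NAC vendor: it applies one simple health policy to a constructed external (clientless) scan result and to a constructed agent report for the same host. The field names, the policy thresholds and the access tiers ("full", "limited", "remediation") are assumptions chosen for illustration. The point it demonstrates is the one made above: the external probe can see that an antivirus service is present, but not its signature age, so that check stays unknown and the device can only be given limited access, whereas the agent report exposes a stale signature set and sends the device to remediation.

```python
"""Posture evaluation with and without an endpoint agent (added example).

Constructed data, assumed field names and an assumed policy; nothing here
is a real scan result or a vendor's evaluation logic.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample data: what an external probe of the host could observe.
CLIENTLESS_SCAN = {
    "host": "10.0.0.23",
    "open_ports": {135, 139, 445, 3389},   # RPC endpoint mapper, NetBIOS, SMB, RDP
    "smb_signing_required": True,           # observable from the SMB negotiate response
    "av_service_detected": True,            # seen via remote service enumeration
    "av_signature_date": None,              # not observable from outside
}

# Constructed sample data: what an agent on the same host would report.
AGENT_REPORT = {
    "host": "10.0.0.23",
    "open_ports": {135, 139, 445, 3389},
    "smb_signing_required": True,
    "av_service_detected": True,
    "av_signature_date": date(2024, 1, 3),  # agent can read the signature set
    "patch_level": "2024-01",
}


@dataclass
class Verdict:
    access: str                          # "full", "limited" or "remediation"
    reasons: list = field(default_factory=list)   # checks that failed
    unknowns: list = field(default_factory=list)  # checks the data cannot answer


def evaluate(report: dict, today: date, max_signature_age_days: int = 7) -> Verdict:
    """Apply an assumed health policy to whatever data the report carries.

    A check the report cannot answer is recorded as unknown rather than
    silently passed. Any failed check -> remediation; no failures but
    unknowns -> limited access; everything known and passing -> full.
    """
    v = Verdict(access="full")

    if not report.get("av_service_detected"):
        v.reasons.append("no antivirus service detected")

    sig: Optional[date] = report.get("av_signature_date")
    if sig is None:
        v.unknowns.append("antivirus signature age")
    elif (today - sig).days > max_signature_age_days:
        v.reasons.append(
            "antivirus signatures older than %d days" % max_signature_age_days)

    if 445 in report.get("open_ports", ()) and not report.get("smb_signing_required"):
        v.reasons.append("SMB reachable without signing")

    if "patch_level" not in report:
        v.unknowns.append("patch level")

    if v.reasons:
        v.access = "remediation"
    elif v.unknowns:
        v.access = "limited"
    return v


if __name__ == "__main__":
    today = date(2024, 1, 15)
    for label, rep in (("clientless", CLIENTLESS_SCAN), ("agent", AGENT_REPORT)):
        print(label, evaluate(rep, today))
```

The design choice worth copying is the separate `unknowns` list: a policy engine that treats "could not determine" as "passed" quietly grants full access to exactly the endpoints about which it knows least.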
Claim: A NAC solution protects wired, wireless and VPN connections.
This is true. In each case, the goal is to block access to users and devices that fail to meet NAC policies, and to do so as close to the network entry point as possible.
For a LAN-connected device, that point can be the access switch or a NAC appliance connected to the switch. It can also be a firewall that protects LAN segments, or the endpoints themselves.
In a wireless network, the closest device to the end user is the access point, and it can act as an enforcement point. Similarly, a VPN concentrator can enforce NAC policies.
But interoperability may be an issue, says Phil Hochmuth, an analyst with Yankee Group. "If a company makes this claim it opens up the question of the actual communications interface with those pieces of the network," he says.
The best thing to do is check that the NAC gear being deployed is compatible with the relevant wireless, VPN and other infrastructure before buying.
Claim: NAC can automate and document compliance with regulatory demands.
This is an overstatement. Depending on the regulation, NAC can contribute more or less data necessary to convince auditors that regulations were met, but no NAC product - or any single product of any kind - can meet regulatory security requirements. "There's a lot of different regulations and some are more specific than others," says Hochmuth.
For instance, some come down to specific network firewall settings, something NAC wouldn't be able to help with, he says.
But NAC products can help in other areas having to do with network access and who in an organization has accessed what resources. Key questions to ask are which third-party reporting platforms the NAC gear is compatible with and whether the vendor recommends its gear for specific regulatory needs.
"What are the check boxes that this thing is going to be able to discover and prove, and how does that produce something readable, examinable or verifiable by an auditor?" Hochmuth says.
Claim: NAC can admit guests and contractors safely.
This is true. The caveat is that inspection of an unmanaged endpoint may be less rigorous than inspection of a managed one.
"Most vendors have some solution around guest and contractor access," says Roberts. "Typically it is a captive Web portal that gives them a download that's going to do a security scan on their endpoint." If they aren't compliant, the NAC gear can give them access to a Web site where they can get whatever they need to become compliant.
Since these machines are not managed by the company, they may or may not accept downloadable NAC agents to do scans. If not, the NAC gear has to use less complete external monitoring to make its decision.
The best course for customers is to carefully limit and isolate as much as possible the access that guests and contractors are granted while still enabling them to do what they need to do.
Claim: NAC gear can screen printers, cameras, phones and other IP devices for NAC compliance.
This is an overstatement. NAC gear, and in some cases supplemental platforms, can discover and admit these devices, but because these devices don't accept agents, they cannot receive in-depth NAC screening.
"What does it really matter if I know all of the laptops and all of the desktops that I manage are in compliance if that's not the full set of all the systems that are on our network?" Roberts says. "Most vendors don't have a great answer to that question right now."
Once devices are identified, NAC gear that limits behavior on networks can restrict what they do. So a device identified as an IP phone can be restricted to sending and receiving only traffic associated with VoIP and denied from performing file transfers, for example.
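What that restriction looks like as policy is shown in the following added example, which is not code from the article or from any NAC product. It models a default-deny allow-list per device class (the classes, the port lists and the idea of rendering the list as iptables-style rules are all assumptions made for illustration), so that a device classified as an IP phone can signal and carry media but is refused SMB and FTP, and an unclassified device is refused everything.

```python
"""Post-admission traffic restriction by device class (added example).

Assumed device classes, assumed port lists and assumed iptables rule syntax;
the enforcement point in a real deployment may be a switch ACL, a firewall
or a NAC appliance with its own syntax.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port the device is trying to reach


# Allow-lists per device class: (protocol, port) or (protocol, (low, high)).
# Anything not listed is denied. Constructed policy, not a vendor default.
POLICY = {
    "ip-phone": [
        ("udp", 5060),             # SIP signalling
        ("tcp", 5060),
        ("udp", (16384, 32767)),   # RTP media range
        ("udp", 123),              # NTP
        ("udp", 67),               # DHCP
        ("udp", 53),               # DNS
        ("tcp", 69),               # placeholder kept out: TFTP is UDP, see below
    ][:-1],                        # drop the placeholder; TFTP handled explicitly
    "printer": [
        ("tcp", 9100),             # raw print
        ("tcp", 631),              # IPP
        ("udp", 161),              # SNMP
        ("udp", 53),
        ("udp", 67),
    ],
}
POLICY["ip-phone"].append(("udp", 69))   # TFTP, used by many phones to fetch config


def _matches(rule, flow: Flow) -> bool:
    proto, ports = rule
    if proto != flow.proto:
        return False
    if isinstance(ports, tuple):
        lo, hi = ports
        return lo <= flow.dport <= hi
    return ports == flow.dport


def permitted(device_class: str, flow: Flow) -> bool:
    """Default-deny: a flow is allowed only if some rule for the class matches.
    An unknown class has no rules and therefore gets nothing."""
    return any(_matches(r, flow) for r in POLICY.get(device_class, []))


def render_iptables(device_class: str, src_ip: str) -> list:
    """Render the class allow-list as iptables FORWARD rules for one source
    address, ending in an explicit DROP. Assumed syntax for illustration."""
    lines = []
    for proto, ports in POLICY[device_class]:
        dport = "%d:%d" % ports if isinstance(ports, tuple) else str(ports)
        lines.append("iptables -A FORWARD -s %s -p %s --dport %s -j ACCEPT"
                     % (src_ip, proto, dport))
    lines.append("iptables -A FORWARD -s %s -j DROP" % src_ip)
    return lines


if __name__ == "__main__":
    for f in (Flow("udp", 5060), Flow("udp", 20000), Flow("tcp", 445), Flow("tcp", 21)):
        print("ip-phone", f, "->", "allow" if permitted("ip-phone", f) else "deny")
    print("\n".join(render_iptables("ip-phone", "10.1.2.3")))
```

Two practitioner notes. The rendered rules only cover traffic initiated by the device; on a stateful enforcement point the return traffic is normally admitted by a separate ESTABLISHED rule, which is omitted here. And the whole scheme is only as good as the classification step: a laptop that spoofs an IP phone's MAC address inherits the phone's allow-list, which is why restricting a class to a narrow set of ports matters as much as identifying the class.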
Customers should check whether NAC vendors provide for network discovery within their own platforms or look to independent vendors that can supply the same functionality.
Claim: The product supports both Layer 2 and Layer 3 NAC.
This is true, but customers must make sure they are buying from a vendor that supplies the type they want.
"It's like the difference between latching a door with a chain and having a deadbolt," Hochmuth says.
In a business environment with many guests and contractors, stronger Layer 2 NAC such as that enforced by 802.1X-capable switches is more desirable than Layer 3.
In a college environment where thousands of students need access to the network but don't have access to essential university resources, Layer 3 may be appropriate. The concern there is more toward protecting the network itself, he says, and the costs of buying into a stronger NAC scheme might be prohibitive.