Having a virtual security guard manning the gates of the corporate network has long been the dream of those charged with IT security. But it isn't all that simple or straightforward, as ARN discovers.
When heavyweights like Cisco and Microsoft announce a dalliance, you can bet there's money to be made. So when Microsoft launched Windows Server 2008, complete with Network Access Protection (NAP), you could almost hear security software vendors, and resellers, rubbing their hands in glee.
Microsoft's NAP, or what everybody else calls Network Access Control (NAC), essentially refers to technology that scans devices as they attach to the corporate network. "Network Access Protection is a new platform and solution that controls access to network resources based on a client computer's identity and compliance with corporate governance policy," Microsoft Australia's chief security advisor, Peter Watson, said. "NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy."
The handiest aspect of the NAP/NAC approach is that if a client doesn't have the right level of antivirus software, or hasn't downloaded the most recent patches, these can be updated automatically before the client can log on to the corporate network.
"Microsoft's NAP and Cisco's Network Admission Control represent each company's respective approaches for providing endpoint security and health policy compliance when accessing network resources," Watson said.
However, Cisco's advanced technologies lead for security, Colin Bradley, said that neither the approach nor the expectations were in any way new to the market. And while it sounded good in theory, in practice the technology had caused multimillion-dollar LANs to slow to a crawl while the verification and updating process took place. And that's before we even mention user frustration.
"A lot of people originally saw NAC as a silver bullet," Bradley explained. "This was going to be the technology that solved all the problems from a security perspective, especially with regards to guarding the endpoints, where devices actually plug into the network."
As usual, it's not the NAC/NAP approach that is at fault: as with most technologies, this security solution needs to be carefully implemented so as to minimise the effect it has on the corporate network. "The reality is that NAC/NAP solutions are about policy enforcement, so they are only as good as the policy they are created to enact," Bradley said.