Network access control technology: Over-hyped or underused?


Over the past two years, network access control (NAC) technology has reached full-fledged buzzword status within the information security community. But has NAC lived up to the hype?

Last year, I joined many in the field in predicting that 2009 would be "The Year of NAC."

That prediction doesn't seem to have been fully realized, but I think that slower adoption of the technology is more due to economic pressures than a lack of willingness or desire to adopt NAC. I'm still confident that NAC is an underused technology and, as a market, will see significant growth, especially as the economy begins to turn around.

Network access control (NAC) technology overview
NAC technology offers two primary benefits to the enterprise: network authentication and endpoint security screening. By combining these features, NAC allows security pros to gain confidence in both the individuals and systems accessing the network. It aims to protect against both the threat of an unauthorized user accessing a network and an authorized user accessing a network with vulnerable (or, worse yet, infected) equipment.

The key to a NAC product's success lies in the quality of its posturing agent: the software that runs on the endpoint and determines whether the device complies with the organization's security policy. The best products are able to combine detection of both the presence and compliant operation of security software with OS-specific verification of security configuration parameters.

Generally speaking, today's NAC products do a great job at meeting these goals, especially when also leveraging the security features of an existing network infrastructure (usually by purchasing a NAC product from the same vendor as that of your other network technology). In such a case, when a NAC product detects a user that improperly authenticates or a device that fails to meet the organization's posturing requirements, it is able to revoke access by restricting the device to a quarantine VLAN directly at the switch port.

Is NAC worth the cost?
The million-dollar question is whether the substantial financial and time investment necessary to deploy a NAC product will generate sufficient return for your enterprise. In considering this question, I encourage you to take a look inward and answer a few questions:

  • For our environment, does NAC constitute a solution to an existing problem or a solution in search of a problem? Don't buy a NAC product simply because everyone's talking about NAC. Verify that you have legitimate business objectives that are best met through NAC.
  • Do we have an issue with the configuration of endpoint security controls? If you have a network consisting entirely of managed systems and you enforce the presence of malware protection software and security settings through a configuration management system, you may have little need for the posturing protections provided by NAC.
  • Do we have a large number of unknown users on our network? If you're running a network that hosts a large number of guest users, such as a college or university network, NAC is a great way to both verify that your guests have permission to access your network and prevent them from bringing infected equipment onto your network.

Answering these questions honestly will provide a realistic assessment of the value that NAC can bring to your enterprise. If you're interested in deploying NAC in your organization, I'd encourage you to read my article "Phased NAC deployment for compliance and policy enforcement," which details NAC roll-out strategies. You may also be interested in my podcast on making NAC work with your existing security tools. NAC is a complex technology, but it can work well with proper configuration and management, so don't let the hype dissuade you from considering NAC if you think there's a solid business case for implementing it.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was first published in August 2009
