Over the past two years, network access control (NAC) technology has reached full-fledged buzzword status within the information security community. But has NAC lived up to the hype?
Last year, I joined many in the field in predicting that 2009 would be "The Year of NAC."
Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
Network access control (NAC) technology overview
NAC technology offers two primary benefits to the enterprise: network authentication and endpoint security screening. By combining these features, NAC allows security pros to gain confidence in both the individuals and systems accessing the network. It aims to protect against both the threat of an unauthorized user accessing a network and an authorized user accessing a network with vulnerable (or, worse yet, infected) equipment.
The key to a NAC product's success lies in the quality of its posturing agent: the software that runs on the endpoint and determines whether the device complies with the organization's security policy. The best products are able to combine detection of both the presence and compliant operation of security software with OS-specific verification of security configuration parameters.
Generally speaking, today's NAC products do a great job at meeting these goals, especially when also leveraging the security features of an existing network infrastructure (usually by purchasing a NAC product from the same vendor as that of your other network technology). In such a case, when a NAC product detects a user that improperly authenticates or a device that fails to meet the organization's posturing requirements, it is able to revoke access by restricting the device to a quarantine VLAN directly at the switch port.
Is NAC worth the cost?
The million-dollar question is whether the substantial financial and time investment necessary to deploy a NAC product will generate sufficient return for your enterprise. In considering this question, I encourage you to take a look inward and answer a few questions:
- For our environment, does NAC constitute a solution to an existing problem or a solution in search of a problem? Don't buy a NAC product simply because everyone's talking about NAC. Verify that you have legitimate business objectives that are best met through NAC.
- Do we have an issue with the configuration of endpoint security controls? If you have a network consisting entirely of managed systems and you enforce the presence of malware protection software and security settings through a configuration management system, you may have little need for the posturing protections provided by NAC.
- Do we have a large number of unknown users on our network? If you're running a network that hosts a large number of guest users, such as a college or university network, NAC is a great way to both verify that your guests have permission to access your network and prevent them from bringing infected equipment onto your network.
Answering these questions honestly will provide a realistic assessment of the value that NAC can bring to your enterprise. If you're interested in deploying NAC in your organization, I'd encourage you to read my article Phased NAC deployment for compliance and policy enforcement, which details NAC roll-out strategies. You may also be interested in my podcast on making NAC work with your existing security tools. NAC is a complex technology, but it can work well with proper configuration and management, so don't let the hype dissuade you from considering NAC if you think there's a solid business case for implementing it.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in August 2009