This SearchCIO.com Quick Guide brings you the latest thinking on network access control, from how to choose the right form of NAC and evaluating NAC vendors to enforcing NAC policy and implementing appliance-based, hybrid and software-based solutions.
DEFINITION: Network access control, or NAC, is a method of improving the security of a proprietary network by restricting the availability of network resources to endpoint devices.
WHY USE IT?: According to Forrester Research Inc. analyst Robert Whiteley, many companies are driven to NAC to address guest and contractor access.
BENEFITS OF NAC: By restricting access to data and resources, it can aid with compliance. It can also serve as a push for organizations to inventory devices, thus also helping with asset management.
Experts recommend CIOs, chief information security officers and network managers who are evaluating NAC products:
- Define the primary use case for NAC.
- Map out a plan for taking advantage of NAC's other uses.
- Determine if the NAC solution integrates with the existing network infrastructure, or if it will require changes to routers and switches or upgrades to bandwidth boxes.
- Ask if the NAC solution also handles nonemployees or unmanaged IT assets, including guests, contractors and business partners.
- Decide on an enforcement protocol.
Enforcing NAC may not be a top priority for many companies yet, but eventually you will want to be able to "throw the switch in case of an emergency," said Gartner Inc. analyst Lawrence Orans. He offered four common technical approaches for enforcing NAC policy:
- Virtual LAN (VLAN) steering. This approach moves the user from one VLAN port to another. VLANs are low-cost but they can be complex to deploy, due to the burden of managing multiple VLANs in large environments, Orans said.
- Dynamic Host Configuration Protocol (DHCP). Enforcement involves assigning an IP address in a quarantine subnet, a subtle difference from assigning someone to a different VLAN. A drawback? Users can bypass DHCP security by using static IP addresses.
- In-line enforcement puts an intrusion prevention system or similar system on the network to check out the endpoint before it connects. If the endpoint does not authenticate, every packet from that endpoint is dropped. Typically, the most expensive approach.
- Address Resolution Protocol (ARP) modification is employed in some solutions that do not have an agent. An appliance in the network that acts as a "honeypot" for all traffic can modify the ARP tables of the endpoint.
| Tools of the trade: Three approaches to NAC |
APPLIANCE-BASED NAC: Central Michigan University (CMU) used this approach to keep out-of-security-compliance devices off a university network. An appliance-based, or "out-of-band," NAC solution from Bradford Networks Inc. answered the call -- and then some. One of the most important factors in CMU's decision was that the appliance did not have to be put inline.
SOFTWARE-BASED NAC SOLUTIONS: Ball State University went with Microsoft Network Access Protection (NAP), a software-based network access control product that comes as a feature of Windows Server 2008. A Microsoft shop, Ball State saves about $75,000 per year in support and maintenance by using Microsoft NAP, and incurred only modest costs to set up five new servers.
HYBRID NAC SOLUTIONS: Eighteen months ago, the University of San Francisco deployed an in-line NAC solution from Cisco for its dorms. It worked so well that last summer Pereira's team expanded the deployment, adding an out-of-band system for the dorms, which have the university's highest network traffic and potentially most infected computers, and used the original in-line system on its wireless network.
