If your network manager hasn't made an impassioned case for a network access control (NAC) solution, just wait
This is being hailed as the year when NAC, which has not entirely lived up to its splashy debut of a few years back, comes into its own. First and foremost a gatekeeper to your organization's network, network access control can help with compliance. It can shine a light on devices you never knew or long forgot belonged to you, thus also helping with asset management -- and proving its value.
Forrester Research Inc., predicting a blockbuster year for NAC, says this watchdog technology is fast becoming "a critical component in making many security initiatives efficient and a seamless part of the network infrastructure." Nearly 25% of all enterprises have already adopted NAC and an additional 15% will do so by the end of 2009, according to the Cambridge, Mass-based firm.
Meantime, Gartner Inc. has spent the past three years encouraging enterprises to look at NAC as an important piece of network hygiene, said research director Lawrence Orans. "This is such a valuable defense that you can add to your network. Our advice is start doing NAC now."
Initially, network access control systems were designed to continuously scan endpoints against your corporate security criteria to ensure corrupted systems don't gain access to the network. But Forrester says the technology has moved beyond simply checking and isolating an endpoint device, to compliance. Now companies are using NAC to check endpoints for anomalous behavior and even to continually monitor employees roles and rights to network access. And, by the way, those endpoints on your network may well include noncomputing devices, from printers and Voice over Internet Protocol phones to video cameras and badge readers.
NAC technology has gone through several iterations since it burst upon the scene in the wake of the Blaster attacks, but it is stabilizing, according to Forrester. There are three types of NAC architectures, often used in combination: infrastructure-based (also known as inline), appliance-based and software-based. Leading NAC vendors include Bradford Networks, Cisco Systems Inc., Juniper Networks Inc. and Microsoft.
Whichever approach or vendor you choose, a successful implementation will require your network, security and infrastructure and operations teams to work together, for starters. The implementation will take longer than you think, and it can fail to measure up to your expectations if you think NAC will solve all your security problems. It can also really frustrate your users if not properly deployed.
Still interested? We asked a leading vendor and a couple of analysts to give us their do's and don'ts for deploying NAC. Step one? Ignore everything you've just read and start by defining what NAC means to your organization.
1. Don't let your network or the problem at hand determine your NAC vendor (unless you like wasting money).
Companies tend to let their type of network, their problem du jour and their security systems determine their NAC vendor. Many companies are driven to NAC to solve the problem of guest and contractor access, Forrester analyst Robert Whiteley said, so when they find out their incumbent networking vendor offers a solution for guest access, they forge ahead. Sometime down the road, they decide they also want role-based access control for internal employees. But whatever solution they put in place to address guest management is not necessarily the best solution to help with segmenting employees, Whiteley said.
This is such a valuable defense that you can add to your network. Our advice is start doing NAC now.
Lawrence Orans, research director, Gartner Inc.
"What we're finding is that a lot of companies are spending really good money to get NAC in place and then six to 12 months down the road, that investment either is obsolete or requires more money be thrown at the problem."
NAC appliance systems like those from Bradford Networks start at about $8,000 for the appliance, software and 250 user licenses.
Instead, take a business approach to network access control. Begin by defining the various scenarios that require access control. The most successful NAC solutions, Forrester has found, can support at least four scenarios relevant to the business.
2. Never, ever do a big-bang deployment of NAC.
The experts are unanimous: Do not underestimate the complexity of an NAC deployment. It is not unusual for it to span nine months. Both Whiteley and Orans recommend that companies roll out their NAC capability in three phases: monitor what's on the network, map network traffic, and then enforce policy.
"Take it in bite-sized chunks, and validate as you go," said Jerry Skurla, vice president of marketing at Concord, N.H.-based Bradford Networks. "If adding security causes the business to slow down, you may not have the window to try it again."
3. Before signing off on a deal, ask your network manager two questions:
- Does the NAC solution integrate with the existing network infrastructure, or does it require changes to routers and switches or upgrades to bandwidth boxes?
- Can the NAC solution also handle nonemployees or unmanaged IT assets -- guests, contractors, business partners?
4. Don't let your network team go it alone.
It's almost a misnomer to call this network access control. At least three groups must work in tandem to deploy NAC: the network, security and desktop teams.
The network team defines how the network will take the enforcement actions and how it will get done in the network, but the security team is often in charge of the policy. And when an endpoint requires remediation, which many NAC systems can do automatically, the desktop team still needs to be looped in to make sure the fixes are done correctly.
5. Warn your network manager: Don't get bedazzled by the NAC data.
NAC provides a tremendous amount of data about your network you've never had before. That's good. But don't get carried away with reports, especially those going up the management chain. Stick to red light, green light. "A lot of executives, including the CIO, simply want to know, 'Is this going to be a normal threat day or lunatic threat day?'" Skurla said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.