CIOs and chief information security officers whose network managers are evaluating network access control (NAC)
products are advised to lay down some guidelines for finding the right solution. NAC now has several uses and as many potential pitfalls. An organization should define its primary usage case for NAC, map out a plan for taking advantage of NAC's other uses and decide on an enforcement protocol. Otherwise, it risks choosing the wrong vendor or product.
But network access control technology has undergone a personality change since its splashy debut some six years ago. Then, worms were the latest plague and NAC products part of the solution. Today's NAC is all about the user, according to Gartner Inc. analyst Lawrence Orans -- in particular, corralling the ever-increasing population of outsiders who need access to corporate networks. In addition, companies must contend with employees using personal devices. Bring Your Own Computer has spread from the academy to the corporate world.
"Network managers are very interested in establishing policies that control access to the network," Orans said. "I speak to hundreds of network managers a year, and there is not one that says I don't want more control over which devices or endpoints access the network. NAC is still very much alive."
The four main use cases for network access control
Gartner has identified four common usage cases, and a recent survey shows their popularity among NAC users:
By far, the most common initial reason for deploying NAC products today is guest networking, mostly to give guests Internet access only. That's often on a wireless network in common areas. Endpoint baselining is the pre-connect diagnostic that checks whether the device has the patches, antivirus software, personal firewall and other custom checks prescribed by corporate policy.
"Make sure you have a path when you start NAC. Not only think about the first thing you want to accomplish, but ultimately how you would map it out to get to all four usage cases," Orans said.
This is important because some deployments will not easily allow you to add more NAC features. For example, many NAC users ask whether they can build their guest network using a MAC address as the authentication criteria, Orans said, referring to a computer's unique hardware number.
"It's a great solution for guest networking: If your MAC address is not in the database then you're not getting on the guest network," he said. "But the point is, you really can't build upon that MAC address for endpoint baselining," where a NAC agent comes into play.
The government and military, as well as financial services, tend to be especially interested in visibility into their networks and using NAC for identity-aware purposes, Orans said. Universities, the most aggressive users of NAC in both wired and wireless networks as several SearchCIO.com case studies detail, also employ this NAC function, as well as baseline checks and quarantining.
Vendors that have strong solutions for endpoint baselining, for example, are typically not the best choice for identity-aware networking (and vice versa), Orans said. A focused approach is to decide first on your primary NAC usage case, and then build a shortlist of vendors that can best satisfy that usage case.
He recommends building a chart with the usage cases across the top and ranking the criteria for each use case as a high, medium or low priority. For example, user and device authentication are critical for companies primarily interested in using NAC products for endpoint baselining; not so much for companies using them for identity awareness.
Guest networking was American System's primary concern, and monitoring devices after they connect to the network was the second driver, Ward said. "We wanted to give business partners and guests controlled access to different facets of the network and only give them access to certain resources," he said.
The company looked at technologies that would plug into its existing structure; tell them what was on the network, who was authenticated to its Active Directory and who was unmanaged; and segregate those unmanaged clients from controlled and sensitive information. For some of its federal clients coming onto the network, American Systems could not install any software on their machines, so it needed a solution that was clientless and would still allow the company to interrogate the device, regardless of whether it had rights over it.
The criteria ruled out several vendors, including market leader Cisco Systems Inc., and led the company to ForeScout Technologies Inc. The Cupertino, Calif.-based vendor offered a device that was agentless but also allowed American to install a Secure Sockets Layer applet to interrogate and quarantine noncompliant devices, before and after connection to the network.
"We got the best of both worlds," Ward said.
Coming next: Enforcement control for NAC products, how to make a short list of vendors and one user's list of best practices.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer