But just as important in selecting a product is the technical approach that your organization wants to take in enforcing NAC policy. Enforcing NAC may not be a top priority for many companies yet, but eventually you will want to be able to "throw the switch in case of an emergency," said Gartner Inc. analyst Lawrence Orans.
He enumerated four common technical approaches for enforcing NAC policy and rated them in terms of cost, complexity and adaptability:
- Virtual LAN steering. This approach simply moves the user from one VLAN port to another. A noncompliant endpoint, for example, could be moved from the production environment to a quarantine VLAN or guest network.
- Dynamic Host Configuration Protocol (DHCP). Enforcement involves assigning an IP address in a quarantine subnet, a subtle difference from assigning someone to a different VLAN. A drawback? Users can bypass DHCP security by using static IP addresses.
- In-line enforcement puts an intrusion prevention system or similar device in the traffic path to inspect the endpoint before it connects. If the endpoint does not authenticate, every packet from that endpoint is dropped.
- Address Resolution Protocol (ARP) modification is employed in some solutions that do not have an agent. An appliance in the network that acts as a "honeypot" for all traffic can modify the ARP tables of the endpoint.
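To make the first two enforcement mechanisms concrete, here is a small added example (not code from the article or from any NAC vendor) that models the enforcement decision for VLAN steering and DHCP quarantine, and then shows the defender-side check a DHCP-only deployment needs because of the drawback noted above: an endpoint that configures a static address never talks to the DHCP server, so it is never steered. The VLAN numbers, subnets, MAC addresses, lease table and observed ARP bindings are all constructed for the example; the check compares what the access switch actually sees against what the DHCP server leased.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed values for this example: one production VLAN/subnet and one
# quarantine VLAN/subnet. Real deployments choose their own numbering.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999
PRODUCTION_SUBNET = ip_network("10.1.0.0/24")
QUARANTINE_SUBNET = ip_network("10.99.0.0/24")


@dataclass(frozen=True)
class Endpoint:
    mac: str
    compliant: bool  # outcome of the posture check (patch level, AV state, ...)


def vlan_for(endpoint: Endpoint) -> int:
    """VLAN steering: a noncompliant endpoint's switch port is moved to the
    quarantine VLAN; a compliant one stays on the production VLAN."""
    return PRODUCTION_VLAN if endpoint.compliant else QUARANTINE_VLAN


def dhcp_subnet_for(endpoint: Endpoint) -> IPv4Network:
    """DHCP enforcement: the lease offered to a noncompliant endpoint comes from
    the quarantine subnet, whose routing/ACLs reach only remediation servers."""
    return PRODUCTION_SUBNET if endpoint.compliant else QUARANTINE_SUBNET


def find_dhcp_bypass(leases: dict[str, str],
                     observed: list[tuple[str, str]]) -> list[str]:
    """Detection for the weak spot of DHCP-only enforcement.

    leases:   MAC -> IP as recorded by the DHCP server.
    observed: (MAC, IP) bindings seen on the access switch (ARP cache,
              IP source guard, or similar).
    A MAC sending from a production-subnet address that the DHCP server never
    leased to it has sidestepped the quarantine and is flagged."""
    flagged = []
    for mac, ip in observed:
        if ip_address(ip) not in PRODUCTION_SUBNET:
            continue  # quarantine-subnet traffic is the expected outcome
        if leases.get(mac) != ip:
            flagged.append(mac)
    return flagged


# Constructed DHCP lease table (MAC -> leased IP).
SAMPLE_LEASES = {
    "00:11:22:33:44:01": "10.1.0.20",   # compliant host, production lease
    "00:11:22:33:44:02": "10.99.0.20",  # noncompliant host, quarantine lease
}

# Constructed view of the bindings the access switch actually observed.
SAMPLE_OBSERVED = [
    ("00:11:22:33:44:01", "10.1.0.20"),   # matches its lease
    ("00:11:22:33:44:02", "10.99.0.20"),  # quarantined as intended
    ("00:11:22:33:44:03", "10.1.0.77"),   # no lease at all: static IP on production
]

if __name__ == "__main__":
    for ep in (Endpoint("00:11:22:33:44:01", True),
               Endpoint("00:11:22:33:44:02", False)):
        print(ep.mac, "-> VLAN", vlan_for(ep), "/ subnet", dhcp_subnet_for(ep))
    print("hosts bypassing DHCP enforcement:",
          find_dhcp_bypass(SAMPLE_LEASES, SAMPLE_OBSERVED))
```

The lease-versus-observed comparison is the piece that turns DHCP quarantine from a convenience into something enforceable: on its own, a DHCP scope only steers endpoints that ask for an address, so a deployment that relies on it should pair it with a switch-side binding check (or with VLAN or in-line enforcement) to catch hosts that never ask.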
In-line enforcement is typically the most expensive of the bunch, Orans said. "Anytime you put a bump in the wire, it has to be high-performance, so it does not add latency to the network. It has to be transparent to users, and from a topology standpoint, you have to have it at all key points, so you are more likely to deploy more boxes than if you took an out-of-band approach."
On the other hand, in-line enforcement tends to be less complex to deploy than VLANs, he said, since appliances can be inserted in-line without making changes to the switches themselves.
VLANs are low-cost but they can be complex to deploy, due to the burden of managing multiple VLANs in large environments, Orans said. One or more VLANs may need to be added to every switch to enforce the NAC policy. "And you have to make sure that the endpoints that have been quarantined can get back from some remediation server, so that can be complicated," he said.
DHCP is also cheaper and less complex, but it's the least-secure NAC policy enforcement option, Orans said. Likewise, ARP modification is low in cost and complexity, but it isn't commonly deployed and does not support enforcement in Secure Sockets Layer virtual private network (VPN) environments.
In terms of adaptability, all four approaches will allow you to put NAC in the LAN, but some are not well suited to wireless networks (VLANs) and others are not ideal for VPN-based deployments, where an in-line appliance excels.
Googling NAC: "You get really confused, really quickly"
"The key thing is that before you go looking at the 20-some NAC vendors is to think through the enforcement mechanisms that will be important to you and which will work in your environment," Orans said.
So, if DHCP seems to make a lot of sense, that would rule out market leader Cisco Systems Inc., Orans pointed out, because, not surprisingly, the network vendor believes the hardware itself should enforce NAC rather than DHCP, which it does not support. "If you're Microsoft and don't sell switches, then there is nothing wrong with using DHCP, a great approach for reassigning someone to a quarantine subnet," he said.
Indeed, as our companion piece on defining a usage case points out, NAC requires IT to do its homework before shopping.
"If you start by Googling NAC and talk to eight vendors, you get really confused, really quickly," Orans said. "Many of them have valid solutions but totally different approaches to NAC. Go in knowing what you want to do."
Let us know what you think about the story; email: Linda Tucci, Senior News Writer