Network access control evaluation tips: NAC systems insights for CIOs

By Linda Tucci, Senior News Writer 07 Jan 2009 | SearchCIO.com

IT news and analysis for CIOs Digg This!     StumbleUpon     Del.icio.us

More security resources Data protection trumps threat pursuit in SMBs' 2009 security spending Identity access management compliance: Consider roles people play

This is being hailed as the year when NAC, which has not entirely lived up to its splashy debut of a few years back, comes into its own. First and foremost a gatekeeper to your organization's network, network access control can help with compliance. It can shine a light on devices you never knew or long forgot belonged to you, thus also helping with asset management -- and proving its value.

Forrester Research Inc., predicting a blockbuster year for NAC, says this watchdog technology is fast becoming "a critical component in making many security initiatives efficient and a seamless part of the network infrastructure." Nearly 25% of all enterprises have already adopted NAC and an additional 15% will do so by the end of 2009, according to the Cambridge, Mass-based firm.

Meantime, Gartner Inc. has spent the past three years encouraging enterprises to look at NAC as an important piece of network hygiene, said research director Lawrence Orans. "This is such a valuable defense that you can add to your network. Our advice is start doing NAC now."

Initially, network access control systems were designed to continuously scan endpoints against your corporate security criteria to ensure corrupted systems don't gain access to the network. But Forrester says the technology has moved beyond simply checking and isolating an endpoint device, to compliance. Now companies are using NAC to check endpoints for anomalous behavior and even to continually monitor employees roles and rights to network access. And, by the way, those endpoints on your network may well include noncomputing devices, from printers and Voice over Internet Protocol phones to video cameras and badge readers.

NAC technology has gone through several iterations since it burst upon the scene in the wake of the Blaster attacks, but it is stabilizing, according to Forrester. There are three types of NAC architectures, often used in combination: infrastructure-based (also known as inline), appliance-based and software-based. Leading NAC vendors include Bradford Networks, Cisco Systems Inc., Juniper Networks Inc. and Microsoft.

Whichever approach or vendor you choose, a successful implementation will require your network, security and infrastructure and operations teams to work together, for starters. The implementation will take longer than you think, and it can fail to measure up to your expectations if you think NAC will solve all your security problems. It can also really frustrate your users if not properly deployed.

Still interested? We asked a leading vendor and a couple of analysts to give us their do's and don'ts for deploying NAC. Step one? Ignore everything you've just read and start by defining what NAC means to your organization.

1. Don't let your network or the problem at hand determine your NAC vendor (unless you like wasting money).

Companies tend to let their type of network, their problem du jour and their security systems determine their NAC vendor. Many companies are driven to NAC to solve the problem of guest and contractor access, Forrester analyst Robert

This is such a valuable defense that you can add to your network. Our advice is start doing NAC now. Lawrence Orans research director, Gartner Inc.

Whiteley said, so when they find out their incumbent networking vendor offers a solution for guest access, they forge ahead. Sometime down the road, they decide they also want role-based access control for internal employees. But whatever solution they put in place to address guest management is not necessarily the best solution to help with segmenting employees, Whiteley said.

"What we're finding is that a lot of companies are spending really good money to get NAC in place and then six to 12 months down the road, that investment either is obsolete or requires more money be thrown at the problem."

NAC appliance systems like those from Bradford Networks start at about $8,000 for the appliance, software and 250 user licenses.

Instead, take a business approach to network access control. Begin by defining the various scenarios that require access control. The most successful NAC solutions, Forrester has found, can support at least four scenarios relevant to the business.

2. Never, ever do a big-bang deployment of NAC.

The experts are unanimous: Do not underestimate the complexity of an NAC deployment. It is not unusual for it to span nine months. Both Whiteley and Orans recommend that companies roll out their NAC capability in three phases: monitor what's on the network, map network traffic, and then enforce policy.

"Take it in bite-sized chunks, and validate as you go," said Jerry Skurla, vice president of marketing at Concord, N.H.-based Bradford Networks. "If adding security causes the business to slow down, you may not have the window to try it again."

3. Before signing off on a deal, ask your network manager two questions:

1. Does the NAC solution integrate with the existing network infrastructure, or does it require changes to routers and switches or upgrades to bandwidth boxes?
2. Can the NAC solution also handle nonemployees or unmanaged IT assets -- guests, contractors, business partners?

4. Don't let your network team go it alone.

It's almost a misnomer to call this network access control. At least three groups must work in tandem to deploy NAC: the network, security and desktop teams.

The network team defines how the network will take the enforcement actions and how it will get done in the network, but the security team is often in charge of the policy. And when an endpoint requires remediation, which many NAC systems can do automatically, the desktop team still needs to be looped in to make sure the fixes are done correctly.

5. Warn your network manager: Don't get bedazzled by the NAC data.

NAC provides a tremendous amount of data about your network you've never had before. That's good. But don't get carried away with reports, especially those going up the management chain. Stick to red light, green light. "A lot of executives, including the CIO, simply want to know, 'Is this going to be a normal threat day or lunatic threat day?'" Skurla said.

Tags: Enterprise information security management,  Enterprise risk management,  Enterprise network management,  Strategy: Preparing for corporate data protection, NAC, security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Enterprise information security management Talking swine flu and Conficker with the CIO of the CDC Network access control: Security advice for enterprise CIOs Evaluating network access control: NAC policy enforcement matters Enterprise risk management quiz for CIOs Network access control now addresses multiple needs Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Avoiding gotchas of security tools and global data privacy laws Security standards to help manage compliance for those federal funds Information security and IT governance guides for CIOs Enterprise risk management Email archiving solutions and strategies for enterprise CIOs For CIOs, email deletion scandal shows need for email retention policy Swine flu preparedness: Business continuity during an H1N1 outbreak Talking swine flu and Conficker with the CIO of the CDC Tips from the CDC's CIO on H1N1 flu preparedness Tips for business continuity and contingency planning for swine flu Enterprise risk management quiz for CIOs Enterprise risk management solutions for CIOs Gartner: Future IT security jobs to focus on risk management strategy Business continuity plan needs the right leader, metrics to succeed Enterprise network management Data recovery solutions must address a range of concerns Network access control: Security advice for enterprise CIOs Evaluating network access control: NAC policy enforcement matters Network access control now addresses multiple needs For network access control, this shop chose Microsoft NAP; here's why Network access control case studies show varied options Network access control: A hybrid approach Appliance-based network access control keeps university network secure More CIOs consider IT managed services to deal with new technologies Survey: Economy puts nonessential IT projects on back burner

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary GRC (governance, risk management and compliance) software  (SearchCIO.com) sustainability risk management (SRM)  (SearchCIO.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary