The technology has moved beyond simply checking and isolating endpoint devices that lack up-to-date security protection and into compliance, according to Forrester analyst Robert Whiteley. Now companies are using NAC to check endpoints continually for anomalous behavior and even to monitor employees' roles and rights to network access. NAC can shine a light on stuff you never knew or long forgot belonged to you, thus also helping with asset management.
Companies are turning to NAC to provide limited access for guests and contractors, and to accommodate remote and wireless employees. The consensus is that NAC deployments also have become easier, provided that organizations choose the appropriate solution for their networks and security requirements.
Vendors also insist that NAC is not just for big companies.
"Bunk to that. NAC is easy enough now, depending on what you want to do, that there is no reason why the midmarket can't use and benefit from it as well," said Alan Shimel, chief strategy officer at Superior, Colo.-based StillSecure, which debuted its Safe Access NAC product in 2004.
Getting started with network access control
Before you hop on NAC, you'll want to study the three main architectures:
- In-band (also called in-line), where the systems are installed between users and the upstream network, or between the access switch and the core switches;
- Out-of-band, or systems that communicate with the NAC ecosystem outside the data communication path; and
- Software-based solutions, where agents are installed directly on the endpoint and provide automatic remediation.
You should sift through vendors, a list that has its share of hop-on-the-NAC-bandwagon providers. Forrester counts Bradford Networks, Cisco Systems Inc., Juniper Networks Inc. and Microsoft as top contenders. Others include Symantec Corp., McAfee Inc., Nevis Networks Inc., Mirage Networks Inc., StillSecure, TippingPoint Technologies Inc. and HP ProCurve. Gartner published an NAC market scope in 2008. Analysts caution that the field is ripe for consolidation.
There are a number of other considerations and lessons learned on NAC deployments that we culled from interviews with several leading NAC vendors and their customers:
- Know your endgame before you start installing. Companies tend to let their type of network, their problem du jour and their security systems determine their NAC vendors. Many companies are driven to NAC to solve the problem of guest and contractor access, Whiteley said, so when they find out their incumbent networking vendors offer solutions for guest access, they forge ahead. Then sometime down the road, if they decide they also want role-based access control for internal employees, they find that the solution they chose for guest management is not necessarily the best solution for segmenting employees, Whiteley said.
"What we're finding is that a lot of companies are spending really good money to get NAC in place, and then six to 12 months down the road, that investment either is obsolete or requires more money be thrown at the problem," he said.
Instead, take a business approach to NAC. Begin by defining the various scenarios that require access control. The most successful NAC solutions, Forrester has found, can support at least four scenarios relevant to the business.
The business analysis should extend to three additional areas, advised Seth Goldhammer, director of NAC product management at TippingPoint: user identification, posture assessment and access enforcement. "In each area the business should determine their organization priorities and limitations based on user types and network areas. This will be useful later in helping determine the best set of technologies that can fulfill their requirements," he said.
- Never, ever do a big-bang deployment of NAC. The experts are unanimous: Do not underestimate the complexity of an NAC deployment. It is not unusual for it to span nine months, though the users we interviewed (all universities) managed to get their NAC systems in place over a summer. Both analysts and vendors recommend that companies roll out their NAC capability in three phases: monitor what's on the network, map network traffic and then enforce policy.
"Take it in bite-sized chunks, and validate as you go," said Jerry Skurla, vice president of marketing at Concord, N.H.-based Bradford Networks.
Goldhammer said phasing should also include locations and users: conference areas, wireless access, internal and external user groups (guests vs. employees).
- Rally the troops across IT. It's almost a misnomer to call this network access control. People in at least three areas of IT must work in tandem to deploy NAC: the network, security and desktop teams. The network team defines how the network will take enforcement actions and how they will be carried out, but the security team is often in charge of the policy. And when an endpoint requires remediation -- which many NAC systems can do automatically -- the desktop team needs to be looped in to make sure the fixes are done correctly.
- Educate end users. Another lesson learned by NAC customers and vendors we interviewed: Inform users, well in advance, of changes to network admission or access due to NAC, and any new steps they may need to take. (Universities try to take their students through the NAC process before they even arrive on campus.)
"If planned correctly, the end-user education, coupled with phasing, should achieve what NAC was envisioned for: reduced calls to the help desk, while maintaining an updated, risk-averse end-user population," Goldhammer said.
- Warn your network manager: Don't get bedazzled by the NAC data. NAC provides a tremendous amount of data about your network that you've never had before. That's good. But don't get carried away with reports, especially those going up the management chain. Stick to red light, green light.
"A lot of executives, including the CIO, simply want to know, 'Is this going to be a normal threat day or lunatic threat day?'" Bradford's Skurla said.
Let us know what you think about the story; email: Linda Tucci, Senior News Writer
This was first published in February 2009