
NAC solutions help SMBs control network, costs

Network access control, or NAC, offers a cost-effective way to protect an SMB network from unwanted visitors.

For large and small businesses alike, achieving optimal network security is a never-ending quest. But small and medium-sized businesses (SMBs), in particular, face many unique network security challenges due to their smaller budgets and staffs. Among them:

  1. Access control: SMBs face special challenges in tracking who has access to the network and whether each user's level of access is set appropriately.
  2. Malicious code: Most attacks against small businesses are automated and potentially debilitating. These attacks can appear as viruses, worms, Trojans and bots.
  3. Mobile device security: Mobile devices such as USB drives, iPods and camera phones allow data and information to be moved in and out of the network without normal access controls, creating a definite security hazard.

One potential solution to these issues is network access control (NAC). NAC solutions offer administrators a way to verify devices meet certain health standards before they're allowed to connect to the network. Laptops, desktop computers or any device that doesn't comply with predefined requirements can be prevented from joining the network or can even be relegated to a controlled network where access is restricted until the device is brought up to the required security standards.

There are several different incarnations of NAC available. These include infrastructure-based NAC, endpoint-based NAC and hardware-based NAC:

  • Infrastructure-based NAC solutions require an organization to upgrade its hardware and/or operating systems. If your IT organization plans to roll out Microsoft Vista or has budgeted an upgrade of your Cisco infrastructure, you're well positioned to take advantage of infrastructure NAC.
  • Endpoint-based NAC requires the installation of software agents on each network client. These devices are then managed by a centralized management console.
  • Hardware-based NAC requires the installation of a network appliance. The appliance monitors for specific behavior and can limit device connectivity should noncompliant activity be detected.

Of the three methods of NAC deployment, most SMBs will find network appliances, or hardware-based NAC, the best fit. Deploying hardware-based NAC solutions doesn't require an upgrade of operating systems or the purchase of all new networking gear. However, it is important to remember that these devices are not truly plug-and-play. Eric Maiwald, senior analyst at Burton Group Inc. in Midvale, Utah, cautions those considering the deployment of hardware-based NAC to have realistic expectations. "Hardware devices will require some policy configuration. Devices like printers, IP cameras, etc. will require the development of specialized policies. This involves some work."
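The admission decision described above (admit a healthy device, quarantine one that fails a health check, and apply a specialized policy to devices such as printers and IP cameras that cannot report their health) looks like this in code. This is an added example, not code from the article or from any NAC product; the check names, VLAN names and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed health requirements; a real NAC product defines its own checks.
REQUIRED_CHECKS = ("antivirus_current", "os_patched", "firewall_enabled")

# Constructed specialized policies for devices that cannot report posture.
# MAC addresses can be forged, so each VLAN should permit only what that
# device type needs.
AGENTLESS_POLICIES = {
    "00:11:22:33:44:55": {"type": "printer", "vlan": "printers"},
    "66:77:88:99:aa:bb": {"type": "ip_camera", "vlan": "cameras"},
}

@dataclass
class Device:
    mac: str
    posture: Optional[dict] = None  # None: the device sent no health report

@dataclass
class Decision:
    action: str            # "allow", "quarantine" or "deny"
    vlan: Optional[str]
    reasons: list = field(default_factory=list)

def admit(device: Device) -> Decision:
    """Decide network placement for a device that is trying to connect."""
    if device.posture is None:
        policy = AGENTLESS_POLICIES.get(device.mac.lower())
        if policy is None:
            return Decision("deny", None, ["no health report, no specialized policy"])
        return Decision("allow", policy["vlan"], [f"{policy['type']} policy"])
    # Fail closed: a check missing from the report counts as failed.
    failed = [c for c in REQUIRED_CHECKS if device.posture.get(c) is not True]
    if failed:
        return Decision("quarantine", "remediation", [f"failed: {c}" for c in failed])
    return Decision("allow", "production")

if __name__ == "__main__":
    healthy = dict.fromkeys(REQUIRED_CHECKS, True)
    samples = [  # constructed sample devices
        Device("aa:aa:aa:00:00:01", healthy),
        Device("aa:aa:aa:00:00:02", {**healthy, "os_patched": False}),
        Device("00:11:22:33:44:55"),
        Device("aa:aa:aa:00:00:03"),
    ]
    for d in samples:
        print(d.mac, admit(d))
```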


Hardware-based NAC solutions are available from Cisco Systems Inc., Lockdown Networks and ConSentry Networks. While these systems may not be as capable as infrastructure- and endpoint-based NAC, hardware-based NAC will reduce risk and limit exposure for a reasonable cost.

"The real benefit to SMBs is that these devices level the playing field and make it possible for smaller businesses to have a level of control that used to be found exclusively in the enterprise market," said Jim Cowden, chief security strategist at network security vendor Control Point in Newport Beach, Calif. "SMBs should query vendors as to the interoperability of their devices and assess what standards they are compliant with."

One such emerging standard is Trusted Network Connect (TNC). TNC is an effort to create interoperability among access control solutions from various vendors. Microsoft and Cisco offer two others: Microsoft's Network Access Protection (MNAC) and Cisco's Network Admission Control (CNAC). While all the standards attempt to build on the functionality of 802.1X, each is taking a somewhat different path.

While there may be no silver bullet when it comes to network security for SMBs, a hardware-based network access control solution is the next best thing. Hardware-based NAC offerings continue to mature from a technological perspective and they offer a network security solution at a reasonable price for SMBs.

Michael Gregg has been involved in IT and network security for more than 15 years. He is founder and CTO of Superior Solutions Inc., a risk assessment and security consulting firm, and the author of Hack the Stack: The Eight Layers of an Insecure Network.
