By Joel Snyder
STATETECH, October-November 2007
Original Article on Network World Web Site
Network access control (NAC) is one of the hottest buzzwords of the year. It’s based on a simple premise — your access to the network is based on who you are and your end-point security posture. If you’re thinking of deploying the technology to strengthen IT security, these tips will help ensure success.
Perhaps you’re trying to balance a more mobile workforce with a need to compartmentalize and segregate pieces of the network, restricting user access to the part of the network they need to do their jobs. In that case, the granular access control part of NAC might be your reason for investigation. Or your organization might be fighting viruses, Trojan horses and bots, making validation of end-point security posture a primary reason to add NAC.
Decide what matters most to you, and which of those capabilities will help you the most, before you look at a single product.
NAC is not something you buy. Rather, it’s a combination of technologies you mix together to increase your level of control.
NAC is like dynamic network routing with Routing Information Protocol (RIP), Open Shortest Path First (OSPF) or Border Gateway Protocol (BGP): You never bought “dynamic routing.” You bought routers, firewalls and virtual private network equipment that speak those protocols. NAC is the same concept: different products working together to build an interoperable NAC solution.
Approach NAC as a technology rather than a purchase order. You’ll be able to re-use infrastructure you’ve already deployed, saving dollars and time. When you talk to vendors about deploying NAC, focus on integration and interoperability with what you already own.
Whether you use an installed client such as Cisco Systems’ or Juniper’s, a built-in supplicant such as the Microsoft Network Access Protection supplicant in Vista or a so-called dissolving client such as the option Trend Micro offers, you’ll find that building security policy and enforcing posture assessment are straightforward for Windows clients. The challenge lies in working with non-Windows users, guests and embedded devices.
Users may bring their own notebooks running different versions of Windows, Mac OS or Linux. And what about that snazzy Nokia E61i smartphone your boss just got? Palm devices, Windows Mobile, Symbian: All are being deployed for an increasingly mobile workforce that needs to access the network, and none of them runs the posture agent your policy was written for.
Guests represent another edge case to consider carefully in your NAC deployment, especially if you have deployed a wireless local area network. Guest machines are ones you don’t manage, each with its own personal firewall and browser, so checking their end-point security offers little, if any, useful information, and you have no way to remediate what you find. Yet guest users might have a real need to get on the network: Think contractors, auditors or participants in a multiagency meeting.
Finally, make sure you handle embedded devices, such as printers. You can’t leave their ports unprotected, yet printers are not going to run a NAC client to report end-point status.
NAC affects all of the devices on your network, not just the ones you think the most about.
NAC can check whether an end-point complies with security policy, but it can’t ensure that an infected system is blocked from your network. A system can pass every posture check (patched, antivirus running, firewall on) and still be compromised; posture describes the state of a machine, not its behavior. Tools such as intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) can help verify that trusted systems and users are behaving in a trusted way.
Consider IDS/IPS as part of your NAC solution, by using the IDS/IPS to identify misbehaving users and machines and NAC to map problems back to individual users. Keep the pressure on your NAC vendor to ensure that an automated link between IDS/IPS and your NAC solution is available as quickly as possible.
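The following is an added example, not code from the article or from any NAC vendor. It sketches the two ideas above in one toy policy engine: admission decided by identity, posture and device class, with separate branches for the edge cases (a non-Windows client that reports no posture, a guest, a printer that cannot run a client), plus a session table that maps an IDS alert’s source address back to the admitted user and switch port and moves that session to quarantine. The class names, the OUI allow-list, the alert format, the severity threshold and the sample end-points are all constructed assumptions.

```python
# Added example (not from the article or any NAC vendor): a toy NAC policy
# engine that admits end-points by identity, posture and device class, then
# maps IDS alerts back to the admitted session and quarantines it. All names,
# thresholds and sample data below are constructed assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    FULL = "full-access"
    RESTRICTED = "restricted"    # guest or printer VLAN
    QUARANTINE = "quarantine"    # remediation VLAN
    DENY = "deny"


@dataclass
class Endpoint:
    mac: str
    ip: str
    switch_port: str
    user: Optional[str] = None          # 802.1X or portal identity; None if none
    os: Optional[str] = None            # as reported by the agent; None if unknown
    posture_ok: Optional[bool] = None   # None = no posture data at all
    device_class: str = "workstation"   # workstation | guest | printer


@dataclass
class Session:
    endpoint: Endpoint
    decision: Decision
    reason: str


# Hypothetical allow-list of printer MAC prefixes (OUIs) kept by the network team.
KNOWN_PRINTER_OUIS = {"00:17:c8", "00:1e:0b"}   # constructed values


def admit(ep: Endpoint) -> Session:
    """Decide what access an end-point gets. Each edge case gets its own
    branch so that 'no data' is never silently treated as 'compliant'."""
    if ep.device_class == "printer":
        # Embedded devices cannot run a NAC client: admit by MAC (MAB) into a
        # VLAN that only allows printing protocols. MAB proves a MAC, not a
        # device, so that VLAN must assume the MAC can be spoofed.
        if ep.mac[:8].lower() in KNOWN_PRINTER_OUIS:
            return Session(ep, Decision.RESTRICTED, "printer OUI on allow-list (MAB)")
        return Session(ep, Decision.DENY, "unregistered MAC on printer port")
    if ep.device_class == "guest":
        # Guest machines are unmanaged, so posture tells you little; give
        # sponsored guests an internet-only VLAN and skip posture entirely.
        if ep.user is None:
            return Session(ep, Decision.DENY, "guest with no portal credentials")
        return Session(ep, Decision.RESTRICTED, "sponsored guest, internet-only")
    # Managed workstation path: identity first, then posture.
    if ep.user is None:
        return Session(ep, Decision.DENY, "no 802.1X identity")
    if ep.posture_ok is None:
        # Non-Windows or mobile client with no posture report: remediation
        # VLAN for manual handling, not a hard deny and not full access.
        return Session(ep, Decision.QUARANTINE, f"no posture data (os={ep.os})")
    if not ep.posture_ok:
        return Session(ep, Decision.QUARANTINE, "posture check failed")
    return Session(ep, Decision.FULL, "authenticated and compliant")


class SessionTable:
    """Maps IP -> admitted session so an IDS alert can name a user and port."""

    def __init__(self):
        self.by_ip = {}   # ip -> Session, for hosts that were not denied

    def admit(self, ep: Endpoint) -> Session:
        s = admit(ep)
        if s.decision is not Decision.DENY:
            self.by_ip[ep.ip] = s
        return s

    def on_ids_alert(self, alert: dict, quarantine_at: int = 3) -> Optional[Session]:
        """alert uses a constructed format: {src_ip, signature, severity}."""
        s = self.by_ip.get(alert["src_ip"])
        if s is None:
            return None   # not a NAC-admitted host; nothing to map back to
        if alert["severity"] >= quarantine_at and s.decision is not Decision.QUARANTINE:
            s.decision = Decision.QUARANTINE
            s.reason = f"IDS {alert['signature']} from {s.endpoint.user or s.endpoint.mac}"
        return s


if __name__ == "__main__":
    table = SessionTable()
    for ep in [   # constructed sample end-points
        Endpoint("00:1a:2b:3c:4d:5e", "10.0.1.10", "Gi1/0/1", user="jsmith", os="Windows XP", posture_ok=True),
        Endpoint("00:1a:2b:3c:4d:5f", "10.0.1.11", "Gi1/0/2", user="mlee", os="Mac OS X"),
        Endpoint("00:17:c8:aa:bb:cc", "10.0.1.20", "Gi1/0/3", device_class="printer"),
        Endpoint("00:1a:2b:00:00:01", "10.0.9.5", "Gi1/0/4", user="guest-0421", device_class="guest"),
    ]:
        s = table.admit(ep)
        print(f"{ep.switch_port} {ep.ip:<10} -> {s.decision.value:<11} ({s.reason})")
    hit = table.on_ids_alert({"src_ip": "10.0.1.10", "signature": "bot C2 beacon", "severity": 4})
    print(f"after IDS alert: {hit.endpoint.user} on {hit.endpoint.switch_port} -> {hit.decision.value}")
```

The design point is in the `None` cases: a Mac or smartphone that reports no posture lands in the remediation VLAN rather than being treated as compliant, a printer is admitted by MAC into a VLAN scoped to printing (because a MAC is all it can prove), and a guest is never posture-checked at all. The IDS side only works because the session table already knows which user and switch port stand behind each address; an alert on an address with no session returns nothing, which is exactly the gap you want your NAC vendor to close with an automated feed.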
NAC crosses boundaries of security teams, network infrastructure teams and desktop/operating system support teams. Each must bring something to the table in defining NAC policies, applying access controls and implementing NAC throughout the network. The greatest chance of success occurs when all of the major stakeholders come together early on and work out issues and obstacles.
Many government agencies use a combination of staff, contractors and outsourcing, which can make agreement and cooperation difficult, especially for a new technology. If your organizational and political challenges seem insoluble, then focus on NAC-like solutions that reside entirely on the end-point, such as those available from Microsoft, Senforce and Symantec, because they don’t require such broad agreement within the organization.
In the world of NAC, most vendors are focused on the enterprise LAN, but your security concerns might extend equally to remote-access environments.
Searching for a single NAC product that can work equally well in both environments will lead you to compromises in one direction or the other. You’ll find that some vendors, including Check Point, Cisco Systems, Juniper and Symantec, are closer to having a single unified solution, but no one has the perfect answer.
When NAC is in place, the network becomes a monitored, controlled and gated facility that a user can’t just plug into. In agencies focused on education or research, or those with broad service mandates, this might be an abrupt change and require some rethinking and re-educating.
Some early education, up and down the staff hierarchy, on the benefits and on the costs in convenience will go a long way toward reducing surprises and increasing acceptance.