Guide to Network Access Control

Mapping your NAC requirements to available NAC products

By Zeus Kerravala, Network World, 08/13/07

Given all the hype surrounding NAC, it's important to sort through both the capabilities NAC can provide you and the LAN security requirements you have. Different NAC architectures lend themselves to solving different business problems, and ultimately, you need to map your needs to the right architecture.

NAC got its start as an admission control technology, authenticating users and scanning their machines for security compliance before allowing them onto the LAN. And frankly, much of the industry discussion of NAC remains focused on this limited definition of the technology.

But NAC designed as a full network access control solution can do a lot more than simply control who comes onto the LAN. It can help you restrict what people can do after they're already on your LAN - controlling what servers they can reach, what data they can access, and even what applications they can run.

The extent of control you can wield in a NAC solution will depend heavily on its architecture. If all you need is simple guest access control - that is, restricting those who are "not one of us" to the Internet and letting those who are "one of us" go anywhere on the LAN - then a simple, out-of-band architecture can easily meet those needs.

If you need more control, restricting what users can do after they are on the LAN, then investigate inline NAC architectures. Since these devices see all the traffic passing through them, they provide a much stronger baseline for control. How much you'll be able to control is still determined by the feature set of a given vendor. For instance, application understanding is critical to controlling users, but some NAC solutions see applications only via Layer 4 information while others decode applications at Layer 7. The greater the feature set, the greater the control you'll have.

You asked what NAC can and can't do for you. A full-featured access control solution should let you perform the following functions:

* Control who can get onto your LAN and limit what resources they can reach;

* Protect your valuable IP;

* Limit the reach of less-trusted or less-known users, such as contractors, technicians, remote users, or offshore workers;

* Restrict who can access sensitive financial or customer records;

* Control access to data based on role, time of day, location, and application;

* Segment users to meet compliance requirements;

* Protect against known and unknown malware;

* Simplify incident response;

* Protect critical application services such as VoIP.

Of course, NAC should not be your only security measure. For example, NAC won't help you with the following tasks:

* Protect information that leaves the premises via e-mail, laptop theft, printouts, or USB storage devices;

* Defend against social engineering;

* Block known malware from entering over the WAN connection;

* Prevent users with authorized access from using data inappropriately.

Auditing capabilities in your NAC solution may allow you to find out what files users accessed, so if need be you can demonstrate someone was looking at information not pertinent to his or her job. However, NAC won't prevent that kind of data from leaving your organization.

In summary, other security techniques such as leak prevention technologies and USB lockdown tools will be key to complementing your NAC deployment, but choosing a full-featured solution can give you significant control over who can access what data on your LAN.


Six tips for selecting the right all-in-one NAC product

By Joel Snyder, Network World Lab Alliance, 07/23/07

The market is swimming in NAC all-in-one appliances. Here is some advice about how to narrow the field to offerings that suit your network's needs.

NAC products vary in how they mix the four components of authentication, endpoint security, access control and management. We found that all-in-one NAC products tend to emphasize endpoint security over authentication, access control and management, because endpoint security is the biggest pain point for network managers looking for an immediate NAC solution. This doesn't mean you can't find an all-in-one product that has strong authentication or enforcement features, but you will need to look a little deeper to be sure you understand how each product works in those areas and whether it will meet your requirements.

Most all-in-one NAC products have some in-band component, even if it's inline only at some point during the user-connection process. Any time a device is in the critical path between users and their data, there is the potential for a performance bottleneck. All-in-one NAC products that are completely inline between users and the rest of the network are going to require careful performance engineering. Many all-in-one NAC vendors try to avoid the perception of a performance problem by taking a hybrid approach: Their products sit inline only during authentication, endpoint-security checking and/or enforcement procedures; then they get out of the way by reconfiguring your switching infrastructure on the fly.

Some of these same vendors are responsible for spreading FUD about competing NAC implementation approaches. Avoid the FUD factor by realizing that all approaches have trade-offs, and there is no silver bullet that makes all performance problems disappear in all environments. Instead, make sure you know what your true performance requirements are - or will be - and communicate those to potential vendors clearly, whether their products sit inline or operate in some hybrid fashion. Put these same specifications in any purchasing documents so you have written backup in case there are performance problems. 

Some enterprises look to NAC endpoint-security measures to determine whether a user's desktop or laptop complies with corporate security policy. While no virus-checker or personal firewall can guarantee that a system is not compromised, a well-designed policy dramatically reduces the risk of problems. Other enterprises are not as concerned with security-policy compliance as they are with detecting and isolating misbehaving systems and users.

Decide which camp you're in and use your position to narrow the field of all-in-one products. We found that no single NAC product does both very well, so even if you are looking for both features, decide which is the more important and emphasize it in your own testing. Because you probably can't test every possible endpoint-assessment combination, decide upfront what's most important to you and look at vendors that focus on the same area as you for their primary endpoint-security strategy.

There is no consensus on the right way to handle NAC client-side agent software. While not every NAC product requires a client all the time, we found that having an installed client can simplify many NAC scenarios dramatically. NAC implementations that don't use an installed client have some very brittle points: browsers with features disabled, users with personal firewalls and a wide variety in platforms that causes significant indigestion for NAC products that try to download a "dissolvable" client when the user is trying to get onto the network.

If your NAC strategy will require a client at some point, don't let years-old experiences with other products put you off the idea of using one for NAC. You may not have liked Gorgonzola cheese as a child, but things have changed, both in how the cheese is made and how it tastes to your adult palate. Software vendors have learned a lot about easing the installation and maintenance of client software, and in many cases they have done a good job. Don't go into an all-in-one NAC project assuming that an installed client is an impossibility. 

At the same time, however, don't let any vendor get away without a good answer for how its product works with Microsoft's Vista. Microsoft is providing some serious tools in Vista to help with all aspects of NAC, including a series of APIs and its own Network Access Protection framework. You may not plan to jump to Vista tomorrow, but you'll be there eventually. If you can use the built-in features of Vista to avoid installing a NAC client, that's obviously a safer product. Make sure your all-in-one NAC vendor is not so all-in-one that it's refusing to integrate with Microsoft's built-in NAC features in Vista - if not already, at least in the near future.

A strong point to all-in-one NAC products is that a single vendor controls most, if not all, of the components. A single-vendor product can lead to a great user experience with a minimum of interoperability hiccups and maximum of integration among its parts. However, don't let a flashy user experience blind you to the necessity for a good management and operations experience.

Remember that the goal of NAC is to get devices and users onto the network, not to keep them off. When someone can't connect, it's critical to identify the problem and solve it as quickly as possible. Many of the all-in-one products we tested were especially weak in the areas of management and operations. It's critical that the network manager be alerted about any problem and be able to identify the cause and quickly debug and solve it. No number of fancy GUIs on the users' systems will make them happy if the network manager can't get them back onto the network quickly.

When evaluating NAC products, make sure you spend some time looking at the management interface. Evaluate whether the product's configuration is easy or hard to understand, whether you can get usable status and exception reports, and whether there are sufficient logs and debugging tools to let you get people back onto the network when the inevitable problems occur. 

Every NAC approach has some potential security weakness, and all-in-one products are particularly vulnerable when it comes to intense architectural analysis. For example, most NAC implementations are susceptible to a "lying client" that falsely claims to be in compliance with security policy.

In every case, it is important to consider why you're installing NAC in the first place: What is the security risk that you're trying to reduce? Just because a NAC product has a rough spot doesn't mean it can't be a valuable tool in increasing your overall security.

Because of the intense heat of the NAC market, security researchers working for competing NAC vendors are quick to point out the flaws of their competition, while asserting that their own products are much more secure. The reality of NAC is that no software or hardware will protect you completely against a determined insider who knows what product you installed, has physical access to your building or is determined to cause trouble.

Solve this problem for your organization by understanding the vulnerabilities of the products you're considering and balancing these weaknesses against your reasons for putting NAC into your network in the first place.

NAC makes headway in enterprise networks

User-based access control gets embedded, enjoys increased interoperability

By Tim Greene, 10/1/07

Network Access Control (NAC) is still a relatively young prospect, so many NAC trends are all about the technology reaching its full potential.

Key among these trends are some of the basics, such as whether NAC technology is mature enough to scale across an entire enterprise and whether most point products can interoperate predictably with complementary offerings.

In more detail, important NAC trends include:

1.) NAC is becoming more embedded in network infrastructure.
NAC appliances can be inserted into networks with little upgrade to the network itself, but these devices are placed near the access layer of networks and large deployments of NAC require a large number of appliances - a scaling issue with which most customers prefer not to deal.

Embedding NAC directly into the network gear for enforcement and adding a NAC policy engine is a better option for the widespread deployments customers are interested in, says Lawrence Orans, an analyst with Gartner. While progress toward this goal is being made, it's not yet a given.

"Many organizations want this – NAC will be embedded in their infrastructure – but, today, much of the infrastructure is not ready, and the vendors truly are not ready yet either," Orans says.

Bradford Networks, ConSentry, Forescout, Lockdown Networks, and Vernier among others, use appliances that sit near switches. Cisco and Juniper have architectures that use their own network gear - firewalls, switches, VPN gateways - as enforcement points.

2.) NAC standards and interoperability are improving
As customers look beyond NAC appliances toward corporate-wide NAC deployments, they are looking for a wider range of features that may require more than one vendor's participation. "You cannot create, enforce, remediate and scale in an appliance. You need to integrate it into the network," says Rob Whiteley, an analyst with Forrester Research.

Progress has been made in the Trusted Computing Group through the participation of more than 60 vendors and the formulation of its own set of NAC standards. But two major NAC players - Cisco and Microsoft - have developed their own extensive NAC partnership programs that certify interoperability with their equipment. And Cisco won't participate at all with TCG.

"There are not a lot of standards to pursue yet, and we need more wholesale adoption," Whiteley says.

3.) Post-connect NAC vendors are adding NAC agents to their offerings.
Vendors such as ConSentry, Forescout, Mirage Networks and Nevis Networks focus on post-connect NAC and scan either without agents or with dissolvable agents. Post-connect NAC keeps an eye on the behavior of machines after they have successfully gained network access.

Post-connect NAC takes various forms, but overall it can monitor traffic and determine whether devices are attempting to access resources for which they are unauthorized. It can also detect whether devices are engaged in apparently malicious behavior such as probing IP addresses and generating large volumes of traffic against individual devices as in a DoS attack.

The post-connect NAC platforms can notify IT staff or can be set to automatically quarantine offending devices, drop the suspicious traffic or shut down network access altogether.

But that is insufficient, says Orans. "It's not enough to do post-connect. You want to know before an endpoint gets on the network the health of that endpoint - preventing rather than reacting," he says.

4.) Identity of the user is becoming more important to NAC policy making.
With knowledge of a user's identity, NAC can go beyond protecting the network from attacks that threaten the network itself to protecting network resources from abuse, Orans says.

Devices can be categorized by security posture, type, location and access method to assess how great a risk the device itself poses to a network. But such decisions about devices don't determine what network resources the person using the machine ought to access. User policies can link an individual or group to a set of resources that they are authorized to use rather than giving them full access to the network. This can prevent abuse and loss of corporate data.

"User policies give control over access to information," Orans says.

5.) Endpoint-checking agents and endpoint-security agents are merging or becoming more compatible.
Endpoint checking agents can gather information on their own or they can tap into other security agents already on endpoints to collect even more detailed information. Some of these security agents, such as McAfee's ePolicy Orchestrator, support numerous security functions such as anti-virus and patch compliance. Information about these functions can be useful in making NAC decisions.

So if Microsoft's NAC agent built into Vista can cull information from anti-virus agents on the same machine, for example, it can deliver better detail about the state of the machine it is reporting on.

Vendors that make endpoint security packages, such as Symantec, are adding NAC agents to these packages. That way the NAC agent doesn't have to be deployed separately and it can harvest valuable endpoint data from the security component of the client software package.

This will help NAC adoption by curbing the number of separate agents that desktop and laptop administrators have to maintain. Adding more software to endpoints is a mark against any technology, not just NAC, Orans says. "A significant inhibitor to adoption has been yet-another-agent. It's true for NAC and for other technologies," he says.

How Does NAC Work Anyway?

It's simple: Who you are should govern what you're allowed to do on the network.

By Joel Snyder, Network World Test Alliance, Network World, 04/03/06

Generic network access control at its core is a simple concept: Who you are should govern what you're allowed to do on the network.

When all of the parts are in place, NAC will be a way to apply a policy for network access across LAN, wireless and VPN infrastructures. The access-control policy in NAC could range from something simple, such as a go/no-go decision on network access or a choice of virtual LANs, to something as complex as a set of per-user firewall rules defining which parts of the network are accessible.

Within a NAC deployment, the IT manager uses three main elements to pick an access-control policy: authentication, endpoint-security assessment and network environmental information.

Authentication is the straightforward "Who are you?" transaction that users are accustomed to with other applications. As a concept, NAC doesn't have special requirements for authentication.

A good NAC deployment would use the same authentication system as other applications. For example, if you're applying NAC to a remote access IPSec VPN tunnel, you should use the same authentication to bring up the IPSec tunnel as you do to authenticate a user.

Endpoint security assessment is the most complex part of selecting a policy in NAC, but it's also the driving factor for deploying NAC in the first place.

The underlying idea is that the security posture of the connecting laptop, desktop or server should be a part of access control policies. For example, if a connecting system doesn't have the standard corporate anti-virus package, the user should get a different access control policy than if everything is installed and all the signatures are up-to-date. 

Network environmental information is a small but important part of selecting access policies in a NAC scheme. Environmental information might be circumstantial data about whether you're connecting via a wireless network or through a VPN, or whether you're in the building or in another country.

These circumstances play into the decision of what access control policy is assigned to the connecting system.

For example, if you're coming in on a VPN, you might not be able to get to as many parts of the network as if you were in the building.

NAC is a hot buzzword; therefore, this component-level definition of what NAC is won't map directly to all NAC products and architectures.

But most products being offered as part of an overall NAC strategy include at least some component, if not all, of this definition.

Mapping NAC terms across vendors
While we've pointed to the Trusted Computing Group's Trusted Network Connect architecture as the one to use to get a handle on NAC terminology in general, this chart shows how vendor-specific terms relate to each other.

For each Trusted Computing Group Trusted Network Connect (TNC) term, the chart gives what it is and the equivalent term in Cisco Network Admission Control, Microsoft Network Access Protection and Juniper Infranet.

Client-side components, collectively called the "Access Requestor"

Integrity Measurement Collector
  What is it? Third-party software that runs on the client and collects information on security status and applications, such as whether A/V is enabled and up-to-date.
  Cisco: Applications, through plug-ins to the Cisco Trust Agent, including Cisco's own Cisco Security Agent.
  Microsoft: System Health Agent, which uses its own API to communicate with the Network Access Protection Agent.
  Juniper: Supports third-party Integrity Measurement Collectors, and you can use Juniper's Host Checker.

Trusted Network Connect Client
  What is it? "Middleware" that runs on the client and talks to the Integrity Measurement Collectors (IMC), collecting their data and passing it to the Network Access Requestor.
  Cisco: Cisco Trust Agent or, if none is there, Cisco Network Admission Control Agentless Host.
  Microsoft: Network Access Protection Agent, which uses its own API to communicate with the Enforcement Client.
  Juniper: Infranet Agent includes this function.

Network Access Requestor
  What is it? Client-side software that connects the client to the network. Typical examples might be an 802.1X supplicant, an IPSec VPN client, or (in Microsoft's NAP) a DHCP client. Used to authenticate the user, but also as a conduit for IMC data to make it to the other side.
  Cisco: Cisco Trust Agent incorporates the communications, with options for using integrated or standalone 802.1X supplicants.
  Microsoft: Enforcement Client.
  Juniper: Infranet Agent, using either Juniper's Enterprise Infranet Agent with their own framework or the Odyssey Agent, which uses the TCG protocols above.

Network-side components

Policy Enforcement Point
  What is it? Component within the network that enforces policy, typically an 802.1X-capable switch or wireless LAN, VPN gateway or firewall.
  Cisco: Network Access Device.
  Microsoft: Enforcement Server.
  Juniper: Enterprise Infranet Enforcer.

Network management components, collectively called the "Policy Decision Point"

Integrity Measurement Verifier
  What is it? Third-party software that receives status information from Integrity Measurement Collectors on clients and validates the status information against stated network policy, returning a status to the TNC Server.
  Cisco: Policy Decision Points, also called the Policy Vendor Server.
  Microsoft: System Health Verifier, with an API to the Network Access Protection Administration Server below.
  Juniper: No specific term, but the function can occur directly on the Infranet Controller or can call out using the Host Check API.

Trusted Network Connect Server
  What is it? "Middleware" acting as an interface between multiple Integrity Measurement Verifiers (IMV) and the Network Access Authority.
  Cisco: This function is incorporated into the Policy Server Decision Points.
  Microsoft: Network Access Protection Administration Server.
  Juniper: Part of Unified Access Control Policy, incorporated into the policy server through the Host Check Server Integration Interface, Host Check policies or interfaces with TNC-TCG IMC/IMVs.

Network Access Authority
  What is it? A server responsible for validating authentication and posture information and passing policy information back to the Policy Enforcement Point.
  Cisco: Access Control Server v4.0.
  Microsoft: Network Policy Server (replaces the Microsoft IAS RADIUS server).
  Juniper: Enterprise Infranet Controller.
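The three inputs described in "How Does NAC Work Anyway?" (authentication, endpoint-security assessment, network environment) and the Policy Decision Point roles in the chart above, combined into one small decision engine. This is an added example written for this page, not code from any NAC product or from the TNC specifications; the IMV checks, VLAN names, subnets and the signature-age threshold are all assumed values chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed corporate policy threshold (not from the article).
MAX_SIGNATURE_AGE_DAYS = 3

# Integrity Measurement Verifiers (IMVs): each validates one claim that the
# client's Integrity Measurement Collectors reported. The claims are
# self-reported by the endpoint, so an IMV can check them against policy
# but cannot prove they are truthful (the "lying client" the article notes).
def imv_antivirus(posture):
    if not posture.get("av_installed", False):
        return "noncompliant"
    if posture.get("av_signature_age_days", 10**6) > MAX_SIGNATURE_AGE_DAYS:
        return "noncompliant"
    return "compliant"

def imv_firewall(posture):
    return "compliant" if posture.get("firewall_enabled", False) else "noncompliant"

IMVS = (imv_antivirus, imv_firewall)

def tnc_server(posture):
    """TNC Server role: fan the posture report out to every IMV and reduce
    their verdicts to a single overall result for the Network Access Authority."""
    verdicts = {imv.__name__: imv(posture) for imv in IMVS}
    overall = "compliant" if all(v == "compliant" for v in verdicts.values()) else "noncompliant"
    return overall, verdicts

@dataclass
class Decision:
    """What the NAA hands back to the Policy Enforcement Point: a VLAN and,
    optionally, per-user firewall rules as ("permit"|"deny", destination)."""
    vlan: str
    rules: list = field(default_factory=list)

def network_access_authority(user, posture, env):
    """NAA role: combine authentication, posture and environment into a policy.
    user: None if authentication failed, else {"name": ..., "group": ...}.
    posture: dict of IMC claims.  env: {"medium": "wired"|"wireless"|"vpn", "location": ...}."""
    if user is None:
        # Guest ("not one of us"): Internet only, no internal subnets.
        return Decision("guest", [("deny", "10.0.0.0/8"), ("permit", "any")])
    overall, _ = tnc_server(posture)
    if overall == "noncompliant":
        # Quarantine: only the assumed remediation subnet is reachable.
        return Decision("quarantine", [("permit", "10.0.99.0/24"), ("deny", "any")])
    if user["group"] == "contractor":
        # Less-trusted users are limited to the assumed contractor subnet.
        return Decision("restricted", [("permit", "10.0.50.0/24"), ("deny", "any")])
    rules = []
    if env["medium"] == "vpn":
        # Coming in over a VPN reaches fewer parts of the network than being in the building.
        rules.append(("deny", "10.0.10.0/24"))  # assumed finance subnet
    rules.append(("permit", "10.0.0.0/8"))
    return Decision("corporate", rules)

if __name__ == "__main__":
    # Constructed sample request: employee over VPN with stale A/V signatures.
    posture = {"av_installed": True, "av_signature_age_days": 7, "firewall_enabled": True}
    print(tnc_server(posture))
    print(network_access_authority({"name": "alice", "group": "employee"}, posture,
                                   {"medium": "vpn", "location": "remote"}))
```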
