Guide to Network Access Control
Six tips for selecting the right all-in-one NAC productBy Joel Snyder, Network World Lab Alliance, 07/23/07
The market is swimming in NAC all-in-one appliances. Here is some advice about how to narrow the field to offerings that suit your network's needs.
NAC products vary in how they mix these four components. We found that all-in-one NAC products tend to emphasize endpoint security over authentication, access control and management, because this is the biggest pain-point for network managers looking for an immediate NAC solution. This doesn't mean you can't find an all-in-one product that has strong authentication or enforcement features, but you will need to look a little deeper to be sure you understand how each product works in those areas to make sure they will meet your requirements.
Most all-in-one NAC products have some inband component(s) - even if it's inline only at some point during the user-connection process. Any time a device is in the critical path between users and their data, there is the potential for a performance bottleneck. All-in-one NAC products that are completely inline between users and the rest of the network are going to require careful performance engineering. Many all-in-one NAC vendors try to avoid the perception of a performance problem by taking a hybrid approach: Their products sit inline only during authentication, endpoint-security checking and/or enforcement procedures; then they get out of the way by reconfiguring your switching infrastructure on the fly.
Some of these same vendors are responsible for spreading FUD about competing NAC implementation approaches. Avoid the FUD factor by realizing that all approaches have trade-offs, and there is no silver bullet that makes all performance problems disappear in all environments. Instead, make sure you know what your true performance requirements are - or will be - and communicate those to potential vendors clearly, whether their products sit inline or operate in some hybrid fashion. Put these same specifications in any purchasing documents so you have written backup in case there are performance problems.
Some enterprises look to NAC endpoint-security measures to determine whether a user's desktop or laptop complies with corporate security policy. While no virus-checker or personal firewall can guarantee that a system is not compromised, a well-designed policy dramatically reduces the risk of problems. Other enterprises are not as concerned with security-policy compliance as they are with detecting and isolating misbehaving systems and users.
Decide which camp you're in and use your position to narrow the field of all-in-one products. We found that no single NAC product does both very well, so even if you are looking for both features, decide which is the more important and emphasize it in your own testing. Because you probably can't test every possible endpoint-assessment combination, decide upfront what's most important to you and look at vendors that focus on the same area as you for their primary endpoint-security strategy.
There is no consensus on the right way to handle NAC client-side agent software. While not every NAC product requires a client all the time, we found that having an installed client can simplify many NAC scenarios dramatically. NAC implementations that don't use an installed client have some very brittle points: browsers with features disabled, users with personal firewalls and a wide variety in platforms that causes significant indigestion for NAC products that try to download a "dissolvable" client when the user is trying to get onto the network.
If your NAC strategy will require a client at some point, don't let years-old experiences with other products put you off the idea of using one for NAC. You may not have liked Gorgonzola cheese as a child, but things have changed, both in how the cheese is made and how it tastes to your adult palate. Software vendors have learned a lot about easing the installation and maintenance of client software, and in many cases they have done a good job. Don't go into an all-in-one NAC project assuming that an installed client is an impossibility.
At the same time, however, don't let any vendor get away without a good answer for how its product works with Microsoft's Vista. Microsoft is providing some serious tools in Vista to help with all aspects of NAC, including a series of APIs and its own Network Access Protection framework. You may not plan to jump to Vista tomorrow, but you'll be there eventually. If you can use the built-in features of Vista to avoid installing a NAC client, that's obviously a safer product. Make sure your all-in-one NAC vendor is not so all-in-one that it's refusing to integrate with Microsoft's built-in NAC features in Vista - if not already, at least in the near future.
A strong point to all-in-one NAC products is that a single vendor controls most, if not all, of the components. A single-vendor product can lead to a great user experience with a minimum of interoperability hiccups and maximum of integration among its parts. However, don't let a flashy user experience blind you to the necessity for a good management and operations experience.
Remember that the goal of NAC is to get devices and users onto the network, not to keep them off. When someone can't connect, it's critical to identify the problem and solve it as quickly as possible. Many of the all-in-one products we tested were especially weak in the areas of management and operations. It's critical that the network manager be alerted about any problem and be able to identify the cause and quickly debug and solve it. No number of fancy GUIs on the users' systems will make them happy if the network manager can't get them back onto the network quickly.
When evaluating NAC products, make sure you spend some time looking at the management interface. Evaluate whether the product's configuration is easy or hard to understand, whether you can get usable status and exception reports, and whether there are sufficient logs and debugging tools to let you get people back onto the network when the inevitable problems occur.
Every NAC approach has some potential security weakness, and all-in-one products are particularly vulnerable when it comes to intense architectural analysis. For example, most NAC implementations are susceptible to a "lying client" that falsely claims to be in compliance with security policy.
In every case, it is important to consider why you're installing NAC in the first place: What is the security risk that you're trying to reduce? Just because a NAC product has a rough spot doesn't mean it can't be a valuable tool in increasing your overall security.
Because of the intense heat of the NAC market, security researchers working for competing NAC vendors are quick to point out the flaws of their competition, while asserting that their own products are much more secure. The reality of NAC is that no software or hardware will protect you completely against a determined insider who knows what product you installed, has physical access to your building or is determined to cause trouble.
Solve this problem for your organization by understanding the vulnerabilities of the products you're considering and balancing these weaknesses against your reasons for putting NAC into your network in the first place.