Guide to Network Access Control
NAC makes headway in enterprise networks
User-based access control gets embedded, enjoys increased interoperability
By Tim Greene, 10/1/07
Network Access Control (NAC) is still a relatively young technology, so many of the trends in NAC are about the technology reaching its full potential.
Key among these trends are some of the basics - whether NAC technology is mature enough to scale across an entire enterprise, and whether point products can interoperate predictably with complementary offerings.
In more detail, important NAC trends include:
1.) NAC is becoming more embedded in network infrastructure.
NAC appliances can be inserted into networks with little upgrade to the network itself, but these devices sit near the access layer, and large deployments of NAC require a large number of appliances - a scaling issue that most customers prefer not to deal with.
Embedding NAC directly into the network gear for enforcement and adding a NAC policy engine is a better option for the widespread deployments customers are interested in, says Lawrence Orans, an analyst with Gartner. While progress toward this goal is being made, it's not yet a given.
"Many organizations want this – NAC will be embedded in their infrastructure – but, today, much of the infrastructure is not ready, and the vendors truly are not ready yet either," Orans says.
Bradford Networks, ConSentry, Forescout, Lockdown Networks and Vernier, among others, use appliances that sit near switches. Cisco and Juniper have architectures that use their own network gear - firewalls, switches, VPN gateways - as enforcement points.
2.) NAC standards and interoperability are improving.
As customers look beyond NAC appliances toward corporate-wide NAC deployments, they are looking for a broader range of features, which may require more than one vendor's participation. "You cannot create, enforce, remediate and scale in an appliance. You need to integrate it into the network," says Rob Whiteley, an analyst with Forrester Research.
Progress has been made in the Trusted Computing Group (TCG), where more than 60 vendors participate and which has formulated its own set of NAC standards, Trusted Network Connect (TNC). But two major NAC players - Cisco and Microsoft - have developed their own extensive NAC partnership programs that certify interoperability with their equipment. And Cisco won't participate at all with TCG.
"There are not a lot of standards to pursue yet, and we need more wholesale adoption," Whiteley says.
3.) Post-connect NAC vendors are adding NAC agents to their offerings.
Vendors such as ConSentry, Forescout, Mirage Networks and Nevis Networks focus on post-connect NAC and scan either without agents or with dissolvable agents. Post-connect NAC monitors the behavior of machines after they have successfully gained network access.
Post-connect NAC takes various forms, but overall it monitors traffic and determines whether devices are attempting to access resources they are not authorized to use. It can also detect whether devices are engaged in apparently malicious behavior, such as probing IP addresses or generating large volumes of traffic against individual devices, as in a DoS attack.
The post-connect NAC platforms can notify IT staff or can be set to automatically quarantine offending devices, drop the suspicious traffic or shut down network access altogether.
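The three checks described above (unauthorized resource access, host probing, and a traffic flood against a single device) and the resulting enforcement actions, as an added example; this is illustration code written for this page, not a product's or the article's own logic. The flow records, the role-to-resource policy, the endpoint roles and the thresholds are all constructed and hypothetical.

```python
"""Post-connect NAC monitor: flags unauthorized access, scanning and floods."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # endpoint that already passed admission
    dst: str
    dport: int
    byte_count: int


# Thresholds are hypothetical tuning values for this example.
SCAN_THRESHOLD = 15            # distinct destination IPs from one source
FLOOD_THRESHOLD = 100_000_000  # bytes from one source to a single destination

# Hypothetical resource policy: role -> set of (destination IP, port) it may reach.
ROLE_ALLOWED = {
    "guest": {("10.0.0.53", 53), ("203.0.113.80", 443)},
    "finance": {("10.0.0.53", 53), ("10.0.20.5", 443), ("10.0.20.6", 1433)},
}
# Role assigned at admission time; unknown endpoints are treated as guests.
ENDPOINT_ROLE = {"10.1.1.10": "guest", "10.1.1.20": "finance", "10.1.1.30": "finance"}


def assess(flows):
    """Return {endpoint: [finding, ...]} for endpoints whose traffic breaks policy."""
    distinct_dsts = defaultdict(set)
    pair_bytes = defaultdict(int)
    findings = defaultdict(list)
    for f in flows:
        distinct_dsts[f.src].add(f.dst)
        pair_bytes[(f.src, f.dst)] += f.byte_count
        role = ENDPOINT_ROLE.get(f.src, "guest")
        if (f.dst, f.dport) not in ROLE_ALLOWED[role]:
            note = f"unauthorized {f.dst}:{f.dport} for role {role}"
            if note not in findings[f.src]:
                findings[f.src].append(note)
    for src, dsts in distinct_dsts.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].append(f"probing {len(dsts)} distinct hosts")
    for (src, dst), total in pair_bytes.items():
        if total >= FLOOD_THRESHOLD:
            findings[src].append(f"flood {total} bytes to {dst}")
    return dict(findings)


def decide(findings):
    """Map findings to the enforcement action a post-connect platform would take."""
    actions = {}
    for src, notes in findings.items():
        kinds = {n.split()[0] for n in notes}
        if "probing" in kinds or "flood" in kinds:
            actions[src] = "quarantine"  # isolate the endpoint
        elif "unauthorized" in kinds:
            actions[src] = "drop"        # drop the offending traffic, keep the session
    return actions


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = (
    [Flow("10.1.1.10", "10.0.0.53", 53, 120),
     Flow("10.1.1.10", "203.0.113.80", 443, 40_000),
     Flow("10.1.1.10", "10.0.20.6", 1433, 900)]                          # guest touching a DB
    + [Flow("10.1.1.20", f"10.0.20.{i}", 445, 60) for i in range(1, 21)]  # SMB sweep
    + [Flow("10.1.1.30", "10.0.20.5", 443, 30_000_000)] * 4               # 120 MB at one server
    + [Flow("10.1.1.40", "10.0.0.53", 53, 90)]                            # unknown host, benign
)

if __name__ == "__main__":
    found = assess(SAMPLE_FLOWS)
    for src, action in decide(found).items():
        print(src, action, found[src])
```

The point of the split between `assess` and `decide` is that the behavioural evidence and the enforcement policy are separate knobs: a deployment that only wants notification replaces `decide` without touching detection.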
But that is insufficient, says Orans. "It's not enough to do post-connect. You want to know before an endpoint gets on the network the health of that endpoint - preventing rather than reacting," he says.
4.) Identity of the user is becoming more important to NAC policy making.
With knowledge of a user's identity, NAC can go beyond protecting the network from attacks that threaten the network itself to protecting network resources from abuse, Orans says.
Devices can be categorized by security posture, type, location and access method to assess how great a risk the device itself poses to a network. But such decisions about devices don't determine what network resources the person using the machine ought to access. User policies can link an individual or group to a set of resources they are authorized to use, rather than giving them full access to the network. This can prevent abuse and loss of corporate data.
"User policies give control over access to information," Orans says.
5.) Endpoint-checking agents and endpoint-security agents are merging or becoming more compatible.
Endpoint-checking agents can gather information on their own, or they can tap into other security agents already on endpoints to collect more detailed information. Some of these, such as the agent managed by McAfee's ePolicy Orchestrator, support numerous security functions such as anti-virus and patch compliance, and information from those functions can be useful in making NAC decisions.
So if Microsoft's NAC agent built into Vista (the Network Access Protection agent), for example, can gather information from anti-virus agents on the same machine, it can deliver better detail about the state of the machine it is reporting on.
Vendors that make endpoint security packages, such as Symantec, are adding NAC agents to these packages. That way the NAC agent doesn't have to be deployed separately, and it can harvest valuable endpoint data from the security component of the client software package.
This will help NAC adoption by curbing the number of separate agents that desktop and laptop administrators have to maintain. Adding more software to endpoints is a mark against any technology, not just NAC, Orans says. "A significant inhibitor to adoption has been yet-another-agent. It's true for NAC and for other technologies," he says.
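How trend 4 (user identity deciding which resources a session may reach) and trend 5 (anti-virus and patch state harvested from the endpoint security agent feeding the health check) fit together in a single admission decision, as an added example. This is illustration code written for this page, not the logic of Microsoft's, Symantec's or McAfee's agents; the report fields, group names, resource names, VLAN names, the signature-age limit and the sample sessions are all hypothetical and constructed.

```python
"""Pre-connect NAC decision: device posture from agent data plus user identity."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class EndpointReport:
    """Facts a NAC agent reports; the AV fields come from the endpoint security suite."""
    host: str
    av_running: bool
    av_signature_date: date
    missing_critical_patches: int
    device_type: str  # "managed" (corporate build) or "byod"


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset  # directory groups resolved at authentication
    report: EndpointReport


MAX_SIGNATURE_AGE_DAYS = 3  # hypothetical policy value

# Hypothetical resource names, keyed by directory group.
GROUP_RESOURCES = {
    "employees": {"email", "intranet"},
    "finance": {"erp", "finance-share"},
    "engineering": {"source-control", "build-farm"},
}
REMEDIATION = {"remediation-server"}  # reachable from every VLAN so fixes can be pulled


def posture(report, today):
    """Classify endpoint health as healthy, degraded or noncompliant."""
    if not report.av_running or report.missing_critical_patches > 2:
        return "noncompliant"
    stale = (today - report.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS
    if stale or report.missing_critical_patches > 0:
        return "degraded"
    return "healthy"


def authorize(session, today):
    """Combine device posture with user identity into a VLAN and resource set."""
    health = posture(session.report, today)
    if health == "noncompliant":
        return {"posture": health, "vlan": "quarantine", "resources": set(REMEDIATION)}

    # Identity decides what the user may reach at all ...
    resources = set()
    for group in session.groups:
        resources |= GROUP_RESOURCES.get(group, set())

    # ... device risk decides how much of that is exposed to this machine.
    if health == "degraded" or session.report.device_type != "managed":
        resources &= GROUP_RESOURCES["employees"]
        vlan = "restricted"
    else:
        vlan = "corporate"
    return {"posture": health, "vlan": vlan, "resources": resources | REMEDIATION}


# Constructed sample sessions; the dates simply match the article's publication month.
TODAY = date(2007, 10, 1)
SAMPLE_SESSIONS = [
    Session("alice", frozenset({"employees", "finance"}),
            EndpointReport("lt-alice", True, date(2007, 9, 30), 0, "managed")),
    Session("bob", frozenset({"employees", "finance"}),
            EndpointReport("lt-bob", True, date(2007, 9, 20), 0, "managed")),
    Session("carol", frozenset({"employees", "engineering"}),
            EndpointReport("mac-carol", True, date(2007, 10, 1), 0, "byod")),
    Session("dave", frozenset({"employees"}),
            EndpointReport("lt-dave", False, date(2007, 10, 1), 0, "managed")),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.user, authorize(s, TODAY))
```

Note that a healthy but unmanaged device (carol) and a stale managed device (bob) land in the same restricted VLAN with only the low-sensitivity resources, while the user's group membership alone never widens access beyond what the device's risk allows; the quarantine result still exposes the remediation server so a noncompliant machine can fix itself and re-authenticate.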