Screening Laptops
The United Nations Population Fund (UNFPA) uses NAC to screen managed laptops that come and go from the agency's network and that were bringing in viruses, says Douglas Concepcion, the network infrastructure/security specialist at UNFPA headquarters in New York City. (See how NAC is helping secure UNFPA.)
The ForeScout gear the UNFPA uses now checks for Symantec antivirus updates and current Windows patches before allowing the machines on the network, he says. If they fail the scan, the user is denied access and directed to call the help desk.
The agency is opening 11 sites worldwide and plans to install a ForeScout CounterACT NAC appliance at each. That will help protect the headquarters network from infection as remote workers access via the UNFPA VPN, Concepcion says.
Double-checking on other security platforms is another NAC capability that is attractive to potential users. "NAC can back up vulnerability scanning and patch management," says John O'Connor, vice president of management information systems at BankFive in Fall River, Mass., who is shopping for NAC to provide overlap protection in the bank's network. "It's an extra layer and can evaluate devices for patches, for example," he says. "If a patch has been distributed and not applied, NAC can pick up on it." In that way it could backstop the bank's patch management software.
Pick and Choose
Businesses should recognize the varied uses of NAC and pick the ones they want, says Joel Snyder, senior partner in Opus One consultancy. "NAC is not a thing you can buy and drop into your network," he says. "Not everybody has it or needs it but it's a set of useful tools you can choose from if it's on the table." (Read a transcript of a chat Snyder had on NAC.)
He says that standards will encourage this picking and choosing by making it possible to plug in gear from different vendors that make products that fulfill certain aspects of NAC -- endpoint checking, endpoint posture evaluation, policy decision making, enforcement, remediation and ongoing behavior monitoring. Businesses will be able to create the NAC environment they need without having to buy all NAC's capabilities, he says.
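The posture-check-then-decide flow that UNFPA describes above (antivirus current? patches applied? otherwise deny and send the user to the help desk) is the "policy decision making" piece of the NAC component list Snyder gives. The following toy policy decision point is an added example, not code from the article, ForeScout or any NAC vendor; the host names, patch identifiers and dates are constructed for illustration. It shows the one design choice a practitioner should insist on: fail closed, so an endpoint whose agent cannot report its antivirus state is quarantined rather than waved through.

```python
"""Toy NAC policy decision point: posture report in, allow/quarantine out.

Added illustration only; the hosts, patch IDs and dates below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"            # production network
    QUARANTINE = "quarantine"  # remediation VLAN; user is told to call the help desk


@dataclass
class Posture:
    """What the endpoint (agent or remote scan) reported about itself."""
    host: str
    av_installed: bool
    av_signature_date: Optional[date]   # None = agent could not determine it
    installed_patches: set[str] = field(default_factory=set)


@dataclass
class Policy:
    max_signature_age_days: int
    required_patches: set[str]


def evaluate(posture: Posture, policy: Policy, today: date) -> tuple[Decision, list[str]]:
    """Return the access decision and the human-readable reasons behind it.

    Fails closed: anything the agent could not verify counts against the host,
    so a broken or missing antivirus agent is quarantined, not allowed through.
    """
    reasons: list[str] = []

    if not posture.av_installed:
        reasons.append("antivirus not installed")
    elif posture.av_signature_date is None:
        reasons.append("antivirus signature date could not be verified")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy.max_signature_age_days:
            reasons.append(
                f"antivirus signatures are {age} days old "
                f"(policy allows {policy.max_signature_age_days})"
            )

    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        reasons.append("missing required patches: " + ", ".join(missing))

    return (Decision.QUARANTINE if reasons else Decision.ALLOW), reasons


def help_desk_message(posture: Posture, reasons: list[str]) -> str:
    """Text a captive portal would show to a quarantined user."""
    return (
        f"{posture.host} was denied network access. Please call the help desk. "
        "Reasons: " + "; ".join(reasons)
    )


# Constructed sample data (hypothetical hosts and patch identifiers).
POLICY = Policy(max_signature_age_days=3,
                required_patches={"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"})
TODAY = date(2024, 1, 15)
SAMPLE_POSTURES = [
    Posture("laptop-ok", True, date(2024, 1, 14),
            {"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"}),
    Posture("laptop-stale-av", True, date(2024, 1, 1),
            {"PATCH-EXAMPLE-1", "PATCH-EXAMPLE-2"}),
    Posture("laptop-unpatched", True, date(2024, 1, 15), {"PATCH-EXAMPLE-1"}),
    Posture("laptop-no-agent", False, None),
]


def run_demo() -> dict[str, Decision]:
    """Evaluate every sample posture; returns host -> decision."""
    results: dict[str, Decision] = {}
    for p in SAMPLE_POSTURES:
        decision, reasons = evaluate(p, POLICY, TODAY)
        results[p.host] = decision
        print(p.host, decision.value, "-", "; ".join(reasons) or "compliant")
    return results


if __name__ == "__main__":
    run_demo()
```

Run it directly and the four constructed laptops print one line each; only `laptop-ok` is allowed. In a real deployment the `Posture` would come from an agent or an unauthenticated scan, the `Decision` would be enforced by a switch, firewall or DHCP assignment, and the reasons list is what the help desk needs to see, which is why the evaluator returns it rather than just a boolean.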
Those standards talks are still ongoing at the IETF, in its Network Endpoint Assessment (NEA) working group, which so far is following the Trusted Network Connect (TNC) architecture mapped out by the industry consortium Trusted Computing Group. While standards will help ease the use of NAC, the technology faces continuing challenges.
For example, with the advent of desktop virtualization, NAC faces further criticism, says Forrester's Whiteley. If a NAC appliance is being used, it will be tough for it to enforce policies on virtual machines that are communicating with each other inside a single physical piece of hardware. The traffic never passes through the NAC device, so the NAC gear can't see it or do anything about it.
Vendors are starting to issue NAC software specifically for virtual machines, but that won't quiet the complaints of those who bought NAC appliances and are frustrated because they don't help in virtual environments, he says.
"Because virtualization has a lot of buzz behind it, if it invalidates your NAC design, companies might say, 'Huh, NAC failed,'" Whiteley says. "It's not that it failed, it just wasn't designed with that scenario in mind."
NAC has matured to some degree, but still has a way to go, says Gartner's Lawrence Orans. At the moment, NAC is in a low spot in its evolution, but he expects that it will emerge better understood as a network security tool. "This is a natural thing for all technologies," he says.
Bottom line: NAC is becoming a tool that businesses are starting to understand and deploy and over time will come to rely on, just as they rely on firewalls, intrusion prevention and VPNs, which are practically ubiquitous technologies.