Implementing NAC products

17 Jan 2008 | SearchSecurityChannel.com


By Yuval Shavit, Features Writer

Network access control (NAC) products are an emerging set of technologies that aim to allow or deny access to endpoints based on information about those endpoints. NAC most frequently refers to a pre-admission process in which an endpoint is scanned before it is allowed to connect to the network.

As with many new technologies, network access control means different things to different people, and there are several ways of implementing it.
The three major categories are infrastructure-based products, drop-in appliances and endpoint software. These are not mutually exclusive and, in fact, are often used in conjunction. A company may install software on its employees' computers to ensure that patches and antivirus are up to date, for instance, while using an appliance to restrict guest computers to a virtual LAN that keeps them off the intranet.

Generally speaking, infrastructure and endpoint software NAC products are more robust, but they can also require costly upgrades and be difficult to set up. Appliances tend to be easier to install but often provide only limited functionality. According to a NAC survey by BT INS, 40% of companies looking into NAC are using a combination of more than one approach. About 21% use only appliances, 17% use only infrastructure-based technologies, and just 5% use only endpoint software. The rest of the respondents to the survey had not yet settled on a method.

NAC appliances

There is a wide variety of NAC appliances on the market today, from dozens of vendors. NAC appliances can work either in-band, sitting between the access point and your customer's router, or out-of-band, by scanning machines and working with a NAC-enabled router to enforce the policies they define. NAC products of this sort often address only a specific part of the network, such as the VPN.

Although a lot of NAC's work is done during pre-admission, you should look for an appliance that also does post-admission scanning, said Peter Giannoulis, an information security consultant with Access 2 Networks Inc., a network consultancy in Toronto. Those appliances continue to scan packets coming from a computer after it has been allowed onto the LAN, and if it looks like that computer is sending unauthorized data -- such as a worm -- the appliance can disconnect the computer.

NAC endpoint software

The best way to see if a computer is fully patched is to conduct a scan of the machine with a software agent. Endpoint software NAC products are installed on employees' computers to ensure they have all system patches, up-to-date antivirus definitions and other configuration specifications you define. For guest access, some vendors offer scanning software that runs within a Web browser. While this isn't as comprehensive as a true standalone application, it does not require installation and thus can be useful for guest access.

Endpoint software is limited in its ability to restrict computers' access to the LAN, however, and your customer will have to come up with a policy for computers that don't have the software installed and can't or won't use a browser-based alternative -- for instance, if the software only runs on Windows. For this reason, endpoint software is often used in conjunction with other NAC products that are in charge of enforcing policy based on information the software gathers.
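
The split described above, as an added example that is not from the original article or any vendor's product: endpoint software reports posture, and a separate enforcement step turns that report into an access decision, including the case of a machine that has no agent. The patch identifiers, the seven-day antivirus threshold and the decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical policy values; a real deployment defines its own.
REQUIRED_PATCHES = {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}  # constructed patch ids
MAX_AV_AGE = timedelta(days=7)                       # assumed freshness limit


@dataclass
class PostureReport:
    """What an endpoint agent or browser-based scan reports before admission."""
    hostname: str
    installed_patches: set
    av_definitions_date: date


def evaluate(report: Optional[PostureReport], today: date):
    """Return (decision, reasons). report is None when no agent or scan ran."""
    if report is None:
        # No posture data at all: keep the machine off the intranet.
        return "guest_vlan", ["no posture report"]
    reasons = []
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if today - report.av_definitions_date > MAX_AV_AGE:
        reasons.append("antivirus definitions out of date")
    # Any failed check denies access; a clean report is admitted.
    return ("deny", reasons) if reasons else ("intranet", [])


# Constructed sample endpoints (not real hosts).
TODAY = date(2008, 1, 17)
COMPLIANT = PostureReport("emp-laptop-01", {"KB-EXAMPLE-1", "KB-EXAMPLE-2"},
                          date(2008, 1, 15))
STALE = PostureReport("emp-laptop-02", {"KB-EXAMPLE-1"}, date(2007, 12, 1))

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT), ("stale", STALE),
                      ("no agent", None)):
        print(name, evaluate(rep, TODAY))
```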

NAC infrastructure

For many companies, appliances are a good way to get started with NAC, but they can be limited in their scope, according to Jon Oltsik, senior analyst of information security at Enterprise Strategy Group, a research firm in Milford, Mass. At a certain point, your customer may want to install NAC across its infrastructure so that it can enforce a consistent policy across all access points, including LANs, VPN and wireless.

This approach is the most comprehensive, and it is also usually the most expensive. Your customer will require complex integration work to ensure consistent policy definition and enforcement, and many companies will also need to upgrade their networks to replace old switches and other hardware with NAC-compatible products.

There are several infrastructure standards for NAC products, but Cisco's dominance in network hardware has given it a de facto advantage for many companies, experts said. Microsoft is also coming out with its own standard, Network Access Protection, which will be released later this year along with the company's Longhorn server operating system. The Trusted Computing Group, a consortium of security vendors, has also defined a NAC standard.


