Many SSL VPN vendors assess the security of endpoints as part of their network-admission routine, but that doesn’t mean these assessments are equivalent to NAC.
The purpose of SSL VPN endpoint checking and NAC are similar - to evaluate the security posture of the device and impose an access policy based on that evaluation.
Most SSL VPN vendors that do this use downloadable software agents to do the work, supplemented by a permanent SSL VPN client for managed machines that need network-layer VPN access.
These agents gather data about the configuration of the device and forward it to a policy server that decides whether the device state warrants access, and if so, to what.
This roughly fits the description of NAC, but here are a few features that are key to NAC that can help distinguish whether SSL VPN checks measure up to the rigors of NAC.
* How is endpoint-check data sent? With NAC, methods range from 802.1x to piggybacking on other authentication schemes or using a captive portal that requires allowing the scan. SSL VPN vendors often lack the richness of options.
* Can the endpoint check gather data from third party clients? NAC vendors actively seek alliances with other software vendors, such as patch-management purveyors, as a means for gathering key information about configuration and security posture.
* How many operating systems does the integrity checker support? This varies from vendor to vendor, but some have a wide range of support including agents for smart phones.
SSL VPN integrity checks may offer sufficient protection even if they don’t include all the elements that NAC does. In fact, the SSL admission control may be appropriate for remote access purposes. It all depends on the needs of the individual customer.
Since NAC is generally applied to LAN-connected devices, not remote access devices, NAC and SSL VPN integrity checks are separate. But it is valuable to compare and contrast what they do in order to devise flexible overall admission policies.