Network mapping for NAC implementation

* A comprehensive network inventory is necessary for NAC implementation, and can be full of surprises

One of the first steps in a NAC implementation is determining exactly which devices are authorized to be on the network and how each should be authenticated.

Getting a comprehensive network inventory is always full of surprises. Network executives report they find devices like hubs that they’d long ago forgotten about still in use. Many offices have small, unauthorized switches attached to Ethernet drops. And many employees use the extra port in their cubicle for an unauthorized wireless access point.

Performing such an inventory by hand is daunting. It takes a team of at least two - one in the wiring closet, one in the office space - tracking down what device is plugged into what port.

This inventory is important because not all devices can be authenticated in the same way.

For instance, a network could demand 802.1x authentication from a properly equipped PC. That would not be possible with a printer or a VoIP phone that lacks 802.1x support, but they both have just as much right to be on the network as the PC.
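The sketch below is an added example, not code from the article or from any NAC product. It takes a constructed inventory of devices seen on switch ports, picks an authentication approach for each, and flags the surprises described above, such as several endpoints on one drop. The sample rows, class names, the `profile-policy` label and the one-endpoint-per-port rule are all assumptions.

```python
from collections import defaultdict

# Constructed sample rows: (switch, port, MAC, device class, has 802.1x supplicant).
# In practice these would come from switch MAC tables joined with an asset list;
# class "unknown" means no asset record matched the MAC.
OBSERVED = [
    ("sw1", "Gi1/0/1", "00:11:22:aa:00:01", "pc", True),
    ("sw1", "Gi1/0/2", "00:11:22:aa:00:02", "printer", False),
    ("sw1", "Gi1/0/3", "00:11:22:aa:00:03", "voip-phone", False),
    ("sw1", "Gi1/0/4", "00:11:22:aa:00:04", "pc", True),
    ("sw1", "Gi1/0/4", "00:11:22:aa:00:05", "pc", True),
    ("sw1", "Gi1/0/4", "00:11:22:aa:00:06", "unknown", False),
    ("sw1", "Gi1/0/5", "00:11:22:aa:00:07", "unknown", False),
]

# Assumed policy: classes that belong on the network but cannot do 802.1x.
NON_8021X_ALLOWED = {"printer", "voip-phone"}

def auth_method(device_class, has_supplicant):
    """Pick how a device should be authenticated, or send it for review."""
    if device_class != "unknown" and has_supplicant:
        return "802.1x"
    if device_class in NON_8021X_ALLOWED:
        return "profile-policy"  # per-class policy, e.g. restricted TCP ports
    return "review"              # not in inventory, or a PC without a supplicant

def plan(observed):
    """Return ({mac: method}, [(switch, port, finding), ...])."""
    by_port = defaultdict(list)
    for switch, port, mac, cls, supp in observed:
        by_port[(switch, port)].append((mac, cls, supp))
    methods, findings = {}, []
    for (switch, port), devs in sorted(by_port.items()):
        # A phone with one PC behind it is normal; more than one other
        # endpoint suggests a hub, small switch or access point on the drop.
        others = [d for d in devs if d[1] != "voip-phone"]
        if len(others) > 1:
            findings.append((switch, port, "multiple endpoints on one port"))
        for mac, cls, supp in devs:
            methods[mac] = auth_method(cls, supp)
            if methods[mac] == "review":
                findings.append((switch, port, f"unclassified device {mac}"))
    return methods, findings

if __name__ == "__main__":
    methods, findings = plan(OBSERVED)
    for mac, method in methods.items():
        print(mac, method)
    for finding in findings:
        print("FINDING", *finding)
```
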

There are tools that can help with this network mapping. One such tool is Great Bay Software’s Beacon Endpoint Profiler, which also has other benefits. These appliances map networks and categorize each attached machine, and they can assign 802.1x policies to non-802.1x devices. For example, if all the printers on a network are assigned a policy that allows access only via certain TCP ports, the Beacon device can distribute that policy so that 802.1x switches apply it to every printer on the network.

Check with your NAC vendor to find out whether it has its own or a partner’s technology that can meet this need.
