Good NAC vs. bad NAC

I love market forces. They have a way of twisting even bad ideas until they match up with what the world really needs.

One way to explain how Cisco's Network Admission Control technology took on a life of its own is to look at the two key elements that make it up. One - using system health to grant or deny access privileges - is just a bad idea. The other - applying network-level controls to user access - is an idea whose time has come. I have written often enough about the absurdity of deploying the infrastructure to check the state of a device. No need to harp on that here. Search Google for the phrase "secure network fabric" if you want to read my rants on that topic.

The exciting development, however, is in access control. The most common practice I see today is that credentials are required to gain access to a corporate network via Microsoft domain authentication. It usually stops there. If you have your user name and password, you are on the network and free to roam (hack).

I first heard about the concept of the user-defined network from John Roese, CTO of Enterasys Networks, about five years ago. The idea was that there would be a detailed policy for every user that would define a custom network enforced with virtual LANs (VLAN), that gave access only to resources needed to do the user's job.

Not only would an engineer, say, not be able to log into the payroll server but she could not even see it on the network. This subdividing of the network would limit the exposure to risk from the devices connected to it. Infected laptops could not spread their malware to others. Malicious employees would be hampered in their ability to scan the network for targets. Visitors would be limited to Internet access only.

Recent network access control (NAC) offerings from vendors are executing on this concept. They contribute the two elements of this architecture that were missing in the past: a policy manager that can discover and define the limited set of resources to which each device or person can connect, and an enforcement point that can handle that many dynamically assigned VLANs.

My advice is to do NAC and run as fast as you can from system-health monitoring and quarantine. Don't be afraid, though, if you hear the word NAC coming from a vendor's mouth. It may have components of a good security architecture you can use. Just make sure you can yank the agents and system-state chaff out of the product and keep the policy and enforcement wheat. In doing so, you will help the market evolve by cutting out unwanted change and encouraging the development of secure networks.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies