Revamp your network security - now
By Mike Rothman, Network World
May 08, 2006 12:02 AM ET
Did you like to blow things up when you were little? Come on, be honest. I'll come clean. More than a few mailboxes fell under
the onslaught of my juvenile pyromania. Being an adult means wanton destruction is frowned upon. But maybe there is something
we can do to regain the thrill.
Try this on for size: You should blow up your network. That's right - over the next 18 months you'll be overhauling your campus
network. It's time. You know you are tired of those old Layer 3 switches. Those are so five years ago. Aren't those boxes
depreciated yet? Get the finance guys on the horn.
The business has changed. The insider threat is real. Folks connect to your network from conference rooms and over VPNs from
unsafe environments. You can't stick your head in the sand anymore. Compliance has teeth and you need to segment networks
and protect sensitive data. Acknowledging this is a huge change for me, since I used to laugh when told that people needed
to secure internal networks.
I remember talking years ago to companies that were pitching that customers needed to extend the protection deeper into the
network. I laughed. The moat is deep and wide. The bad guys cannot get in. Well, now the bad guys are us and they may already
be on the network. We need to make the network much less hospitable to them.
That's where network access control (NAC) comes into play. NAC lets you do a couple of things that are important to protecting
the internal network. First, you can enforce a hygiene policy on the devices that connect to your network.
So if a computer is not patched, doesn't have updated anti-virus or violates some other policy, you can send it to a quarantine
network to be fixed. Cesspools of malware need not even try - they aren't getting onto the network.
Second, NAC lets you manage the flow of traffic through your network based on the device and application. You can make sure
only finance people get to the application housing critical and sensitive financial data. Sure, we've got a lot of work to
do on the policy side to make it easy to deploy and manage, but this is the future. The days of unfettered access to pretty
much whatever is connected to the network are over.
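To make the two NAC functions above concrete, here is a small policy-decision routine added as an illustration (it is not code from Network World or from any NAC vendor). The segment names, the 30-day patch and 3-day signature thresholds, and the sample devices are all constructed assumptions.

```python
# Added illustration of the two NAC functions described above: a hygiene check that
# quarantines non-compliant devices, then segmentation by role. Names, thresholds and
# sample devices are constructed; this is not any vendor's policy engine.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

QUARANTINE, GENERAL, FINANCE = "vlan-quarantine", "vlan-general", "vlan-finance"
MAX_PATCH_AGE = timedelta(days=30)   # assumed policy: OS patches no older than 30 days
MAX_AV_SIG_AGE = timedelta(days=3)   # assumed policy: AV signatures no older than 3 days

@dataclass
class Posture:
    device_id: str
    user_role: str                 # e.g. "finance", "engineering", "guest"
    last_patch: date
    av_installed: bool
    av_signature_date: Optional[date]

def hygiene_failures(p: Posture, today: date) -> List[str]:
    """Return every policy violation; an empty list means the device is clean."""
    failures = []
    if today - p.last_patch > MAX_PATCH_AGE:
        failures.append("patches out of date")
    if not p.av_installed:
        failures.append("anti-virus missing")
    elif p.av_signature_date is None or today - p.av_signature_date > MAX_AV_SIG_AGE:
        failures.append("anti-virus signatures stale")
    return failures

def assign_segment(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Hygiene first: a non-compliant device is quarantined no matter who is logged
    in. Only a clean device with a finance user reaches the finance segment; every
    other clean device lands on the general segment (least privilege by default)."""
    failures = hygiene_failures(p, today)
    if failures:
        return QUARANTINE, failures
    if p.user_role == "finance":
        return FINANCE, ["compliant device, finance role"]
    return GENERAL, ["compliant device, non-finance role"]

if __name__ == "__main__":
    today = date(2006, 5, 8)   # constructed reference date (the column's publication date)
    for d in [
        Posture("cfo-laptop", "finance", date(2006, 4, 20), True, date(2006, 5, 7)),
        Posture("conf-room-pc", "finance", date(2006, 1, 5), True, date(2006, 5, 7)),
        Posture("vpn-contractor", "guest", date(2006, 5, 1), False, None),
    ]:
        segment, why = assign_segment(d, today)
        print(f"{d.device_id:15} -> {segment:16} ({'; '.join(why)})")
```

Note the ordering: the finance user on the unpatched conference-room PC is quarantined, not admitted to the finance segment, because posture is evaluated before role.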
Network World President John Gallant is doing an assessment of the major vendors' NAC strategies on his Vortex blog. It's good stuff - you should read it. I don't have the room to evaluate each strategy in this column,
so I'll leave that heavy lifting to him.
Why can't the existing switches get you there? Do you really need to blow up your network? Truth be told, there will be options
to give your existing switches some more legs. Overlay NAC devices can be deployed either in-line, where they enforce the policies
themselves, or out of band on a SPAN (mirror) port, where they watch traffic and reconfigure the switches to do the enforcement.
You will be able to limp along with your existing switches for a while.
But that's not good enough for you, is it? You're the kind of admin who needs the shiny new campus switches that have these
capabilities built in. You'll have plenty of options to get these secure switches, ranging from the big (Cisco) to the little
(ConSentry) and all sorts in between.