
Network World

Jamey Heary

Top 9 things any NAC solution must do and do well

By jheary on Sat, 08/04/07 - 3:15am.

When evaluating any NAC solution you first need to figure out what features and functions are most important for your environment. I have created this list of the top things that any NAC solution must do and do well to help you toward that end. Like most things in life, the devil is in the details. So even if a vendor says that they perform these functions, you want to make sure that they perform them well.
First let’s cover the top 5; these should be table stakes for any vendor’s NAC solution. However, the effectiveness of each vendor’s implementation of these requirements varies widely. In order to proactively defend the internal network from malicious users, unauthorized users, botnets, viruses, worms, and other malice, a NAC solution must support the following:

  • Authentication - Controlling who is allowed access. This is typically done by forcing the user to log in or authenticate before network access is granted. This authentication could be in the form of a username and password, a unique MAC address, or a system fingerprinting result.
  • Host posture assessment - Determining if the client meets your host security requirements before allowing them onto your network. The end goal is to reduce your exposure to risk by checking the host’s security posture. This typically involves making sure the host has up-to-date operating system security patches, anti-virus software, anti-Spyware software, and is not actively infected with a virus or worm. Ongoing, continuous, host posture assessment is also desirable.
  • Quarantine and Remediation - Any client that does not meet the client security requirements must be quarantined and offered remediation steps. While in network quarantine a host’s network access would be isolated to only those remediation resources that are needed for them to come into compliance. Since the remediation actions will be performed by the end-user the remediation process must be intuitive and undemanding. The more automated it is the better.
  • Authorization - Controlling the amount of network access given to a connecting client. The end goal is to restrict network access, as much as is practical, to only those resources that the user truly needs. The amount of network access is typically determined based on the user’s identity and the security posture of their host.
  • Automated hotfix/version updating – The solution must be able to regularly update its security checks. At a minimum, security checks that deal with inspecting the freshness of AV, AS, and operating system security fixes should be auto-updating. Whether these updating checks are auto-enforcing as well depends on your environment, but the option should be available to you. The purpose of using auto-updating checks is to remove the huge burden of manually tracking down which vendor released which updates, and for which version of their product, and then translating that information into a security check that will do the inspection correctly. Without automating this process, the cost of ongoing maintenance required to find and maintain this information manually could prove prohibitive.
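To make the first five requirements concrete, here is an added example (not code from the post or from any vendor's product) that models the NAC admission pipeline as a small policy engine: authenticate the user, assess the host's posture, quarantine non-compliant hosts to remediation resources only, and otherwise authorize a VLAN by identity. The check thresholds, the role-to-VLAN mapping, the remediation host names, and the "vendor feed" dictionary that drives the auto-updating checks are all constructed for the example; the point of the feed is that rebuilding the policy from newer feed data changes the admission result for an unchanged host without any check being hand-edited.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-in for an auto-updated check feed: the newest
# vendor-published requirements. A real NAC would pull this from the
# vendor; every value here is made up for the example.
CHECK_FEED_V1 = {"os_patch_level": 42, "av_max_age_days": 3,
                 "remediation_hosts": ["patch-server.example.internal",
                                       "av-update.example.internal"]}


@dataclass
class Policy:
    """The current set of security checks, rebuilt whenever the feed changes."""
    required_os_patch_level: int
    max_av_definition_age_days: int
    remediation_hosts: list

    @classmethod
    def from_feed(cls, feed: dict) -> "Policy":
        return cls(feed["os_patch_level"], feed["av_max_age_days"],
                   list(feed["remediation_hosts"]))


@dataclass
class Host:
    mac: str
    os_patch_level: int
    av_installed: bool
    av_definition_date: date
    anti_spyware_installed: bool
    infected: bool


@dataclass
class User:
    username: str
    authenticated: bool
    role: str  # constructed roles: "employee", "contractor"; anything else is a guest


@dataclass
class Decision:
    action: str  # "deny", "quarantine" or "permit"
    vlan: str
    failures: list = field(default_factory=list)
    allowed_destinations: list = field(default_factory=list)


def assess_posture(host: Host, policy: Policy, today: date) -> list:
    """Return the list of posture failures; an empty list means compliant."""
    failures = []
    if host.infected:
        failures.append("active infection detected")
    if host.os_patch_level < policy.required_os_patch_level:
        failures.append(f"OS patch level {host.os_patch_level} below required "
                        f"{policy.required_os_patch_level}")
    if not host.av_installed:
        failures.append("anti-virus not installed")
    elif (today - host.av_definition_date).days > policy.max_av_definition_age_days:
        failures.append("anti-virus definitions out of date")
    if not host.anti_spyware_installed:
        failures.append("anti-spyware not installed")
    return failures


def authorize(user: User) -> str:
    """Identity-based authorization: map the user's role to a VLAN (constructed mapping)."""
    return {"employee": "vlan-corp", "contractor": "vlan-contractor"}.get(user.role, "vlan-guest")


def admit(user: User, host: Host, policy: Policy, today: date) -> Decision:
    """Run the NAC pipeline: authenticate, assess posture, quarantine or authorize."""
    # Authentication: an unauthenticated session gets no network access at all.
    if not user.authenticated:
        return Decision("deny", "none", ["authentication failed"])
    # Host posture assessment against the currently loaded checks.
    failures = assess_posture(host, policy, today)
    # Quarantine: isolate to remediation resources only, and tell the user why.
    if failures:
        return Decision("quarantine", "vlan-quarantine", failures,
                        list(policy.remediation_hosts))
    # Authorization: compliant host, so access is scoped by who the user is.
    return Decision("permit", authorize(user), [], ["any"])


# Constructed sample inputs for the demo.
TODAY = date(2007, 8, 4)
ALICE = User("alice", True, "employee")
NOBODY = User("", False, "guest")
COMPLIANT_HOST = Host("00:11:22:33:44:55", 42, True, date(2007, 8, 2), True, False)
STALE_AV_HOST = Host("00:11:22:33:44:66", 42, True, date(2007, 7, 20), True, False)

if __name__ == "__main__":
    policy = Policy.from_feed(CHECK_FEED_V1)
    print(admit(ALICE, COMPLIANT_HOST, policy, TODAY))   # permit, vlan-corp
    print(admit(ALICE, STALE_AV_HOST, policy, TODAY))    # quarantine, remediation hosts only
    # The feed publishes a newer required patch level: same host, new outcome.
    policy = Policy.from_feed({**CHECK_FEED_V1, "os_patch_level": 43})
    print(admit(ALICE, COMPLIANT_HOST, policy, TODAY))   # quarantine
```

The ordering inside `admit` matters: posture is only assessed for an authenticated session, and authorization is only computed for a compliant host, so a non-compliant user never reaches the role-to-VLAN step. The quarantine decision carries both the reasons and the reachable remediation hosts, which is what a remediation portal would need to show the end user.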

Here are four more requirements that I submit to you should also be included in your decision criteria:

  • Centralized Management – Of course any NAC solution must be manageable but the key here is centralized management. Typically, a large NAC solution will involve several individual components. Ideally, a centralized management system should be able to manage all of the individual components. If the NAC solution requires the integration of multiple different vendor technologies then centralized management is more difficult to achieve. But the more components that can be centrally managed the better. Here are just a few of the benefits of centralized management:
    1. Centralized Admin user access control and accounting
    2. Increases consistency and accuracy of configurations across multiple NAC components
    3. Simplifies policy management of multiple NAC components
    4. Centralizes user tracking, reporting, and auditing
  • Collaborative – A NAC solution must be able to interoperate with other network, security, and authentication devices. At a minimum, it must be able to work with existing LDAP, AD, and RADIUS authentication servers for user authentication. It must be able to interoperate with your existing LAN switches for port-based VLAN switching. And finally, it must interoperate with Microsoft for patch management and with popular AV vendors for keeping their products up to date.
  • Adaptable - A NAC solution must support being implemented pervasively throughout your internal network to be most effective. All clients trying to gain access, by whatever means, to the internal network resources must first be authenticated, posture assessed, and authorized. Common entry points include wired, wireless, VPN, and WAN. Hardening all entry points into your internal network in this way will give you ultimate control over who, how, when, where, and what connects to your internal resources.

  • Highly Available – All critical components of the NAC solution must have the option to be made redundant and fault-tolerant. Ideally it should also be able to fail open in the event of a complete NAC meltdown.

  • ?

So that’s my top 9 NAC solution requirements list; what should the tenth one be?
I’d also like to hear your comments regarding this list, so blog away!

About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
