One concern your NAC folks may not have thought of is that the appliance could make a pirate/cracker's job easier by constructing one all-powerful node that can do anything. Same concern with a proxy server. Why attack all when one is all-powerful!
Posture checking was never initial reason behind NAC
I believe posture checking is a valuable service, but would never have proposed that this is the initial and foremost reason behind Network Access Control deployments. As the name suggests, our customers have predominantly selected NAC products for identity-based access control.
This compartmentalizing of access becomes necessary as devices become more mobile within the enterprise, whether wired or wireless, and network administrators can no longer use port segmentation and ACLs tied to VLANs, since different types of users/devices could access the same port.
Keep in mind, Cisco purchased Perfigo in 2004 to launch a network access control product. This implies that a market was already forming, with several vendors helping to fulfill market requirements.
Posture checking, like identity, location, schedule, device type, authentication method, etc., is just a criterion for developing a network access control policy. As networks and endpoints advance, other criteria will be added to policy creation as necessary.
Seth Goldhammer
Dir Product Management, NAC
TippingPoint
A more in-depth view from someone who has deployed....
Take a look at www.bumpinthewire.com for a real-life, blow-by-blow blog on how one organization solved their access control issues.
Dominic Wilde
VP Marketing
Nevis Networks
www.nevis-blog.com
NAC's dirty little secret
Tim, I think the dirty little secret is that most of these solutions are not really NAC solutions in spite of them calling themselves such. It only confuses the market. Also, the comment from the TippingPoint fellow about Cisco entering the market with the Perfigo acquisition really does show he does not know NAC. Get the facts straight! Yes, post-connect and identity are part of NAC, but it began with and still includes pre-connect posture checks. I have written more about this on my blog here and here.
Alan Shimel
Chief Strategy Officer
StillSecure
RE: NAC's dirty little secrets revealed by early adopters
Having implemented NAC solutions for hundreds of customers (including organizations with a few hundred users to tens of thousands of users), I can say the vast majority (90%+) do in fact run endpoint posture checks. And for most, posture checking was a key factor that led them to look at NAC in the first place.
Yes, posture checking is used as part of the criteria for access policies, as one of the other posts here suggests. But it is also used to reduce the burden on IT staff by automatically checking that systems are up to snuff and helping users to update their own systems if they’re not. This capability alone can drive enough savings in IT to justify the investment in NAC.
That said, it’s also true that customers look to NAC solutions for much more than just posture checking. Some examples include:
- Automatic registration and authentication of new devices (not just PCs/laptops) and users (including guests) on the network
- Enforcement of role-based access policies for users and devices across all access methods (wired, wireless, VPN, etc.)
- Automated or assisted remediation capabilities for non-compliant devices (again, reducing burden on IT staff)
- Visibility into who and what is on the network at any given time, where they are, and how they’re connecting
- Audit trails for all connection attempts, successes/failures, remediation and/or policy enforcement actions taken, etc.
Once they have NAC in place for one or more of these reasons, customers often recognize the added value of using its other capabilities.
Back to my main point – yes, NAC is much more than endpoint posture checking, but posture checking is still a fundamental capability (and in fact a “building block”) of a true NAC solution.
Sincerely,
Frank Andrus
Chief Technology Officer
Bradford Networks
www.bradfordnetworks.com