Interop panel: NAC holds promise, but tread lightly

By Tim Greene, Network World, 09/20/2006

While network access control is generating great interest at Interop, show-goers were told Tuesday they need to carefully evaluate their need for NAC before jumping in -- and then to proceed only with care.

Hype about NAC is generating broad interest, but unless the technology can be tied to practical business needs, it won't warrant the investment, according to vendors on a NAC panel moderated by Joel Snyder, senior partner at Opus One and a member of the Network World Test Alliance.

Businesses should take a simple first step that some are failing to take now: identifying why they want NAC in the first place, Snyder and vendors said. "People don't even know what they want. It's really scary," said Thomas Howard, security solutions engineer for Cisco.

People working in business functions at corporations need to define just how much access groups of employees need so IT staff can write policies that allow that degree of access, said Denzil Wessels, technical marketing manager for Juniper Networks. "Get people in the right groups. You need business maturity to do this."

David Greenstein, chief architect for StillSecure, agreed that such policies should be created at the outset of designing a NAC infrastructure. "You need to say what your policy is, and this usually waits until the end," he said. Often customers wind up identifying their greatest risk and protecting against that without creating a broader hierarchy of threats, he said.

That is not necessarily a bad idea, said Steve Hanna, distinguished engineer working with the Trusted Computing Group (TCG) consortium developing multivendor NAC standards. "Decide what is your greatest pain. Start with particular users working with high-value assets," he said.

Businesses also need to put in place support for 802.1X port-based authentication, which major NAC architectures use to enforce access policies, said Paul Mayfield, group program manager for Windows enterprise at Microsoft.

Hanna urged extremely slow rollouts of NAC. He recommended that businesses turn NAC on in monitoring mode first to get a handle on how many laptops and desktops don't comply with assigned security postures. Many businesses are shocked to learn how many non-compliant workstations they have, and if the NAC is turned on suddenly, the users of these devices swamp help desks with calls, he warned. "You might find nobody is compliant and wind up with a massive problem Monday morning when everybody tries to access their e-mail," he said.
