Part 2 of 2. In second part of our look at important network-access control issues, we take a look at important questions surrounding Cisco, NAC implementation and NAC policies. Review part 1 here. 

Shouldn’t I just wait for Cisco?

Should I deploy a NAC appliance in-line or out-of-band?

What is the best method of enforcing NAC policies?

  Shouldn’t I just wait for Cisco?

There’s really no need to wait because depending on what you want out of NAC, Cisco may already have it.

And if Cisco doesn’t yet offer what you want, there is still no need to wait because you can get alternatives from other vendors.

Cisco has a NAC appliance that can check devices before they get network access for virus software that it is updated and turned on and whether patch levels meet policy.

That said, the device is criticized by some for what it cannot do. “Cisco remains behind many of the other vendors in this space because of the inability to perform assessment checks beyond initial connection,” says Mandy Andress in her recent review of the appliance for Network World.

For example, the device does not perform periodic rechecks of devices once they have been admitted to the network to make sure they maintain their security posture.

The Cisco NAC Appliance does afford multiple enforcement methods, including placing the device inline with traffic where it can restrict traffic directly, having it work in tandem with 802.1X authentication or running it out of band where it controls an access switch. It can also enforce NAC for devices attaching via SSL or IPSec VPN through Cisco gear.

There are other appliances from other vendors that do more, and if Cisco’s appliance comes up short, these others can fill the bill.