
How to decipher confusing NAC claims

By Tim Greene, Network World
February 21, 2008 04:48 PM ET

NAC can be confusing for good reasons: it is genuinely complicated, and it offers a large number of architectural options that only multiply when customers consider multivendor deployments (see slide show).

As they try to sell NAC gear, vendors stake claims that make their products seem more attractive than those of their competitors, and some of these claims warrant investigation to figure out just what's real. (Compare NAC products.)

In an effort to help clear away some of the confusion, here is a look at common claims by NAC vendors and what customers should do to get to the bottom of them.

Claim: NAC can be deployed without a client.

This is true. The question is whether clientless NAC gives as much data for evaluation as NAC with a client.

NAC gear can probe devices from the outside and gather data about the configuration of each device. This information is then used to build a health report for the device, which in turn determines how much network access the device should get.

Clientless NAC checks registry entries, inspects Remote Procedure Call services and examines the file-sharing exposure of end devices. Note that remote registry reads and RPC queries only work if the device permits them, which normally means the scanner needs administrative credentials on the endpoint; without them the probe is limited to what the device exposes to any unauthenticated host on the network. Some vendors' checks mimic the probing an attacker would perform to find weaknesses in systems.

NAC also can be deployed with a client, and this arrangement generally results in a more complete picture of an endpoint's security posture, according to Infonetics Research, which calls such software informational clients. They can be preloaded on a computer or installed in the form of Java or ActiveX agents at network login. "Informational clients can provide all the information available in clientless NAC solutions and more," the company says in a report.

For example, clientless endpoint assessment might find that antivirus software is present and running but not be able to tell what version of signature files it is using.

“You really can’t get a comprehensive understanding of what’s happening with a device that’s connecting to your network without some presence on the desktop,” says Paul Roberts, an analyst with The 451 Group. “I think most NAC vendors realize that. The question is how do you do that.”

Which to deploy depends on the customer's needs. If deploying and maintaining clients is too much of a strain on resources, clientless may be the way to go. If many guest machines need access, clientless scanning is typically the only practical way to evaluate them; otherwise guest machines are either rejected outright or all granted the same limited access without any posture evaluation.

In all cases customers should determine what they need to know about endpoints in order to make an informed decision about whether to grant network access and how much. They should then decide which model, client or clientless, best meets their needs.
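The following toy posture engine is an added illustration, not code from the article or from any NAC vendor's product. It shows the difference described above: the same access policy is applied whether the facts come from an external probe or from an informational client, but facts a clientless probe cannot observe (the antivirus signature version, the local firewall state) come back as unknown, and the policy treats "unknown" as "not verified" rather than assuming the best case. It also models the no-evaluation guest path, where every device gets the same limited access. All host data, the set of probe-visible facts and the signature threshold are constructed assumptions for the example.

```python
"""Toy NAC posture engine contrasting clientless probing with an agent.

Added example, not code from the article or from any NAC vendor.  All host
facts, the policy threshold and the split between probe-visible and
agent-only facts are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Access levels, least to most privileged.
QUARANTINE = "quarantine"   # an observed policy violation: remediation network
LIMITED = "limited"         # nothing violated, but some facts could not be verified
FULL = "full"

# Facts an external scan can observe vs. facts only an agent can report
# (assumed split; real products differ in what they can see remotely).
PROBE_VISIBLE = ("av_running", "rpc_exposed", "file_sharing_open")
AGENT_ONLY = ("av_signature", "firewall_on")

MIN_AV_SIGNATURE = 20080215   # hypothetical minimum acceptable signature build


@dataclass
class Posture:
    """Endpoint facts.  None means 'could not be determined'."""
    source: str
    av_running: Optional[bool] = None
    av_signature: Optional[int] = None
    firewall_on: Optional[bool] = None
    rpc_exposed: Optional[bool] = None        # RPC endpoints reachable from the network
    file_sharing_open: Optional[bool] = None  # writable shares reachable from the network


def clientless_probe(host_facts: dict) -> Posture:
    """Simulate an external scan: only network-observable facts are filled in."""
    return Posture("clientless", **{k: host_facts.get(k) for k in PROBE_VISIBLE})


def client_report(host_facts: dict) -> Posture:
    """Simulate an informational client reporting everything it can read locally."""
    return Posture("client", **{k: host_facts.get(k) for k in PROBE_VISIBLE + AGENT_ONLY})


def evaluate(p: Posture) -> tuple[str, list[str]]:
    """Apply the access policy and return (access_level, findings).

    Unknown facts never count in the device's favour: an observed violation
    means quarantine, an unverified fact caps access at LIMITED."""
    violations, unknowns = [], []

    def require(name, value, ok):
        if value is None:
            unknowns.append(f"{name}: not observable via {p.source} method")
        elif not ok(value):
            violations.append(f"{name}: {value!r} violates policy")

    require("av_running", p.av_running, lambda v: v is True)
    require("av_signature", p.av_signature, lambda v: v >= MIN_AV_SIGNATURE)
    require("firewall_on", p.firewall_on, lambda v: v is True)
    require("rpc_exposed", p.rpc_exposed, lambda v: v is False)
    require("file_sharing_open", p.file_sharing_open, lambda v: v is False)

    if violations:
        return QUARANTINE, violations + unknowns
    if unknowns:
        return LIMITED, unknowns
    return FULL, []


def admit(host_facts: dict, method: str) -> str:
    """Decide the access level for a connecting device.

    method: "client"     -> agent present, full posture available
            "clientless" -> external probe only
            "none"       -> no posture evaluation (e.g. an unscanned guest):
                            every such device gets the same limited access
    """
    if method == "none":
        return LIMITED
    posture = client_report(host_facts) if method == "client" else clientless_probe(host_facts)
    level, _findings = evaluate(posture)
    return level


# Constructed sample endpoints.
HEALTHY = dict(av_running=True, av_signature=20080220, firewall_on=True,
               rpc_exposed=False, file_sharing_open=False)
STALE_AV = dict(HEALTHY, av_signature=20071201)        # AV runs, signatures months old
OPEN_SHARES = dict(HEALTHY, file_sharing_open=True)    # exposure visible from outside


if __name__ == "__main__":
    for name, facts in (("healthy", HEALTHY), ("stale_av", STALE_AV), ("open_shares", OPEN_SHARES)):
        for method in ("client", "clientless", "none"):
            print(f"{name:12s} {method:10s} -> {admit(facts, method)}")
```

The stale-signature host is the case from the article: with an agent it is quarantined, but a clientless probe sees antivirus running and nothing else, so the best it can do is grant limited access because the signature version is unverified. The open-shares host is caught either way, since that exposure is visible from the network.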

Claim: A NAC solution protects wired, wireless and VPN connections.

This is true. In each case, the goal is to block access to users and devices that fail to meet NAC policies, and to do so as close to the network entry point as possible.
