Despite some shortcomings, software-based network access control (NAC) technology that enforces policies on network endpoints is often the first choice of customers who adopt the technology.
Often, those customers say, a corporation already uses a suite of endpoint-security software to which it can add a NAC endpoint client, minimizing the training and investment required.
For example, Hidalgo County, Texas, looked into a Cisco NAC appliance deployment to solve its endpoint-compliance problems, says Renan Ramirez, the county's CIO. "The Cisco solution was going to cost six figures," he says, but the county chose Sophos NAC instead, which cost about $50,000.
The county was already about to buy Sophos antivirus software and the incremental cost of NAC made it worthwhile, he says. "Cost overrules everything," Ramirez says.
Ramirez and other potential customers have three basic options when picking NAC products, and endpoint-based NAC is one of them. The other two are infrastructure-based NAC, which uses switches to enforce policies, and appliance-based NAC, which uses a dedicated appliance to enforce policies (perhaps in conjunction with other network elements).
Each has its shortcomings. For example, NAC products that enforce policies via Dynamic Host Configuration Protocol (DHCP) proxy servers do nothing to stop machines that are configured with static IP addresses and never use DHCP to join the network; such a machine is never routed through the proxy, so its posture is never checked. That makes significant portions of corporate networks invisible to those NAC products, says Ofir Arkin, CTO of NAC vendor Insightix. He is the author of a paper outlining NAC flaws.
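The DHCP-proxy blind spot Arkin describes can be checked for from the defender's side by reconciling the DHCP server's lease table against the hosts a gateway has actually seen on the wire: any active neighbour without a matching active lease is an endpoint the DHCP-proxy NAC never inspected. The Python below is an added example, not code from the article or from any vendor named in it; the lease records, neighbour table and `10.10.5.0/24` hosts are constructed samples.

```python
import ipaddress
import re

# Constructed sample of ISC dhcpd-style lease records (hypothetical hosts).
DHCP_LEASES = """
lease 10.10.5.21 { hardware ethernet 00:11:22:33:44:01; binding state active; }
lease 10.10.5.22 { hardware ethernet 00:11:22:33:44:02; binding state active; }
lease 10.10.5.23 { hardware ethernet 00:11:22:33:44:03; binding state free; }
"""
# Constructed sample of a gateway's neighbour table ('ip neigh' output format).
ARP_TABLE = """
10.10.5.21 dev eth1 lladdr 00:11:22:33:44:01 REACHABLE
10.10.5.22 dev eth1 lladdr 00:11:22:33:44:02 STALE
10.10.5.23 dev eth1 lladdr 00:11:22:33:44:03 REACHABLE
10.10.5.200 dev eth1 lladdr 00:11:22:33:44:ee REACHABLE
10.10.5.1 dev eth1 lladdr 00:11:22:33:44:ff REACHABLE
"""
KNOWN_INFRA = {"10.10.5.1"}  # routers/servers that legitimately use static addresses

LEASE_RE = re.compile(
    r"lease\s+(\S+)\s*\{\s*hardware ethernet\s+([0-9a-f:]+);\s*binding state\s+(\w+);")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]+)\s+(\w+)", re.M)

def parse_leases(text):
    """Map IP -> (MAC, binding state) from dhcpd lease text."""
    return {ip: (mac.lower(), state) for ip, mac, state in LEASE_RE.findall(text)}

def parse_neighbours(text):
    """Map IP -> MAC for neighbours the gateway has exchanged traffic with."""
    return {ip: mac.lower() for ip, mac, state in NEIGH_RE.findall(text)
            if state != "FAILED"}

def find_unleased_hosts(leases, neighbours, known_infra=frozenset()):
    """Hosts on the wire that a DHCP-proxy NAC would never have inspected."""
    findings = []
    for ip, mac in neighbours.items():
        if ip in known_infra:
            continue
        lease = leases.get(ip)
        if lease is None:                      # static address, never saw the proxy
            findings.append((ip, mac, "no DHCP lease"))
        elif lease[1] != "active":             # old lease kept as a static address
            findings.append((ip, mac, f"lease state {lease[1]}"))
        elif lease[0] != mac:                  # leased IP reused by a different NIC
            findings.append((ip, mac, f"MAC differs from lease ({lease[0]})"))
    return sorted(findings, key=lambda f: ipaddress.ip_address(f[0]))

if __name__ == "__main__":
    for hit in find_unleased_hosts(parse_leases(DHCP_LEASES), parse_neighbours(ARP_TABLE), KNOWN_INFRA):
        print(hit)
```

Feed the same functions a real `dhcpd.leases` file and the output of `ip neigh` on the segment's gateway and the findings list is the set of endpoints to investigate or move under switch- or appliance-based enforcement.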
Every customer must decide which architecture is best for them, says Rob Whiteley, an analyst with Forrester Research. "There is no one-size-fits-all," he says.
The upside of NAC that uses endpoint software to enforce policies is that it can provide comprehensive data about the endpoint as well as a remediation mechanism when the NAC agent is part of an endpoint security suite. It also gathers a wealth of data that can be used to prove to regulators that industry or governmental policies have been upheld.
The major downside to endpoint-enforced NAC is largely theoretical so far, and one that customers seem willing to overlook. The problem is that a rootkit that has taken over a machine can make the NAC agent lie about the machine's health, reporting a clean posture the NAC then trusts. This underlying endpoint problem can be mitigated by software that monitors the behavior of machines on the network to determine whether they are acting badly, regardless of what they report. And lying endpoints haven't actually proven to be a problem for many customers.
"[Lying endpoint] is more theoretical to us than practical," says Seth Shestack, associate director of information security at Temple University in Philadelphia, the 28th-largest university in the U.S. "We've had three years of experience with [Symantec NAC] and we haven’t run across it in our experience."
Shestack's main goal was to keep compliant the laptops that came and went from Temple's five campuses, and NAC that involved appliances wouldn't scale. "We would need so many of these devices that it would have been cost-prohibitive," he says. The school has rolled out NAC to 15,000 endpoints, he says.
Comments (4)
It's more cost effective to deploy two NAC systems? By Anonymous on November 12, 2008, 4:17 pm: What are these folks smoking? With a software NAC you can't ignore the cost of endpoint deployment and troubleshooting, you can't control endpoints that don't run...
Let's set the record straight. By Alan Shimel on November 12, 2008, 10:20 pm: I have to agree with the comment before this one, putting two NAC systems in place seems pretty silly. A "NAC for all seasons" would seem a better solution. I have...
Interesting quotes. By Anonymous on November 13, 2008, 11:38 am: Three quotes from the story sum it up: Why they made the choice: > "Cost overrules everything," Ramirez says. What's wrong with the choice: > One downside of software-based...
Not all software-based NAC solutions have these drawbacks. By Anonymous on November 14, 2008, 9:48 pm: There is another software-based NAC solution called Dynamic NAC, that does not have the limitations of traditional software based approaches. If an unmanaged PC...