Businesses use NAC for something other than what it was designed for

Study says containing guests outweighs assessing the posture of endpoints
By Tim Greene, Network World
January 27, 2009 05:50 PM ET

Few customers of network access control use it for what it was intended, preferring instead to deploy the security technology to keep guests and contractors away from corporate production networks, according to a new report.

In 80% of deployments, businesses use NAC to grant limited access to users who have legitimate reasons to connect to the network but who aren’t full-time employees who warrant full network access, according to a report by Gartner.

Establishing that endpoints meet a baseline profile – the reason NAC was invented – runs a distant second, with only 15% of deployments restricting network access based on endpoint posture as determined by NAC tests, according to the report, Network Access Control in 2009 and Beyond.

“The initial driver for NAC, the danger of an infected PC connecting to the network and spreading a worm, has dropped off considerably because Sasser (2003) and Blaster (2004) are distant memories,” according to the report, written by Gartner analysts Lawrence Orans and John Pescatore.

Businesses have two other main reasons for buying NAC, Gartner says. First is to promote identity-aware networking by pairing users’ IP addresses with their individual identities in order to better track what they are up to. The second is to contain the outbreak of worms and other malware as they start to exhibit suspicious behavior.

Generally, buying NAC for one reason leads to expanding its use, Gartner says. The goal of businesses should be to have a clear understanding of why they are buying NAC, but they should be aware of its other possibilities and leave open the option to adopt them, too, the report says.

“Decide which usage case is the primary driver for NAC, and outline a path for adopting other usage cases to reach the full benefits of NAC,” Gartner advises.

Five years ago, NAC was thought up to inspect laptops and desktops as they connected to networks and to provide a mechanism for blocking access if they failed to meet NAC policies. These include having updated operating systems and security software as well as proper firewall settings.

But blocking access based on this assessment is a bad idea, Gartner says. “This approach is rarely used — to do so generally does more harm than good,” the study says. It is more common and more useful to remediate whatever shortcomings the NAC assessment finds, according to Gartner.

Whatever policy shortcomings an endpoint has, they demonstrate that the device has vulnerabilities, not that it presents a danger, so there is no pressing need to quarantine it. “Automated remediation while connected to the network is the more common and less disruptive approach in this case,” Gartner says.

Laptops and desktops that are clearly compromised and dangerous should be isolated, but most NAC products haven’t matured enough to handle this, the study says.

In light of the actual uses that businesses have for NAC, Gartner is revising its definition. It now defines NAC as follows: “A process that evaluates the security state of an endpoint as it connects to the network; monitors the security state of endpoints that are already connected; and implements network access policies based on the state of the endpoint, the threat environment and user identity.”
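The decision logic the article describes (limited access for guests and contractors, remediation rather than quarantine for employees with posture gaps, isolation only for clearly compromised machines, and post-admission monitoring with IP-to-identity pairing) can be written down as a small policy engine. The following is an added example, not code from Network World, Gartner or any NAC product; the roles, check names, the `threat_level` knob and the decision names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

# Added example: a toy NAC policy engine. Roles, posture checks and the
# policy table are assumptions, not any vendor's or Gartner's implementation.


class Role(Enum):
    EMPLOYEE = "employee"
    CONTRACTOR = "contractor"
    GUEST = "guest"


class Decision(Enum):
    FULL = "full-access"
    LIMITED = "limited-access"            # guest/contractor network only
    REMEDIATE = "remediate-while-connected"
    ISOLATE = "isolate"


@dataclass
class Endpoint:
    ip: str
    user: str
    role: Role
    os_patched: bool = True
    av_current: bool = True
    firewall_on: bool = True
    # Evidence of actual compromise (e.g. worm-like scanning), not a posture gap.
    compromise_indicators: list = field(default_factory=list)


def posture_gaps(ep: Endpoint) -> list:
    """Baseline-profile checks; a missing item is a vulnerability, not proof of danger."""
    gaps = []
    if not ep.os_patched:
        gaps.append("os-patches")
    if not ep.av_current:
        gaps.append("security-software")
    if not ep.firewall_on:
        gaps.append("firewall-settings")
    return gaps


def evaluate(ep: Endpoint, threat_level: str = "normal") -> tuple:
    """Return (Decision, reasons) from endpoint state, threat environment and identity."""
    # Clearly compromised endpoints are isolated regardless of who is logged in.
    if ep.compromise_indicators:
        return Decision.ISOLATE, list(ep.compromise_indicators)
    # Guests and contractors get limited access whatever their posture.
    if ep.role is not Role.EMPLOYEE:
        return Decision.LIMITED, [f"role={ep.role.value}"]
    gaps = posture_gaps(ep)
    if not gaps:
        return Decision.FULL, []
    # Employees with posture gaps are remediated while connected. Only under an
    # elevated threat environment (an assumed policy knob) are they held on the
    # limited network until remediation completes.
    if threat_level == "elevated":
        return Decision.LIMITED, gaps + ["threat=elevated"]
    return Decision.REMEDIATE, gaps


class NacSessions:
    """Tracks connected endpoints so identity stays paired with IP and state is re-checked."""

    def __init__(self, threat_level: str = "normal"):
        self.threat_level = threat_level
        self.sessions = {}  # ip -> (Endpoint, Decision)

    def connect(self, ep: Endpoint) -> Decision:
        decision, _ = evaluate(ep, self.threat_level)
        self.sessions[ep.ip] = (ep, decision)
        return decision

    def observe(self, ip: str, indicator: str) -> Decision:
        """Post-admission monitoring: new evidence of compromise re-runs the policy."""
        ep, _ = self.sessions[ip]
        ep.compromise_indicators.append(indicator)
        decision, _ = evaluate(ep, self.threat_level)
        self.sessions[ip] = (ep, decision)
        return decision

    def who_is(self, ip: str) -> str:
        """Identity-aware networking: map an address seen in logs back to a user."""
        return self.sessions[ip][0].user


def demo() -> list:
    """Run the constructed sample endpoints through the engine and return the decisions."""
    nac = NacSessions()
    out = [
        nac.connect(Endpoint("10.0.0.10", "alice", Role.EMPLOYEE)),
        nac.connect(Endpoint("10.0.0.11", "bob", Role.EMPLOYEE, av_current=False)),
        nac.connect(Endpoint("10.0.0.12", "visitor", Role.GUEST, firewall_on=False)),
        nac.observe("10.0.0.10", "worm-like-scanning"),  # alice's machine starts misbehaving
    ]
    return out + [nac.who_is("10.0.0.10")]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The ordering of the checks in `evaluate` is the point: compromise evidence is tested before identity, identity before posture, and posture gaps produce remediation rather than a block unless the threat environment says otherwise. `NacSessions.observe` is the "monitors endpoints that are already connected" clause of Gartner's revised definition, and `who_is` is the IP-to-identity pairing the article lists as the second driver.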


Comments (4)

The good old days of NAC
By alan shimel on January 27, 2009, 10:45 pm
Tim - I agree with Lawrence completely. I think for NAC the mission has changed. I have written more at my blog here: http://www.stillsecureafteralltheseyears.com/ashimmy/2009/01/yearning-for-the-good-old-days-of-nac.html

The pot calling the kettle black?
By LAN_Guy on January 28, 2009, 10:31 am
Alan, it's interesting you'd point out on your blog that "other" vendors jumped on the NAC bandwagon with their IPS roots. To quote your blog... "Just like the underlying...

Get your facts straight
By Alan Shimel on January 28, 2009, 6:25 pm
My LAN Guy (I love people who like to throw stones, but don't have the stones to use their real name), the fact is that exactly because we already had IDS and VAM...

Conficker Worm
By Anonymous on March 10, 2009, 7:44 am
Hi Tim, now that the Conficker (2008-2009) worm is creating ripples across the internet, do you see the fear of infection from the worm as one of the driving forces...
