
DHCP is a core technology for network access control

NAC, NAC - who’s there?

Security Strategies Alert By M. E. Kabay, Network World
June 13, 2006 11:15 AM ET

The long view of security strategies for your network.


Network access control is the process of controlling users' and devices' access to a network. Because of increased employee mobility and the growing number of end-user network-capable devices, tracking and controlling network access has become essential to maintaining data security in corporate networks.

In January, Infonetics Research released the results of a study suggesting significant growth in the NAC market (an 11-fold increase predicted from 2005 to 2008). The firm's press release describes NAC as follows:

“Network access control, or NAC, is considered the holy grail of network security, as it is an intelligent network infrastructure that can identify users, identify and do integrity checks on the computers they are using, and then grant them access to specific locations and/or resources and set policies based on user and machine identity.”

Tim Greene wrote in Network World at the beginning of May that NAC products would be highly visible at Interop Las Vegas. Greene wrote:

“Infonetics breaks NAC designs into three components: clients that check end devices for compliance, enforcement points that impose policies and back-end servers that dictate policies to the enforcement points. NAC identifies and authenticates users and machines, ensures machines meet security policies, sets policies based on user and machine status, and grants access to specified resources. An Infonetics survey recognizes Cisco's Network Admission Control, Microsoft's Network Access Protection (NAP) and the Trusted Computing Group (TCG) consortium's Trusted Network Connect as the three NAC schemes best known among IT executives.” [links added by me]

Richard Kagan is vice president of marketing at Infoblox, a firm that delivers network infrastructure for any NAC deployment scheme; he recently sent me a brief summary of key issues underlying NAC for network architects and security personnel. The following is a lightly edited version of his comments.

* * *

What NAC solution is best for your organization? Stand-alone security applications? 802.1x? Cisco? Microsoft? End-point security is critically important and must take into account the following requirements:

* Networks are largely operating anonymously, with IT departments having limited awareness or control over how the network is being used or by whom.

* Increasingly strict regulatory pressures and security concerns are forcing organizations to establish identity-driven networks which require more control over user access and devices, and in turn, better monitoring of network data.

* NAC products must be able to interact with gear from multiple vendors and systems.

* Ideally, NAC products should not require an infrastructure overhaul.

* Network identity services such as Dynamic Host Configuration Protocol (DHCP) are essential to any NAC solution.

DHCP is the method used in all IP networks for automatically assigning the IP address for networked devices. Address acquisition is the first step for access over IP, so DHCP is a must for any NAC implementation. NAC products must link the DHCP server to the network to enable authorized access; otherwise, IP addresses would be provided to all requesting devices. Consequently, the NAC products you deploy must have a robust DHCP infrastructure that enables today’s advanced services such as voice over IP and wireless applications to support an increasingly mobile workforce.
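An added example, not part of the original newsletter or of Mr. Kagan's comments, of tying lease decisions to authorization: it parses a raw DHCP client message for the hardware address and offers a lease only to registered devices. The `AUTHORIZED_MACS` set, the function names and the sample packet are assumptions standing in for a NAC policy back end.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options
DISCOVER, REQUEST = 1, 3            # option 53 (DHCP message type) values
# Assumption: stand-in for the device registry a NAC policy server would hold.
AUTHORIZED_MACS = {"00:11:22:33:44:55"}

def parse_dhcp(packet: bytes) -> dict:
    """Return the client MAC and DHCP message type from a raw client message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen = struct.unpack_from("!BBB", packet, 0)
    if (op, htype, hlen) != (1, 1, 6):
        raise ValueError("expected a BOOTREQUEST from an Ethernet client")
    mac = ":".join(f"{b:02x}" for b in packet[28:34])  # chaddr is at offset 28
    msg_type, i = None, 240
    while i < len(packet) and packet[i] != 255:        # 255 = end option
        if packet[i] == 0:                             # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        if code == 53 and length == 1:
            msg_type = packet[i + 2]
        i += 2 + length
    return {"mac": mac, "msg_type": msg_type}

def lease_decision(packet: bytes) -> str:
    """Decide what the DHCP server does with one client message."""
    try:
        msg = parse_dhcp(packet)
    except ValueError:
        return "drop"        # malformed input never reaches the lease logic
    if msg["msg_type"] not in (DISCOVER, REQUEST):
        return "ignore"      # releases, informs, etc. are out of scope here
    return "offer" if msg["mac"] in AUTHORIZED_MACS else "withhold"

def build_discover(mac: str) -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER sent by `mac`."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD,
                         0, 0x8000, b"", b"", b"", b"", chaddr, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, DISCOVER, 255])

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "66:77:88:99:aa:bb"):
        print(mac, lease_decision(build_discover(mac)))
```

A lease gate only controls address assignment; the enforcement points described earlier in the article still have to apply policy to traffic on the network.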

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
