
Post-admission NAC devices

Post-admission and pre-admission NAC devices

Cloud Security Alert By Tim Greene, Network World
January 11, 2007 01:45 PM ET

Clarifying issues surrounding this emerging security architecture


One approach to NAC is to install an appliance that enforces policies governing what devices are allowed to do once they are on the network.

These post-admission NAC devices sit between access switches and distribution switches and perform a combination of internal firewalling and intrusion prevention.

These devices can determine when endpoints are attempting to access resources for which they are unauthorized and shut them down. This protects against the activity of worms and viruses that attempt to harm the network as well as individuals who try to access data they are not supposed to.

By contrast, pre-admission NAC determines if the security posture of the device meets corporate policy and uses that information to determine if the device gains network access. Some customers of post-admission devices say they chose them over pre-admission NAC products for two good reasons.

First, post-admission NAC requires no software on the end devices, which relieves customers from installing and maintaining it. Pre-admission software has value - it makes for a more thorough check of the end device and whether its configuration complies with security policies - but some customers say that in their environments, the added security it affords isn't worth the aggravation.

For instance, if antivirus software hasn't been updated recently, the device could be infected. But the risk of that infection isn't great enough to warrant barring an end user from the network.

Second, post-admission NAC acts as a backstop to whatever patching and updating routines the business already has. These routines may not provide perfect security, but they are effective enough, customers say. They feel post-admission NAC will catch more serious problems than either their routine updates or pre-admission NAC.

That is what some customers say. As in any security decision, potential users have to make their own decisions based on the specifics of their businesses' risk analyses.


Tim Greene is senior editor at Network World.
