- The 10 dumbest mistakes network managers make
- Six Windows 7 features admins will actually care about
- Why the iPhone can't be "killed"
- Nortel enterprise chief wants to bring back Bay
- More porn sneaks onto the iPhone
NAC vendors claim their technology can be used to meet requirements of governmental and industry regulations, and a California security consultant says he has used it for just that.
Mirage NAC gear installed in Evans Hotels in San Diego helps the chain meet Payment Card Industry standards, not all of the standards by itself, but some of them, says Peter Bybee, president and CEO of security consulting firm Network Vigilance.
For instance PCI calls for restricting connections between publicly accessible network segments and data about credit card holders. NAC policies can be set with the Mirage gear to block specific interactions among machines, effectively creating the type of separation called for by the standard, Bybee says.
PCI calls for implementing primary server functions on separate physical servers to isolate key applications and data from other services that may be insecure. Simplifying the configuration of each hardware server reduces the opportunity for compromise.
A NAC policy could restrict traffic to one of these dedicated servers to a certain type, thereby demonstrating to PCI auditors that the server is performing a single function. So DNS traffic would not be allowed to and from a DHCP server, for example.
PCI also calls for antivirus software to run on certain endpoints as well as maintaining certain patch levels for software and operating systems. Part of NAC checking includes these items, so it can be used to enforce these requirements and log that the enforcement has occurred.
In some cases PCI calls for and intrusion prevention system to perform some of these functions, but Bybee says NAC can fill the bill. “The auditor doesn’t care if it’s IDS, IPS or NAC, just whether it fulfills the requirement,” he says.
This case happens to deal with Mirage NAC equipment, but these examples could apply to NAC gear made by other vendors. The point is that it shows how NAC can be in the mix of tools used to meet network security regulations (Compare NAC products).
Tim Greene is senior editor at Network World.
Comments (1)
RE: Using NAC to comply with industry regulationsBy tuomoks on February 14, 2008, 2:04 pmYes, NAC can solve some or most of the technical requirements. But giving a clean bill based only on the NAC solution forgets, as usually, that the real endpoint...
Reply | Read entire comment
View all comments