Skip Links

Network World

  • Social Web 
  • Email 
  • Close

Using NAC to comply with industry regulations

How NAC can be used to meet network security regulations
Security: Network Access Control Alert By Tim Greene , Network World , 02/14/2008
Tim Greene
  • Share/Email
  • Tweet This
  • Comment
  • Print

NAC vendors claim their technology can be used to meet requirements of governmental and industry regulations, and a California security consultant says he has used it for just that.

Mirage NAC gear installed in Evans Hotels in San Diego helps the chain meet Payment Card Industry standards, not all of the standards by itself, but some of them, says Peter Bybee, president and CEO of security consulting firm Network Vigilance.

Lippis Report 125: Cisco Launches Cloud-Based Global Correlation Threat Defense: Download now

For instance PCI calls for restricting connections between publicly accessible network segments and data about credit card holders. NAC policies can be set with the Mirage gear to block specific interactions among machines, effectively creating the type of separation called for by the standard, Bybee says.

PCI calls for implementing primary server functions on separate physical servers to isolate key applications and data from other services that may be insecure. Simplifying the configuration of each hardware server reduces the opportunity for compromise.

Related Content

A NAC policy could restrict traffic to one of these dedicated servers to a certain type, thereby demonstrating to PCI auditors that the server is performing a single function. So DNS traffic would not be allowed to and from a DHCP server, for example.

PCI also calls for antivirus software to run on certain endpoints as well as maintaining certain patch levels for software and operating systems. Part of NAC checking includes these items, so it can be used to enforce these requirements and log that the enforcement has occurred.

In some cases PCI calls for and intrusion prevention system to perform some of these functions, but Bybee says NAC can fill the bill. “The auditor doesn’t care if it’s IDS, IPS or NAC, just whether it fulfills the requirement,” he says.

This case happens to deal with Mirage NAC equipment, but these examples could apply to NAC gear made by other vendors. The point is that it shows how NAC can be in the mix of tools used to meet network security regulations (Compare NAC products).

Tim Greene is senior editor at Network World.

  • Share/Email
  • Tweet This
  • Comment
  • Print
Comments (1)
Login
Forgot your account info?

RE: Using NAC to comply with industry regulationsBy tuomoks on February 14, 2008, 2:04 pmYes, NAC can solve some or most of the technical requirements. But giving a clean bill based only on the NAC solution forgets, as usually, that the real endpoint...

Reply | Read entire comment

View all comments

Add comment
Anonymous comments subject to approval. Register here for member benefits.
Have a NetworkWorld account? Log in here. Register now for a free account.

Most Read

View more Most Read

Videos

rssRss Feed

Latest News

rssRss Feed