Clarifying issues surrounding this emerging security architecture
NetClarity is shipping a new version of the software for its NACwall appliances that automatically checks the vulnerability of devices such as laptops that have been unplugged from networks and then return in an unknown security state.
These devices can immediately be allowed back onto the network by policy without undergoing a NAC scan if they are classified as trusted. Then after they are on, they are scanned in the background.
The rationale given by NetClarity is that thorough scans can take a long time and it hurts users’ productivity to wait. Under this scheme, users gain immediate access and get to work. If the machine is found to be insecure, its access can then be restricted.
This diverges from what NAC was set up to do - check the security posture of devices before they get on the network. But it is a tradeoff between risk mitigation and productivity. Even if a device passes a NAC scan there is no guarantee that it is uninfected.
The new version of NetClarity software also can block devices performing malicious activities within 10 milliseconds on average, the company says. So if a machine is allowed onto the network either with or without an endpoint check and then misbehaves, its access can be cut off quickly, limiting the damage it can do.
NACwall enforces policies via instructions to switches, using command-line SSH or Telnet instructions.
In addition to blocking access, the devices can send alerts, audit the offending machines or any combination of these options.
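The admit-then-scan flow described above, written out as an added example that is not NetClarity's code; the device states, the timestamps and the exposure-time bookkeeping are assumptions of this example, not features the article attributes to NACwall.

```python
# Added example (not NetClarity's code): the "admit trusted devices first, scan in
# the background, restrict if insecure" flow, tracking pre-verdict exposure time.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

class State(Enum):
    PENDING_SCAN = "pending_scan"                # untrusted: held until scanned
    ADMITTED_UNVERIFIED = "admitted_unverified"  # trusted: on the network, scan running
    ADMITTED_VERIFIED = "admitted_verified"
    RESTRICTED = "restricted"

@dataclass
class Device:
    mac: str                     # constructed sample identifier
    trusted: bool
    state: State = State.PENDING_SCAN
    admitted_at: Optional[float] = None
    exposure_seconds: float = 0.0               # time on the network before restriction
    actions: List[str] = field(default_factory=list)  # block / alert / audit taken

def has_access(dev: Device) -> bool:
    return dev.state in (State.ADMITTED_UNVERIFIED, State.ADMITTED_VERIFIED)

def on_return(dev: Device, now: float) -> Device:
    """Device reconnects in unknown state: trusted ones are admitted immediately."""
    if dev.trusted:
        dev.state, dev.admitted_at = State.ADMITTED_UNVERIFIED, now
    else:
        dev.state = State.PENDING_SCAN
    return dev

def _restrict(dev: Device, now: float, actions: List[str]) -> Device:
    if dev.admitted_at is not None:
        dev.exposure_seconds = now - dev.admitted_at
    dev.state = State.RESTRICTED
    dev.actions += actions
    return dev

def on_scan_result(dev: Device, vulnerable: bool, now: float) -> Device:
    """Scan verdict (pre-admission for untrusted, background for trusted devices)."""
    if vulnerable:
        return _restrict(dev, now, ["block", "alert", "audit"])  # any mix, per policy
    dev.admitted_at = now if dev.admitted_at is None else dev.admitted_at
    dev.state = State.ADMITTED_VERIFIED
    return dev

def on_malicious_activity(dev: Device, now: float) -> Device:
    """Post-admission misbehaviour is cut off regardless of the scan outcome."""
    return _restrict(dev, now, ["block", "alert"]) if has_access(dev) else dev
```

The `exposure_seconds` value is the window a trusted but vulnerable device spent on the network before the background scan finished, which is the risk the article's tradeoff accepts.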
The software also enables the NACwall appliance to preside over eight physical subnets, up from just one, which makes for a more efficient NAC deployment in networks with multiple virtual LANs.
Tim Greene is senior editor at Network World.