What is NAC anyway?

Click to see: Clear Choice Analysis logo

Generic network access control at its core is a simple concept: Who you are should govern what you're allowed to do on the network.

When all of the parts are in place, NAC will be a way to apply a policy for network access across LAN, wireless and VPN infrastructures. The access-control policy in NAC could range from simple, such as a go/no-go decision on network access or a choice of virtual LANs, or it could be as complex as a set of per-user firewall rules defining which parts of the network are accessible.

Within a NAC deployment, the IT manager uses three main elements to pick an access-control policy: authentication, endpoint-security assessment and network environmental information.

Authentication is the straightforward "Who are you?" transaction that users are accustomed to with other applications. As a concept, NAC doesn't have special requirements for authentication.

A good NAC deployment would use the same authentication system as other applications. For example, if you're applying NAC to a remote access IPSec VPN tunnel, you should use the same authentication to bring up the IPSec tunnel as you do to authenticate a user.

Endpoint security assessment is the most complex part of selecting a policy in NAC, but it's also the driving factor for deploying NAC in the first place.

The underlying idea is that the security posture of the connecting laptop, desktop or server should be a part of access control policies. For example, if a connecting system doesn't have the standard corporate anti-virus package, the user should get a different access control policy than if everything is installed and all the signatures are up-to-date.