Network executives planning to deploy network access control should start with very specific goals, not intricate schemes to quarantine and remediate insecure devices, shut down badly behaving machines and record every connection each device attempts to make on the network.
That's because comprehensive NAC rollouts are costly and complex, and the technology is young enough that even if the goals are simple, the implementation may not be.
For instance, Erickson Retirement Communities in Silver Springs, Md., wanted NAC to block intentionally malicious users from gaining access to the network. "If you can't authenticate successfully, you're going to end up in some dirty [virtual LAN] that gives you Internet access, and that's it," says Scott Erickson, the company's CTO, who oversees the firm's 14 campuses. "I want contractors to be able to get [traffic] in and out, and if auditors are here, for them to use their VPNs. That's really what I was after with NAC."
But even that focused agenda is difficult for Erickson to achieve, for two reasons. One, he has been trying to implement the technology while keeping an eye on his budget. And two, all the elements he needs are not ready, although vendors he works with talk about them as if they are.
This dilemma stems from the many definitions of NAC being bandied about. Initially, NAC as defined by Cisco was a response to the Blaster worm that ravaged networks in 2003. The goal was to check that endpoints had proper patches and updated security in operation before they gained network access.
Since then, useful additions such as internal intrusion-detection/prevention gear have been tacked on to the definition. The technology's profile has soared, and based on the expanded definition, NAC has been split into two parts: preadmission and postadmission.
Erickson was interested in preadmission controls that tie users and machines to policies. He wanted machines to identify themselves as issued by the company or not, then have users identify themselves and use a combination of the two identity checks to determine what, if any, access they get. "Now, if it's a combination of the two, I'll put you into a full, accessible VLAN," he says.
Erickson figured he had all the elements he needed. His Cisco switches are software-upgraded to handle 802.1X port-level policy enforcement, and his Cisco Access Control Server (ACS) RADIUS server is interoperable with Active Directory.
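As an added illustration (not code from the article or from Erickson's deployment), the following Python model applies the preadmission policy described above and builds the RADIUS attributes a server such as Cisco ACS would return in an Access-Accept so that an 802.1X switch places the port in the chosen VLAN. The directory contents, VLAN numbers and helper names are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed directory data: company-issued machine accounts and user accounts.
# A real deployment checks these against Active Directory through the RADIUS server.
COMPANY_MACHINES = {"host/laptop-0042.corp.example", "host/ws-0107.corp.example"}
USER_PASSWORDS = {"jdoe": "Secret!1", "auditor1": "Audit!9"}   # toy stand-in for AD

# Constructed VLAN plan: full access, Internet/VPN only, and the "dirty" guest VLAN.
VLAN_FULL, VLAN_RESTRICTED, VLAN_GUEST = 10, 20, 99

@dataclass
class AuthResult:
    machine_identity: Optional[str] = None   # EAP identity from machine authentication
    user_identity: Optional[str] = None      # EAP identity from user authentication
    user_password: Optional[str] = None

def decide_vlan(r: AuthResult) -> int:
    """Policy from the article: both checks pass -> full VLAN; user only -> restricted; else guest."""
    machine_ok = r.machine_identity in COMPANY_MACHINES
    user_ok = r.user_identity is not None and USER_PASSWORDS.get(r.user_identity) == r.user_password
    if machine_ok and user_ok:
        return VLAN_FULL
    if user_ok:
        return VLAN_RESTRICTED
    return VLAN_GUEST

def tagged_int_avp(attr_type: int, tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer attribute: Type, Length, Tag, 3-byte value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def tagged_str_avp(attr_type: int, tag: int, value: str) -> bytes:
    # RFC 2868 tagged string attribute: Type, Length, Tag, string bytes.
    data = value.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def vlan_avps(vlan: int, tag: int = 1) -> bytes:
    """Attributes sent in Access-Accept so the switch moves the authenticated port into `vlan`."""
    return (tagged_int_avp(64, tag, 13)            # Tunnel-Type = VLAN
            + tagged_int_avp(65, tag, 6)           # Tunnel-Medium-Type = IEEE-802
            + tagged_str_avp(81, tag, str(vlan)))  # Tunnel-Private-Group-ID = VLAN id

def parse_avps(data: bytes) -> dict:
    """Decode the Type/Length/Value stream as the switch would; returns type -> value (tag byte included)."""
    out, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute")
        out[attr_type] = data[i + 2:i + length]
        i += length
    return out
```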
Comments (1)
RE: NAC: Proceed with caution, by prince on October 23, 2007, 12:21 pm
thank you very much