Software-based NAC security useful despite drawbacks

NAC price, scalability and reporting are all strong points

Despite some shortcomings, software-based network access control technology that enforces policies on network endpoints is often the first choice of customers who adopt the technology.

Often a corporation already uses a suite of endpoint-security software to which it can add a NAC endpoint client, minimizing the training and investment required, customers say.

For example, Hidalgo County, Texas, looked into a Cisco NAC appliance deployment to solve its endpoint-compliance problems, says Renan Ramirez, the county's CIO. "The Cisco solution was going to cost six figures," he says, but the county chose a Sophos NAC, which cost about $50,000. (Compare Network Access Control products.)

The county was already about to buy Sophos antivirus software and the incremental cost of NAC made it worthwhile, he says. "Cost overrules everything," Ramirez says.

Pros and cons of software-based NAC offerings

Ramirez and other potential customers have three basic options when picking NAC products, and endpoint-based NAC is one of them. The other two are infrastructure-based NAC, which uses switches to enforce policies, and appliance-based NAC, which uses a dedicated appliance to enforce policies (perhaps in conjunction with other network elements).

Each has its shortcomings. For example, NAC products that enforce policies via Dynamic Host Configuration Protocol (DHCP) proxy servers do nothing to stop machines that use static IP addresses and never go through DHCP to join the network. That leaves significant portions of corporate networks invisible to such NAC products, says Ofir Arkin, CTO of NAC vendor Insightix. He is the author of a paper outlining NAC flaws.
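As an added illustration of the blind spot Arkin describes (this is example code written here, not code from the article or from any vendor it names), the following Python compares the hosts actually seen on a segment, here a constructed ARP-style table, against the DHCP lease table; any host on the wire with no lease is a static-IP machine a DHCP-proxy NAC would never see, and a leased address answering from a different MAC is flagged as well.

```python
from dataclasses import dataclass

# Constructed sample data: addresses the DHCP server has actually leased out.
DHCP_LEASES = {
    "10.0.1.20": "00:11:22:33:44:01",
    "10.0.1.21": "00:11:22:33:44:02",
}

# Constructed sample data: what was observed on the segment, e.g. pulled from
# the access switch's ARP / MAC address tables.
OBSERVED_HOSTS = {
    "10.0.1.20": "00:11:22:33:44:01",  # leased and consistent: DHCP NAC sees it
    "10.0.1.21": "00:11:22:33:44:99",  # leased IP, but a different MAC is using it
    "10.0.1.50": "00:11:22:33:44:50",  # never leased: static address, invisible to DHCP-proxy NAC
}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def find_dhcp_blind_spots(leases, observed):
    """Return the observed hosts a DHCP-proxy NAC cannot police.

    leases:   {ip: mac} as known to the DHCP server
    observed: {ip: mac} as seen on the network
    """
    findings = []
    for ip, mac in sorted(observed.items()):
        leased_mac = leases.get(ip)
        if leased_mac is None:
            # No lease at all: the host configured its own address and never
            # passed through the DHCP proxy, so no policy was ever enforced.
            findings.append(Finding(ip, mac, "static address, no DHCP lease"))
        elif leased_mac.lower() != mac.lower():
            # The address was leased, but a different interface is using it.
            findings.append(Finding(ip, mac, f"address leased to {leased_mac}, seen from different MAC"))
    return findings


if __name__ == "__main__":
    for f in find_dhcp_blind_spots(DHCP_LEASES, OBSERVED_HOSTS):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

Feeding the same comparison with live switch tables and DHCP logs gives a defender a list of endpoints to bring under a different enforcement mechanism (switch-based or appliance-based) rather than trusting the DHCP proxy alone.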

Every customer must decide which architecture is best for them, says Rob Whiteley, an analyst with Forrester Research. "There is no one-size-fits-all," he says.

The upside of NAC that uses endpoint software to enforce policies is that it can provide comprehensive data about the endpoint as well as a remediation mechanism when the NAC agent is part of an endpoint security suite. It also gathers a wealth of data that can be used to prove to regulators that industry or governmental policies have been upheld.

The major downside to endpoint-enforced NAC is largely theoretical so far and one that customers seem willing to overlook. The problem is that rootkits can take over machines to make them lie about their health. This underlying endpoint problem can be mitigated by software that monitors behavior of machines to determine if they are acting badly. And lying endpoints haven't actually proven a problem for many customers.

"[Lying endpoint] is more theoretical to us than practical," says Seth Shestack, associate director of information security at Temple University in Philadelphia, the 28th-largest university in the U.S. "We've had three years of experience with [Symantec NAC] and we haven’t run across it in our experience."

Shestack's main goal was to keep compliant the laptops that came and went from Temple's five campuses, and NAC that involved appliances wouldn't scale. "We would need so many of these devices that it would have been cost-prohibitive," he says. The school has rolled out NAC to 15,000 endpoints, he says.

Another goal of installing NAC was to eliminate denial of service attacks caused by bot-infected machines, he says. "NAC cut DoS attacks on the core networks to zero. I credit NAC for it. That's exactly what stopped it," he says.

One downside of software-based NAC is it can't do much with unmanaged machines that don't have NAC agents running on them. "If you don't own the endpoint then putting an agent on it is either impossible or in many cases a liability. So you wouldn't do that. I think that reason alone is why endpoint solutions have gotten such a bad rap," says Whiteley.

To deal with this problem, McAfee, for instance, is adding enforcement of NAC policies based on behavior via its IPS appliance and next year via a dedicated NAC appliance.

The company recognizes that customers may use more than one category of NAC product. Vinit Duggal, CISO of the $2.2 billion satellite communications company Intelsat, uses McAfee NAC. He tested 802.1X switch-based NAC but felt it didn't offer enough network visibility.

That visibility can be achieved by distributing software to endpoints, which is actually a relatively simple option for Intelsat. The company has acquired other companies, and putting the software on their endpoints brings needed access control and knowledge about network activity, Duggal says. "Our problem is all about visibility throughout Intelsat," he says.

Managed machines with NAC software and McAfee's security suite can be kept up to date or locked out if they are non-compliant, he says, until they are remediated. "It solves the issue that managed machines need to be up to date," Duggal says. "It doesn't solve the problem for those [unmanaged] machines you don’t know about."

The company has many contractors and partners who connect to the Intelsat network with their own laptops, and he needed a way to control them. They don't allow Intelsat to install NAC software. But McAfee has upgraded its IPS appliance to enforce NAC, and this solves the problem for Intelsat, Duggal says. The device discovers misbehaving machines, managed or unmanaged, and can block their access.

Price is a big factor for some customers. In general, endpoint-based NAC costs less than other options, says Whiteley, with $100 per endpoint being a ballpark figure.

For all its usefulness, software NAC doesn't answer all the problems. In Hidalgo County, Ramirez says it doesn't solve his problem screening guest users. "We're probably still in the market for a NAC appliance, too."

This is common, Whiteley says. "I think you'll find most of the software-based NAC products end up using some sort of back-end DHCP solution or a partnership with an appliance to discover unmanaged systems -- and it's not a graceful architecture," he says.

Standards observed by vendors of all types of NAC gear would ease the problem and perhaps make a single central NAC policy enforceable on any platform, he says, and he is hopeful that will come to pass. "If they don't support each other out of the box today, there's going to be a relatively easy upgrade path to get all of these things working together," he says.

Meanwhile, most software NAC customers wind up supplementing it with another form. "Roughly half of deployments are still in hybrid mode where the organization is using a combination of endpoint- and network-based solutions to get it up and running," he says.


Copyright © 2008 IDG Communications, Inc.