6 tips for selecting the right all-in-one NAC product

By Joel Snyder

The market is swimming in NAC all-in-one appliances. Here is some advice about how to narrow the field to offerings that suit your network’s needs.

1. Prioritize your requirements for authentication, endpoint security, access control and overall management before you start shopping.

NAC products vary in how they mix these four components. We found that all-in-one NAC products tend to emphasize endpoint security over authentication, access control and management, because this is the biggest pain point for network managers looking for an immediate NAC solution. This doesn’t mean you can’t find an all-in-one product that has strong authentication or enforcement features, but you will need to look a little deeper at how each product works in those areas to make sure it will meet your requirements.

2. Don’t be frightened by the scalability bogeyman.

Most all-in-one NAC products have some inband component(s) — even if it’s inline only at some point during the user-connection process. Any time a device is in the critical path between users and their data, there is the potential for a performance bottleneck. All-in-one NAC products that are completely inline between users and the rest of the network are going to require careful performance engineering. Many all-in-one NAC vendors try to avoid the perception of a performance problem by taking a hybrid approach: Their products sit inline only during authentication, endpoint-security checking and/or enforcement procedures; then they get out of the way by reconfiguring your switching infrastructure on the fly.

Some of these same vendors are responsible for spreading FUD about competing NAC implementation approaches. Avoid the FUD factor by realizing that all approaches have trade-offs, and there is no silver bullet that makes all performance problems disappear in all environments. Instead, make sure you know what your true performance requirements are — or will be — and communicate those to potential vendors clearly, whether their products sit inline or operate in some hybrid fashion. Put these same specifications in any purchasing documents so you have written backup in case there are performance problems.

3. Clarify your reasons for implementing endpoint-security posture assessment.

Needing NAC to carry out compliance-checking is very different from wanting a NAC box to detect malicious behavior. This sharp distinction nicely differentiates the all-in-one NAC products from one another.

Some enterprises look to NAC endpoint-security measures to determine whether a user’s desktop or laptop complies with corporate security policy. While no virus-checker or personal firewall can guarantee that a system is not compromised, a well-designed policy dramatically reduces the risk of problems. Other enterprises are not as concerned with security-policy compliance as they are with detecting and isolating misbehaving systems and users.

Decide which camp you’re in and use your position to narrow the field of all-in-one products. We found that no single NAC product does both very well, so even if you are looking for both features, decide which is the more important and emphasize it in your own testing. Because you probably can’t test every possible endpoint-assessment combination, decide upfront what's most important to you and look at vendors that focus on the same area as you for their primary endpoint-security strategy.

For the rest of Joel's tips, please click here.

Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

Copyright © 2007 IDG Communications, Inc.