FAQ on NAC

Network access control stands out as one of the most promising security technologies, but it also is one of the most misunderstood.

An FAQ on Network Access Control.

What are the major NAC initiatives?

Are Cisco and Microsoft playing nicely together?

Are there any NAC standards?

Are there stand-alone NAC products on the market?

What types of security functions are part of the NAC environment?

How does NAC work in practice?

Can other types of security products play a role in a NAC environment?

What are the key decision points regarding a NAC purchase?

What is NAC?

At a high level, as defined by Forrester Research, "NAC is a mix of hardware and software technology that dynamically controls client system access to networks based on their compliance with policy." But vendors, eager to get in on the NAC buzz, are often using the NAC label for products that are really only peripheral to the access control process.

What are the major NAC initiatives?

There are three: Cisco's Network Admission Control architecture; the Trusted Computing Group's (TCG) Trusted Network Connect (TNC) program; and Microsoft's Network Access Protection (NAP) architecture.

Are Cisco and Microsoft playing nicely together?

Microsoft's NAP architecture is a major factor in the NAC universe because of the pervasiveness of the company's server and desktop software. However, at this point, key components aren't available, making interoperability impossible to test beyond limited beta versions of Microsoft's NAP platforms. On the upside, 75 vendors have pledged to make their gear interoperable with Microsoft NAP components when they become available. This includes Cisco, with which Microsoft is developing NAP and Cisco-NAC interoperability. Cisco, which is pushing the IETF for NAC standards but does not participate in TCG, has about 30 partners shipping Cisco NAC-compatible gear and another 27 developing such products.

Are there any NAC standards?

The TCG is writing NAC standards to promote multivendor interoperability. The IETF has created a working group to develop NAC standards and Cisco, which does not participate in the TCG, supports the IETF effort.

Are there any stand-alone NAC products on the market?

Cisco, Microsoft and TCG list scores of partners whose gear fits in their NAC schemes and can claim to be NAC vendors. Plus, Juniper has its unified access-control environment. A NAC buyer must find out what a vendor means by "NAC support," but single devices fitting the NAC bill include products from ConSentry Networks, Nevis Networks, StillSecure and Vernier Networks. Other NAC vendors, such as Lockdown Networks and Mirage Networks, work in conjunction with partners. This is not a comprehensive list.

What types of security functions are part of the NAC environment?

Authentication; endpoint scans; policy compliance checks; policy creation, enforcement and management.

How does NAC work in practice?

NAC products scan computers and other devices before they get on the network to determine whether they possess a security posture in line with corporate policy. Is virus-scanning software up-to-date? Is the operating system patched? Is a personal firewall in use? That process requires an engine capable of matching scan results to policies to see if the device is qualified to gain access. And it entails devices that can enforce the policy engine's decision: to block access, to restrict access to certain resources or to allow access only to an isolated network segment where security functions can be brought up-to-date.

Can other types of security products play a role in a NAC environment?

Yes. For example, CA's eTrust antivirus and antispyware software play in Cisco's NAC environment by delivering status information to Cisco's Trust Agent. The agent gathers data from the CA software and other software on desktops and laptops to develop a profile of the computers trying to access the network. Similarly, IBM's Tivoli Security Compliance Manager is Cisco NAC-compatible because it scans machines coming onto the network. By itself it can't enforce whether the device gains access; it needs infrastructure from Cisco or some other vendor to enforce policy.

What key questions should network executives ask themselves regarding an investment in NAC?

- Do company decision-makers agree that the business needs different levels of access control? 

- Does the infrastructure have a specific need that NAC can address, or does network security in general need beefing up?

- Does my road map adequately address a potential move from current products to the eventual industry-standard products if an enterprisewide NAC deployment becomes appropriate?

- Does the NAC product need to fit into my existing infrastructure or will NAC be part of a wide-ranging overhaul?

- Are tracking, monitoring and logging events controlled by NAC important for this organization?


< Previous story: Performance management from the client's point of view | Next story: Having a NAC for network security>

Learn more about this topic

Having a NAC for network security

11/13/06

NAC competition: Juniper’s infranet

4/3/06

 
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT