As network borders become increasingly difficult to define, and as pressure mounts on organizations to allow many different devices to connect to the corporate network, network access control (NAC) is seeing a significant resurgence in deployment. Once seldom used by organizations, endpoint protection is now a key part of IT security, and network access control products have a significant part to play in that. From a hacker's perspective, well-implemented and managed NAC products can mean the difference between a full network compromise and total attack failure.
Today, NAC is often positioned as a security solution to the BYOD era, but it is also increasingly becoming a very useful tool in network management -- acting as a gatekeeper to the network. It has moved away from being a system that blocks all access unless a device is recognized, and is now more permissive, allowing for fine-grained control over what access is permitted based on policies defined by an organization. By supporting wired, wireless and remote connections, NAC can play a valuable role in securing all of these types of connections.
Once an organization has determined that NAC will be useful to its security profile, it's time to consider the different purchasing criteria for choosing the right NAC product for its environment. NAC vendors provide a dizzying array of information, and it can be difficult to differentiate between their products. When you're ready to buy NAC products and begin researching your options -- and especially when speaking to vendors to determine the best choice for your organization -- consider the questions and features outlined in this article.
NAC device coverage: Agent or agentless?
NAC products should support all devices that may connect to an organization's network. This includes many different configurations of PCs, Macintoshes, Linux devices, smartphones and tablets. This is especially true in a BYOD environment. NAC agents are small pieces of software installed on a device that provide detailed information about the device -- such as hardware configuration, installed software, running services, antivirus versions and connected peripherals. Some can even monitor keystrokes and Internet history, though that presents privacy concerns. NAC agents can either run scans as a one-off (dissolvable) or periodically via a persistently installed agent.
If the NAC product uses agents, it's important that they support the widest variety of devices possible, and that the product can fall back to agentless NAC when required. In many cases an organization will need the NAC product to support agentless operation in order to detect BYOD devices and devices that cannot run an agent at all, such as printers and closed circuit television equipment. Agentless NAC allows a device to be scanned by the network access controller and given the correct designation based on the class of device. This is achieved through port scans and operating system version detection, so it yields a fingerprint of the device rather than the detailed posture data an agent can report.
Agentless NAC is a key component in a BYOD environment, and most organizations should look at this as "must-have" when buying NAC products. Of course, gathering information via an agent will provide more information on the device, but it's not viable on a network that needs to support many different devices.
Does the NAC product integrate with existing software and authentication?
This is a key consideration before you buy a NAC product, as it is important to ensure it supports the type of authentication that best integrates with an organization's network. The best NAC products should offer a variety of choices -- 802.1X (through the use of a RADIUS server), Active Directory, LDAP or Oracle. NAC will also need to integrate with the way an organization uses the network. If staff use a specific VPN product to connect remotely, for example, it is important to ensure the NAC system integrates with it.
It is a significant overhead to support many different security systems that do not integrate with one another. A key differentiator between the different NAC products is not only what type of products they integrate with, but also how many systems within each category. Consider the following products that an organization may want to integrate with, and be sure the NAC product chosen supports the products already in place:
1. Security information and event management (SIEM): Integrating with SIEM can give context to alerts by providing detailed information regarding the device on the IP address that is the subject of the alert.
2. Vulnerability assessment
3. Advanced threat detection
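The two preceding sections describe how a NAC policy decides what access to grant from agent posture data versus an agentless fingerprint, and how SIEM integration adds device context to an alert keyed by IP address. The following is an added example, written for this article rather than taken from it or from any NAC vendor's product, of such a policy engine and enrichment lookup. The endpoint records, VLAN names, the minimum antivirus version and the alert are all constructed sample data, and the classification rules are illustrative assumptions, not any product's actual logic.

```python
"""Added example: a minimal NAC policy engine with agent and agentless paths,
plus SIEM alert enrichment from the NAC endpoint inventory.
All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Endpoint:
    mac: str
    ip: str
    source: str                        # "agent" or "agentless"
    os: str = "unknown"                # reported by the agent, or an OS-detection guess
    device_class: str = "unknown"      # agentless classification (printer, camera, ...)
    open_ports: Tuple[int, ...] = ()   # from the agentless port scan
    av_version: Optional[str] = None   # posture detail only an agent can report
    patched: Optional[bool] = None     # posture detail only an agent can report


# Hypothetical policy threshold: antivirus engine must be at least this version.
MIN_AV_VERSION = (12, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.6.1' into (12, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assign_access(ep: Endpoint) -> dict:
    """Return the VLAN the endpoint is placed in and why.

    Agent data supports real posture decisions (AV, patch state).  Agentless
    data only identifies the kind of device, so those devices land in a
    restricted segment appropriate to their class rather than the corporate LAN.
    """
    if ep.source == "agent":
        if ep.av_version is None or parse_version(ep.av_version) < MIN_AV_VERSION:
            return {"vlan": "quarantine", "reason": "antivirus missing or out of date"}
        if ep.patched is False:
            return {"vlan": "remediation", "reason": "missing patches"}
        return {"vlan": "corporate", "reason": "agent posture checks passed"}

    # Agentless path: classify by device class and service fingerprint.
    if ep.device_class == "printer" and 9100 in ep.open_ports:
        return {"vlan": "printers", "reason": "printer fingerprint (JetDirect port open)"}
    if ep.device_class == "camera":
        return {"vlan": "iot", "reason": "CCTV fingerprint"}
    if ep.os.lower().startswith(("ios", "android")):
        return {"vlan": "byod", "reason": "mobile device without agent"}
    return {"vlan": "guest", "reason": "unrecognised agentless device"}


def enrich_alert(alert: dict, inventory: List[Endpoint]) -> dict:
    """Attach NAC context to a SIEM alert that only carries a source IP."""
    enriched = dict(alert)
    for ep in inventory:
        if ep.ip == alert.get("src_ip"):
            enriched["nac"] = {
                "mac": ep.mac,
                "os": ep.os,
                "device_class": ep.device_class,
                "source": ep.source,
                "vlan": assign_access(ep)["vlan"],
            }
            return enriched
    enriched["nac"] = None  # unknown to NAC: itself a useful signal for the analyst
    return enriched


# Constructed sample inventory (MACs and IPs are placeholders).
SAMPLE_INVENTORY = [
    Endpoint("00:11:22:33:44:01", "10.0.0.11", "agent", os="Windows 11",
             av_version="12.6", patched=True),
    Endpoint("00:11:22:33:44:02", "10.0.0.12", "agent", os="macOS 14",
             av_version="11.9", patched=True),
    Endpoint("00:11:22:33:44:03", "10.0.0.13", "agent", os="Windows 10",
             av_version="12.6", patched=False),
    Endpoint("00:11:22:33:44:04", "10.0.0.14", "agentless", os="embedded",
             device_class="printer", open_ports=(631, 9100)),
    Endpoint("00:11:22:33:44:05", "10.0.0.15", "agentless", os="iOS 17",
             device_class="mobile"),
    Endpoint("00:11:22:33:44:06", "10.0.0.16", "agentless"),
]

# Constructed SIEM alert that carries only an IP address.
SAMPLE_ALERT = {"rule": "outbound connection to unusual port", "src_ip": "10.0.0.14"}

if __name__ == "__main__":
    for ep in SAMPLE_INVENTORY:
        print(ep.mac, ep.source, assign_access(ep))
    print(enrich_alert(SAMPLE_ALERT, SAMPLE_INVENTORY))
```

Running the block prints the VLAN decision for each sample endpoint and the enriched alert, which now tells an analyst that the alerting IP belongs to an agentless device classified as a printer on the printer VLAN; the same alert against an IP the NAC has never seen comes back with `nac: None`, which is worth alerting on in its own right.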
Does the NAC product aid in regulatory compliance?
NAC can help achieve compliance with many different regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, International Organization for Standardization 27002 (ISO 27002) and National Institute of Standards and Technology (NIST) guidance. Each of these stipulates certain controls that should be implemented regarding network access, especially around BYOD and rogue devices connecting to the network.
NAC can help with compliance with many of these regulations by continually monitoring network connections and performing actions based on the policies set by an organization. These policies can, in many cases, be configured to match those of the mentioned compliance regulations. So, when buying NAC products, be sure to have compliance in mind and select a vendor that can aid in this process -- be it through specific knowledge in its support team, or through predefined policies that can be tweaked to provide the compliance required for your individual business.
What is the true cost of buying a NAC product?
When you are ready to buy NAC products, this can be the most significant consideration, depending on the budget available for the procurement. Most NAC products are charged per endpoint (device) that is connected to the network. On a large network, this can quickly become a significant cost. There are often hidden costs with NAC products that must be considered when assessing purchase criteria.
Consider the following costs before you buy NAC:
1. Add-on modules. Does the basic price give organizations all the information and control they need? NAC products often have hidden costs, in that the basic package does not provide all functionality required. The additional cost of add-on modules can run into tens of thousands of dollars on a large network. Be sure to look at what the basic NAC package includes, and investigate how the organization will be using NAC. Is there extra functionality that will be required for the NAC product to provide all the benefits required?
2. Upfront costs. Are there any installation charges or initial training that will be required? Be sure to factor these into the calculation, on top of the price per endpoint (of course).
3. Support costs. What level of support does the organization require? Does it need one-off or regular training, and does it require 24x7 technical support? This can add significantly to the cost when buying NAC products (more on support in the next section).
4. Staff time. While not a direct cost of buying NAC products, consider how much monitoring a NAC system requires. Time will need to be set aside not only to learn the NAC system, but to manage it on an ongoing basis and respond to alerts. Even the best NAC systems will require staff to be trained, so that if problems occur there are people available to address them.
NAC product support: What's included?
Support from the NAC manufacturer is an important consideration, from the perspective of the success of the rollout and from assessing the cost. Some of the questions that should be asked are:
- What does the basic support package (if any) include?
- What is the cost of extended support?
- Is support available at all times?
- Does the vendor have a significant presence in the organization's region? For example, some NAC providers are primarily U.S.-based, and if an organization is based in EMEA, the vendor may not provide the same level of support there.
- Is onsite training available and included in the license?
Support costs can significantly drive up the cost of deployment and should be assessed early in the procurement process.
What to know before you buy NAC
When it comes to purchasing criteria for network access control products, it is important not only that a NAC system is capable of detecting all devices that connect to an organization's network, but that it integrates as seamlessly as possible. The cost of attempting to shoehorn existing processes and systems into a NAC product that does not offer integration can quickly skyrocket, even if the initial price is on the cheaper side.
NAC should also work for the business, not against it. In the days when NAC products only supported 802.1X authentication and blocked everything by default, NAC was seen as an annoyance that stopped legitimate network authentication requests. Nowadays, a good NAC system provides seamless connections for employees, third parties and contractors alike -- to the correct area of the network they are allowed to visit. It should also aid in regulatory compliance, an issue all organizations need to deal with now.
Assessing NAC products comes down to the small number of key questions highlighted in this article. They are designed to help organizations determine which type of NAC product is right for them, and which vendor provides the product that most closely matches those criteria.