This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
In the trenches
A NAC for access control
Network access control technology is fine for evaluating system health, but IT wants to extend those capabilities to users, not just machines.
NAC and other endpoint security technologies have garnered a lot of press and attention in the last year, and much of that attention has focused on the products' ability to check the security posture of machines attempting to connect to the network. Vendors have touted the ability to admit or deny users based on the relative health of their machines as the key to keeping their networks clean.
However, some users say that while the health check capability is all well and good, the true value of network access control lies in its ability to limit network access for specific users, and not just their machines. Deployed at strategic points inside a network, and not simply at the network edge, NAC systems can function as gatekeepers and prevent unauthorized users from accessing network segments or resources they're not meant to see.
"What I was looking for was an admission control system that could automatically assign users to a VLAN based on the user, not the machine," says George Owoc, director of business administration at EADS Astrium North America, a manufacturer of satellites and other space systems. EADS Astrium uses a NAC appliance from Lockdown Networks. "We have a lot of contracts that are controlled
In the past, this access-control role has been played with varying levels of success by inward-facing firewalls and simple password protection on sensitive servers. In some cases, classified or otherwise restricted material is placed on a separate network, but this approach can hamper the ability of legitimate users to access files. So NAC systems have begun taking over that function in some large, distributed enterprises like EADS Astrium that have a clear need to segment their user populations.
"I needed a way to isolate visitors and others by their access to data," Owoc says. "And I didn't want something with a client, because the administrators of those visitors' machines have locked them down as much as they can, and probably have them set to deny any software that's pushed down to them."
The forthcoming NAC-NAP offerings from Cisco Systems and Microsoft will be uniquely well positioned to perform this access-control function as well. Cisco's position as the provider of networking infrastructure for many enterprises, and Microsoft's equally dominant position in the server realm, give them the ability to determine who can access what resources and when.
This was first published in April 2007