Network access control technology: Over-hyped or underused?


Mike Chapple, Contributor

Over the past two years, network access control (NAC) technology has reached full-fledged buzzword status within the information security community. But has NAC lived up to the hype?

Last year, I joined many in the field in predicting that 2009 would be "The Year of NAC." That prediction doesn't seem to have been fully realized, but I think that slower adoption of the technology is more due to economic pressures than a lack of willingness or desire to adopt NAC. I'm still confident that NAC is an underused technology and, as a market, will see significant growth, especially as the economy begins to turn around.

Network access control (NAC) technology overview
NAC technology offers two primary benefits to the enterprise: network authentication and endpoint security screening. By combining these features, NAC allows security pros to gain confidence in both the individuals and systems accessing the network. It aims to protect against both the threat of an unauthorized user accessing a network and an authorized user accessing a network with vulnerable (or, worse yet, infected) equipment.

The key to a NAC product's success lies in the quality of its posturing agent: the software that runs on the endpoint and determines whether the device complies with the organization's security policy. The best products are able to combine detection of both the presence and compliant operation of security software with OS-specific verification of security configuration parameters.

Generally speaking, today's NAC products do a great job at meeting these goals, especially when also leveraging the security features of an existing network infrastructure (usually by purchasing a NAC product from the same vendor as that of your other network technology). In such a case, when a NAC product detects a user that improperly authenticates or a device that fails to meet the organization's posturing requirements, it is able to revoke access by restricting the device to a quarantine VLAN directly at the switch port.
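
The admission decision described in the two paragraphs above, as an added example that is not from the article or from any NAC product: authentication and posture results are combined, and any failure places the port in a quarantine VLAN. The VLAN IDs, the signature-age threshold, the setting names and the PostureReport fields are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
# VLAN IDs, thresholds and setting names are constructed for illustration.
PRODUCTION_VLAN, QUARANTINE_VLAN = 10, 999
MAX_SIGNATURE_AGE_DAYS = 7
# OS-specific configuration parameters the policy requires (hypothetical).
OS_CHECKS = {
    "windows": {"host_firewall_enabled": True, "auto_update_enabled": True},
    "macos": {"host_firewall_enabled": True, "disk_encryption_enabled": True},
}

@dataclass
class PostureReport:
    """What a posturing agent might report from the endpoint."""
    os_family: str
    av_installed: bool = False
    av_running: bool = False
    av_signature_age_days: Optional[int] = None
    settings: dict = field(default_factory=dict)

def posture_failures(report):
    """Return the list of policy violations; an empty list means compliant."""
    failures = []
    # Presence and compliant operation are checked separately.
    if not report.av_installed:
        failures.append("av_missing")
    elif not report.av_running:
        failures.append("av_not_running")
    elif (report.av_signature_age_days is None
          or report.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS):
        failures.append("av_signatures_stale")
    required = OS_CHECKS.get(report.os_family)
    if required is None:
        failures.append("unsupported_os")  # unknown platform: fail closed
    else:
        for name, expected in required.items():
            # A setting the agent did not report counts as a failure.
            if report.settings.get(name) is not expected:
                failures.append(f"{name}_noncompliant")
    return failures

def assign_vlan(authenticated, report):
    """Pick the switch-port VLAN; production requires auth and posture to pass."""
    if not authenticated:
        return QUARANTINE_VLAN, ["auth_failed"]
    if report is None:  # no agent report: fail closed
        return QUARANTINE_VLAN, ["no_posture_report"]
    failures = posture_failures(report)
    return (QUARANTINE_VLAN if failures else PRODUCTION_VLAN), failures
```

The returned failure list is what a help desk or remediation portal would show the user of a quarantined device.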

Is NAC worth the cost?
The million-dollar question is whether the substantial financial and time investment necessary to deploy a NAC product will generate sufficient return for your enterprise. In considering this question, I encourage you to take a look inward and answer a few questions:

  • For our environment, does NAC constitute a solution to an existing problem or a solution in search of a problem? Don't buy a NAC product simply because everyone's talking about NAC. Verify that you have legitimate business objectives that are best met through NAC.
  • Do we have an issue with the configuration of endpoint security controls? If you have a network consisting entirely of managed systems and you enforce the presence of malware protection software and security settings through a configuration management system, you may have little need for the posturing protections provided by NAC.
  • Do we have a large number of unknown users on our network? If you're running a network that hosts a large number of guest users, such as a college or university network, NAC is a great way to both verify that your guests have permission to access your network and prevent them from bringing infected equipment onto your network.

Answering these questions honestly will provide a realistic assessment of the value that NAC can bring to your enterprise. If you're interested in deploying NAC in your organization, I'd encourage you to read my article "Phased NAC deployment for compliance and policy enforcement," which details NAC roll-out strategies. You may also be interested in my podcast on making NAC work with your existing security tools. NAC is a complex technology, but it can work well with proper configuration and management, so don't let the hype dissuade you from considering NAC if you think there's a solid business case for implementing it.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.


All Rights Reserved, Copyright 2003 - 2010, TechTarget