Over the past two years, network access control (NAC) technology has reached full-fledged buzzword status within the information security community. But has NAC lived up to the hype?
Last year, I joined many in the field in predicting that 2009 would be "The Year of NAC." That prediction doesn't seem to have been fully realized, but I think that slower adoption of the technology is due more to economic pressures than to a lack of willingness or desire to adopt NAC. I'm still confident that NAC is an underused technology and, as a market, will see significant growth, especially as the economy begins to turn around.
Network access control (NAC) technology overview
NAC technology offers two primary benefits to the enterprise: network authentication and endpoint security screening. By combining these features, NAC allows security pros to gain confidence in both the individuals and systems accessing the network. It aims to protect against both the threat of an unauthorized user accessing a network and an authorized user accessing a network with vulnerable (or, worse yet, infected) equipment.
Generally speaking, today's NAC products do a great job at meeting these goals, especially when they also leverage the security features of an existing network infrastructure (usually by purchasing a NAC product from the same vendor as your other network technology). In such a case, when a NAC product detects a user who authenticates improperly or a device that fails to meet the organization's posturing requirements, it can revoke access by restricting the device to a quarantine VLAN directly at the switch port.
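The admission decision described above can be sketched as follows. This is an added example, not code from any NAC product: the VLAN numbers, the posture checks, the signature-age threshold and the port names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed values for illustration; a real deployment defines its own.
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999
MAX_SIGNATURE_AGE_DAYS = 7

@dataclass
class Endpoint:
    port: str                 # switch port the device is attached to
    user_authenticated: bool  # result of network authentication
    av_running: bool          # malware protection present and running
    signature_age_days: int
    firewall_enabled: bool

def evaluate(ep):
    """Return (vlan, reasons); any reason means quarantine."""
    reasons = []
    if not ep.user_authenticated:
        reasons.append("authentication failed")
    if not ep.av_running:
        reasons.append("malware protection not running")
    elif ep.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append("malware signatures out of date")
    if not ep.firewall_enabled:
        reasons.append("host firewall disabled")
    return (QUARANTINE_VLAN if reasons else PRODUCTION_VLAN), reasons

def reassess(port_vlans, endpoints):
    """Update the port-to-VLAN table in place; return the changes made."""
    changes = []
    for ep in endpoints:
        vlan, reasons = evaluate(ep)
        if port_vlans.get(ep.port) != vlan:
            changes.append((ep.port, port_vlans.get(ep.port), vlan, reasons))
            port_vlans[ep.port] = vlan
    return changes

# Constructed sample: Gi1/0/2 was admitted earlier and has since fallen out of compliance.
PORT_VLANS = {"Gi1/0/1": PRODUCTION_VLAN, "Gi1/0/2": PRODUCTION_VLAN}
ENDPOINTS = [
    Endpoint("Gi1/0/1", True, True, 1, True),
    Endpoint("Gi1/0/2", True, True, 30, True),
    Endpoint("Gi1/0/3", False, True, 0, True),
]

if __name__ == "__main__":
    for port, old, new, why in reassess(PORT_VLANS, ENDPOINTS):
        print(f"{port}: VLAN {old} -> {new} ({'; '.join(why) or 'compliant'})")
```

Recording the reasons alongside each VLAN change gives the help desk something to tell the quarantined user and gives the security team a log of which control failed.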
Is NAC worth the cost?
The million-dollar question is whether the substantial financial and time investment necessary to deploy a NAC product will generate sufficient return for your enterprise. In considering this question, I encourage you to take a look inward and answer a few questions:
- For our environment, does NAC constitute a solution to an existing problem or a solution in search of a problem? Don't buy a NAC product simply because everyone's talking about NAC. Verify that you have legitimate business objectives that are best met through NAC.
- Do we have an issue with the configuration of endpoint security controls? If you have a network consisting entirely of managed systems and you enforce the presence of malware protection software and security settings through a configuration management system, you may have little need for the posturing protections provided by NAC.
- Do we have a large number of unknown users on our network? If you're running a network that hosts a large number of guest users, such as a college or university network, NAC is a great way to both verify that your guests have permission to access your network and prevent them from bringing infected equipment onto your network.
Answering these questions honestly will provide a realistic assessment of the value that NAC can bring to your enterprise. If you're interested in deploying NAC in your organization, I'd encourage you to read my article "Phased NAC deployment for compliance and policy enforcement," which details NAC roll-out strategies. You may also be interested in my podcast on making NAC work with your existing security tools. NAC is a complex technology, but it can work well with proper configuration and management, so don't let the hype dissuade you from considering NAC if you think there's a solid business case for implementing it.
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.