Problem solve Get help with specific problems with your technologies, process and projects.

Phased NAC deployment for compliance and policy enforcement

Thinking about NAC? You're not alone. Many organizations are taking a new look at the latest generation of network access control tools, with the hopes of mapping security policy requirements to technical controls. For those about to take the NAC plunge, Mike Chapple reviews the proper phases of deployment. Security School
This tip is part of's Integration of Networking and Security School lesson, Using NAC to create a strong endpoint security strategy. Visit the school and lesson pages for additional learning resources.

If you're not already using a network access control product in your enterprise, chances are that you're either preparing to deploy one or having serious internal debates about an implementation's benefits and drawbacks. You're not alone; enterprises around the world are struggling with these issues.

In fact, almost 30% of respondents to a recent survey stated that mapping security policy requirements to technical controls will be their top compliance challenge in 2008. To address that dilemma, many professionals will turn to NAC, a technology that restricts the availability of network resources to endpoint devices based on adherence to a defined security policy.

Policy before purchase
Once the decision has been made to explore a NAC deployment, proper preparation is essential. Before purchasing a product, be sure the organization has defined the policy and compliance requirements it intends to enforce. It's also essential to prepare your directory and networking infrastructures to support a NAC implementation. You may be surprised at the level of effort and cost associated with this preparation. A recent study by Infonetics Research revealed that organizations deploying NAC for the first time spent about two-thirds of their project budgets on upgrades to the network switch infrastructure. For example, you may need to add attributes to your directory structure to support role-based NAC decisions. Additionally, your switches may require hardware and/or firmware upgrades to support dynamic VLAN assignments.

Once you've made a commitment to a NAC product, I recommend a four-stage deployment process.

Phase one: Pilot deployment
As with any significant technology project, it's always wise to begin with a pilot launch. This is particularly true with NAC deployment projects, as they affect every single network user and their desktop experience. During the pilot deployment, you'll want to work with a group of "friendlies." These are users willing to experiment with new technologies and don't mind a little inconvenience in the interests of progress. Working with a group willing to install a NAC client on their desktop and experiment as you tinker with NAC policies facilitates the process. That said, don't limit the pilot group to tech-savvy individuals. Get a representative sample of users from different functional units, people with different job roles and varying degrees of technical experience. A diverse pilot group will better assess the user impact of an enterprise-wide NAC rollout.

The pilot period provides an opportunity to experiment with the effect of client-based and clientless tools. Think of the pilot group as a testbed; if you're not sure how a particular client or product will affect a subset of users, include that subset in the pilot deployment and try it out first. The introductory phase should be used to fine-tune directory and single sign-on issues and assess the impact of potential policy decisions.

Phase two: Roll out in monitoring mode
After successfully completing a pilot deployment, it's time to begin rolling NAC out across the enterprise. In most cases, a phased rollout strategy is preferred over launching across the entire network in a "big bang" style.

There are several ways that deployment can be phased in. One option is to pursue a geographically segmented approach where individual cities, buildings or floors receive NAC in waves. Alternatively, you might decide to deploy NAC to your wireless network in advance of the wired network. Perhaps a deployment by business unit makes sense for your organization. The criteria for designing a successful deployment strategy varies from one organization to another.

The key to a successful rollout is beginning with a low-impact deployment that uses a "monitoring first" approach. Let the NAC product monitor the network and inform you of the decisions that it would make, but don't actually block admission to the network.

More from this lesson

In this video, Joel Snyder answers hard questions about NAC deployments.

In this podcast, Mike Chapple explains how to make NAC work with your existing security tools.
Phase three: User education and remediation
Depending upon the results of the "monitoring first" deployment, you may have significant work ahead of you. If significant portions of the client base fail compliance checks, it's time to do a little digging. What's causing these policy violations? Don't rule out the idea that the policy in question may simply be too stringent.

If the policy is deemed solid, the next step would be to launch a combined program of user education and system remediation. Enforcing network admission criteria in an enterprise where a significant portion of devices will fail the policy checks is a recipe for disaster. You'll soon experience the combined pressures of a frustrated user community and overwhelmed technical support staff. For example, if you require users to update antivirus signatures on a daily basis but know that a significant subset of the user base has their software configured for weekly updates, it makes sense to reach out to those individuals and provide them with remediation instructions rather than simply disconnecting them when they fail to comply. Chances are good that your next step will be to chuck your NAC product in the closet for "future consideration."

Phase four: Compliance checking
Only after completing a successful pilot deployment, monitoring mode assessment and user education/device remediation campaign is it time to consider running the NAC approach in enforcement mode. View NAC as an enterprise system that maintains the healthy state of a compliant organization, not a tool to browbeat users into complying with draconian security policies.

There's nothing to fear about deploying network access control technology in your organization, provided that you take a reasoned, careful approach to the deployment. Following the four-step process will enable infosec professionals and their organizations to reap the policy-enforcement and compliance-checking benefits NAC has to offer.

About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated. He also answers your questions on network security.

This was last published in March 2008

Dig Deeper on Network Access Control technologies