NAC decisions you need to make now

The pros and cons of different approaches to network access control

One important piece of a multilevel security defense for companies of almost any size is network access control (NAC), which lets you enforce policies for end-user machines.

The basic idea behind NAC -- which can include hardware, software or a combination -- is deceptively simple. Before any end user's computer -- an endpoint -- is allowed on the corporate network, a NAC makes the computer prove that it complies with the company's security policies. For example, you could set up a NAC to refuse to let a user's PC on the company LAN until the PC reports that it has all the latest patches for its operating system and office software and that it has the latest updates for the corporate antivirus program. If it doesn't have the goods, the device is not getting on the network.

Although the theory behind NAC is deceptively simple, the marketplace reality is anything but. It requires that network administrators piece together hardware and software from multiple vendors, unless you're willing to go with an all-in-one solution and risk vendor lock-in. And, with NAC, whatever you decide to do, there are usually multiple ways to do it.

NAC's capabilities have evolved. Nowadays, NAC systems also include automated ways for failed endpoints to update their software so they will be allowed on the network. In addition, NAC now includes provisions for rechecking endpoints periodically and monitoring their behavior while they're on the network.

Further, NAC also encompasses the range of mobile devices -- laptops, especially, but also smartphones.

While you can roll your own solution, there are three major NAC approaches already available to corporate customers: Cisco's NAC (Network Admission Control), the Trusted Computing Group's TNC (Trusted Network Connect) and Microsoft's NAP (Network Access Protection). There are at least a dozen products geared toward midsize to large customers that implement these various approaches; here's a recent review of these.

In short, while there are still too many standards, or would-be standards, you will often be able to successfully mix and match standards-compliant equipment from different vendors (see sidebar, at left). That said, you should still pay close attention to which standards a NAC system uses and what interoperability claims its vendor makes for it.

In particular, if you stick with Cisco and Microsoft, you should be able to avoid major NAC incompatibility woes. But even that's no guarantee. As with any other significant IT infrastructure buy, you'll need to get the gear in hand and test all the bits and pieces together on a trial basis before committing to any single platform or combination of hardware and software.

1 2 3 Page 1
Page 1 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon