NAC decisions you need to make now

One important piece of a multilevel security defense for companies of almost any size is network access control (NAC), which lets you enforce policies for end-user machines.

The basic idea behind NAC -- which can include hardware, software or a combination -- is deceptively simple. Before any end user's computer -- an endpoint -- is allowed on the corporate network, a NAC makes the computer prove that it complies with the company's security policies. For example, you could set up a NAC to refuse to let a user's PC on the company LAN until the PC reports that it has all the latest patches for its operating system and office software and that it has the latest updates for the corporate antivirus program. If it doesn't have the goods, the device is not getting on the network.

Although the theory behind NAC is deceptively simple, the marketplace reality is anything but. It requires that network administrators piece together hardware and software from multiple vendors, unless you're willing to go with an all-in-one solution and risk vendor lock-in. And, with NAC, whatever you decide to do, there are usually multiple ways to do it.

NAC's capabilities have evolved. Nowadays, NAC systems also include automated ways for failed endpoints to update their software so they will be allowed on the network. In addition, NAC now includes provisions for rechecking endpoints periodically and monitoring their behavior while they're on the network.

The standards situation

You might think that with three different ways to do the same thing, the industry would be on its way to yet another standards war like what happened with 802.11n. And while there has been no agreement on even a standard definition of NAC, never mind how to get there, some progress has been made.

Cisco and Microsoft have been working together to make sure their components are interoperable. So, for example, you can use Windows Server 2008 R2's Network Policy Server to set overall NAC policy while using Cisco's Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling module for user authentication on Windows Vista or Windows 7 clients.

At the same time, the IETF (Internet Engineering Task Force) is making a standard of Posture Attitude-TNC, which defines a set of endpoint health checks, including antivirus status. Another standard in the works, by a different group, is Posture Broker-TNC, which defines how to perform a health check of network endpoints, including laptops and printers. There is no connection between the two; at this point, they're independent efforts, with the IETF's plan considered the more "official" of the two.

Further, NAC also encompasses the range of mobile devices -- laptops, especially, but also smartphones.

While you can roll your own solution, there are three major NAC approaches already available to corporate customers: Cisco's NAC (Network Admission Control), the Trusted Computing Group's TNC (Trusted Network Connect) and Microsoft's NAP (Network Access Protection). There are at least a dozen products geared toward midsize to large customers that implement these various approaches; here's a recent review of these.

In short, while there are still too many standards, or would-be standards, you will often be able to successfully mix and match standards-compliant equipment from different vendors (see sidebar, at left). That said, you should still pay close attention to which standards a NAC system uses and what interoperability claims its vendor makes for it.

In particular, if you stick with Cisco and Microsoft, you should be able to avoid major NAC incompatibility woes. But even that's no guarantee. As with any other significant IT infrastructure buy, you'll need to get the gear in hand and test all the bits and pieces together on a trial basis before committing to any single platform or combination of hardware and software.

Appliances vs. server- or switch-based NAC

NAC solutions are deployed in two different ways. In the first, NAC appliances -- dedicated network devices -- are used to manage end users. This is fine for small to midsize businesses or branch offices, but appliances might not scale well at the enterprise level. That's where network switches and/or server-based NAC comes in.

The major network switch players have multiple NAC products for different audiences. Cisco, for example, offers a NAC Appliance (formerly Cisco Clear Access), a NAC Network Module for Cisco Integrated Services Routers and Cisco Secure Access Control Server, among other products.

For its part, Microsoft concentrates its NAC efforts on servers instead of on switches or appliances. To do so, Microsoft uses a client/server-based architecture called NAP. With NAP, client agents report on the operating system and software status to the network's Health Requirement Servers to make sure that the PC is secure enough and has the right updates to be allowed on the network.

Other vendors, such as networking hardware provider Juniper Networks, offer a different all-in-one type of approach. In Juniper's Adaptive Threat Management architecture, data-sharing software enables SSL, VPN and Unified Access Control devices to publish log information to a common UAC server.

While Adaptive Threat Management works best with Juniper equipment, it also supports any equipment that is compliant with IF-MAP, a Trusted Computing Group network protocol that allows network security devices and switches to swap data with certain servers.

Picking the right NAC

Confused by the alphabet soup yet? I can't blame you. It is confusing, and it doesn't help any that every Tom, Dick and Harry claims to have a NAC. Before you get bogged down in vendorspeak, your first step should be to determine what you need from a NAC -- particularly, the level of security you're looking for.

Part of that decision is whether you want to incorporate identity management, used to determine who the user is -- not just the computer -- and how much network access he or she is allowed to have. This can become a complex issue. Some vendors, such as Microsoft with its reliance on Active Directory (AD) or Citrix with its Citrix XenApp SmartAccess, take it as a given that you want user identity authentication and management to work hand-in-glove with NAC.

There's nothing wrong with this approach, if you're comfortable with all-in-one packages and the vendor lock-in that can come with them. But if you'd rather have flexibility and be able to pick best-of-breed components for your network, then you're better off looking at hybrid solutions. One example of a hybrid approach is the popular mix of Cisco switches with Microsoft's AD or Novell's eDirectory for authentication.

Network infrastructure's benefits

Next up is whether you want to use a network infrastructure or an endpoint-based approach. Most of what I've talked about to this point has been about, in one way or another, network-based architectures. This is where NAC services are delivered by server software residing on an appliance or on a network switch.

This approach has several things going for it. By its very nature, it lends itself better to centralized control. If you want to easily set corporate computing standards throughout an enterprise, this is the way to go. Network-based systems also work well if your client PCs will include guest laptops or corporate notebooks that don't go through the company's VPN before accessing the Internet. This way you get some NAC protection even if you can't install endpoint software agents on the portable computers before the devices access the corporate network.

If you decide to go with a network-based approach, you'll also need to consider whether you'll want to embed the NAC functionality in the switches themselves or use an "out-of-band" appliance. For scaling purposes, an "in-band" product such as those from Cisco, Juniper, or Nortel will do the job for large enterprises. Appliances may be the more affordable option if your branch offices already have their own switches.

Endpoint security's benefits

With endpoint security, every PC must have a software agent on it that checks it to see if the box has the right patches, and ensures that the device hasn't been infected with malware and is essentially cleared before it can even log into the office network.

You can argue that an endpoint approach gives you better security, since a PC can't log onto the network until it has passed all the NAC checks. On the other hand, since the NAC software is located on individual PCs, it's more difficult to manage this approach. This is because the NAC software is part of the software kit that you'll need to maintain and update. It's really a mixed bag of benefit and additional overhead, so you're the only one who can decide which will work best for your users.

Endpoint products tend to be from the antivirus companies. Some of the more noteworthy ones, based on their range of features and market share, include McAfee ePolicy Orchestrator, Sophos NAC Advanced and Symantec Endpoint Protection. Another big consideration is that these products may prove more affordable than network-based wares for small companies.

Finally, no matter whether you rely on a NAC setup that's part and parcel of your network fabric or endpoint software that's separate, you need to make another decision: Do you want something that will simply check on the PC when it boots up or attempts to log into the network, or do you want a NAC that will keep checking up on the PC's health even after it is already on the network?

NAC systems that monitor PCs continuously are, as you might have guessed, more expensive than those that simply test PCs when they first arrive on the network. Again, which approach to choose comes down to what your company needs from a NAC and how much security is "enough" for the decision-makers in your company.

Personally, I'd rather pay the upfront costs of constant NAC monitoring than spend the time and money needed to fix a malware eruption or a break-in.

Regardless of which way you go, though, every network that means business needs to invest in some form of NAC. Even the largest and most technically sophisticated companies can be successfully attacked these days. A good, comprehensive NAC defense is a great start.

Steven J. Vaughan-Nichols has been writing about technology and the business of technology since CP/M-80 was cutting-edge and 300bit/sec. was a fast Internet connection -- and we liked it! He can be reached at


Copyright © 2010 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon