NAC architecture options

Confusion surrounds the role of network access control.

By Andy Robb, Technology specialist at Duxbury Networking.
Johannesburg, 24 Aug 2009

Network access control (NAC) is a common term within IT organisations today, but there is much discussion around what NAC is and what it does - and does not - do. There is also debate over its architecture: closed or open.

Some view NAC as simple registration and authorisation of network connected end systems. Others view NAC as a solution to protect the network environment from viruses and worms. Yet others see NAC as a 'gatekeeper', controlling how end-systems and guest systems, which are not compliant with corporate computing guidelines, can access the network.

A well-architected NAC solution is actually all of these things. It is the integration of several technologies to provide a solution that proactively and reactively controls end-system communication on the network.

There are a number of individual functions that make up a comprehensive NAC solution. It must:

* Detect and identify new devices connecting to the network
* Authenticate users and/or devices
* Assess end-systems regarding their compliance and/or vulnerabilities
* Authorise the use of the network based on the results of the authentication and the assessment
* Monitor users and devices once they are connected to the network
* Quarantine problem end-systems and/or users to prevent them from negatively impacting the overall network environment
* Remediate problems associated with the end-system and/or user

At your service

A NAC solution is called upon to integrate highly advanced, policy-enabled network infrastructure, along with advanced security applications and centralised management, to deliver all of the required functions for pre- and post-connect secure network access.

Many NAC offerings only address pre-connect issues, without factoring in the importance of enforcing network usage and security policies while the end-system is connected to the network.

For example, if a user or device does not pass assessment and authentication when connecting to network equipment, they should be prevented from accessing business-critical services and only allowed to access pre-determined remediation or guest services.

When connected to another vendor's networking equipment, the NAC solution should be able to quarantine the end-system in a virtual local area network (VLAN) using standards-based methods.
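The pre- and post-connect flow described above (detect, authenticate, assess, authorise, then monitor, quarantine and remediate), as an added Python example written for this page rather than code from Duxbury Networking or any NAC product; the VLAN names, MAC addresses and method names are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical VLAN labels; a real deployment maps them to the switch VLAN IDs
# that the access port is told to enforce once the end-system is authorised.
PRODUCTION, GUEST, REMEDIATION = "production", "guest", "remediation"

@dataclass
class EndSystem:
    mac: str
    vlan: str | None = None            # None until the system is authorised
    audit: list[str] = field(default_factory=list)

class NacPolicy:
    """Tracks every detected end-system and decides its VLAN, pre- and post-connect."""

    def __init__(self) -> None:
        self.systems: dict[str, EndSystem] = {}

    def connect(self, mac: str, auth_method: str, authenticated: bool,
                compliant: bool) -> str:
        # Pre-connect: detect the device, authenticate it, assess it, authorise it.
        es = self.systems.setdefault(mac, EndSystem(mac))
        es.audit.append(f"{auth_method} auth {'ok' if authenticated else 'failed'}, "
                        f"assessment {'passed' if compliant else 'failed'}")
        if not authenticated:
            es.vlan = GUEST          # unknown user/device: guest services only
        elif not compliant:
            es.vlan = REMEDIATION    # known but non-compliant: fix before production
        else:
            es.vlan = PRODUCTION
        es.audit.append(f"authorised into {es.vlan}")
        return es.vlan

    def monitor_alert(self, mac: str, reason: str) -> str:
        # Post-connect: an already connected system misbehaves, so it is quarantined
        # immediately rather than at its next connection attempt.
        es = self.systems[mac]
        es.vlan = REMEDIATION
        es.audit.append(f"quarantined: {reason}")
        return es.vlan

    def reassess(self, mac: str, compliant: bool) -> str:
        # Remediation counts as complete only when a fresh assessment passes;
        # a guest system stays a guest regardless of its health state.
        es = self.systems[mac]
        if es.vlan == REMEDIATION and compliant:
            es.vlan = PRODUCTION
        es.audit.append(f"reassessed, now in {es.vlan}")
        return es.vlan
```

The per-system audit list stands in for the centralised auditing and reporting the article calls for in the first deployment stage.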

Achieving these goals therefore requires a commitment to an open, standards-based architecture, because only an open architecture ensures maximum interoperability. Implementing a NAC solution also forces many changes to business processes, so it needs to be done with minimum disruption to day-to-day operations.

This complex process must be staged to align with the security and business requirements of the organisation.

Getting started

A first step is to deploy device and user authentication services, plus centralised management, auditing and reporting. This deployment may then be enhanced with end-system health state and compliance assessment, and ongoing security assessment thereafter.

Finally, automated threat management - including the isolation, quarantine and self-serve remediation of non-conforming end-systems - should be added.

Such an approach will enable an organisation to use best-of-breed assessment technologies from industry-leading vendors and ensure that they are fully integrated with the authentication, authorisation and policy-enforcement capabilities of the NAC solution.

By supporting both agent-based and agent-less assessment services for end-systems, an open architecture NAC solution can assess end-systems running popular operating systems, such as Windows, Solaris, Linux and MacOS - as well as end-systems of any type - for vulnerability and threat.

What's more, by leveraging interoperability with vulnerability assessment technologies, such a solution will be able to deliver proactive network security by determining if an end-system is compliant with an organisation's network communications security requirements.

Ideally, secure guest access should be provided so organisations can safely and securely enable visitors or unmanaged users to connect to the Internet without threatening critical IT assets.

Leveraging multiple authentication methods such as 802.1X, MAC-based and Web-based, as well as agent-based and agent-less assessment, any end-system and user can be assessed and authenticated for connectivity to the network, where they can securely access the services needed for their role in the business.

In conclusion, an open architecture NAC solution will provide simplicity in deployment, scalability in operation, effectiveness in risk mitigation and ease of management.

* Andy Robb is CTO of Duxbury Networking.