
No silver bullet

Don't be fooled by vendors' promises of an all-encompassing network access control solution.

By Andy Robb, Technology specialist at Duxbury Networking.
Johannesburg, 26 Mar 2009

Potential customers for network access control (NAC) solutions have to make sure they understand what they want from NAC first and then marry the right solution to their requirements, environment - and expectations.

Many vendors evangelise total, all-encompassing NAC solutions to potential clients. This leaves customers expecting a network security 'silver bullet' without necessarily understanding what needs to be done to the current network to support NAC, or what exactly the NAC deliverables will be.

Firstly, customers need to identify why they are looking to implement NAC in the first place. Is it to mitigate security risks? To provide secure guest and remote access? Or for compliance?

Secondly, they need to decide how they want to deploy NAC, be it pre-connect or post-connect. They may want to start by only detecting and authenticating devices on the network, then migrate to assessing end-user devices and authorising them, and then look to remediating devices that do not comply.

Such a phased approach is significantly more manageable than trying to address all NAC aspects 'off the bat'.

In many instances, customer networks will be fundamentally insecure, so they will benefit from additional security in each phase, while allowing for a more scalable, affordable NAC solution.

Getting started

One of the first steps in implementing NAC is defining policies, such as the types of computers or roles of users permitted to access defined areas of the network, and enforcing them in switches, routers and network middleware.

NAC solutions need to be dynamic, persistent and ongoing. They should provide granular security policies which can be enforced at any time, and which understand the context of the communications between the endpoint and the IT infrastructure.

These solutions must also offer an open-architecture, standards-based approach to enable an organisation to use best-of-breed assessment technologies from industry-leading vendors.

An open-architecture approach will also ensure NAC solutions fully integrate with the authentication, authorisation and policy-enforcement capabilities of the existing network.

Because the NAC philosophy will be part of an integral, secure network architecture, users will be assured of both pre-connect and post-connect security through proactive and reactive technologies - all integrated into one system.

Critical factor

One of the most important aspects to consider is return on investment (ROI). Users must ensure they receive an appropriate ROI from their NAC investment by establishing a set of 'delivery expectations' from both their and the vendors' sides.

Many NAC implementations on the market today provide only basic one-time access control, with some form of endpoint health check assessment. This does not address the problem in enough depth.

What's more, many NAC solutions do not rely on an end-system authentication challenge as part of the access control process.


Authentication should be a critical foundation of any NAC solution; it is required to meet the scalability, flexibility, visibility and strong-enforcement requirements of network usage and security policies.

Once a user or a machine is authenticated - and credentials have been verified - the authorisation process takes place, altering the configuration of the source network physical port or virtual flow to enable communications based on a set of policy rules.

Such a solution will ensure visibility and control of whom and what is allowed to connect to the network. Dangerous and non-compliant end systems will be isolated and kept from negatively impacting the business processes that the network supports, contributing significantly to ROI.

It will also provide a comprehensive approach to assessing any end system, authorising network usage based on a variety of context (such as location, time of day, MAC address and user identity overrides) and enforcing security and business communication policies.

NAC's biggest benefit is its ability to thwart 'zero-day' attacks by preventing laptops and desktop computers that lack anti-virus, patches or host intrusion prevention software from accessing the network and placing the entire infrastructure at risk.
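To make the phased deployment described earlier and the authentication, context-based authorisation and posture steps concrete, here is an added illustration (not code from the article or from any Duxbury Networking product). It models a NAC policy decision as a pure function: the directory, VLAN names, business-hours rule and MAC allow-list are constructed assumptions, and it shows that the same unpatched laptop is admitted in the authenticate-only phase, denied once assessment is switched on, and diverted to a remediation VLAN in the final phase.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Phase(Enum):
    AUTHENTICATE = 1  # phase 1: detect and authenticate devices only
    ASSESS = 2        # phase 2: also assess endpoint posture and authorise
    REMEDIATE = 3     # phase 3: also divert non-compliant endpoints for remediation

@dataclass
class Endpoint:
    mac: str
    user: Optional[str]  # None: endpoint answered no authentication challenge
    location: str
    hour: int            # local time of day, 0-23
    antivirus: bool = False
    patched: bool = False
    hips: bool = False   # host intrusion prevention software present

# Constructed directory and policy data; a real deployment would read these
# from RADIUS/LDAP and the NAC policy server rather than literals.
USER_ROLES = {"alice": "staff", "bob": "contractor"}
HEADLESS_MACS = {"00:11:22:33:44:55"}  # printers etc. that cannot authenticate
GUEST_LOCATIONS = {"lobby"}
PRODUCTION, GUEST, DEVICES, REMEDIATION, DENY = (
    "vlan-100", "vlan-200", "vlan-300", "vlan-999", "deny")

def compliant(ep: Endpoint) -> bool:
    """Posture check: anti-virus, patches and host IPS must all be present."""
    return ep.antivirus and ep.patched and ep.hips

def decide(ep: Endpoint, phase: Phase) -> str:
    """Return the VLAN to apply to the endpoint's switch port, or 'deny'."""
    # 1. Authentication. MAC-only identification earns a restricted VLAN;
    #    no verified credentials at all is denied in every phase.
    if ep.user is None:
        return DEVICES if ep.mac in HEADLESS_MACS else DENY
    if ep.user not in USER_ROLES:
        return DENY
    # 2. Authorisation from context: role, location and time of day.
    if ep.location in GUEST_LOCATIONS or USER_ROLES[ep.user] == "contractor":
        target = GUEST
    elif not 6 <= ep.hour < 22:
        return DENY  # staff access outside business hours (constructed rule)
    else:
        target = PRODUCTION
    # 3. Posture assessment and remediation only apply in later phases.
    if phase is Phase.AUTHENTICATE or compliant(ep):
        return target
    return REMEDIATION if phase is Phase.REMEDIATE else DENY
```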

As a result, NAC should be seen as an essential component for any organisation's overall security posture, mitigating the risks associated with the threats found in today's information technology environments.

* Andy Robb is chief technology officer at Duxbury Networking.
