There has been a significant amount of 'hype' surrounding network access control (NAC) recently, but increasing interest in NAC has not yet helped to deliver tangible benefits to customers.
NAC is defined as an approach to security that unifies network endpoint security technologies - such as anti-virus, host intrusion prevention and vulnerability assessment - with user or system authentication and network security enforcement systems.
In essence, NAC ensures the 'right' people get access to the 'right' resources, making certain they do not harm the network or its systems in the process.
From a technical perspective, NAC is a concept that uses a set of techniques to assess network nodes prior to the nodes accessing the network.
It also builds automatic remediation into the network (fixing non-compliant nodes before they are allowed access), so that infrastructure elements - such as routers, switches and firewalls - work together with back-end servers and end-user equipment to make sure an end system is not compromised before it is permitted to communicate with the rest of the network.
Basically, NAC should prevent end systems from communicating on the network until the 'health' of the end system is determined - because they could pose a security risk to critical processes and services.
End systems can be defined as traditional PCs, printers, IP phones, IP security cameras and similar devices.
Complexity
Against this backdrop, it is surprising that NAC has not been more widely accepted - particularly as there are many networks out there that are prime candidates for this type of solution.
One of the reasons for this reluctance might be the potential complexity of a NAC solution. The challenge facing NAC implementers is to marshal the many different components that have to work together without creating opportunities for errors and omissions.
For example, elements of end systems such as security patch levels, anti-virus/anti-malware presence, anti-virus/anti-malware signature updates, applications running, open ports, etc, all have to be investigated to determine their overall health.
In an ideal world, every end system connecting to the network (no matter what type of device) should be challenged by the NAC solution. This is becoming more complex with the increasing diversity in the network-connected end systems in typical networks.
Another problem with NAC is the plethora of definitions being bandied about, which leads to conflicting views of what a NAC solution should manage and enforce.
On patrol
For instance, NAC's initial role was that of the 'network policeman', checking that endpoints had proper patches and updated security in operation before granting network access. But as time progressed, other additions have been 'glued onto' the definition - such as internal intrusion-detection and prevention.
As a consequence, there are now two prevailing design philosophies surrounding NAC, based on whether policies are enforced before or after end-stations gain access to the network.
In the former case, called pre-admission NAC, end-stations are inspected prior to being allowed on the network. Typically, pre-admission NAC is used to prevent clients with out-of-date anti-virus signatures from talking to sensitive servers.
On the other hand, post-admission NAC makes enforcement decisions based on user actions after users have been provided with access to the network. If a device is found to have slipped out of policy compliance, then it can be placed into quarantine and remediated.
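A minimal posture-policy engine, added here as an illustration and not part of the original article or any vendor's product: it evaluates the health attributes listed earlier (patch level, anti-malware presence and signature age, open ports, running processes) and shows both enforcement philosophies. In pre-admission mode an endpoint is quarantined until it passes; in post-admission mode an already admitted endpoint is re-checked and moved to quarantine when it drifts out of policy. The policy thresholds, the RESTRICTED segment for agentless devices such as IP phones and printers, and the endpoint reports are all constructed assumptions.

```python
"""Toy NAC posture-policy engine (added example; thresholds and reports are constructed)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Enforcement outcomes the switch/VLAN infrastructure can act on (assumed names).
ADMIT = "ADMIT"              # production segment
QUARANTINE = "QUARANTINE"    # remediation segment: patch and AV update servers only
RESTRICTED = "RESTRICTED"    # limited segment for agentless devices (phones, printers)


@dataclass
class PostureReport:
    """What an agent (or an agentless scan) reports about an endpoint."""
    device_type: str                          # "pc", "printer", "ip_phone", ...
    agent_present: bool
    patch_level: Optional[int] = None         # assumed monotonically increasing baseline number
    av_installed: bool = False
    av_signature_date: Optional[date] = None
    listening_ports: Set[int] = field(default_factory=set)
    running_processes: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    """Assumed policy thresholds; a real deployment would load these from a policy server."""
    min_patch_level: int = 42
    max_signature_age: timedelta = timedelta(days=7)
    forbidden_ports: Set[int] = field(default_factory=lambda: {23, 445, 3389})
    forbidden_processes: Set[str] = field(default_factory=lambda: {"torrent.exe"})
    agentless_types: Set[str] = field(default_factory=lambda: {"printer", "ip_phone", "ip_camera"})


def check_health(report: PostureReport, policy: Policy, today: date) -> List[str]:
    """Return the list of policy violations; an empty list means the endpoint is healthy."""
    problems = []
    if report.patch_level is None or report.patch_level < policy.min_patch_level:
        problems.append("patch level below baseline")
    if not report.av_installed:
        problems.append("anti-malware not installed")
    elif report.av_signature_date is None or today - report.av_signature_date > policy.max_signature_age:
        problems.append("anti-malware signatures out of date")
    bad_ports = report.listening_ports & policy.forbidden_ports
    if bad_ports:
        problems.append(f"forbidden listening ports: {sorted(bad_ports)}")
    bad_procs = report.running_processes & policy.forbidden_processes
    if bad_procs:
        problems.append(f"forbidden processes: {sorted(bad_procs)}")
    return problems


def pre_admission(report: PostureReport, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Pre-admission NAC: decide before the endpoint gets any production access."""
    if report.device_type in policy.agentless_types:
        # Nothing to query on a phone or printer: profile it and confine it to a limited segment.
        return RESTRICTED, ["agentless device type"]
    if not report.agent_present:
        # Unmanaged PC-class device with no agent: never straight to production.
        return QUARANTINE, ["no posture agent"]
    problems = check_health(report, policy, today)
    return (ADMIT, []) if not problems else (QUARANTINE, problems)


def post_admission(current_state: str, report: PostureReport, policy: Policy,
                   today: date) -> Tuple[str, List[str]]:
    """Post-admission NAC: re-evaluate an admitted endpoint and quarantine it on drift."""
    if current_state != ADMIT:
        return current_state, []
    problems = check_health(report, policy, today)
    return (QUARANTINE, problems) if problems else (ADMIT, [])


# Constructed sample endpoints; the date is fixed so the example is deterministic.
TODAY = date(2024, 1, 15)
POLICY = Policy()
HEALTHY_PC = PostureReport("pc", True, 45, True, TODAY - timedelta(days=2), {22}, {"explorer.exe"})
STALE_AV_PC = PostureReport("pc", True, 45, True, TODAY - timedelta(days=30))
PHONE = PostureReport("ip_phone", False)
# The healthy PC later starts a Telnet listener: post-admission re-check should catch it.
DRIFTED_PC = PostureReport("pc", True, 45, True, TODAY - timedelta(days=2), {22, 23})

if __name__ == "__main__":
    for name, rep in [("healthy pc", HEALTHY_PC), ("stale av pc", STALE_AV_PC), ("phone", PHONE)]:
        print(f"pre-admission  {name:12s} -> {pre_admission(rep, POLICY, TODAY)}")
    print(f"post-admission drift       -> {post_admission(ADMIT, DRIFTED_PC, POLICY, TODAY)}")
```

The reason list is returned alongside the verdict so that the remediation segment can tell the user (or an automated fixer) exactly what to correct, rather than just cutting them off; that feedback loop is what turns a "network policeman" into the remediation process the article describes.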
Another barrier to NAC's acceptance is the high cost of implementation. One vendor requires that its NAC framework be loaded onto every switch and router - a major undertaking in a large enterprise.
In addition, many current solutions rely on proprietary agents, which require extensive roll-out and ongoing maintenance. Even so, they do not scale well and cannot cover agentless infrastructure devices such as IP phones, IP cameras, etc.
Many of these points are not necessarily highlighted by potential vendors.
As a result, we are a long way from seeing large-scale deployments of comprehensive NAC solutions. But, perhaps this year the market will agree on the benefit of moving in this direction.
* Andy Robb is CTO at Duxbury Networking.