As the threat of data breaches grows, the need for network protection increases. For this reason, network access control (NAC) has become a required element in networking and security solution providers' repertoires. Implementation and configuration of NAC products, which restrict the availability of network resources to endpoint devices based on adherence to a defined security policy, can be complex, and customers may have a hard time deciding which NAC product best suits their needs. VARs and integrators can provide a valuable service to their customers by narrowing down the decision to the NAC product that best suits the customer's environment.
NAC protects against network threats by ensuring that OS revisions and antivirus software are up to date before permitting end-user access to the network. Systems not up to date can be automatically connected to software that brings them up to date. NAC can also verify user credentials and either block or restrict access.
Different customers require different operations from NAC products. For example, if employees take laptops home and connect to home networks, it is imperative for the NAC product to verify immediately upon return to the corporate network that those endpoints have not been infected. If computers aren't allowed to leave the facility, no such verification is required.
Similarly, if non-employees are allowed to connect their laptops to the network, it is imperative to check
Products are available from the large network equipment vendors, including Cisco Systems Inc., Enterasys Networks Inc., Extreme Networks Inc., Juniper Networks Inc. and 3Com Corp., through its subsidiary TippingPoint. The market also includes a number of smaller equipment vendors such as Aep Networks Inc., ForeScout Technologies Inc. and StillSecure, plus antivirus software vendors McAfee Inc., Sophos plc and Trend Micro Inc. Microsoft offers its Network Access Protection (NAP) for use with its servers and client operating systems.
Choosing a NAC product
Because of the complexity of NAC products, it's difficult for a VAR or integrator to become an expert in more than a few vendor offerings. The choice among them is primarily dictated by existing vendor relationships, the type of customers served and the size of their networks.
Products vary by customer problems that need to be addressed. Some products are focused on detecting an out-of-date OS and antivirus revision levels. Others focus on authenticating users and a few claim to be comprehensive products with equal focus on both issues.
For a current Cisco channel partner, the decision to offer the Cisco NAC product (in Cisco's case, the NAC acronym stands for network admission control) is obvious. Cisco has developed a set of products that address its range of markets and has enlisted a large number of smaller companies offering products certified to operate with Cisco NAC solutions.
The Cisco Press offers a series of books on its NAC products, providing an overall description of the architecture and detailed information on implementation and troubleshooting.
Partners specializing in Microsoft products will want to consider its NAC offering, NAP, which is tightly integrated into Microsoft server and client operating systems. Like Cisco, Microsoft has attracted a long list of both hardware and software vendors to its partner program and has joined with Cisco to create a joint architecture for compatibility between their two NAC solution sets.
Microsoft Technet and Microsoft Press offer detailed guides to NAP architecture and implementation. Client support was initially limited to XP and Vista, but Microsoft partners Avenda Systems Inc. and UNETsystem now offer Microsoft NAP versions that are compatible with Linux and Mac environments.
The other large equipment vendors, mentioned above, also offer products and services aimed at their customers' NAC requirements and designed to integrate with the vendors' product line. None offer the breadth of products and partner programs of Cisco and Microsoft, but existing channel partners should evaluate what their current vendor partners offer for NAC products.
Still, choosing products from the vendor dominant in a customer's network is not always the best choice. Each situation must be evaluated based on the specific issues the customer needs to address and the required degree of integration required.
Selecting a smaller vendor
Products offered by one of the aforementioned smaller vendors may be appropriate for customers with networks of limited size and scope or for those with specialized requirements. For example, StillSecure offers products designed for Department of Defense (DoD) installations and has received security certifications from DoD organizations.
In this case, it's important to determine vendor stability. Many of the companies that entered the market earlier in the decade have closed their doors because of the competition from larger and better-known vendors, coupled with the economic downturn. For instance, so far this year, ConSentry Networks Inc., Lockdown Networks and Autonomic Networks have ceased operation. Vendor financials must be carefully evaluated before offering products that may leave customers without updates or support.
The bottom line: There are a number of tradeoffs that VARs and integrators must weigh when selecting a NAC vendor. Look first at products available from the vendor dominant in the customer's network, but don't stop there. Look carefully at the problem to be solved and look for solutions from other vendors that may be less expensive but still address the customer's requirements.
About the author
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
This was first published in September 2009