Network access control (NAC) technology assesses the security posture of a client seeking access to a network in order to check the client's compliance with a defined set of security policies. NAC then makes an access decision based on the outcome of that assessment. Sound complicated? It is. But while NAC implementation is a lengthy and complicated process, it may turn out to be a business opportunity for partners and provide better security for their clients' networks. Network access control consultant Paul Roberts, of
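As an added illustration of the assess-then-decide loop described above, and of the pre- versus post-admission screening Roberts discusses later in the interview, here is a toy NAC policy engine in Python. It is example code written for this page, not any vendor's product or the interviewee's: the posture attributes, policy names, required patch level, VLAN numbers, signature-age limit and malware process names are all invented for illustration.

```python
"""Toy NAC policy engine: evaluate an endpoint posture report against policies.

Pre-admission checks run before the switch port is opened; post-admission
checks re-run against runtime data so a host can be quarantined later.
Everything here (schema, thresholds, VLAN numbers) is hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Decision(Enum):
    ALLOW = 0        # production VLAN
    QUARANTINE = 1   # remediation VLAN: patch and AV servers reachable only
    DENY = 2         # no network access; the worst outcome always wins


@dataclass(frozen=True)
class Posture:
    """What an endpoint agent or scanner reports (hypothetical schema)."""
    hostname: str
    av_installed: bool
    av_signature_date: Optional[date]
    patch_level: int
    disk_encrypted: bool
    running_processes: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Policy:
    name: str
    stage: str                                # "pre", "post" or "both"
    check: Callable[[Posture, date], bool]    # True means compliant
    on_fail: Decision                         # outcome this policy forces


# Hypothetical thresholds an administrator would set.
REQUIRED_PATCH_LEVEL = 12
MAX_SIGNATURE_AGE = timedelta(days=7)
KNOWN_BAD_PROCESSES = {"wormsvc.exe", "keylog.exe"}   # invented names

POLICIES: List[Policy] = [
    Policy("antivirus-installed", "both",
           lambda p, t: p.av_installed, Decision.DENY),
    Policy("av-signatures-fresh", "both",
           lambda p, t: p.av_signature_date is not None
           and t - p.av_signature_date <= MAX_SIGNATURE_AGE,
           Decision.QUARANTINE),
    Policy("patch-level-current", "both",
           lambda p, t: p.patch_level >= REQUIRED_PATCH_LEVEL, Decision.QUARANTINE),
    # Encryption state rarely changes mid-session, so check it only at admission.
    Policy("disk-encrypted", "pre",
           lambda p, t: p.disk_encrypted, Decision.QUARANTINE),
    # Runtime evidence only exists after the host is on the network.
    Policy("no-known-malware-process", "post",
           lambda p, t: not (set(p.running_processes) & KNOWN_BAD_PROCESSES),
           Decision.DENY),
]

# Hypothetical VLAN assignments; None means the port stays closed.
VLAN_FOR = {Decision.ALLOW: 100, Decision.QUARANTINE: 999, Decision.DENY: None}


def evaluate(posture: Posture, stage: str, today: date,
             policies: List[Policy] = POLICIES):
    """Return (decision, names of failed policies) for one screening stage.

    Every applicable policy is evaluated (no short-circuit) so the failure list
    is complete for the audit trail; the most restrictive outcome wins.
    """
    decision = Decision.ALLOW
    failed: List[str] = []
    for policy in policies:
        if policy.stage not in (stage, "both"):
            continue
        if not policy.check(posture, today):
            failed.append(policy.name)
            if policy.on_fail.value > decision.value:
                decision = policy.on_fail
    return decision, failed


# Constructed sample posture reports (not real hosts).
TODAY = date(2008, 2, 15)
COMPLIANT = Posture("lt-001", True, date(2008, 2, 12), 12, True)
STALE_AV = Posture("lt-002", True, date(2008, 1, 20), 12, True)
NO_AV = Posture("lt-003", False, None, 12, True)
INFECTED = Posture("lt-004", True, date(2008, 2, 12), 12, True, ("wormsvc.exe",))


def main() -> None:
    for host in (COMPLIANT, STALE_AV, NO_AV, INFECTED):
        pre, pre_failed = evaluate(host, "pre", TODAY)
        post, post_failed = evaluate(host, "post", TODAY)
        print(f"{host.hostname}: pre={pre.name} vlan={VLAN_FOR[pre]} {pre_failed}; "
              f"post={post.name} vlan={VLAN_FOR[post]} {post_failed}")


if __name__ == "__main__":
    main()
```

The `stage` field is the design point: the `INFECTED` laptop passes pre-admission screening (its posture looks clean) and is admitted to VLAN 100, but the post-admission pass, fed with runtime process data, moves it to deny. That split is what Roberts means by wanting to "see the network at work and quarantine you if needed" rather than screening only at the door.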
What are some of the benefits of network access control?
Roberts: Increasingly, companies need to be able not only to keep their networks free of worms, viruses and malware, but also to attest to the security of the devices, the clients and the laptops on their network for regulatory compliance. NAC's simplest proposition is being able to say as an IT administrator, "Here are the policies that we as an organization have, and anybody who will be using our network, either from home or from branch offices, has to adhere to these policies. We want to make sure that they do that as a condition for access, and we have the ability to track and trace hosts that aren't compliant." That's a very useful technology in some sense. That's something the enterprise very much wants and needs, even if it's something many of them haven't realized yet.
What are some of the downsides of network access control?
Roberts: NAC is still very complicated. This isn't like outpatient surgery; this is like brain surgery. It involves all parts of your network: user repositories, the endpoints, the machines that people use. It may involve your switching and routing infrastructures and back-end policy servers to create the security policies and to administer compliance with them. It means third-party security products such as antivirus, antispam, antispyware and intrusion prevention. There are many different components to any NAC implementation.
This has really been the rub with NAC. There are many different ways to do it and there are many different approaches that we can take that have their strengths or weaknesses -- all of which are valid. It isn't simple, like a firewall. Check Point had a very straightforward proposition in selling firewalls: "We close off these ports and prevent people from scanning your network and you have unimpeded access to your resources." People said, "Give me one of those, I need that, I know where to put it and what it does." NAC is not as simple a proposition.
Some people say that network access control tries to do too many things at once. Do you think this is the case?
Roberts: In some ways, it is a valid criticism. The definition of what NAC is and does has changed over the past four or five years. I don't think there is a common understanding, but I do think the definition has definitely changed. It went from preventing worm and virus infections behind the firewall to something that is pre- and post-admission screening of devices. With NAC, I want to know not only what your situation was before you requested access to the network, but I want to see the network at work and quarantine you if needed.
The main drivers behind NAC have changed from worm and virus infections to insider threat and data leaks, which are the things that get people rubbing their foreheads these days. Also, compliance regimes such as PCI and HIPAA are drivers for NAC as well. Back in 2003 and 2004, they were not. NAC is trying to address those issues, and the vendors have to change up their messaging to try to attract business. We (at The 451 Group) have a report coming out very shortly on NAC. It will say that in 2008, you're going to see a good amount of NAC adoption in the enterprise, but it indicates that some of those vendors who have been selling NAC products for a long time might be at the end of their rope.
Does network access control change the business model for resellers?
Roberts: There are tremendous opportunities for resellers in the NAC market, and certainly most of the NAC vendors that I've talked to have channel models and work through resellers rather than direct sales. I think the complexity of NAC is something that channel partners and resellers can exploit profitably. Companies, unless they are very large and wealthy with many internal IT resources, are going to need a lot of hand holding with the NAC technology at the deployment stage and then around policy creation and policy management. I think these are all areas where skilled resellers and channel partners can come in and provide a valuable service. There's a lot of complexity in these deployments and I think that's something good for channel partners and resellers.
Is it cost-effective for the company that wants network access control?
Roberts: It depends on the company and the industry they're in. We're seeing that within the retail industry, PCI compliance is a driver for companies to look at NAC, even though PCI doesn't call for NAC specifically. If the downside of not being PCI-compliant is considerable, then certainly, NAC is worth the investment for the extra security.
I think it's generally worth the investment for most companies, even if it's hard to put a dollar value on what you get back from NAC. Cost has been an issue in the past with NAC. The textbook example is Cisco itself, which spent tons of money on its marketing arm for NAC. But the solution was this huge infrastructure-based NAC control, which meant upgrading switches and routers to NAC-compliant Cisco gear. Many companies looked at what was a multi-million-dollar prospect and said no, NAC isn't worth the price. They could end up paying $1,100 or $1,200 a seat to do it, and access control is something they want but not something they want to spend that much money on. The juice isn't worth the squeeze. There is a price limit that I think companies are willing to pay. The pricing has since changed, but it is still an issue.
This was first published in February 2008