Introduction to the benefits of NAC

Clients may be confused as to how network access control technologies do what they do, but they aren't confused as to what the technologies do. Value-added resellers and systems integrators are in a good position to help clients sort through NAC offerings to determine which can meet their network security goals.

By Yuval Shavit, Features Writer

Definitions of network access control (NAC) vary, but it's essentially a level of network security that allows or restricts clients' access to a LAN depending on whether they have the correct security software -- like up-to-date antivirus -- installed. Systems integrators (SIs) and value-added resellers (VARs) are in a good position to sort through the variety of products and determine the benefits of NAC for clients based on their specific goals.

Because NAC is still an emerging set of technologies, there's no solid definition yet of what it is. If you ask 10 people in Fortune 1000 companies what NAC is, you'll probably get 10 different answers, said Steve Barone, president and CEO of Creative Breakthroughs Inc., a network security consultancy in Troy, Mich. But all 10 will say they want it, he said.

Several vendors offer different versions of NAC, and functionality ranges from basic allow/deny rules to remediation methods that upgrade noncompliant computers.

There are three general approaches to NAC technology: software installed on the endpoint; hardware that ties in directly with the network infrastructure; and appliances that companies drop onto the LAN. Appliances are the cheapest and simplest option for getting some of the benefits of NAC, but they are also the least robust and don't offer as many features.

Essentially, NAC systems scan computers as they log onto a network to make sure they are up to date with antivirus software and patches. If a computer is not compliant with security policies, the user may be told how to remediate the system; this can be as simple as being told how to reach a member of the IT staff, though many systems can also direct users to Web sites where they can download and install the latest patches themselves.

Based on a computer's credentials and the software installed on it, a NAC system may give it full access to the LAN, deny it any access, or give it partial access -- such as only to certain sites or to a page where the user must log in or take some other action.
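
The admission decision described above, sketched as an added example (not code from the article or from any NAC product). The field names, the 7-day antivirus threshold, the restricted treatment of compliant guest machines and the sample endpoints are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple

MAX_AV_AGE_DAYS = 7  # assumed policy threshold, not taken from the article

class Access(Enum):
    FULL = "full"
    PARTIAL = "partial"  # restricted: login page, patch sites or guest segment
    DENY = "deny"

@dataclass
class Endpoint:
    credentials: str                          # "valid", "none" or "rejected"
    is_guest: bool = False
    av_signature_date: Optional[date] = None  # None means no antivirus found
    missing_patches: List[str] = field(default_factory=list)

def posture_problems(ep: Endpoint, today: date) -> List[str]:
    """List the remediation steps a noncompliant endpoint must complete."""
    steps = []
    if ep.av_signature_date is None:
        steps.append("install antivirus")
    elif (today - ep.av_signature_date).days > MAX_AV_AGE_DAYS:
        steps.append("update antivirus signatures")
    steps += [f"install patch {p}" for p in ep.missing_patches]
    return steps

def decide(ep: Endpoint, today: date) -> Tuple[Access, List[str]]:
    """Map credentials plus posture to one of the three access outcomes."""
    if ep.credentials == "rejected":
        return Access.DENY, ["contact IT staff"]
    if ep.credentials == "none":
        return Access.PARTIAL, ["log in"]      # login page only
    steps = posture_problems(ep, today)
    if steps:
        return Access.PARTIAL, steps           # remediation resources only
    if ep.is_guest:
        return Access.PARTIAL, []              # compliant guest stays restricted
    return Access.FULL, []

TODAY = date(2024, 1, 15)  # constructed evaluation date
SAMPLES = {  # constructed endpoints
    "employee": Endpoint("valid", av_signature_date=date(2024, 1, 14)),
    "stale": Endpoint("valid", av_signature_date=date(2023, 12, 1), missing_patches=["PATCH-A"]),
    "guest": Endpoint("valid", is_guest=True, av_signature_date=date(2024, 1, 12)),
}
print({name: decide(ep, TODAY)[0].value for name, ep in SAMPLES.items()})
```

The remediation list returned with a partial decision is what the user would be shown, so ordering antivirus fixes before patches is a choice made in this sketch.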

One of the most common benefits of NAC is the ability to control guest machine access to a network. About 58% of companies that have NAC installed or are planning its deployment list guest access as a significant driver, according to a NAC survey by BT INS, an SI in Santa Clara, Calif. Specifically, NAC lets outside parties -- for instance, a consultant coming in with a presentation on a laptop -- access the LAN without putting the network in danger.

About 35% of respondents in BT INS's survey said they were exploring NAC. A quarter of respondents had no plans for NAC; the rest were in various stages of deployment or testing. The report surveyed 101 companies including small and medium-sized businesses (SMBs) and larger enterprises with more than 10,000 employees.

NAC grew from a need to control unintentional attacks, such as when a user connects to a network without realizing his computer is infected with a worm, said Jon Oltsik, senior analyst of information security at Enterprise Strategy Group, a research firm in Milford, Mass.

Restricting guest access can be especially important for complying with regulations like PCI-DSS or HIPAA, said Paul Vinciguerra, co-founder of Vinci Consulting Corp. in Long Beach, N.Y. Those regulations may require companies to restrict access to customer data for unauthorized computers, and they can also require that all clients on the network be fully patched and secure, so that they cannot be used as an entry point for hackers.

In the next installment of this series, we'll take a closer look at the three methods of deploying network access control.
