Editor's Note: If you like this topic, make sure you sign up for the ebizQ webinar, Threatscape 2008, which will explore in depth what threats to expect in 2008 and how to effectively combat them.
Network Access Control (NAC) is a hot topic in network security. Unfortunately,
most NAC discussions focus on inline vs. out-of-band, or pre-connect vs. post-connect,
enforcement. This emphasis on architectures obscures the real issue: how best to realize
an enterprise's security objectives.
It All Starts with Policy
NAC is widely considered a solution to three distinct problems: (1) control
of access based on identity; (2) enforcement of health/compliance policies;
and (3) malware containment. Many enterprises initiate NAC projects in response
to one of these driving issues. For instance, universities may worry more about
student machines without adequate virus protection, while enterprises may be
more concerned about avoiding access by malicious users.
A successful NAC deployment ultimately begins with an accurate assessment of
security needs and policy objectives. Without laying this groundwork, an enterprise
can easily find itself in a situation where policy is dictated by the choice
of NAC architecture, resulting in failed or limited deployments. To optimize
the value of a NAC deployment it’s essential to think about future requirements,
not just near-term policy drivers.
Available NAC Architectures
In general, vendors have developed three architectural approaches to NAC: edge,
inline and protocol. Edge solutions using VLANs offer the strongest enforcement
approach, while protocol and inline enforcement offer faster rollouts.
Each approach aligns to one or two of the typical NAC objectives. While a few
vendors claim to know everything about everyone on the network, there is no
current NAC product that fully addresses all three objectives on its own. Doing
so requires interoperability with existing security and network infrastructure.
Edge-based NAC utilizes VLAN enforcement on switches and wireless access points (WAPs)
to control access, as shown in Figure 1. VLAN enforcement is very secure: it controls
access before users and devices join a network, making it more difficult for malicious
users to circumvent. Some out-of-band NAC solutions also offer strong device assessment.
These attributes make edge enforcement best for user control and compliance-driven
initiatives.
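The three NAC objectives above (identity-based access, health/compliance enforcement, malware containment) and the pre-connect VLAN enforcement just described can be tied together in a small policy evaluator. The following is an added example written for this article, not code from any NAC product; the VLAN IDs, field names and the priority order of the three checks are assumptions chosen to illustrate the "policy first, then architecture" point.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# VLAN numbers are constructed for this example; a real deployment
# takes them from its own switch/WAP configuration.
VLAN_EMPLOYEE = 100     # full access for authenticated, compliant devices
VLAN_GUEST = 200        # internet-only access for unauthenticated devices
VLAN_QUARANTINE = 999   # remediation servers only

@dataclass
class Endpoint:
    mac: str
    identity: Optional[str]   # authenticated user/role, None if auth failed
    av_current: bool          # result of the health/compliance check
    infected: bool            # containment signal from AV/IDS telemetry

def assign_vlan(ep: Endpoint) -> Tuple[int, str]:
    """Pre-connect decision for one endpoint.

    The three objectives are evaluated in a fixed priority order that the
    policy, not the enforcement architecture, decides:
      containment > identity > compliance.
    Anything that does not match a permit rule falls to quarantine, so an
    unknown state never grants access (default deny)."""
    if ep.infected:
        # Containment: an infected host must not reach any production VLAN,
        # regardless of who is logged in or whether AV is current.
        return VLAN_QUARANTINE, "containment: infection flagged"
    if ep.identity is None:
        # Identity: no credentials means guest network at most.
        return VLAN_GUEST, "identity: no valid credentials"
    if not ep.av_current:
        # Compliance: known user, but the device fails the health policy.
        return VLAN_QUARANTINE, "compliance: antivirus out of date"
    return VLAN_EMPLOYEE, f"identity: {ep.identity} authenticated and compliant"

def port_decisions(endpoints):
    """Map each endpoint to its VLAN; this is what the edge switch enforces."""
    return {ep.mac: assign_vlan(ep) for ep in endpoints}

if __name__ == "__main__":
    # Constructed sample endpoints, one per objective plus the happy path.
    sample = [
        Endpoint("00:11:22:33:44:01", "alice", True, False),
        Endpoint("00:11:22:33:44:02", None, True, False),
        Endpoint("00:11:22:33:44:03", "bob", False, False),
        Endpoint("00:11:22:33:44:04", "carol", True, True),
    ]
    for mac, (vlan, why) in port_decisions(sample).items():
        print(f"{mac} -> VLAN {vlan} ({why})")
```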