***Editor's Note: If you like this topic, make sure you sign-up for the
ebizQ webinar, Threatscape
2008, that'll explore in-depth what threats to expect in 2008 and how to
effectively combat them.
Network Access Control (NAC) is a hot topic in network security. Unfortunately,
most NAC discussions focus on inline vs. out of band, or pre-connect vs. post-connect.
This emphasis on architectures obscures the real issue: how best to realize
an enterprise’s security objectives.
It All Starts with Policy
NAC is widely considered a solution to three distinct problems: (1) control
of access based on identity; (2) enforcement of health/compliance policies;
and (3) malware containment. Many enterprises initiate NAC projects in response
to one of these driving issues. For instance, universities may worry more about
student machines without adequate virus protection, while enterprises may be
more concerned about avoiding access by malicious users.
A successful NAC deployment ultimately begins with an accurate assessment of
security needs and policy objectives. Without laying this groundwork, an enterprise
can easily find itself in a situation where policy is dictated by the choice
of NAC architecture, resulting in failed or limited deployments. To optimize
the value of a NAC deployment it’s essential to think about future requirements,
not just near-term policy drivers.
Available NAC Architectures
In general, vendors have developed three architectural approaches to NAC: edge,
inline and protocol. Edge solutions using VLANs offer the strongest enforcement
approach, while protocol and inline enforcement offer faster rollouts.
Each approach aligns to one or two of the typical NAC objectives. While a few
vendors claim to know everything about everyone on the network, there is no
current NAC product that fully addresses all three objectives on its own. Doing
so requires interoperability with existing security and network infrastructure.
Edge-based NAC utilizes VLAN enforcement on switches and WAPs to control
access, as shown in Figure 1. VLAN enforcement is very secure, controlling access
before users and devices join a network, making it more difficult for malicious
users to circumvent. Some out-of-band NAC solutions offer strong device assessment.
These attributes make edge enforcement best for user control and compliance-driven