There are a lot of ways to handle Network Access Control, some good and some not so good. According to network engineer Paul Gann, deciding which is which depends on your management needs and your network.
From the perspective of end users, a Network Access Control deployment
should be transparent, as if it's running all by itself. As users log on to the
network, their systems should be checked, quietly in the background, for their
level of compliance to internal security policies.
Examples of what NAC would vet the endpoint for include its current patch
levels and functioning, and up-to-date anti-virus and personal firewall
software. Only when something has gone awry should users be made aware that
their systems aren't up to par. Then, most commonly, they'll be guided to an
intranet portal where the system is brought up to appropriate security levels.
For small businesses and large enterprises alike, there is much to be gained
from this highly dynamic level of security. An NAC-enabled network not only
runs more securely but also more productively, within regulatory compliance,
and it generates fewer help desk calls. While the benefits of NAC are
straightforward, the ways that different NAC solutions get the job done-whether
they are hardware-based, inline, out-of-band, agent or agentless-is a little
Let's first consider how hardware-based approaches work. This form of NAC
typically requires an appliance that operates either inline or out-of-band with
network traffic. Some of these appliances displace access switches, while
others operate between the access layer and network switches. Either way, there
are a number of deployment, management and operational changes to consider.
First, hardware-based NAC solutions have a number of inherent drawbacks. The
foremost is that they create a single point of failure on the network. They
also can be disruptive to network traffic, and may not be ideal for
geographically dispersed or highly segmented networks. Not only does an
appliance have to be installed at every location, but the further up the
network, the less visibility these approaches provide into network traffic.
There's little sense believing you're more secure with NAC when you can't see
or stop an intruder's traffic on a large subnet.
Also, out-of-band approaches, such as those that use 802.11, too often
require a high level of network and server configuration change and ports to
track. This not only increases administrative costs but also increases the
risks of error.
Agent and agentless-based NAC
Next up is the much-maligned agent-based approach. No one wants yet another
endpoint application to install, update and maintain. It's an additional burden
for the IT team and another catalyst for flurries of help desk calls.
The upside of using agents is that, because they reside on the endpoint, a
higher level of scrutiny can be conducted, which should help to improve
security. The reality is that agents can be the least disruptive solutions
available, especially when it comes to network traffic. This is because the
agent runs quietly in the background, only sending periodic updates to the
policy server and making sure security is enforced thoroughly. But let's face
it: No one wants another application to install, no matter how high the
security payback may be.
Next up: agentless NAC. A common approach with agentless NAC involves
running vulnerability or policy assessment scans or both on endpoints before
they're permitted to access the network fully. Needless to say, this can place
undue traffic stress on busy networks. The scan results are sent to a policy
server and remedial action, if necessary, is taken on any noncompliant systems.
The promise of agentless NAC is obvious: There aren't any agents to install.
Unfortunately, it's not that simple. There's always a downside and, in this
case, agentless approaches don't provide a consistent way to thoroughly
evaluate the status of the endpoint. Also, because identity is ascertained by
examining network traffic, users can fool this tactic.
That brings us to dynamic NAC. With dynamic NAC, there are agents but
they're only installed on a certain percentage of systems. Also known as peer-to-peer
NAC, this approach doesn't require any network changes or software to be
installed on every system. These agents, some of which become
"enforcers," are installed on trusted systems and, much like a police
force, only a small ratio of law enforcement to the general population is
needed to make certain everyone is in compliance. In this way, it's possible to
attain the high levels of security associated with agents and all of the
benefits of NAC-without the hassles of hardware-based NAC or deploying software
on every networked device.
For instance, suppose a number of enforcers are installed on desktops within
a LAN, and an untrusted system attempts to
log onto the network. These enforcers will restrict its network traffic until
it has been vetted. Also, these agents communicate continuously with the
central policy server about what remediation, if any, is necessary. So, a
system could be fully quarantined or blocked from certain network segments, or
only allowed Internet access.
As you can see, there are considerable differences in
the ways that NAC systems work. It's important that you evaluate your options
to find the most effective NAC solution for your network that is also the most
cost-efficient to operate.
Paul Gann has more than 10 years of experience in the networking industry. Currently, he is a network and security engineer for Ipreo, an industry-leading global financial software company based in New York. Paul holds a diploma in network engineering and data communications from the Chubb Institute. He can be reached at firstname.lastname@example.org.