From the perspective of end users, a Network Access Control deployment should be transparent, as if it's running all by itself. As users log on to the network, their systems should be checked, quietly in the background, for their level of compliance to internal security policies.

Examples of what NAC would vet the endpoint for include its current patch levels and functioning, and up-to-date anti-virus and personal firewall software. Only when something has gone awry should users be made aware that their systems aren't up to par. Then, most commonly, they'll be guided to an intranet portal where the system is brought up to appropriate security levels.

For small businesses and large enterprises alike, there is much to be gained from this highly dynamic level of security. An NAC-enabled network not only runs more securely but also more productively, within regulatory compliance, and it generates fewer help desk calls. While the benefits of NAC are straightforward, the ways that different NAC solutions get the job done—whether they are hardware-based, inline, out-of-band, agent or agentless—is a little more complex.

Hardware-based NAC

Let's first consider how hardware-based approaches work. This form of NAC typically requires an appliance that operates either inline or out-of-band with network traffic. Some of these appliances displace access switches, while others operate between the access layer and network switches. Either way, there are a number of deployment, management and operational changes to consider.

First, hardware-based NAC solutions have a number of inherent drawbacks. The foremost is that they create a single point of failure on the network. They also can be disruptive to network traffic, and may not be ideal for geographically dispersed or highly segmented networks. Not only does an appliance have to be installed at every location, but the further up the network, the less visibility these approaches provide into network traffic. There's little sense believing you're more secure with NAC when you can't see or stop an intruder's traffic on a large subnet.

Also, out-of-band approaches, such as those that use 802.11, too often require a high level of network and server configuration change and ports to track. This not only increases administrative costs but also increases the risks of error.

Agent and agentless-based NAC

Next up is the much-maligned agent-based approach. No one wants yet another endpoint application to install, update and maintain. It's an additional burden for the IT team and another catalyst for flurries of help desk calls.

The upside of using agents is that, because they reside on the endpoint, a higher level of scrutiny can be conducted, which should help to improve security. The reality is that agents can be the least disruptive solutions available, especially when it comes to network traffic. This is because the agent runs quietly in the background, only sending periodic updates to the policy server and making sure security is enforced thoroughly. But let's face it: No one wants another application to install, no matter how high the security payback may be.

Next up: agentless NAC. A common approach with agentless NAC involves running vulnerability or policy assessment scans or both on endpoints before they're permitted to access the network fully. Needless to say, this can place undue traffic stress on busy networks. The scan results are sent to a policy server and remedial action, if necessary, is taken on any noncompliant systems.

The promise of agentless NAC is obvious: There aren't any agents to install. Unfortunately, it's not that simple. There's always a downside and, in this case, agentless approaches don't provide a consistent way to thoroughly evaluate the status of the endpoint. Also, because identity is ascertained by examining network traffic, users can fool this tactic.

Dynamic NAC

That brings us to dynamic NAC. With dynamic NAC, there are agents but they're only installed on a certain percentage of systems. Also known as peer-to-peer NAC, this approach doesn't require any network changes or software to be installed on every system. These agents, some of which become "enforcers," are installed on trusted systems and, much like a police force, only a small ratio of law enforcement to the general population is needed to make certain everyone is in compliance. In this way, it's possible to attain the high levels of security associated with agents and all of the benefits of NAC—without the hassles of hardware-based NAC or deploying software on every networked device.

For instance, suppose a number of enforcers are installed on desktops within a LAN, and an untrusted system attempts to log onto the network. These enforcers will restrict its network traffic until it has been vetted. Also, these agents communicate continuously with the central policy server about what remediation, if any, is necessary. So, a system could be fully quarantined or blocked from certain network segments, or only allowed Internet access.

As you can see, there are considerable differences in the ways that NAC systems work. It's important that you evaluate your options to find the most effective NAC solution for your network that is also the most cost-efficient to operate.

 Paul Gann has more than 10 years of experience in the networking industry. Currently, he is a network and security engineer for Ipreo, an industry-leading global financial software company based in New York. Paul holds a diploma in network engineering and data communications from the Chubb Institute. He can be reached at paul.gann@ipreo.com.