NAC in Practice
NAC in practice Network, application and security managers who are considering a NAC solution should be clear about the reasons for pursuing controlled network access before entertaining any vendor.eWEEK Labs offers sample questions for a NAC RFP. Click here to read more. Managers should also keep in mind that NAC falls into the category of products that should be deployed in an IT environment first and then slowly rolled out to the general population of computer users. In fact, a phased deployment is generally regarded as the best way to go with NAC technology. IT assets should be ranked in importance, with the most sensitive servers, networks and applications protected first. Phased deployments should enable IT managers to learn how critical functions of NAC workbefore learning the hard way, with a flood a angry calls to the help desk when users cant connect. Indeed, enforcement of access policy necessarily means that when an endpoint fails inspection, the machine is blocked from all areas of the network except the remediation VLAN (virtual LAN) or Web site. In these locations, users can fix simple problems such as out-of-date anti-virus files or get more information on how to remove unauthorized software such as spyware or peer-to-peer applications. Once remediation is completed, users should be able to go through inspection and gain appropriate network access. This quarantine-remediation-retry loop must be working seamlessly before using NAC in a production network. As with any technology evaluation, IT managers should look ahead a few years to make sure that any product they evaluate will be viable in the foreseeable future. In the case of NAC, the future is 802.1x. DHCP (Dynamic Host Configuration Protocol) is often the first enforcement mechanism used to implement NAC, wherein requests for an IP address trigger a posture check on the requesting endpoint. 802.1x provides a method for authenticated communication in the network, but it can be daunting to implement, especially for devices such as printers that may not be able to run an 802.1x supplicant. Most of the RSA NAC panel agreed that while DHCP enforcement was likely to be seen in the first wave of NAC, IT managers should consider an upgrade path that includes 802.1x to build in greater network security. Microsofts NAP will come with Windows operating systems with built-in IPSec, Microsofts preferred method for securing communications. Microsofts Ahmed cited the ease of IPSec implementation, saying it was just an engineering issue. But the Trusted Computing Groups Hanna, speaking as an engineer, stated what was likely on the minds of many in the room: Implementing IPSec is a nontrivial problem. Technical Director Cameron Sturdevant can be reached at email@example.com.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.