NAC in Practice

By Cameron Sturdevant  |  Posted 2007-03-05 Print this article Print

NAC in practice Network, application and security managers who are considering a NAC solution should be clear about the reasons for pursuing controlled network access before entertaining any vendor.
eWEEK Labs offers sample questions for a NAC RFP. Click here to read more. Managers should also keep in mind that NAC falls into the category of products that should be deployed in an IT environment first and then slowly rolled out to the general population of computer users. In fact, a phased deployment is generally regarded as the best way to go with NAC technology. IT assets should be ranked in importance, with the most sensitive servers, networks and applications protected first. Phased deployments should enable IT managers to learn how critical functions of NAC work—before learning the hard way, with a flood a angry calls to the help desk when users cant connect. Indeed, enforcement of access policy necessarily means that when an endpoint fails inspection, the machine is blocked from all areas of the network except the remediation VLAN (virtual LAN) or Web site. In these locations, users can fix simple problems such as out-of-date anti-virus files or get more information on how to remove unauthorized software such as spyware or peer-to-peer applications. Once remediation is completed, users should be able to go through inspection and gain appropriate network access. This quarantine-remediation-retry loop must be working seamlessly before using NAC in a production network. As with any technology evaluation, IT managers should look ahead a few years to make sure that any product they evaluate will be viable in the foreseeable future. In the case of NAC, the future is 802.1x. DHCP (Dynamic Host Configuration Protocol) is often the first enforcement mechanism used to implement NAC, wherein requests for an IP address trigger a posture check on the requesting endpoint. 802.1x provides a method for authenticated communication in the network, but it can be daunting to implement, especially for devices such as printers that may not be able to run an 802.1x supplicant. Most of the RSA NAC panel agreed that while DHCP enforcement was likely to be seen in the first wave of NAC, IT managers should consider an upgrade path that includes 802.1x to build in greater network security. Microsofts NAP will come with Windows operating systems with built-in IPSec, Microsofts preferred method for securing communications. Microsofts Ahmed cited the ease of IPSec implementation, saying it was just an engineering issue. But the Trusted Computing Groups Hanna, speaking as an engineer, stated what was likely on the minds of many in the room: Implementing IPSec is a nontrivial problem. Technical Director Cameron Sturdevant can be reached at Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Cameron Sturdevant Cameron Sturdevant has been with the Labs since 1997, and before that paid his IT management dues at a software publishing firm working with several Fortune 100 companies. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility, with a focus on Android in the enterprise. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his reviews and analysis are grounded in real-world concern. Cameron is a regular speaker at Ziff-Davis Enterprise online and face-to-face events. Follow Cameron on Twitter at csturdevant, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel