NAC and Geographically Dispersed Networks

By Stacey Lum  |  Posted 2009-01-26


With a large network, there are many deployment, management and operational considerations. For example, hardware-based, in-line NAC solutions that sit upstream from switches create a potential single point of failure. They can be disruptive if they cannot keep pace with today's high-speed 10G network backbones.

Furthermore, in-line NAC solutions may not be ideal for geographically dispersed or highly segmented networks. Not only must there be an appliance at every location, but the further up the network the appliance sits, the less visibility into endpoint traffic these approaches provide.

There's little sense believing you're more secure with NAC when you can't see or stop an intruder's traffic on a large subnet. The out-of-band alternatives, such as those that use 802.1X, too often require many network and server configuration changes. They require additional quarantine networks and per-port configuration on each switch, as well as access rules configured on routers and switches. This not only increases administrative costs, it also increases the risk of error. Clearly, hardware-based NAC isn't cheap, nor is it a panacea.

But hardware-based NAC can provide high levels of security and, because it focuses on network traffic, it can detect exploits traveling across the wire.

With software-based approaches in geographically dispersed networks, manageability challenges remain but are moved to the endpoints, each of which requires a software agent to be installed. While the agentless NAC approach may alleviate some of this management burden, agentless NAC doesn't provide a consistent way to thoroughly evaluate the status of the endpoint, which means there's a significant security versus manageability trade-off.

Because dynamic NAC enlists only a certain percentage of systems as security enforcers, it could actually help you leverage the power of the distributed network to protect itself.

Stacey Lum is CEO, CTO and Co-founder of InfoExpress, a leading vendor of network access control solutions for enterprise networks. Prior to InfoExpress, Stacey developed network protocols and applications at Proxim and other wireless networking vendors. Stacey is an active speaker and panelist at various industry events, and holds a BS EECS from University of California at Berkeley. He can be reached at
