Request for Proposal: NAC Systems

By Cameron Sturdevant  |  Posted 2006-12-11
Check out eWEEK Labs' RFP for network access control solutions.

Controlling end-user network access is tied up with broader security concerns, including identity and authorization. Nonetheless, there are specific questions that IT managers should ask network access control vendors before moving ahead with an implementation of the technology, and most of these questions relate to endpoint configuration and remediation techniques.

After testing several NAC products, attending NAC conferences, and speaking with NAC vendors and implementers, eWEEK Labs has come up with a set of model questions that can serve as the basis of a NAC RFP.

First, though, IT managers must answer some important questions themselves: "Is there a problem?" and "What are the goals of the NAC project?"

The best place to look for answers to these questions is the company help desk. If external machines connecting to the corporate network—such as devices used by contractors or traveling salespeople—have caused significant application downtime because of viruses or other malware infections, then the answer to the first question is "yes." If such queries come back with inconclusive answers, then a legitimate case for considering NAC technology must be based on a thorough risk assessment.

eWEEK Labs has found that NAC solutions can go a long way toward controlling problems that are caused by unmanaged machines in the hands of trusted users. NAC solutions increase in effectiveness when used to control unmanaged trusted users who conduct legitimate work for the organization. In fact, the more contractors and other temporary workers are used in an organization, the more likely it is that the organization can benefit from a NAC solution.

SYSTEM CAPABILITIES

  • What are the component pieces of the NAC solution? (Check all that apply.)

    • All-in-one appliance
    • Software
    • In-line enforcement hardware
    • Out-of-band enforcement hardware
    • Permanently installed client
    • Temporary (dissolving) client

  • Which of the following does the NAC solution use?

    • Switch span port
    • VLANs (virtual LANs)
    • 802.1x supplicants
    • DHCP (Dynamic Host Configuration Protocol) with route spoofing

    NAC products are sometimes offered as part of a broader range of endpoint or network security tools. For example, Symantec's Symantec Network Access Control can use a single agent to also provide personal firewall and anti-virus protection.

  • What endpoints can be controlled? (Check all that apply.)

    • Handhelds
    • Laptops/desktops
    • Devices connected via wireless
    • Devices connected via wire
    • Client operating system

  • Which of the following endpoint assessments does the NAC system check for?

    • Programs that must be present to connect
    • Programs that must not be installed to connect
    • Client operating system
    • Windows Registry settings
    • Operating system patches
    • Application patches
    • Anti-virus program
    • Anti-virus pattern file

    Most NAC solutions are geared toward controlling Microsoft Windows-based endpoints. A few platforms, including Caymas Systems' Caymas Access Gateway, also support Apple Computer's Mac OS X-based endpoints.

  • What types of authentication integration are supported?

    • Internal
    • LDAP
    • Active Directory
    • eDirectory
    • RADIUS

  • What quarantine measures are supported?

    • Captive portal
    • Move to VLAN
    • Individual isolation
    • Direct to internal anti-virus remediation portal
    • Direct to external anti-virus remediation resource
    • Direct to internal patch server
    • Direct to external patch server
    • Direct to internal software update site
    • Direct to external software update site
    • Admit after successful remediation

  • Post-admission-monitoring capabilities are:

    • Periodic, based on time interval
    • Periodic, based on endpoint behavior
    • There are no post-admission-monitoring capabilities

  • Which access locations change assessment practices?

    • LAN
    • Wireless
    • IPSec (IP Security) VPN
    • SSL (Secure Sockets Layer) VPN
    • None

  • The NAC solution assumes that contractor/guest connections are:

    • The rule: The connections that will be controlled by this solution are almost always contractors or guests, not managed users
    • The exception: The NAC solution monitors all connections and operates most completely when endpoints are under full management control. Guest endpoints are assessed, but remediation may require outside resources

  • During installation and normal use, the end user will:

    • Not be aware of the NAC solution
    • Notice the NAC solution during installation but not with normal use
    • Always see a tray icon or screen artifact

    All products provide warnings when end-user systems fail assessment and are not admitted to the network.

POLICY CREATION AND SYSTEM MAINTENANCE

  • Given the number of managed seats and locations we have specified, initial policy creation will likely take:

    • One to three days
    • Three to 10 days
    • More than two weeks

  • Given the number of managed seats and locations we have specified, initial policy creation will likely involve:

    • One to three FTE (full-time equivalent) staffers
    • Three to five FTE staffers
    • More than five FTE staffers

  • Given the number of managed seats and locations we have specified, day-to-day operations during an unexceptional month will likely require:

    • One FTE staffer
    • Two to three FTE staffers
    • More than three FTE staffers

REPORTING

  • Reports can be run:

    • In real time
    • On a schedule
    • Based on system templates
    • Completely ad hoc
    • From data imported from an outside database

SUPPORT

  • What are the terms and availability of basic support?

  • What premium support services are available, and how much do they cost?

  • What online help and training tools are available?

COST-BENEFIT ANALYSIS

  • What does the product cost, including base costs and costs for additional features and components?

  • What are the various pricing options available?

  • What cost advantages will be realized by choosing this solution?

REFERENCES

  • Please provide reference customers that have completed a similar deployment, with similar numbers of users and applications in the same industry.

Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.