Check out eWEEK Labs' RFP for network access control solutions.
Controlling end-user network access is tied up with broader security concerns, including identity and authorization. Nonetheless, there are specific questions that IT managers should ask network access control vendors before moving ahead with an implementation of the technology, and most of these questions relate to endpoint configuration and remediation techniques.
After testing several NAC products, attending NAC conferences, and speaking with NAC vendors and implementers, eWEEK Labs has come up with a set of model questions that can serve as the basis of a NAC RFP.
First, though, IT managers must answer some important questions themselves: "Is there a problem?" and "What are the goals of the NAC project?"
The best place to look for answers to these questions is the company help desk. If external machines connecting to the corporate network, such as devices used by contractors or traveling salespeople, have caused significant application downtime because of viruses or other malware infections, then the answer to the first question is "yes." If such queries come back with inconclusive answers, then a legitimate case for considering NAC technology must be based on a thorough risk assessment.
eWEEK Labs has found that NAC solutions can go a long way toward controlling problems that are caused by unmanaged machines in the hands of trusted users. NAC solutions increase in effectiveness when used to control unmanaged trusted users who conduct legitimate work for the organization. In fact, the more contractors and other temporary workers are used in an organization, the more likely it is that the organization can benefit from a NAC solution.
SYSTEM CAPABILITIES
What are the component pieces of the NAC solution? (Check all that apply.)
All-in-one appliance
Software
In-line enforcement hardware
Out-of-band enforcement hardware
Permanently installed client
Temporary (dissolving) client
Which of the following does the NAC solution use?
Switch span port
VLANs (virtual LANs)
802.1x supplicants
DHCP (Dynamic Host Configuration Protocol) with route spoofing
NAC products are sometimes offered as part of a broader range of endpoint or network security tools. For example, Symantec's Symantec Network Access Control can use a single agent to also provide personal firewall and anti-virus protection.
What endpoints can be controlled? (Check all that apply.)
Handhelds
Laptops/desktops
Devices connected via wireless
Devices connected via wire
Client operating system
Which of the following endpoint assessments does the NAC system check for?
Programs that must be present to connect
Programs that must not be installed to connect
Client operating system
Windows Registry settings
Operating system patches
Application patches
Anti-virus program
Anti-virus pattern file
Most NAC solutions are geared toward controlling Microsoft Windows-based endpoints. A few platforms, including Caymas Systems' Caymas Access Gateway, also support Apple Computer's Mac OS X-based endpoints.
What types of authentication integration are supported?
Internal
LDAP
Active Directory
eDirectory
RADIUS
What quarantine measures are supported?
Captive portal
Move to VLAN
Individual isolation
Direct to internal anti-virus remediation portal
Direct to external anti-virus remediation resource
Direct to internal patch server
Direct to external patch server
Direct to internal software update site
Direct to external software update site
Admit after successful remediation
Post-admission-monitoring capabilities are:
Periodic, based on time interval
Periodic, based on endpoint behavior
There are no post-admission-monitoring capabilities
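The endpoint-assessment checks, quarantine measures and post-admission re-checks listed above can be evaluated as one policy decision. The following is an added example written for this article, not code from any NAC vendor; the policy values, patch identifier, program names and endpoint inventories are all constructed placeholders.

```python
from collections import namedtuple
from datetime import date

POLICY = {  # constructed sample policy; categories follow the RFP's endpoint-assessment list
    "required_programs": {"corp-antivirus", "host-firewall"},
    "forbidden_programs": {"p2p-filesharing"},
    "allowed_os": {"Windows XP SP2", "Mac OS X 10.4"},
    "required_patches": {"PATCH-PLACEHOLDER-01"},  # placeholder id, not a real patch
    "max_av_pattern_age_days": 7,
}
TODAY = date(2007, 3, 1)  # constructed "now" for the sample run
Endpoint = namedtuple("Endpoint", "os programs patches av_pattern_date")
SAMPLES = {  # constructed endpoints: a compliant managed desktop and two contractor laptops
    "managed": Endpoint("Windows XP SP2", {"corp-antivirus", "host-firewall"}, {"PATCH-PLACEHOLDER-01"}, date(2007, 2, 27)),
    "no-av": Endpoint("Windows XP SP2", {"host-firewall"}, {"PATCH-PLACEHOLDER-01"}, date(2007, 2, 27)),
    "stale-av": Endpoint("Mac OS X 10.4", {"corp-antivirus", "host-firewall"}, set(), date(2007, 2, 1)),
}

def assess(ep, policy=POLICY, today=TODAY):
    """Return the failed checks; an empty list means the endpoint passes assessment."""
    failures = []
    if ep.os not in policy["allowed_os"]:
        failures.append("os")
    if policy["required_programs"] - ep.programs:
        failures.append("missing-program")
    if policy["forbidden_programs"] & ep.programs:
        failures.append("forbidden-program")
    if policy["required_patches"] - ep.patches:
        failures.append("patch")
    if (today - ep.av_pattern_date).days > policy["max_av_pattern_age_days"]:
        failures.append("av-pattern")
    return failures

def quarantine_action(failures):
    """Map the worst failed check to one of the RFP's quarantine measures."""
    if not failures:
        return "admit"
    if "forbidden-program" in failures or "os" in failures:
        return "individual isolation"  # not fixable by self-service remediation
    if "av-pattern" in failures:
        return "internal anti-virus remediation portal"
    if "patch" in failures:
        return "internal patch server"
    return "captive portal"  # missing program: show install instructions

def post_admission_check(ep, days_since_check, interval_days=1):
    """Time-interval re-assessment: re-run the checks once the interval has elapsed."""
    if days_since_check < interval_days:
        return "admit"  # interval not elapsed, keep the current admission
    return quarantine_action(assess(ep))
```

The ordering in quarantine_action is the policy decision an RFP answer should make explicit: a finding that self-service remediation cannot fix isolates the host, while a stale pattern file or missing patch is sent to the matching internal remediation resource.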
Which access locations change assessment practices?
LAN
Wireless
IPSec (IP Security) VPN
SSL (Secure Sockets Layer) VPN
None
NAC solution assumes that contractor/guest connections are:
The rule: The connections that will be controlled by this solution are almost always contractors or guests, not managed users
The exception: The NAC solution monitors all connections and operates most completely when endpoints are under full management control. Guest endpoints are assessed, but remediation may require outside resources
During installation and normal use, the end user will:
Not be aware of the NAC solution
Notice the NAC solution during installation but not with normal use
Always see a tray icon or screen artifact
All products provide warnings when end-user systems fail assessment and are not admitted to the network.
POLICY CREATION AND SYSTEM MAINTENANCE
Given the number of managed seats and locations we have specified, initial policy creation will likely take:
One to three days
Three to 10 days
More than two weeks
Given the number of managed seats and locations we have specified, initial policy creation will likely involve:
One to three FTE (full-time equivalent) staffers
Three to five FTE staffers
More than five FTE staffers
Given the number of managed seats and locations we have specified, day-to-day operations during an unexceptional month will likely require:
One FTE staffer
Two to three FTE staffers
More than three FTE staffers
REPORTING
Reports can be run:
In real time
On a schedule
Based on system templates
Completely ad hoc
From data imported from an outside database
SUPPORT
What are the terms and availability of basic support?
What premium support services are available, and how much do they cost?
What online help and training tools are available?
COST-BENEFIT ANALYSIS
What does the product cost, including base costs and costs for additional features and components?
What are the various pricing options available?
What cost advantages will be realized by choosing this solution?
REFERENCES
Please provide reference customers that have completed a similar deployment, with similar numbers of users and applications in the same industry.
Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.