How to Get to ROI with Network Access Control

There are many reasons that NAC hasn't lived up to its promise, but the biggest reason is cost. Troy McDonald, IT manager for PROS, shows that it is possible to actually get a decent return on investment with network access control-if it's done the right way.


There are certainly plenty of promises being tossed about regarding the benefits of network access control. A couple of these include on-the-fly authentication of appropriate users and the ability to ensure that all endpoint devices get access only after they've been proven to comply with internal security policies. Such policies include making sure that security settings (such as firewall, anti-virus signatures and patch levels) are up-to-date.

When done right, NAC should create a network whose traffic flows cleaner, suffers fewer malware infections and other risks associated with security breaches, and boasts significantly reduced downtime. If all of this is indeed attainable, why does it seem so difficult to gain a return on investment from a NAC solution?

The answer is, many NAC solutions are designed in such a way that they require significant, and often convoluted, changes to existing network infrastructure. Whether it's network appliances that need to be installed at each location, or client-side agents that must reside on each endpoint, many NAC solutions require significant upfront investment. They also require many system and network changes, and continuous feeding and care. All of this overhead reduces the cost benefits that should be realized from a NAC solution.

The high cost of hardware-based NAC

Hardware-based NAC solutions typically raise the cost of NAC implementations for at least two reasons. First, more often than not, appliances need to be installed at every location. This is obviously expensive for organizations with many distributed sites. Although out-of-band approaches like 802.1x have lower capital costs, they still require a high level of network and server configuration changes and ports to track on the switch. This not only increases administrative costs, but also increases the risks of network configuration error.

Second, administrators have to accomplish a number of time-consuming tasks just to get the NAC deployment moving. They have to coordinate all NAC management processes, provide updates to the equipment, reconfigure networks, add new servers, install appliances, configure new VLANs (virtual LANs), and reconfigure routers and switches. Not only are these processes time-consuming, but the need for them is exacerbated due to the limited opportunities for network change management.

These processes are also especially costly when employing highly paid administrators for the task. And many of these steps need to be repeated each and every time a new switch is installed or updated. So, clearly, hardware-based NAC is not cheap.

The high cost of agent-based NAC

Agent-based NAC is very expensive too. It's obvious why: Not only must software agents be installed on every endpoint, but network changes for NAC must be maintained. And, just as is the case for in-band solutions, this is yet another unwanted cost and burden on the IT team. Also, each time something goes awry with the agent, a flurry of help desk calls ensues.

But despite these drawbacks, two important benefits do stem from the agent-based NAC approach. First, it provides a high level of scrutiny for each endpoint, which aids security. Second, agents can be much less disruptive to network traffic (if you can find an agent that runs quietly in the background) by sending updates to the policy server only when necessary, thereby not choking traffic.

In spite of these benefits, the need to have to install and manage another application on each endpoint-especially unmanaged and mobile endpoints-doesn't provide any savings if ongoing network changes and reconfigurations are required.

Dynamic NAC enters the picture

This all brings us to what has come to be known as DNAC (Dynamic NAC). DNAC leverages existing network infrastructure to attain the benefits of NAC-but without all of the overhead. With DNAC, there aren't any network changes required. This alone provides considerable implementation savings.

This is achieved because DNAC leverages existing PCs as the policy enforcers. Dedicated appliances and PCs are not required (as is the case with hardware and software-based NAC solutions). And, while appliances may be required for remote-access VPNs, they're certainly not required at each location or network segment. Not having to install appliances at each site provides significant savings for any enterprise with multiple locations.

Peer-to-peer NAC explained

While there are agents, they don't need to be installed on all endpoints (such as embedded devices or operating systems that aren't supported). Also known as peer-to-peer NAC-because enforcers constantly seek systems that are out of compliance-this approach doesn't require any network changes. It doesn't require software to be installed on every system either. These agents, some of which become "enforcers," are installed on trusted systems. Much as with a police force, only a small ratio of law enforcement to the general population is needed to make certain that everyone is in compliance.

Whenever necessary, additional systems can be "deputized" so that the system scales with network growth. In this way, it is possible to attain the deep auditing associated with agents and all of the benefits of NAC. It's possible to achieve all of this without the hassles of hardware-based NAC or intensive network configuration changes.

Suppose, for example, a number of enforcers are installed on desktops within a LAN. Soon an untrusted system attempts to log onto the network. These enforcers will restrict network traffic until they've been vetted, while communicating continuously with the central policy server about what remediation, if any, is necessary. So a system could be fully quarantined or blocked from certain network segments or only allowed Internet access.

Cost-saving benefits from a NAC solution

By selecting a NAC solution that significantly limits the number of hardware and configuration changes and requires no network changes, you'll save significantly on your deployment costs. You will also more quickly benefit from the ongoing cost savings associated with reducing endpoint infections, providing auditing and compliance reporting, and generating fewer costly help desk calls.

/images/stories/heads/t_roy70x70.jpg Troy McDonald has almost two decades of experience managing IT groups for large and midsize organizations. He is keenly aware of security requirements and compliance challenges. Currently, he is the IT manager for PROS, a world-class pricing and revenue optimization software company based in Houston, Texas. Troy holds a BBA in MIS from the University of Houston. Outside of the office, he enjoys spending time with his wife, sons and daughter, fishing, kayaking and trying to master the ripstick. He can be reached at