Network Access Control, as practiced by Forescout Technologies, combines fairly rigorous PC client checks with ongoing monitoring and modest 802.1X-style switch port control to reduce the damage that network insiders can cause.
The current state of the art for the fast-evolving and still nebulously defined NAC space usually adds a heavy dose of user identity to the characteristics listed above, to achieve the level of control needed to satisfy auditing requirements and give IT managers peace of mind.
As this year unfolds, IT managers will likely be confronted with an increase in threats brought into the protected network by mobile machines, along with a growing list of vendors that have adapted products to provide some sort of NAC function.
Forescout's CounterAct, just one such product among many, started life as an anti-worm appliance. Version 5.1 of CounterAct adds extensive client configuration checking: if the client doesn't match the predefined admission policy, network access is denied or severely curtailed.
There are some basic questions that IT managers should answer before embarking on a NAC project. One of the most important: agent or agentless?
Forescout's CounterAct and Vernier Networks' EdgeWall are agentless NAC solutions. The Host Property Scanner bundled with CounterAct 5.1 lets the appliance check for components such as anti-virus software and patches, along with operating system version information. Other products, including Senforce Technologies' Endpoint Security Suite, use agents to perform endpoint integrity checks.
With agentless technologies there are no installation or maintenance costs on the endpoint systems, costs that agent-based solutions will incur. The trade-off is that an agentless product can only assess a machine it can reach over the network.
The advantage of many agent-based tools is that they can often maintain client health even when the machine is disconnected from the network, preventing problems such as the installation of malware before the host ever returns to the protected LAN.
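The admission decision described above (scan the host's properties, compare them with a predefined policy, then admit, curtail or deny) is easy to reason about once written down. The following toy evaluator is an added example, not CounterAct's or any other vendor's code; the property names, policy values, patch labels, roles and sample hosts are all constructed for illustration. It also folds in the user-identity dimension mentioned earlier, so a perfectly patched guest machine still lands on the restricted network, and it distinguishes failures that a remediation network can fix (stale signatures, missing patches) from ones it cannot (an unsupported operating system).

```python
"""Toy NAC admission-policy evaluator (added example, not vendor code)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Enforcement outcomes: full access, restricted/remediation access, or no access.
ALLOW, QUARANTINE, DENY = "allow", "quarantine", "deny"


@dataclass(frozen=True)
class HostProperties:
    """Properties an agentless scan might report. Field names are assumptions."""
    os_name: str
    os_version: Tuple[int, int]
    av_installed: bool
    av_signature_date: Optional[date]
    installed_patches: FrozenSet[str]
    user_role: str


@dataclass(frozen=True)
class AdmissionPolicy:
    min_os_version: Dict[str, Tuple[int, int]]  # OS name -> minimum supported version
    max_signature_age_days: int                 # AV signatures older than this are stale
    required_patches: FrozenSet[str]            # every admitted host must have these
    internal_roles: FrozenSet[str]              # identities allowed on the internal network


def evaluate(host: HostProperties, policy: AdmissionPolicy, today: date) -> Tuple[str, List[str]]:
    """Return (action, reasons) for one host.

    Order matters: identity first, then failures that a remediation network
    cannot fix (unsupported OS) which deny outright, then remediable posture
    failures which curtail access to a quarantine network.
    """
    # Identity check: a clean guest machine still does not belong on the internal LAN.
    if host.user_role not in policy.internal_roles:
        return QUARANTINE, [f"role '{host.user_role}' not permitted internal access"]

    minimum = policy.min_os_version.get(host.os_name)
    if minimum is None:
        return DENY, [f"unsupported operating system '{host.os_name}'"]
    if host.os_version < minimum:
        return DENY, [f"{host.os_name} {host.os_version} below minimum {minimum}"]

    reasons: List[str] = []
    if not host.av_installed:
        reasons.append("anti-virus not installed")
    elif (host.av_signature_date is None
          or (today - host.av_signature_date).days > policy.max_signature_age_days):
        reasons.append("anti-virus signatures stale")

    missing = policy.required_patches - host.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))

    return (QUARANTINE, reasons) if reasons else (ALLOW, [])


# Constructed sample data; patch names and roles are placeholders, not real identifiers.
TODAY = date(2006, 3, 1)
POLICY = AdmissionPolicy(
    min_os_version={"windows": (5, 1), "macos": (10, 4)},
    max_signature_age_days=7,
    required_patches=frozenset({"patch-A", "patch-B"}),
    internal_roles=frozenset({"employee", "contractor"}),
)
SAMPLE_HOSTS = {
    "compliant-laptop": HostProperties("windows", (5, 1), True, date(2006, 2, 27),
                                       frozenset({"patch-A", "patch-B"}), "employee"),
    "stale-laptop": HostProperties("windows", (5, 1), True, date(2006, 1, 15),
                                   frozenset({"patch-A"}), "employee"),
    "old-desktop": HostProperties("windows", (5, 0), True, date(2006, 2, 28),
                                  frozenset({"patch-A", "patch-B"}), "employee"),
    "visitor": HostProperties("macos", (10, 4), True, date(2006, 2, 28),
                              frozenset({"patch-A", "patch-B"}), "guest"),
}


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every sample host against POLICY; returns name -> (action, reasons)."""
    return {name: evaluate(host, POLICY, TODAY) for name, host in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for name, (action, reasons) in demo().items():
        print(f"{name:16} {action:10} {'; '.join(reasons)}")
```

Running the block prints one line per sample host. The quarantine verdict carries every failed check rather than just the first, which is what an operator needs to remediate the machine in one pass; in a real deployment the three actions would map onto switch-port or VLAN assignments rather than strings.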
During the course of the year, network infrastructure providers are expected to come out with their own NAC solutions. For example, Cisco Systems' Network Admission Control and Juniper Networks' Unified Access Control will be built on the vendors' respective infrastructure devices and will check endpoint configuration to further enforce internal network security.
Tools that detect anomalous network behavior, such as Arbor Networks' Peakflow X and newcomer Snipe Network Security's NetGuard, also perform NAC functions on the internal network and will continue to play an important role in internal network security.
One thing is clear already in the nascent NAC arena: It will take a combination of approaches to ensure that endpoint devices are correctly configured and free of the malware that could harm internal network resources.