Few would argue that network access control doesn’t improve security. NAC quickly screens out users and systems that shouldn’t be granted access, and it makes sure that crucial controls such as firewall settings, anti-virus signatures and patch levels are up to date. When done right, NAC keeps network traffic flows free of malware infections and of many other risks associated with security breaches.
The catch? Yes, there’s always a catch: Many NAC solutions have proven to be expensive to deploy and manage. In this article, we’ll tell you what you need to know to determine the best NAC option for your type of environment. But, before we get into that, we need to quickly recap the four primary types of NAC solutions:
1. Hardware-based NAC. Whether in-line or out-of-band, these options typically require that an appliance be installed at almost every location where NAC will be enabled. Some of these appliances displace the access switch, while others operate between the access layer and network switches.
2. Agent-based software NAC. Next up is the agent-based approach. Here, agents are installed on each NAC-enabled device. These agents scan and monitor the device, typically sending the results back to a centralized server. Systems found to be out of compliance are not granted access, and are often sent for some type of remedial action.
3. Agentless software NAC. Agentless NAC, which relies on a dissolvable agent, is another common approach. With this setup, the idea is for a temporary agent, usually some type of ActiveX control, to scan endpoints periodically for vulnerability and/or policy assessments. The scan results are sent to a policy server, and remedial action, if necessary, is taken on noncompliant systems. When the process is complete, the temporary agent dissolves.
4. Dynamic NAC. That brings us to dynamic NAC, which uses agents but only on a percentage of systems. Also known as peer-to-peer NAC, this approach doesn’t require network changes or software to be installed on every system. The agents, some of which become enforcers, are installed on trusted systems. Then, similar to a police force, you need only a small ratio of law enforcement to the general population to make certain everyone is in compliance.
Whether you select hardware, software, agentless or dynamic NAC, you need to consider the goals of your NAC deployment such as the level of security versus manageability, as well as other facets that depend on the size of your business and network.
NAC and Geographically Dispersed Networks
With a large network, there are many deployment, management and operational considerations. For example, hardware-based, in-line NAC solutions that sit upstream from switches create a potential single point of failure. They can be disruptive if they cannot keep pace with today’s high-speed 10G network backbones.
Furthermore, in-line NAC solutions may not be ideal for geographically dispersed or highly segmented networks. Not only does there need to be an appliance at every location but the further up the network, the less visibility into network traffic these approaches provide.
There’s little sense believing you’re more secure with NAC when you can’t see or stop an intruder’s traffic on a large subnet. The out-of-band alternatives, such as the options that use 802.1x, too often require many network and server configuration changes. They require additional quarantine networks and configuration of ports on each switch, as well as access rules to be configured for routers and switches. This not only increases administrative costs, it also increases the risk of error. Clearly, hardware-based NAC isn’t cheap or a panacea.
But hardware-based NAC can provide high levels of security and, because it focuses on network traffic, can find exploits traveling across the wire.
With software-based approaches in geographically dispersed networks, manageability challenges remain but are now moved to the endpoints, each of which will require a software agent to be installed. While the agentless NAC approach may alleviate some of this management burden, agentless NAC doesn’t provide a consistent way to thoroughly evaluate the status of the endpoint, which means there’s a significant security versus manageability trade-off.
Because dynamic NAC enlists only a certain percentage of systems as security enforcers, dynamic NAC actually could help you leverage the power of the distributed network to protect itself.
Securing Small and Midsize Businesses
Few SMBs (small and midsize businesses) have the dedicated IT staff and expertise needed to configure complicated and out-of-band approaches such as 802.1x network configurations, and properly troubleshoot network problems when they arise. Also, given resource constraints, these organizations often prefer to focus IT teams on business-growing IT initiatives.
That’s exactly what software-based NAC does: It increases security while also reducing the management burden on security and networking teams. In fact, for SMBs, much can be said in defense of agents. For one, a higher level of scrutiny can be achieved on endpoints, which aids security. And the reality is, agents can be the least disruptive solution available, especially when it comes to network traffic because agents run quietly in the background, only sending periodic updates to the policy server. So, if you’re an SMB with limited IT resources, the trick is to find the most manageable, cost-effective, software-based NAC or dynamic NAC solution available.
Level of security desired
No matter what size your business or network, you need to balance cost and manageability with the level of security you desire. It’s common, because of internal culture, risk tolerance or whether or not one operates in a regulated industry, for organizations to lean toward a high level of security or ease of manageability.
For instance, hardware-based 802.1x (out-of-band) solutions may be the best option if security is the only consideration. While agentless NAC sidesteps the need to install and maintain agents, there’s a compromise: The agentless approach doesn’t provide a persistent way to evaluate the status of the endpoint thoroughly. Also, because identity is ascertained by examining network traffic, users may be able to fool the system.
Dynamic NAC systems, with only a percentage of systems requiring agents (which continuously look for noncompliance), may provide the right balance between manageability and security.
Costs of NAC
Whether you’re a geographically dispersed retailer, manufacturer or financial services firm, managing a NAC appliance at each location can get expensive quickly. Consider that each hardware-based NAC appliance would cost about $20,000. Additionally, that appliance very well could require paying the travel expenses and time of an expert for the initial deployment and configuration. Then there’s the burden of continuous maintenance and updating.
And, in some instances, depending on the nature of your architecture, remote management may not be feasible without significant and risky changes to your network configuration. If you want to keep costs down (including ongoing maintenance and management costs), a software-based NAC solution may be a viable option.
Depending on your needs, implementing NAC as part of a comprehensive IT security solution may be the best option. Many large infrastructure vendors have partnered with security vendors to offer their services with best-of-breed security technology.
As you can see, there are many things to consider before you make your move to NAC, and we hope this article helps you to simplify your choice. No matter what type of solution you choose, you eventually will need to pull the trigger and deploy. That’s when you’ll need a deployment strategy. It’s best to deploy in stages. That is, approach your NAC with incremental installs that solve a specific need or secure a certain location or network segment. As you get more familiar with the NAC solution, move the deployment throughout the business. In the beginning, you’ll want to plan a reasonable amount of time to monitor how well it’s going, and to give administrators the time they need to understand its impact on systems and your network.
Also, before you turn on any policy enforcement capabilities, make sure you have a good remediation strategy in place. Will you block people with noncompliant systems outright? How well are you integrated with patch management software? You’ll also want to know, and have established, where you are going to store your remediation files and directions for any systems that are not in compliance.
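As an added illustration of the agent-based workflow described earlier (posture checks for firewall, anti-virus and patch state, a policy server that decides on access, and remediation directions for noncompliant systems), combined with the staged, monitor-first rollout recommended above, here is a small policy engine in Python. It is example code written for this page, not code from the article or from any NAC product; the hosts, dates, thresholds and remediation locations are constructed, and `REMEDIATION_SHARE` and `PATCH_SERVER` are placeholders for wherever a deployment keeps its remediation files.

```python
# Added example (not from the article): a minimal NAC policy engine that
# evaluates endpoint posture reports, supports a monitor-only stage before
# enforcement, and attaches remediation directions to each finding.
# All hosts, dates, thresholds and remediation locations are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class Posture:
    """One endpoint's self-reported state, as an agent would send it to the policy server."""
    host: str
    firewall_enabled: bool
    av_signature_date: date
    missing_critical_patches: int


@dataclass
class Policy:
    """Compliance thresholds. enforce=False is the staged, monitor-only rollout."""
    max_av_age_days: int = 7
    max_missing_critical_patches: int = 0
    enforce: bool = False


@dataclass
class Decision:
    host: str
    compliant: bool
    action: str                      # "allow", "allow-monitor" or "quarantine"
    findings: List[str] = field(default_factory=list)
    remediation: List[str] = field(default_factory=list)


# Placeholder locations for remediation files; a real deployment would point
# these at its own patch-management server or file share.
REMEDIATION_DIRECTIONS: Dict[str, str] = {
    "firewall_disabled": "Enable the host firewall: see REMEDIATION_SHARE/firewall.txt",
    "av_out_of_date": "Update anti-virus signatures: see REMEDIATION_SHARE/av.txt",
    "missing_critical_patches": "Install pending critical patches via PATCH_SERVER",
}


def evaluate(posture: Posture, policy: Policy, today: date) -> Decision:
    """Compare one posture report against policy and decide what the network should do."""
    findings: List[str] = []
    if not posture.firewall_enabled:
        findings.append("firewall_disabled")
    if (today - posture.av_signature_date).days > policy.max_av_age_days:
        findings.append("av_out_of_date")
    if posture.missing_critical_patches > policy.max_missing_critical_patches:
        findings.append("missing_critical_patches")

    compliant = not findings
    if compliant:
        action = "allow"
    elif policy.enforce:
        action = "quarantine"        # enforcement on: noncompliant hosts are isolated
    else:
        action = "allow-monitor"     # monitor-only stage: record, but do not block
    return Decision(
        host=posture.host,
        compliant=compliant,
        action=action,
        findings=findings,
        remediation=[REMEDIATION_DIRECTIONS[f] for f in findings],
    )


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions by action; shows the impact before enforcement is switched on."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample posture reports for a single evaluation day.
TODAY = date(2024, 5, 1)
SAMPLE_POSTURES = [
    Posture("laptop-01", True, date(2024, 4, 30), 0),   # fully compliant
    Posture("laptop-02", False, date(2024, 4, 28), 0),  # firewall switched off
    Posture("kiosk-07", True, date(2024, 3, 1), 3),     # stale AV and unpatched
]


def run_sample(enforce: bool) -> List[Decision]:
    """Evaluate the sample fleet in monitor-only (False) or enforcing (True) mode."""
    policy = Policy(enforce=enforce)
    return [evaluate(p, policy, TODAY) for p in SAMPLE_POSTURES]


if __name__ == "__main__":
    for stage in (False, True):
        print("enforce =", stage, summarize(run_sample(stage)))
        for d in run_sample(stage):
            print(f"  {d.host}: {d.action} {d.findings} {d.remediation}")
```

Running the sample fleet first with `enforce=False` reports which hosts would be quarantined without blocking anyone, which is the monitoring period the article recommends; flipping `enforce` to `True` turns the same findings into quarantine decisions, each carrying the remediation directions the host should be pointed to.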
Despite the fact that NAC currently is facing a level of resistance in the marketplace as a result of some less-than-spectacular deployments, it’s more crucial than ever that NAC be examined. Not only have there been recent advances in NAC solutions, but many of the problems with failed solutions have been the result of not thinking NAC through, choosing the wrong solution, rushing too fast into the deployment or attempting to do too much too fast. Now you know how to do it better.