NAC and geographically dispersed networks
With a large network, there are many deployment, management and operational considerations. For example, hardware-based, in-line NAC solutions that sit upstream from switches create a potential single point of failure. They can be disruptive if they cannot keep pace with today's high-speed 10G network backbones.
Furthermore, in-line NAC solutions may not be ideal for geographically dispersed or highly segmented networks. Not only does there need to be an appliance at every location but the further up the network, the less visibility into network traffic these approaches provide.
There's little sense believing you're more secure with NAC when you can't see or stop an intruder's traffic on a large subnet. The out-of-band alternatives, such as the options that use 802.1x, too often require many network and server configuration changes. They require additional quarantine networks and configuration of ports on each switch, as well as access rules to be configured for routers and switches. This not only increases administrative costs, it also increases the risk of error. Clearly, hardware-based NAC isn't cheap or a panacea.
But hardware-based NAC can provide high levels of security and, because they focus on network traffic, can find exploits traveling across the wire.
With software-based approaches in geographically dispersed networks, manageability challenges remain but are now moved to the endpoints-which will require software agents to be installed on each. While the agentless NAC approach may alleviate some of this management burden, agentless NAC doesn't provide a consistent way to thoroughly evaluate the status of the endpoint-which means there's a significant security versus manageability trade-off.
Because dynamic NAC enlists only a certain percentage of systems as security enforcers, dynamic NAC actually could help you leverage the power of the distributed network to protect itself.