Controlling end-user network access is tied up with broader security concerns, including identity and authorization. Nonetheless, there are specific questions that IT managers should ask network access control vendors before moving ahead with an implementation of the technology, and most of these questions relate to endpoint configuration and remediation techniques.
After testing several NAC products, attending NAC conferences, and speaking with NAC vendors and implementers, eWEEK Labs has come up with a set of model questions that can serve as the basis of a NAC RFP.
First, though, IT managers must answer some important questions themselves: “Is there a problem?” and “What are the goals of the NAC project?”
The best place to look for answers to these questions is the company help desk. If external machines connecting to the corporate network—such as devices used by contractors or traveling salespeople—have caused significant application downtime because of viruses or other malware infections, then the answer to the first question is “yes.” If such queries come back with inconclusive answers, then a legitimate case for considering NAC technology must be based on a thorough risk assessment.
eWEEK Labs has found that NAC solutions can go a long way toward controlling problems caused by unmanaged machines in the hands of trusted users: contractors and other temporary workers who do legitimate work for the organization but whose machines IT does not manage. The more an organization relies on such workers, the more likely it is to benefit from a NAC solution.
SYSTEM CAPABILITIES
What are the component pieces of the NAC solution? (Check all that apply.)
- All-in-one appliance
- Software
- In-line enforcement hardware
- Out-of-band enforcement hardware
- Permanently installed client
- Temporary (dissolving) client
Which of the following does the NAC solution use?
- Switch span port
- VLANs (virtual LANs)
- 802.1X supplicants
- DHCP (Dynamic Host Configuration Protocol) with route spoofing
NAC products are sometimes offered as part of a broader range of endpoint or network security tools. For example, Symantec's Symantec Network Access Control can use a single agent to also provide personal firewall and anti-virus protection.
What endpoints can be controlled? (Check all that apply.)
- Handhelds
- Laptops/desktops
- Devices connected via wireless
- Devices connected via wire
- Client operating system
Which of the following endpoint assessments does the NAC system check for?
- Programs that must be present to connect
- Programs that must not be installed to connect
- Client operating system
- Windows Registry settings
- Operating system patches
- Application patches
- Anti-virus program
- Anti-virus pattern file
Most NAC solutions are geared toward controlling Microsoft Windows-based endpoints. A few platforms, including Caymas Systems' Caymas Access Gateway, also support Apple Computer's Mac OS X-based endpoints.
What types of authentication integration are supported?
- Internal
- LDAP
- Active Directory
- eDirectory
- RADIUS
What quarantine measures are supported?
- Captive portal
- Move to VLAN
- Individual isolation
- Direct to internal anti-virus remediation portal
- Direct to external anti-virus remediation resource
- Direct to internal patch server
- Direct to external patch server
- Direct to internal software update site
- Direct to external software update site
- Admit after successful remediation
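The endpoint assessments and quarantine measures above are easier to reason about as a decision flow: each failed check maps to one remediation target, the endpoint is admitted or quarantined, and after remediation it is re-assessed. The following is an added illustration of that flow in Python; it is not eWEEK Labs' code nor any vendor's product logic. The policy values, the placeholder patch names (`os-patch-1`, `app-patch-1`), the Registry key, the anti-virus product name and the endpoint inventory records are all constructed for the example.

```python
import copy
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Endpoint:
    """Inventory record an assessment agent would report (constructed fields)."""
    hostname: str
    os: str
    installed: Set[str]            # programs present on the endpoint
    registry: Dict[str, str]       # Windows Registry values read by the agent
    os_patches: Set[str]
    app_patches: Set[str]
    av_product: Optional[str]
    av_pattern_date: Optional[date]


@dataclass
class Policy:
    """The checks from the RFP list, expressed as policy data."""
    allowed_os: Set[str]
    required_programs: Set[str]    # programs that must be present to connect
    forbidden_programs: Set[str]   # programs that must not be installed
    required_registry: Dict[str, str]
    required_os_patches: Set[str]
    required_app_patches: Set[str]
    approved_av: Set[str]
    max_pattern_age_days: int


# Quarantine/remediation target for each kind of failed check.
REMEDIATION = {
    "os": "individual isolation",
    "forbidden_program": "captive portal",
    "required_program": "internal software update site",
    "registry": "internal software update site",
    "os_patch": "internal patch server",
    "app_patch": "internal patch server",
    "av_product": "internal anti-virus remediation portal",
    "av_pattern": "internal anti-virus remediation portal",
}

Failure = Tuple[str, str]  # (check name, offending detail)


def assess(ep: Endpoint, policy: Policy, today: date) -> List[Failure]:
    """Run every assessment check; an empty list means the endpoint is compliant."""
    failures: List[Failure] = []
    if ep.os not in policy.allowed_os:
        failures.append(("os", ep.os))
    for prog in sorted(policy.forbidden_programs & ep.installed):
        failures.append(("forbidden_program", prog))
    for prog in sorted(policy.required_programs - ep.installed):
        failures.append(("required_program", prog))
    for key, expected in policy.required_registry.items():
        if ep.registry.get(key) != expected:
            failures.append(("registry", key))
    for patch in sorted(policy.required_os_patches - ep.os_patches):
        failures.append(("os_patch", patch))
    for patch in sorted(policy.required_app_patches - ep.app_patches):
        failures.append(("app_patch", patch))
    if ep.av_product not in policy.approved_av:
        failures.append(("av_product", ep.av_product or "none"))
    elif ep.av_pattern_date is None or (today - ep.av_pattern_date).days > policy.max_pattern_age_days:
        failures.append(("av_pattern", str(ep.av_pattern_date)))
    return failures


def decide(ep: Endpoint, policy: Policy, today: date) -> Dict:
    """Admit a compliant endpoint, otherwise quarantine it with remediation targets."""
    failures = assess(ep, policy, today)
    if not failures:
        return {"verdict": "admit", "failures": [], "targets": []}
    # An unsupported OS or banned software cannot be fixed by pointing the user at
    # a patch server, so those hosts are isolated; the rest go to a remediation VLAN.
    if any(check in ("os", "forbidden_program") for check, _ in failures):
        verdict = "quarantine:isolate"
    else:
        verdict = "quarantine:remediation-vlan"
    targets = sorted({REMEDIATION[check] for check, _ in failures})
    return {"verdict": verdict, "failures": failures, "targets": targets}


def remediate(ep: Endpoint, failures: List[Failure], today: date) -> Endpoint:
    """Simulate the endpoint completing the directed remediation (returns a copy)."""
    fixed = copy.deepcopy(ep)
    for check, detail in failures:
        if check == "os_patch":
            fixed.os_patches.add(detail)
        elif check == "app_patch":
            fixed.app_patches.add(detail)
        elif check == "required_program":
            fixed.installed.add(detail)
        elif check == "av_pattern":
            fixed.av_pattern_date = today
        # os, forbidden_program, registry and av_product need manual action; left as-is.
    return fixed


# Constructed policy and inventory records; names are placeholders, not real products.
FIREWALL_KEY = r"HKLM\SOFTWARE\Policies\ExampleCorp\FirewallEnabled"
POLICY = Policy(
    allowed_os={"Windows XP SP2", "Windows Vista", "Mac OS X 10.4"},
    required_programs={"corp-vpn-client"},
    forbidden_programs={"p2p-filesharing"},
    required_registry={FIREWALL_KEY: "1"},
    required_os_patches={"os-patch-1", "os-patch-2"},
    required_app_patches={"app-patch-1"},
    approved_av={"example-av"},
    max_pattern_age_days=7,
)
TODAY = date(2007, 3, 1)  # constructed reference date for pattern-file age
ENDPOINTS = {
    "managed-desktop": Endpoint("managed-desktop", "Windows XP SP2",
        {"corp-vpn-client", "example-av"}, {FIREWALL_KEY: "1"},
        {"os-patch-1", "os-patch-2"}, {"app-patch-1"}, "example-av", date(2007, 2, 27)),
    "contractor-laptop": Endpoint("contractor-laptop", "Windows XP SP2",
        {"corp-vpn-client", "example-av"}, {FIREWALL_KEY: "1"},
        {"os-patch-1"}, {"app-patch-1"}, "example-av", date(2007, 2, 1)),
    "guest-laptop": Endpoint("guest-laptop", "Windows XP SP2",
        {"p2p-filesharing", "example-av"}, {}, set(), set(), "example-av", TODAY),
}

if __name__ == "__main__":
    for name, ep in ENDPOINTS.items():
        result = decide(ep, POLICY, TODAY)
        print(name, result["verdict"], result["targets"])
        if result["verdict"] == "quarantine:remediation-vlan":
            again = decide(remediate(ep, result["failures"], TODAY), POLICY, TODAY)
            print("  after remediation:", again["verdict"])
```

The point to check against a vendor's answers is the mapping table: each assessment failure should lead to exactly one of the quarantine options the product claims to support, and the re-assessment after remediation should be automatic rather than a help-desk ticket.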
Post-admission-monitoring capabilities are:
- Periodic, based on time interval
- Periodic, based on endpoint behavior
- There are no post-admission-monitoring capabilities
Which access locations change assessment practices?
- LAN
- Wireless
- IPSec (IP Security) VPN
- SSL (Secure Sockets Layer) VPN
- None
NAC solution assumes that contractor/guest connections are:
- The rule: The connections that will be controlled by this solution are almost always contractors or guests, not managed users
- The exception: The NAC solution monitors all connections and operates most completely when endpoints are under full management control. Guest endpoints are assessed, but remediation may require outside resources
During installation and normal use, the end user will:
- Not be aware of the NAC solution
- Notice the NAC solution during installation but not with normal use
- Always see a tray icon or screen artifact
All products provide warnings when end-user systems fail assessment and are not admitted to the network.
POLICY CREATION AND SYSTEM MAINTENANCE
Given the number of managed seats and locations we have specified, initial policy creation will likely take:
- One to three days
- Three to 10 days
- More than two weeks
Given the number of managed seats and locations we have specified, initial policy creation will likely involve:
- One to three FTE (full-time equivalent) staffers
- Three to five FTE staffers
- More than five FTE staffers
Given the number of managed seats and locations we have specified, day-to-day operations during an unexceptional month will likely require:
- One FTE staffer
- Two to three FTE staffers
- More than three FTE staffers
REPORTING
Reports can be run:
- In real time
- On a schedule
- Based on system templates
- Completely ad hoc
- From data imported from an outside database
SUPPORT
- What are the terms and availability of basic support?
- What premium support services are available, and how much do they cost?
- What online help and training tools are available?
COST-BENEFIT ANALYSIS
- What does the product cost, including base costs and costs for additional features and components?
- What are the various pricing options available?
- What cost advantages will be realized by choosing this solution?
REFERENCES
Please provide reference customers that have completed a similar deployment, with similar numbers of users and applications in the same industry.