Easing Into NAC


May 19, 2006


So many vendors were shouting about network admission control at this month's Interop in Vegas they nearly drowned out the slot machines. But two intriguing NAC architectures emerged: peer-based enforcement and SSL VPNs on the LAN. Both let enterprises ease into a NAC solution without taking on the full cost or complexity of solutions requiring significant network upgrades or hardware purchases.

InfoExpress' Dynamic NAC (DNAC) is a peer-to-peer admission-control system. A small number of PCs or servers (Enforcers) on a subnet intercept endpoints as they connect to the network. Using ARP redirects, in which one machine effectively forces traffic to a different Layer-2 destination, Enforcers shunt the newcomers to a policy server to undergo compliance checks. Noncompliant machines can be quarantined or sent to remediation sites.

DNAC doesn't require a costly upgrade to switching infrastructure or the purchase of NAC switches or appliances. On the downside, Enforcers may be overwhelmed if they have to deal with a large number of noncompliant endpoints. Enforcers themselves may fall out of compliance and lose Enforcer status, which can result in an unmonitored subnet.
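As an added illustration (not InfoExpress code and not part of the original article), this sketch shows what the ARP redirects described above look like to a monitor on the subnet: it parses raw ARP frames, learns the first MAC seen for each IP, and labels any later claim for that IP by whether it comes from a known Enforcer. The addresses, the Enforcer allowlist and the finding labels are constructed assumptions.

```python
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[22:28]), ".".join(str(x) for x in frame[28:32])

def audit(frames, enforcer_macs):
    """Compare each ARP sender claim with the first binding learned for that IP."""
    baseline, findings = {}, []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP, or malformed
        mac, ip = parsed
        first = baseline.setdefault(ip, mac)
        if mac != first:
            # An Enforcer answering for another host's IP is the expected redirect;
            # any other MAC doing the same deserves investigation.
            kind = "enforcer-redirect" if mac in enforcer_macs else "unexpected-rebind"
            findings.append((i, ip, first, mac, kind))
    return findings

def make_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP frame for the sample data below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = m(dst_mac) + m(src_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + m(src_mac) + ip(src_ip) + m(dst_mac) + ip(dst_ip)

# Constructed sample values (locally administered MACs, private IPs).
GATEWAY, ENFORCER = "02:00:00:00:00:01", "02:00:00:00:00:ee"
UNKNOWN, ENDPOINT = "02:00:00:00:00:99", "02:00:00:00:00:50"
FRAMES = [
    make_arp(2, GATEWAY, "10.0.0.1", ENDPOINT, "10.0.0.50"),   # genuine gateway reply
    make_arp(2, ENFORCER, "10.0.0.1", ENDPOINT, "10.0.0.50"),  # Enforcer redirect
    make_arp(2, UNKNOWN, "10.0.0.1", ENDPOINT, "10.0.0.50"),   # same technique, unknown host
    bytes(12) + b"\x08\x00" + bytes(46),                       # non-ARP frame, ignored
]

if __name__ == "__main__":
    for finding in audit(FRAMES, {ENFORCER}):
        print(finding)
```

The same mechanism that lets an Enforcer steer a newcomer to the policy server is visible from any host on the segment, so a subnet that shows rebinds from MACs outside the Enforcer list, or no Enforcer redirects at all, is worth a closer look.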

Array Networks, Aventail, Caymas Systems and other vendors suggest inverting an SSL VPN and running it inside the LAN. They play up the similarities between SSL VPNs and NAC because SSL VPNs already assess the health of the endpoint and enable policy-based access to applications.

The key drawback: scalability. Because the SSL VPN is a proxy, it may have a hard time scaling to support a large number of users and/or a high transaction volume. This solution also may require a significant effort to "Webify" the applications to be protected.

Neither option is perfect, but if you're sounding out a NAC architecture, both are worth hearing.
