Network Computing is part of the Informa Tech Division of Informa PLC


Guest access or federated NAC management?

Mimicking activity in the physical world, Cisco Guest Server lets employees sponsor guests onto your network rather than lumping all guests into one account or another. This is the first step toward placing access control decisions with the business user, where they ultimately belong.
When I walk into a building or office to visit someone, I often have to sign in and be escorted by an employee. Generally speaking, any employee can sponsor a visitor without having to get sign-off from a committee. Sign the log, get a paste-on name badge, and wait for an escort. Letting guests into your offices poses a significant security risk if your organization is being targeted. Talk to someone like Ira Winkler or Steve Stasiukonis, both masters of getting places they shouldn't: just getting in the door is often the most difficult step in penetrating a company, but nearly all companies allow that to happen. The benefit is that employees can schedule meetings when they need to without undue overhead. Why should guest network access be any different?

The idea behind the NAC Guest Server is that users can sponsor guests onto the network by creating a temporary account the guest uses to log in. The guest's activity can then be tracked. Of course, who gets to sponsor access and what kinds of access can be granted are all defined by policy, so you can control who does what. I have a longer view.

I have always maintained that relying on IT to assign NAC policies is less business friendly than letting business managers perform that function. Who knows better what access is needed: an IT or security admin who is divorced from the business process, or a line manager trying to get projects done and generate revenue? While defining roles and assigning access control is a useful exercise, there are often exceptions where some employees need access outside the pre-defined roles.

There is a continuum of policies ranging from loose to strict. Loose access control policies, where access is relatively open once a host and user are authenticated and approved onto the network, handle exceptions easily. Stricter access control policies, not so much. If your company is driving toward stricter access control policies, the exception monster will rear its ugly head. That means business managers will have to go to IT to ask for and justify the exception, at the expense of getting things done.

Business managers should make access control decisions because they know better who needs access to network resources. Before you think I am suggesting line managers should be turned loose on a NAC console, I am not. In fact, all of the NAC products I have seen are designed to be used by an IT or security administrator. A business manager would just get lost in the buttons and knobs.
