3:45 PM -- Are you fighting a losing battle? How about the one where you have co-control access by contractors, consultants, and personally managed devices that must plug into your corporate network? Network access control (NAC) was supposed to help us win that battle, but most of us are still struggling.
The fact is that NAC solutions are not right for everyone -- no matter what the vendors tell you. If you manage all of the machines on your network, have solid patch
management, software change control, and managed antivirus, you don't need NAC.
If enterprises designed their networks properly, putting the necessary controls in place to begin with, the NAC market space would be much smaller. Instead, NAC has become a Band-Aid for enterprises attempting to right the wrongs of poor network and information asset protection. Have you seen all of the NAC solutions out there and tried to understand their buzzwords? Let's take a brief look at some of the ways NAC is supposed to make your network more secure.
There are several different types of NAC solutions available, but most fall into either the "pre-admission" or "post-admission" category, based on when host checks are run. Host checks can be accomplished by running code on the host -- either as agents that stay resident and run checks throughout the life of the host connection or as "dissolving agents" that live only during the initials checks or only while the host is connected.
If you've ever forced a user population to install software for any reason, you probably already know that your software will be the first thing blamed whenever a problem arises.
Aside from code running on the machine, NAC vulnerability scans can be run from the network -- but host firewalls typically make those scans ineffective. A few NAC products profile network behavior and can quarantine hosts before they can do further damage. But that's really more a feature of network behavioral anomaly detection (NBAD) than of NAC.
There is a smaller, lesser known aspect of NAC referred to as identity-based access control (IBAC). Vendors such as Applied Identity, ConSentry, and Trusted Network Technologies produce solutions that don't focus on the badness of the endpoint, but on who the user is and what they are allowed to access.
Some of these solutions get extremely granular, restricting access down to the network server share. If the guest on the network shouldn't be accessing the financial server, these solutions typically won't even let him see it at the network level.
If you're in a small company -- or if your company embraces open source technology -- there are solutions that may fit better than NAC. For example, a couple of developers at Harvard offer PacketFence, an open source NAC project.
There's also NuFW, an open source IBAC solution based on Linux, netfilter, and iptables. It's surprisingly robust, with software clients for Windows, Linux, FreeBSD, and Mac OS X. These clients pass the identity of the user to the firewall so it can dynamically control what the user can access.
When all is said and done, it really comes down to having a proper risk assessment -- knowing what threats there might be to your IT resources and information assets. Is it practical to redesign and segment your network properly so that unmanaged machines entering your network are given the absolute least privilege access necessary? Or do you need to set up a proxy for their Internet traffic and an IBAC solution to keep them from touching things they shouldn't?
These are questions that can only be answered by each enterprise individually. Despite what vendors may say, NAC may not be the answer in every case.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading