The Essential Guide to NAC

Updated: April 30, 2009

Over the past couple of decades, businesses and network administrators were preoccupied with simply getting employees and business partners onto their networks. But with business networks now commonplace, the focus has gradually shifted from gathering new users to blocking unauthorized ones.

NAC (Network Access Control) has now become a key tool for keeping potential snoops and attackers off business networks, as well as for managing the more complex web of permissions and authorizations needed for different groups of users to access parts but not all of a network. The technology helps a business enforce its security policies on any person — or any device — seeking network access. NAC also helps businesses comply with external regulations and internal policies, as well as safeguarding network resources from evolving threats.

NAC Benefits

NAC benefits can be broadly grouped into three categories:

  • Security Compliance: A NAC makes certain that all network endpoints conform to the business's security policy. The NAC accommodates the policy's risk level and protects infrastructure resources while ensuring employee productivity. It also locks down both managed and unmanaged assets while enabling secure guest access.
  • User Authentication: NACs enforce access policies on the basis of authenticated user identities, not merely IP addresses, which can be easily spoofed.
  • Mitigating Risks from Unauthorized Access and Malware: NACs are designed to control and mitigate large-scale infrastructure disruptions. The technology is particularly valuable for its ability to bar devices without anti-malware protection, updated patches and other current security defenses from accessing the network. This attribute makes NACs a first line of defense in zero-day malware attacks.

Types of NACs

NAC technologies are offered by many different vendors and come in a wide range of types. Here are some of the major approaches used by NAC vendors:

  • Agent-based NACs: This type of NAC relies on software that sits on endpoint devices. The agent communicates with, and authenticates to, a network-connected NAC server or appliance. The approach is simple, but is relatively inflexible and requires special software to be installed and maintained on end-user devices.
  • Agentless NACs: With the agentless NAC option, there's no need to install special agents on individual desktop and laptop computers and other end-user devices. Instead, a temporary agent runs from a scratch directory only while the device is being checked. Avoiding permanently installed agents makes deployment easier and simplifies NAC operations.
  • Inline NACs: An inline NAC has all client traffic passing through it. The NAC functions like a firewall for access-layer networks, enforcing security policies. Although convenient, this approach can create throughput bottlenecks in larger networks. Such a configuration can also raise costs over time, since more inline devices must be added as traffic grows.
  • Out-of-Band NACs: An alternative to an inline NAC is to use an out-of-band approach. Out-of-band NACs use the existing infrastructure's enforcement capabilities. With this technique, agents are typically distributed as clients that relay data to a central console, which can then control switches to enforce policy. The approach is more complex, but exerts a minimal impact on network performance.
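To make the admission logic described above concrete, here is an added illustration (not code from the article or from any NAC vendor) of how a NAC policy engine might combine the user-authentication and security-compliance checks into a single decision: the decision is keyed on the authenticated identity and the device's posture, never on the IP address, and a non-compliant corporate device is sent to a remediation VLAN rather than the production network. The Endpoint fields, role names, VLAN names and the 30-day patch window are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy parameter: patches older than this are treated as stale.
PATCH_MAX_AGE = timedelta(days=30)

@dataclass
class Endpoint:
    """Posture report for one device, as an agent or scan would deliver it."""
    user: Optional[str]      # authenticated identity, None if authentication failed
    role: str                # "employee" or "guest" (assumed role names)
    antimalware_on: bool     # anti-malware present and running
    last_patch: date         # date of the most recent patch installation
    ip: str                  # present in the report but deliberately never used below

def posture_gaps(ep: Endpoint, today: date) -> List[str]:
    """List the security-compliance requirements the device fails to meet."""
    gaps = []
    if not ep.antimalware_on:
        gaps.append("anti-malware missing")
    if today - ep.last_patch > PATCH_MAX_AGE:
        gaps.append("patches out of date")
    return gaps

def admission_decision(ep: Endpoint, today: date) -> Tuple[str, str, List[str]]:
    """Return (action, vlan, reasons) for the out-of-band enforcement point.

    action is one of "deny", "allow" or "quarantine"; vlan is the segment the
    switch port would be moved to (assumed names: corp, guest, remediation).
    """
    # User authentication: no verified identity, no network access at all.
    if ep.user is None:
        return ("deny", "none", ["user not authenticated"])
    # Secure guest access: guests get an isolated segment, not the corporate LAN.
    if ep.role == "guest":
        return ("allow", "guest", [])
    # Security compliance: an unprotected corporate device is held for remediation.
    gaps = posture_gaps(ep, today)
    if gaps:
        return ("quarantine", "remediation", gaps)
    return ("allow", "corp", [])

if __name__ == "__main__":
    # Constructed sample posture reports; the IP is the same in every case to
    # show that it plays no part in the decision.
    today = date(2009, 4, 30)
    stale = Endpoint("alice", "employee", True, date(2009, 1, 15), "10.0.0.5")
    print(admission_decision(stale, today))  # quarantine / remediation
```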

NAC Vendors

NACs are produced by many different companies, including these market leaders:

  • Cisco Systems Inc.
  • ConSentry Networks
  • InfoExpress
  • Identity Engines Inc.
  • Vernier Networks Inc.

Final Point

NAC technology is evolving rapidly, and each vendor has its own interpretation of the exact roles the technology needs to fulfill. The market's ambiguity makes it difficult for NAC buyers to directly compare various products on a point-by-point basis. On the other hand, the wide range of available features and design philosophies makes it relatively easy for a business to find a NAC solution that closely matches its own needs.
