How NAC Can Protect Your Network from Unwanted Endpoint Devices

Updated: November 26, 2007

The sheer variety and number of devices that are capable of tapping into wired and wireless corporate networks has left technology administrators looking for ways to cope.

The IT department may have a grip on internally issued IT gear, but unmanaged equipment abounds. Employees on the road or at home may use anything from laptops to iPhones to access the company's network, applications and data. Guests and on-site contractors can also introduce potentially troublesome devices.

How can a business secure its network with all of these devices potentially infiltrating it? One strategy that might work for your company is NAC (Network Access Control).

Over the past few years, NAC has emerged as one response to the security threat stemming from untamed network devices. NAC products assess the health of such endpoint devices as they attempt to enter a network. The technology evaluates whether a device is configured in accordance with an organization's security policy — updated anti-virus software, for example — and also checks for malware infection.
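To make the posture check described above concrete, here is an added example (not from the article or any vendor's product) of the admission decision a NAC enforcement point makes: it compares a constructed endpoint report against a constructed policy and returns allow, quarantine (remediation network) or deny, with the reasons. The policy fields, report fields and sample reports are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy for this example (field names are assumptions, not a
# vendor schema): what a "healthy" endpoint must satisfy to be admitted.
POLICY = {"max_av_signature_age_days": 7, "min_os_patch_level": 3,
          "firewall_required": True}
TODAY = date(2007, 11, 26)  # constructed reference date for the samples

@dataclass
class PostureReport:
    """Constructed shape of what an endpoint agent reports at connect time."""
    hostname: str
    av_installed: bool
    av_signature_date: Optional[date]
    os_patch_level: int
    firewall_enabled: bool
    malware_detected: bool

def assess(report: PostureReport, today: date, policy: dict = POLICY) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine" | "deny", reasons) for one endpoint.

    Malware is a hard failure (deny). Policy drift such as stale signatures
    or a missing patch is recoverable, so the device goes to a remediation
    network (quarantine) with the reasons it must fix before re-admission.
    """
    if report.malware_detected:
        return "deny", ["malware detected by endpoint scan"]
    reasons = []
    max_age = policy["max_av_signature_age_days"]
    if not report.av_installed or report.av_signature_date is None:
        reasons.append("anti-virus missing or signature date unknown")
    elif (today - report.av_signature_date).days > max_age:
        reasons.append(f"anti-virus signatures older than {max_age} days")
    if report.os_patch_level < policy["min_os_patch_level"]:
        reasons.append(f"OS patch level {report.os_patch_level} below "
                       f"required {policy['min_os_patch_level']}")
    if policy["firewall_required"] and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    return ("quarantine" if reasons else "allow"), reasons

# Constructed sample reports: a compliant laptop, one with stale signatures
# and no host firewall, and one where the scan found malware.
SAMPLE_REPORTS = {
    "compliant": PostureReport("lap-01", True, date(2007, 11, 24), 3, True, False),
    "stale_av": PostureReport("lap-02", True, date(2007, 11, 1), 3, False, False),
    "infected": PostureReport("lap-03", True, date(2007, 11, 25), 4, True, True),
}
```

Separating quarantine from deny matters operationally: a stale signature file is fixed by pointing the device at a remediation network, whereas an infected host should not reach anything until it is cleaned.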

IT managers are interested in NAC for fairly predictable reasons. Seventy-one percent of the respondents to a recent survey conducted by market researcher TheInfoPro rated protection against rogue devices as a very important or extremely important justification for pursuing NAC. In addition, 71 percent of the Fortune 1000 respondents cited the need to manage guest access as a very important or extremely important NAC factor.

Less clear is how best to go about a NAC deployment. That uncertainty has contributed to a retrenchment in usage, according to TheInfoPro. The company's survey, published in October 2007, found that 26 percent of polled organizations currently use NAC. In comparison, a survey conducted more recently showed that 35 percent of the respondents had NAC in use. TheInfoPro also reported an increasing number of organizations delaying implementation.

"Market confusion over the capabilities and differences between provider offerings has driven an increasing number of organizations to push implementation into their long-term plans," TheInfoPro's report stated.

The relative newness of the market may also be inhibiting widespread adoption.

"It's still an emerging technology," noted Brian Krause, security specialist at solutions provider CDW. That said, Krause believes that NAC provides "a great way to lock down the network" and that 2008 will see plenty of implementations.

Those customer implementations, however, are likely to be mixed, rather than adhering to a single NAC framework or standard.

"There will be a combination of approaches," noted Scott Crawford, research director for security and risk management at Enterprise Management Associates.

Brian Grayek, vice president of threat research for CA, said organizations may decide to implement both the network-based Cisco Systems approach and the operating system-oriented Microsoft approach. "Both have their uses," he said.

As for standards, the IEEE's 802.1x NAC specification is widely supported (the three NAC frameworks are among the backers), but market watchers doubt that the technology will serve as the sole underpinning for every deployment — at least in the near term.

One reason is the network-upgrade task associated with 802.1x implementations. Switches must be 802.1x-capable to make this approach work. Krause noted that 802.1x calls for an infrastructure upgrade or a newly deployed network. In contrast, installing several NAC enforcement points through a network "is a lot easier, and it doesn't matter quite as much if the switches are not new," stated Krause.

As a consequence, Krause said that he sees organizations opting for hybrid deployments. For example, a company might pursue an 802.1x deployment for wireless access points but also use gateway-like NAC installations to protect individual departments.

Dominic Wilde, vice president of marketing at NAC vendor Nevis Networks, said that he believes that large enterprises that prefer infrastructure-based approaches will tackle 802.1x deployments. But for the vast majority of organizations, 802.1x is "just not practical," he added.

In addition to making infrastructure demands, 802.1x contains gray areas, Wilde noted. When a standard is open to interpretation, different vendors will do "slightly different things" that raise the issue of multivendor interoperability. Nevis Networks supports 802.1x, but also backs alternative authentication methods such as MAC (Media Access Control) authentication, transparent or single-sign-on authentication, and captive-portal authentication. This month, Nevis Networks introduced its latest LAN security product, LANenforcer 4.0.

Kevin Haley, group product manager at Symantec Corp.'s Security Response, noted that most customers are looking at a "rollout" approach to NAC. An organization may first elect to start with VPNs (virtual private networks), deploying NAC behind the remote access and checking machines coming into the network, he said. Next, they may opt to focus on wireless connections and continue on to cover desktops on the network, he added. Symantec offers its Symantec Network Access Control software-based NAC product.

As NAC approaches continue to shake out, Cisco Systems maintains a market advantage, according to TheInfoPro. The company's recent survey placed Cisco Systems at the top of the list of NAC suppliers that Fortune 1000 companies use or plan to use. Cisco Systems was followed by Symantec, Microsoft and Juniper Networks Inc.

Crawford said that such NAC technologies operate within the broader context of endpoint management. He cited application virtualization (Citrix Systems, F5 Networks, Microsoft's RDP, Sun Microsystems Inc. and VMware Inc., for example), application streaming (Citrix Systems, Microsoft/Softricity, Symantec/Altiris) and endpoint encryption as falling under that category.

"We are beginning to see that folded into a comprehensive endpoint policy management," Crawford said.


Next Steps


If you think NAC might be the solution your company needs, you need to assess the solutions available to you. NAC offerings include frameworks that make the technology a function of the IT infrastructure. Cisco Systems' Network Admission Control framework, Microsoft's Network Access Protection and the Trusted Computing Group's Trusted Network Connect fall into that category. In addition, a number of vendors offer NAC appliances or software products. Cisco Systems operates in this group as well with its NAC appliance.
