For end users, Network Access Control (NAC) should be transparent, as if it were not there. Depending on a company's internal security policies, systems are checked quietly in the background for their level of compliance: NAC verifies that patches are current and that antivirus and personal firewall software are installed, running and up to date. Only when something is wrong should users be made aware that their systems are not in compliance. In that case, users are typically redirected to an intranet remediation portal where the system is brought up to the required security level before it is granted normal network access.
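To make the compliance check concrete, here is an added example (not code from the original article or from any NAC vendor) of the policy evaluation a NAC server performs on a self-reported endpoint posture: patch level, antivirus state and signature age, and personal firewall. The posture fields, policy values, host names and portal URL are all assumptions constructed for the example. One caveat a practitioner should keep in mind: the report is self-reported by the agent, so a real deployment also has to verify the agent's own integrity before trusting what it says.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


# Constructed posture report, as a NAC agent might collect it from a host.
# The field names are assumptions made for this example, not any vendor's schema.
@dataclass
class Posture:
    hostname: str
    patch_level: Tuple[int, ...]       # e.g. (major, minor, build), compared lexicographically
    av_running: bool
    av_signature_date: Optional[date]  # None when no antivirus is installed
    firewall_enabled: bool


@dataclass
class Policy:
    min_patch_level: Tuple[int, ...]
    max_signature_age: timedelta
    remediation_portal: str            # where non-compliant users are redirected


@dataclass
class Verdict:
    compliant: bool
    failures: List[str] = field(default_factory=list)
    action: str = "permit"             # "permit" or "quarantine"
    redirect: Optional[str] = None


def evaluate(posture: Posture, policy: Policy, today: date) -> Verdict:
    """Compare one host's self-reported posture against policy.

    Every check is evaluated (not just the first failure) so the remediation
    portal can list everything the user must fix in one visit.
    """
    failures = []

    if posture.patch_level < policy.min_patch_level:
        failures.append(
            f"patch level {posture.patch_level} below required {policy.min_patch_level}"
        )

    if posture.av_signature_date is None:
        failures.append("no antivirus installed")
    elif not posture.av_running:
        failures.append("antivirus installed but not running")
    else:
        age = today - posture.av_signature_date
        if age < timedelta(0):
            # A signature date in the future means clock skew or a tampered
            # report; neither is evidence of protection, so treat it as a failure.
            failures.append("antivirus signature date is in the future")
        elif age > policy.max_signature_age:
            failures.append(f"antivirus signatures {age.days} days old")

    if not posture.firewall_enabled:
        failures.append("personal firewall disabled")

    if failures:
        return Verdict(False, failures, "quarantine", policy.remediation_portal)
    return Verdict(True)


# Constructed policy and sample hosts for a stand-alone run (all hypothetical).
TODAY = date(2024, 6, 3)
POLICY = Policy(
    min_patch_level=(10, 0, 19045),
    max_signature_age=timedelta(days=3),
    remediation_portal="https://nac.example.internal/remediate",  # hypothetical URL
)
SAMPLE_HOSTS = [
    Posture("ws-01", (10, 0, 19045), True, date(2024, 6, 2), True),    # compliant
    Posture("ws-02", (10, 0, 19041), True, date(2024, 6, 2), True),    # behind on patches
    Posture("ws-03", (10, 0, 19045), False, date(2024, 6, 2), True),   # AV stopped
    Posture("ws-04", (10, 0, 19045), True, date(2024, 5, 20), False),  # stale AV, no firewall
    Posture("ws-05", (10, 0, 19045), True, date(2024, 6, 9), True),    # clock skew / tampering
]


def evaluate_all(hosts=SAMPLE_HOSTS, policy=POLICY, today=TODAY):
    """Return {hostname: Verdict} for a batch of posture reports."""
    return {h.hostname: evaluate(h, policy, today) for h in hosts}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        status = "permit" if verdict.compliant else f"quarantine -> {verdict.redirect}"
        print(f"{name}: {status}")
        for reason in verdict.failures:
            print(f"    - {reason}")
```

Running the block quarantines every host except ws-01 and attaches the portal URL to each quarantine verdict. The evaluator deliberately collects all failures rather than stopping at the first, which is what keeps the remediation visit to a single round trip, and it refuses a signature date later than the server's clock rather than treating it as "very fresh".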
For companies of all sizes, a NAC-enabled network not only runs more securely but also runs more productively, stays within regulatory compliance, and generates fewer help desk calls. While the benefits of NAC are straightforward, the ways that different NAC solutions get the job done, whether hardware-based (inline or out-of-band), agent-based or agentless, are a little more complex.
Hardware and Software
Hardware-based NAC typically requires an appliance that operates either inline with network traffic or out-of-band. Some of these appliances displace your access switches, while others sit between the access layer and your distribution switches. Either way, there are a number of deployment, management and operational changes to consider. In addition, this approach can be expensive, especially for geographically dispersed or highly segmented networks: not only does an appliance have to be installed at every location, but the further up the network it sits, the less visibility it has into traffic between endpoints on the same access segment.
Both agent-based and agentless NAC have been much maligned. No one wants yet another endpoint application to install, update and maintain; it is not only an additional burden for the IT team but also another catalyst for flurries of help desk calls. Agentless approaches, which typically rely on remote scanning or network fingerprinting of the endpoint, unfortunately do not provide a consistent way to thoroughly evaluate its status.
Lastly, there is dynamic NAC. With dynamic NAC there are agents, but they are installed on only a certain percentage of systems. Also known as "peer-to-peer NAC," this approach does not require network changes or software on every system. The agents, some of which become "enforcers," are installed on trusted systems; much as a police force needs only a small ratio of officers to the general population, a small set of enforcers is enough to make certain everyone is in compliance. Because those enforcers police their peers, the hosts they run on must be among the best-protected systems on the network. In this way, it is possible to attain the high levels of security associated with agents and all of the benefits of NAC, without the hassles of hardware-based NAC or of deploying software on every networked device.
As you can see, there are several approaches to Network Access Control. Now we'll cover some additional circumstances, or use cases, in which software-based NAC solutions provide enhanced value:
Securing Geographically Dispersed Networks
Whether you're a geographically dispersed retailer, manufacturer or financial services firm, managing a NAC appliance at each location can get expensive quickly. Consider that a hardware-based NAC appliance can cost about US$20,000, and one is needed at every location. That appliance may also require you to pay the travel expenses and time of an expert for the initial deployment and configuration. Then there is the burden of continuous maintenance and updates. In some instances, depending on your architecture, remote management may not be feasible without significant and risky changes to your network configuration.
Because it is software-based and enlists a certain percentage of systems as security enforcers, dynamic NAC lets you leverage the power of your distributed network to protect itself.
Network Security for Small and Mid-sized Business
Few small and even mid-sized businesses have the dedicated IT staff and expertise needed to configure complicated out-of-band approaches such as 802.1X, or to properly troubleshoot the network problems that arise when such configurations go wrong.
Also, the IT staff in these businesses tends to be overworked, and firms are better served having them focus on business-growing IT initiatives. That’s exactly what software-based NAC does: It increases security while also reducing the management burden on security and networking teams.
Patching software vulnerabilities is central to managing IT risk. However, it can be difficult to ensure that all systems have been patched properly, even when using automated patch management applications. Software-based NAC can help because endpoints validate the patch compliance of other networked systems, so the NAC solution can reach and remediate those last few systems that are always difficult to reach. This is why many companies use agent-based NAC to supplement existing patch management solutions, and in some cases even to replace and automate those operations completely.
If you’re a retailer, financial services firm, or supplier to a large publicly traded company, it’s impossible to avoid regulatory compliance. Either auditors are asking you to verify security configurations or your customers and business partners are doing so as part of their due diligence processes. Agent-based NAC can play a vital role in regulatory compliance and due diligence efforts by checking software and configuration compliance at the endpoint for all employees and guests.
NAC should be an integral part of a company’s network security implementation. There are considerable differences in the ways that NAC systems work. It’s important that you evaluate your options to find the most effective NAC solution for your network that also is the most cost efficient to operate.
Stacey Lum is CEO, CTO and co-founder of InfoExpress, a vendor of network access control solutions for enterprise networks.