Burning NAC questions
- — 18 October, 2007 10:25
Part 2 of 2. In the second part of our look at important network-access control issues, we take a look at important questions surrounding Cisco, NAC implementation and NAC policies. Review part 1, 'Who Needs NAC Anyway?' here.
Shouldn't I just wait for Cisco?
There's really no need to wait because depending on what you want out of NAC, Cisco may already have it.
And if Cisco doesn't yet offer what you want, there is still no need to wait because you can get alternatives from other vendors.
Cisco has a NAC appliance that can check devices before they get network access for virus software that it is updated and turned on and whether patch levels meet policy.
That said, the device is criticized by some for what it cannot do. "Cisco remains behind many of the other vendors in this space because of the inability to perform assessment checks beyond initial connection," says Mandy Andress in her recent review of the appliance for Network World.
For example, the device does not perform periodic rechecks of devices once they have been admitted to the network to make sure they maintain their security posture.
The Cisco NAC Appliance does afford multiple enforcement methods, including placing the device inline with traffic where it can restrict traffic directly, having it work in tandem with 802.1X authentication or running it out of band where it controls an access switch. It can also enforce NAC for devices attaching via SSL or IPSec VPN through Cisco gear.
There are other appliances from other vendors that do more, and if Cisco's appliance comes up short, these others can fill the bill.
Cisco also has a scheme that builds NAC into its network architecture, a design that scales better for large rollouts. One of the problems all NAC customers face is that NAC appliances in general don't scale large enough to accommodate a major corporate-wide deployment without relying on many appliances, says Rob Whiteley, an analyst with Forrester Research. Cisco's network-based NAC requires certain switch specifications that may mean upgrades for some customers. As a result, some are holding off until they need to upgrade.
One problem customers see with Cisco NAC is that it has two separate designs that don't have interchangeable parts. Currently Cisco NAC Appliance and its network-based NAC Framework have separate clients to evaluate the security posture of network endpoints.
Also, the NAC Framework relies on Cisco's Access Control Server (ACS) to determine which access policy to apply while the NAC Appliance relies on its own management server to determine if endpoints are in compliance.
Cisco has a migration strategy called OneNAC to simplify the transition between appliance and network-based NAC with interchangeable clients and a single server. But that plan still has some details to be ironed out.
Regardless of its comparative merits, Cisco's NAC has a solid base of loyal customers, according to Current Analysis' latest annual NAC study. The report says that 67 percent of current Cisco NAC Appliance customers and 68 percent of Cisco NAC Framework customers would consider buying more Cisco NAC gear.
The flip side is that the numbers imply that about a third of these customers would not consider more Cisco NAC products, but the survey doesn't state their reasons.