Demystifying NAC

Despite the security benefits promised by network access control, NAC has yet to be fully embraced

Despite the security benefits promised by network access control, NAC has yet to be fully embraced. Perhaps it's the perceived cost, the complexities that troubled early adopters or the plethora of NAC choices available today.

That's not to say there isn't enormous interest. After all, a NAC security framework promises to help companies comply with regulations and internal policies, and safeguard resources from evolving threats.

But which approach is best?

Hardware-based options typically require an appliance that operates either in-line or out-of-band. Some of these appliances displace the access switch; others operate between the access layer and network switches. With either approach, there are many deployment, management and operational considerations.

For example, hardware-based in-line NAC solutions that sit upstream from switches create a potential single point of failure and can be disruptive if they cannot maintain pace with today's high-speed, 10G network backbones.

Furthermore, in-line NAC solutions may not be ideal for geographically dispersed or highly segmented networks. Not only does there need to be an appliance at every location, but the further up the network the appliance sits, the less visibility into endpoint traffic it has. There's little sense believing you're more secure with NAC when you can't see or stop an intruder's traffic on a large subnet.

The out-of-band alternatives, such as the options that use 802.1X, too often require many network and server configuration changes: additional quarantine networks, port configuration on each switch, and access rules on routers and switches. This not only increases administrative cost, it also increases the risk of error. Clearly, hardware-based NAC is neither cheap nor a panacea.

Next up is the much maligned agent-based approach. No one wants yet another endpoint application to install, update and maintain. It's not only an additional burden for the IT team but also another catalyst for flurries of help desk calls.

Yet, much can be said in defense of agents. For one, a higher level of scrutiny can be achieved on endpoints, which aids security. And the reality is that agents can be the least disruptive solution available, especially when it comes to network traffic, because agents run quietly in the background, only sending periodic updates to the policy server.

But let's face it, organizations are not looking for another application to install, no matter how high the security payback may be.

Then there is agentless NAC. A common approach here is to periodically scan endpoints for vulnerability and/or policy assessment, which can place undue traffic stress on busy networks. The scan results are sent to a policy server, and remedial action, if necessary, is taken on noncompliant systems.
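To make the agentless flow concrete, here is an added example (not code from the article or from any NAC product) of the policy-server side: scan results for a few constructed hosts are checked against a hypothetical policy (minimum patch level, antivirus running, no forbidden ports answering the scanner), and each host is either allowed or quarantined with a list of findings for remediation. A small scheduler also staggers scan start times so that a periodic sweep does not hit the network all at once, which is the traffic-stress problem the paragraph describes. Host names, port numbers and thresholds are all constructed.

```python
"""Added example: the decision step of an agentless NAC policy server.

Periodic scan results are compared against an access policy; any finding
quarantines the host and the findings become the remediation list.
Hosts, ports and thresholds below are constructed, not real."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    """Hypothetical access policy (constructed values)."""
    min_patch_level: int = 42
    require_antivirus: bool = True
    # Ports that must not answer to the scanner (e.g. telnet, SMB exposed).
    forbidden_ports: FrozenSet[int] = frozenset({23, 445})


@dataclass
class ScanResult:
    """What one scan pass reported about a single endpoint (constructed)."""
    host: str
    patch_level: int
    antivirus_running: bool
    open_ports: Tuple[int, ...]


@dataclass
class Decision:
    host: str
    action: str          # "allow" or "quarantine"
    findings: List[str]  # empty when the host is compliant


def evaluate(result: ScanResult, policy: Policy) -> Decision:
    """Compare one scan result against the policy; any finding quarantines."""
    findings: List[str] = []
    if result.patch_level < policy.min_patch_level:
        findings.append(
            f"patch level {result.patch_level} below {policy.min_patch_level}")
    if policy.require_antivirus and not result.antivirus_running:
        findings.append("antivirus not running")
    for port in sorted(set(result.open_ports) & policy.forbidden_ports):
        findings.append(f"forbidden port {port} open")
    action = "quarantine" if findings else "allow"
    return Decision(result.host, action, findings)


def schedule_scans(hosts: List[str], interval_s: int,
                   max_concurrent: int) -> List[Tuple[int, str]]:
    """Spread scan start times across the interval so that at most
    max_concurrent scans begin at the same moment, avoiding a single burst
    of scan traffic on the network. Returns (offset_seconds, host) pairs."""
    batches = -(-len(hosts) // max_concurrent)  # ceiling division
    step = interval_s // max(batches, 1)
    return [(step * (i // max_concurrent), h) for i, h in enumerate(hosts)]


# Constructed results from one scan pass over three hypothetical workstations.
SAMPLE_SCAN = [
    ScanResult("ws-01", 45, True, (22,)),          # compliant
    ScanResult("ws-02", 40, True, (22, 445)),      # old patches, SMB exposed
    ScanResult("ws-03", 45, False, ()),            # antivirus stopped
]


def run_cycle(results: List[ScanResult], policy: Policy = Policy()) -> List[Decision]:
    """Evaluate every scan result of one cycle and return the decisions."""
    return [evaluate(r, policy) for r in results]


if __name__ == "__main__":
    for offset, host in schedule_scans([r.host for r in SAMPLE_SCAN], 3600, 2):
        print(f"t+{offset:>5}s scan {host}")
    for d in run_cycle(SAMPLE_SCAN):
        print(f"{d.host}: {d.action} {d.findings}")
```

The point of keeping `evaluate` pure (scan result in, decision out) is that the same function can be replayed over stored scan results when a policy changes, which is how a policy server answers "who would this new rule have quarantined last week?" without rescanning the network.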

Stacey Lum

Network World