Deploying NAC: Challenges and alternatives

What are some of the challenges in deploying NAC? What are the alternatives for LAN security?

You're not alone in asking these questions - we see customers all the time who know they need to control guests and contractors on their LAN but don't know where to start. Most find they can keep the initial NAC roll-out simple, deliver on their primary goals, and then follow a simple plan for expanding the scope of their deployment's functionality. Mercy Medical Center, for example, is following exactly this course - starting with providing guests Internet-only access and letting employees go anywhere on the LAN.

In your NAC deployment, you're likely to encounter three main challenges - the impact it has on your network, the difficulty of establishing policies, and the scope of your initial deployment. The good news is that you can do a great deal to reduce each of these and still get substantial value from the deployment.

To understand NAC's impact on your network, you need to look at the degree to which it mandates changes, if any, to your endpoints, switches, VLANs or ACLs, and identity stores. The more you can reduce this impact, while still gaining significant control over what users can do on the LAN, the greater the return on investment from a "time to deploy" perspective.

For example, some NAC devices require cooperation from switches to enforce policy, so typically the switches need at least a software update. These solutions often provide only rudimentary post-admission control, relying on dropping users into a VLAN to limit their reach on the LAN. A VLAN by itself only bounds the broadcast domain a user lands in; the actual blocking between roles happens in the ACLs on the routed interfaces between those VLANs. So you'll need to change your VLANs to support role-based segmentation and update your ACLs to enforce the appropriate blocking between user groups, and keep the two in step as roles are added.

The second major challenge concerns establishing the appropriate policies, which is not ultimately IT's responsibility. Instead, IT needs to work with the lines of business to translate their desired policies, such as "IBM contractors should get access only to IBM blade servers," into constructs that the NAC equipment can use and enforce: a role, the set of resources that role may reach, and a default for everything else.

To ease this challenge, IT should look for NAC architectures that make it easy to deploy and test the policies, for example by putting devices in "monitor only" mode, where nothing is blocked but every would-be violation is logged, and watching how many violations occur per role. If the number of violations is very large, it's more likely that the policy is wrong than that lots of people are behaving wrongly; the log of what those users were actually reaching for tells you what the policy missed.

The third major challenge is scope - both scope of the overall deployment and scope of granularity in policies. A pervasive deployment, with extensive user controls in place, can quickly seem daunting.

To mitigate this difficulty, start with your most severe pain point and grow the deployment over time. Perhaps you start with network locations hosting guests and contractors first, and you create simple policies encompassing those user groups. Guests can go to the Internet only, the team customizing the SAP deployment can access only the SAP servers, and your employees can go everywhere. The key, of course, is to select a solution that can grow with you over time, as the location and granularity of your deployment grows.
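The policy-translation step above, the "monitor only" check, and the three starter roles (guests Internet-only, the SAP team SAP-only, employees anywhere) can be shown together in code. The following is an added illustration, not ConSentry's code or any NAC product's configuration format: the address plan, the SAP server subnet, the user names and the flow records are all constructed for the example, and the 50% review threshold is an arbitrary choice.

```python
"""Role-based LAN policy evaluated in "monitor only" mode before enforcement.

Added illustration, not a vendor's code.  Every role, subnet, user and flow
record below is constructed for the example.
"""
import ipaddress
from collections import Counter

# Constructed address plan. "Internet" is anything outside these ranges.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SAP_SERVERS = [ipaddress.ip_network("10.20.5.0/24")]   # hypothetical SAP subnet


def _in_any(addr, nets):
    return any(addr in net for net in nets)


# The line-of-business policy translated into one predicate per role:
# given a destination address, may this role reach it?  A role missing
# from the table is denied everything (default deny).
POLICY = {
    "guest":          lambda dst: not _in_any(dst, INTERNAL),  # Internet only
    "sap-contractor": lambda dst: _in_any(dst, SAP_SERVERS),   # SAP servers only
    "employee":       lambda dst: True,                        # anywhere
}


def decide(role, dst_ip, policy=POLICY):
    """Enforcement-mode decision for one flow: 'permit' or 'deny'."""
    allowed = policy.get(role)
    if allowed is None:
        return "deny"
    return "permit" if allowed(ipaddress.ip_address(dst_ip)) else "deny"


def monitor(flows, policy=POLICY):
    """Monitor-only pass: nothing is blocked, every would-be denial is counted.

    flows is an iterable of (user, role, dst_ip) tuples.  Returns, per role,
    the number of flows seen, the number enforcement would have denied, and
    a Counter of the denied destinations so the operator can see what the
    role is actually reaching for.
    """
    stats = {}
    for _user, role, dst_ip in flows:
        s = stats.setdefault(role, {"flows": 0, "violations": 0,
                                    "denied": Counter()})
        s["flows"] += 1
        if decide(role, dst_ip, policy) == "deny":
            s["violations"] += 1
            s["denied"][dst_ip] += 1
    return stats


def roles_needing_review(stats, threshold=0.5):
    """Roles whose violation ratio exceeds threshold.

    When most of a role's traffic would be denied, the policy written for
    that role is more likely wrong than all of its users are.
    """
    return sorted(role for role, s in stats.items()
                  if s["flows"] and s["violations"] / s["flows"] > threshold)


# Constructed flow records, as a NAC device in monitor mode might log them.
SAMPLE_FLOWS = [
    ("visitor1", "guest",          "198.51.100.7"),
    ("visitor1", "guest",          "203.0.113.10"),
    ("visitor2", "guest",          "198.51.100.7"),
    ("visitor2", "guest",          "10.1.1.5"),      # an internal printer
    ("ctr-anna", "sap-contractor", "10.20.5.10"),
    ("ctr-anna", "sap-contractor", "10.20.6.20"),    # SAP database, other subnet
    ("ctr-anna", "sap-contractor", "10.20.6.20"),
    ("ctr-bob",  "sap-contractor", "10.20.5.11"),
    ("ctr-bob",  "sap-contractor", "10.20.6.20"),
    ("ctr-bob",  "sap-contractor", "10.20.6.21"),
    ("alice",    "employee",       "10.1.1.5"),
    ("alice",    "employee",       "198.51.100.7"),
]

if __name__ == "__main__":
    stats = monitor(SAMPLE_FLOWS)
    for role, s in stats.items():
        print(f"{role:15} flows={s['flows']:2} would_deny={s['violations']:2} "
              f"top={s['denied'].most_common(2)}")
    print("review policy for:", roles_needing_review(stats))
```

Run stand-alone, the monitor pass shows the guest rule behaving as intended (one visitor poked at a printer) while two thirds of the SAP contractors' traffic would be denied, nearly all of it to one host on a neighbouring subnet. That pattern is the signal from the previous section: the contractors are not misbehaving, the "SAP servers" rule simply omitted the database subnet, and the fix is to widen the rule before switching to enforcement.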

Whether you'll need alternatives to NAC depends on the problem you're trying to solve. To broaden security capabilities, look for a solution that defines NAC as more than just admission control. You need to ask yourself, "Do I care about controlling users once they authenticate to my network?" If your answer is yes, you'll also want post-admission capabilities - such as controlling what applications a user can run or which servers a user can reach. With a more full-fledged view of security, you'll have lots of choices for the granularity of your NAC implementation.

Also keep in mind that NAC is highly complementary with other initiatives. Enterprises adopting Identity and Access Management (IAM) are concerned about role-based access control. The closer you can link such a project to a NAC architecture, the stronger both deployments will be, since the NAC solution can provide the network-level controls defined in the IAM project.

NAC, when extended to include full identity-based control over all users on the LAN, can help you protect your critical resources, and you can take many steps to limit its challenges and extract the greatest value.

Barsi is president and CEO, ConSentry Networks.

Tom Barsi

Network World