Home » Data Protection » Network Security

NAC: Now? Or Never?

New tech gadgets and a highly mobile workforce have raised the security stakes for corporate networks. Network Access Control to the rescue? Perhaps, but experts debate the value and users face a confusing morass of options.

June 09, 2008 — The traveling business reps for a Midwest insurance company are supposed to generate revenue for the firm—but IT staff recently discovered that many of them were bringing home value and viruses to the company.

"They saw through their antivirus [management software] that they were having problems, but they didn't know where [the viruses] were coming from," explains Rich Langston, senior manager of product management at Symantec, speaking about a customer's experience. The firm tracked the viruses and found that out-of-date antivirus software on the travelers' laptops caused the security hole. The IT staff didn't catch the problem because these road warriors rarely spent time at the home office updating or patching their security software.

It's a valuable lesson for companies on the go.

Today's highly mobile workforce, along with a plethora of new tech gadgets and access to the Internet from anywhere, has raised the security stakes for corporate networks. Laptops, PDAs and cell phones were just the beginning. The number of network threats has increased exponentially, with VoIP phone capabilities, Web access from hotels, dorm rooms, airports and coffee shops, and even internal sabotage.

Network Access Control (NAC), a set of technologies that aim to ensure that only authorized users with fully patched and virus-protected hardware can access corporate resources, is more important than ever—not just for outside guests gaining accesses to internal networks, but for employees who have no business in the company's more data-sensitive systems.

A full NAC cycle solution includes pre-admission inspection and post-admission monitoring, a policy decision and enforcement point, and a method of quarantine and remediation for noncompliant machines. When a user requests access, the machine is checked and, if found to be compliant, it is allowed to access the network. Post-admission monitoring will ensure that the user stays compliant by entering the assessment/decision/enforcement process again periodically. If the user is found to be noncompliant, NAC solutions should offer a means of quarantine and remediation to bring the user into compliance. The user should then be allowed to access the network, once again under post-admission monitoring.

NAC Roadblocks

Adoption of NAC solutions has been slow. Though the problem is clear, some experts argue that NAC is not the solution. (For a recent go-round of detailed online NAC debate, see Richard Stiennon's NetworkWorld post Don't Even Bother Investing in NAC.) Only 27 percent of European and North American companies with 1,000 employees or more have already adopted NAC as of November 2007, and 15 percent will pilot or adopt in the next 12 months, according to Forrester Research in Cambridge, Mass.