NAC: Now? Or Never?
New tech gadgets and a highly mobile workforce have raised the security stakes for corporate networks. Network Access Control to the rescue? Perhaps, but experts debate the value and users face a confusing morass of options.
By Stacy Collett
What Type of Product Fits Your Company?
Objections and obstacles noted, users also face the choice among various approaches to NAC. These choices can generally be grouped into architecture-based options, software-only solutions, and appliances. Research analyst Chris Rodriguez at Frost & Sullivan offers advice for evaluating these NAC choices according to the buyer's company size and type of business.
Organizations that require the highest levels of security should investigate architecture options, Rodriguez says. "It provides comprehensive end-to-end security," he says. It also allows flexibility in deployment. It can be rolled out in pieces according to budget, time, testing requirements and geographic constraints. The solution also scales easily. "They scale in direct relationship to the size of the network" because it's part of the network infrastructure, he adds.
Market share-leading vendors in the infrastructure space include Juniper Networks, HP and Cisco.
Appliances have a good pricing advantage over infrastructure solutions, especially for smaller organizations. A single-point device is easy to implement and maintain, Rodriguez says. But there are limits to how many users the device can support. The number varies from 2,000 to 4,000 users per box. "That makes scalability something that you should consider," he says. Also, in-line devices represent a single point of failure. "So definitely use redundant boxes, but that increases the cost." An out-of-band device eliminates that problem.
Players in the NAC appliance market include Mirage Networks, ForeScout, TippingPoint, and Nevis.
Endpoint agents or software are appropriate for all company types. Leading vendors include Symantec, McAfee, and London-based Sophos.
"You really need two products," Whiteley says. Deploy a software agent on all company machines, and deploy an appliance to handle pre- and post-admission activities to patrol all guest machines, he adds. Most importantly, the two products need to communicate with each other—which isn't hard to do.
Major vendors have pledged to work with standards groups like Microsoft's Network Access Protection and the Trusted Network Connect specification, set up by the Trusted Network Connect organization, for interoperability. (In May 2007, Microsoft and TNC agreed to make their frameworks interoperable.)
Deploying NAC security points on both ends of the network spectrum will improve the chances of having a safe network.
"If you're investing in patch configuration management or other security tools, they're only as good as they are widely deployed and correctly configured," Langston adds. "Users have suspicions about whether that's why their laptops are slow, and they may disable these products from time to time. With NAC you can ensure that these things don't happen and that you're covered."



