Implementing Network Access Control

(08/04/2009)

When done right, Network Access Control (NAC) offers a myriad of benefits. These include on-the-fly authentication of appropriate users and ensuring that all end-point devices get access only after they’re proven to be compliant to internal security policies.

However, many NAC solutions are designed in such a way that they require significant, and often convoluted, changes to existing network infrastructure. Whether it’s network appliances that need to be installed at each location, or client-side agents that must reside on each end-point, many NAC solutions require not only significant up-front investment and system and network changes — but also continuous feeding and caring. All of this overhead reduces the cost benefits that should be realized from a NAC solution.

As you are considering a NAC solution, you should select one that limits the number of hardware, configuration, and network changes. By minimizing the alterations to your organization, you’ll save on your deployment costs, and quickly benefit from the ongoing cost savings associated with reducing end-point maintenance, having auditing and compliance reporting, and generating fewer costly help desk calls.

NAC solutions that require changes typically have some hidden costs during implementation. First, in-line hardware solutions usually need to be installed at every location. This is obviously expensive for organizations with many distributed sites.

Out of band NAC solutions can be centralized, but require even more configuration changes. Administrators have to coordinate all NAC management processes, provide updates to the equipment, reconfigure networks, add new servers, install appliances, configure new virtual LANs (VLANs), and reconfigure routers and switches — just to get the NAC deployment moving.

It’s obvious why agent-based NAC is so expensive: Not only must software agents be installed on every endpoint, but network changes for NAC must be maintained. And, just as is the case for in band solutions this is yet another unwanted cost and burden on the IT team. Each time something goes awry with the agent, a flurry of help desk calls ensues. In addition, having to install and manage another application on each endpoint, especially unmanaged and mobile endpoints doesn’t provide any savings if ongoing network changes and reconfigurations are required.

Dynamic NAC leverages existing network infrastructure to attain the benefits of NAC without most of the overhead. There aren’t any network changes required. This, alone, provides considerable implementation savings.

Dynamic NAC leverages existing PCs as policy enforcers, so dedicated appliances and PCs are not required, as is the case with hardware and software-based NAC solutions. And while appliances may be required for remote access VPNs, they’re certainly not required at each location or network segment. Not having to install appliances at each site provides significant savings for any enterprise with multiple locations.

While there are agents, they don’t need to be installed on all endpoints, such as embedded devices or operating systems that aren’t supported. This approach doesn’t require client software to be installed on every system. Agents are installed on trusted systems. And, much like a police force, only a small ratio of law enforcement to the general population is needed to make certain that everyone is in compliance. And, whenever necessary, additional systems can be “deputized” so that the system scales with network growth.

InfoExpress is exhibiting at Infosecurity Europe 2009, on 28th – 30th April in its new venue Earl’s Court, London.

Related topics:  Authentication and identity management   Knowledgebase   Network Security   Security management and policies 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources