February 2009

Network Access Control

Guard the gates to your network

Executive Summary:

Pre-admission or post-admission, agent-based or agentless, inline or out-of-band—choosing a network access control (NAC) solution involves many considerations. In this buyer's guide, learn what type of NAC solution can help you efficiently secure and manage remote users' access to your network.


In a world buzzing with rogue computing devices trying to gain access to enterprise networks—roaming willy-nilly from environment to environment—network security is paramount. As mobile devices proliferate and as increasing numbers of offsite and home-office users threaten to introduce vulnerabilities into your network, you need some form of network access control (NAC) in force. But before you jump into the market, you need to consider what type of NAC solution is best for your unique environment. Several vital considerations will factor into your decision.

NAC Differentiators

An essential design differentiator among NAC solutions is whether security policies are enforced before or after the endpoint gains network access—that is, pre-admission or post-admission. As you can see in the accompanying table (Excel spreadsheet), all the featured solutions essentially offer both. A good NAC product offers a strong pre-admission check to ensure that the device is safe, and then follows up with periodic—even constant—post-admission monitoring to make sure the endpoint is consistently up-to-date according to your security policies.

Another key differentiator is whether the solution is agent-based or agentless. The clear benefit of an agent-based setup—in which you install purpose-driven software on each endpoint—is that it lets you perform a deep, robust assessment of the device. Agentless solutions, which use remote scanning and are admittedly easier to deploy, can't match the depth of assessment that an agent-based solution provides. Many vendors provide elements of both in the interest of thoroughness.

Is the product an inline or out-of-band solution? You've spent a lot of time designing your network. Do you want a solution that intrudes upon your infrastructure, or would you prefer a more neutral solution that offers network independence? An inline, appliance-based product is likely to be comparatively intrusive, whereas an out-of-band solution—with agents reporting to a central console—won't require you to redesign your network for the sake of NAC protection.

How the product assesses vulnerabilities is also important. A strong NAC solution will submit endpoints to a thorough test against a range of predefined security policies, Microsoft patches, and compliance checks, and it will also let you customize your own list of essential policies unique to your needs. Further, it will demand that all endpoints conform to your policies, regardless of where they are or how often they're connected to your resources.

What about remediation methodology? The market is seeing a strong trend toward increased auto-remediation, in which the product takes care of as much remediation behind the scenes as possible. Ideally, the user is unaware that the NAC solution is working hard, patching the system and enabling disabled firewalls without any user interaction. If a certain compliance problem requires user intervention, the goal is self-remediation—by way of a pop-up window or a link to a simple step-by-step process—without the need to call the Help desk.
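To make the assessment and remediation flow described above concrete, here is an added example (written for this page, not code from the article or from any NAC product) that models a pre-admission health check against a list of predefined and custom policies, separates silently fixable failures from ones that need self-remediation, and re-evaluates the endpoint afterwards as a post-admission check would. All policy names, thresholds, health-report fields and the sample report are constructed for illustration.

```python
"""Added example: a minimal model of a NAC health-policy decision.
Policies, thresholds and the sample health report are constructed; they are
not taken from any product or from the article."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Policy:
    name: str
    check: Callable[[dict], bool]   # returns True when the endpoint is compliant
    auto_remediate: bool            # True: the product can fix it without the user
    self_help: str = ""             # shown to the user when intervention is needed


# Predefined checks a NAC console might ship, plus one site-specific custom rule.
POLICIES: List[Policy] = [
    Policy("firewall enabled", lambda h: h["firewall_on"], True),
    Policy("antivirus signatures at most 3 days old", lambda h: h["av_sig_age_days"] <= 3, True),
    Policy("no missing critical patches", lambda h: not h["missing_patches"], True),
    Policy("disk encryption enabled", lambda h: h["disk_encrypted"], False,
           "Enable BitLocker: Control Panel > BitLocker Drive Encryption"),
]


def assess(health: dict, policies: List[Policy] = POLICIES) -> dict:
    """Evaluate every policy against one health report and return the access
    decision plus which failures are auto-fixable and which need the user."""
    failed = [p for p in policies if not p.check(health)]
    auto = [p.name for p in failed if p.auto_remediate]
    manual: Dict[str, str] = {p.name: p.self_help for p in failed if not p.auto_remediate}
    if not failed:
        decision = "grant"          # compliant: full network access
    elif not manual:
        decision = "remediate"      # fix silently, then re-check before granting
    else:
        decision = "quarantine"     # restricted access until the user self-remediates
    return {"decision": decision, "auto": auto, "manual": manual}


def apply_auto_remediation(health: dict) -> dict:
    """Simulate the product's silent fixes (firewall on, signatures refreshed,
    patches installed) and return the updated report for a post-admission re-check."""
    fixed = dict(health)
    fixed.update(firewall_on=True, av_sig_age_days=0, missing_patches=[])
    return fixed


# Constructed health report for a laptop returning from the road.
SAMPLE_HEALTH = {"firewall_on": False, "av_sig_age_days": 9,
                 "missing_patches": ["KB-PLACEHOLDER"], "disk_encrypted": True}
```

Running `assess(SAMPLE_HEALTH)` yields a "remediate" decision with three auto-fixable failures; re-running it on `apply_auto_remediation(SAMPLE_HEALTH)` yields "grant", while clearing `disk_encrypted` produces "quarantine" with the self-help text.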

Finally, is the solution operable with other solutions? Some vendors don't play nice, requiring you to use their network infrastructure or even use their other products to obtain all the functionality you need. Although all-in-one solutions can be convenient, you might prefer the freedom to use multiple products in your overall security approach.

Where NAC Is Headed

NAC used to tackle just the basics—antivirus protection, firewall security, patch management—but it's extending its reach. Today, NAC is bringing compliance into the fold. Important considerations include the PCI Data Security Standard (PCI DSS) surrounding credit-card information, the Gramm-Leach-Bliley Act regarding appropriate encryption use to protect customer information, and even environmental standards involving power management (e.g., shutting down machines during off hours). So, we're seeing a broadening of the types of checks that NAC can do.

More fundamentally, the notion of standalone NAC is gradually fading, giving way to componentization inside larger security-product suites. Customers still need NAC, but increasingly, they want it as part of an overall solution.

Choose Correctly for Your Needs

In the end, you might choose to go with Microsoft's Network Access Protection (NAP) implementation in Windows Server 2008—an in-band solution that uses post-admission DHCP access control for NAC. But other options might make more sense for your business. The right NAC product for you might depend on the size of your environment and how much time and effort you want to devote to the product's configuration. Small businesses tend to go for the easy-to-implement, out-of-the-box solution that comes with lots of predefined policies. Larger companies prefer lots of knobs they can twist to customize functionality in the interest of fine-grained security and compliance control. All these factors will come into play in deciding how to secure your network.

View the NAC buyer's guide table (Excel spreadsheet).
