Seeking Answers with Network Access Control
NAC is about managing how people and devices attach to the network and how IT controls the data you have permission to access
By: Ken Daniels
Jul. 21, 2013 12:45 PM
Corporate BYOD growth is prompting enterprises to take a closer look at their networks and their approach to security. As this initiative grows, along with the increased need for keeping the network and its data secure, more IT professionals are reconsidering NAC. In fact, a recent Ogren Group research report, "Network Access Control: A Strong Resurgence is Underway" [1], estimates that the network access control (NAC) market grew to $392 million in 2012 and will sustain a strong 22 percent CAGR through 2017, taking the market to more than $1 billion per year.
Two or three years ago, NAC was on the top-ten IT project list, but it was always one of the first projects to hit the chopping block when there were budget constraints. Now, as the BYOD phenomenon accelerates, so does the need to keep the corporate network and its data secure. This trend is driving more IT professionals to seek the answer to one question: "Are we ready for NAC?"
Now that your management has the NAC bug, what do you do? Where do you start? Who is involved? A lot of questions need to be asked and answered, and in this article I'll offer suggestions to set you on the right path.
Let's break it down:
What do you want to accomplish?
A BYOD program is the most common driver of NAC demand today. However, it is often confused with a Guest Access program. NAC can certainly help with both, but make sure that you know the difference. BYOD initiatives focus on allowing employees to access corporate data from personal devices such as tablets, smartphones and laptops. Many times, management will allow employees to bring a personal device into the office but limit its use to Internet access only. That scenario is essentially Guest Access, not a BYOD initiative. When planning for either scenario, verify whether your employees will use their LDAP (Active Directory, eDirectory, etc.) credentials to gain access to data on the corporate network, or whether pre-determined credentials configured on the NAC appliance will be used for access. Finally, if you want to allow employees to access corporate information, decide how much access to allow. NAC can help with all of this.
Another consideration is whether you want to limit what employees can access based on their role, location, time of day, and so on. For example, there is no reason for someone in the finance department to access the data center, just as there is no reason for them to be in the data center in the first place. Conversely, there is no reason for IT to access the payroll server (except for maintenance). With NAC, you can set policies and checks to help you manage access. These policies include, but aren't limited to: anti-virus verification (which AV brands are supported, and whether the installed AV is the most current version), operating system checks (which OS is running, and whether all patches are applied), and application checks (are unauthorized applications running, or are required applications missing?). There are many more options to consider. When you are looking at implementing a NAC solution, make sure that you know what you are looking for.
Another advantage of using NAC is the automated on-boarding of "headless" devices such as printers, IP cameras, and phones. A NAC solution such as CounterACT can identify and classify any device that could potentially connect to your network, both wired and wireless. Once a device has been identified, NAC can provide it with the necessary access to the network.
How do I manage access?
When managing access to the network, there are generally two different methods: VLAN reassignment and Access Control Lists (ACLs). ForeScout has another alternative called Virtual Firewall. This feature allows you to control access of any device attempting to connect to the network.
VLAN reassignment is the most common method for controlling access. When a device connects and has the appropriate authentication, NAC can move the device to the pre-determined VLAN. This is accomplished by integrating with the network switches, routers and wireless controllers. This dynamic VLAN assignment is temporary, and when a device disconnects and another device connects, a new VLAN can be assigned to that port or within the SSID.
Dynamic ACLs are another method of enforcement. While not as widely utilized, they can be equally effective, and in some cases a combination of VLANs and ACLs is used. For example, a user can connect to the network, be assigned to a VLAN, and, based on their authentication, have ACLs in place to limit their access.
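To make the preceding sections concrete, here is an added Python example of a small NAC policy engine. It is not code from the article, from ForeScout or from any NAC product; it ties together the posture checks listed under "What do you want to accomplish?" (supported AV brand, AV currency, OS patches, required and unauthorized applications), the classification of headless devices, the role- and time-of-day-based restrictions (finance kept out of the data center, IT kept off the payroll server outside a maintenance window) and the VLAN-plus-ACL enforcement just described. All VLAN numbers, addresses, application names, AV brand names and the maintenance window are constructed placeholders, and the ACL strings are illustrative router-style text rather than any specific vendor's syntax.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional

# --- Constructed policy constants (placeholders, not values from the article or any vendor) ---
VLAN_CORP, VLAN_GUEST, VLAN_REMEDIATION, VLAN_HEADLESS = 10, 20, 30, 40
SUPPORTED_AV = {"ExampleAV", "OtherAV"}           # AV brands the policy accepts
REQUIRED_APPS = {"corp-agent"}                    # must be present on a corporate device
UNAUTHORIZED_APPS = {"torrent-client"}            # must be absent
HEADLESS_TYPES = {"printer", "ip-camera", "phone"}
INTERNAL_NET = "10.0.0.0/8"                       # everything a guest must not reach
DATACENTER_NET = "10.50.0.0/16"                   # finance has no business here
PAYROLL_HOST = "10.50.7.20"                       # IT reaches this only during maintenance
PATCH_SERVER = "10.10.1.5"                        # the only destination from remediation
SERVICES_NET = "10.10.0.0/16"                     # print/voice/NVR servers for headless gear
MAINT_WINDOW = (time(2, 0), time(4, 0))           # local time; start inclusive, end exclusive


@dataclass
class Posture:
    """What the NAC learns about a connecting endpoint (agent or agentless inspection)."""
    user: str
    role: str                  # group from the directory (AD, eDirectory, ...) or "guest"
    device_type: str           # "laptop", "tablet", "printer", ...
    av_vendor: Optional[str]
    av_current: bool
    os_patched: bool
    apps: set
    connect_time: time


@dataclass
class Decision:
    """Enforcement outcome: the VLAN to assign plus an ordered ACL for that session."""
    vlan: int
    acls: list = field(default_factory=list)
    reason: str = ""


def posture_failures(p: Posture) -> list:
    """Run the endpoint checks; an empty list means the device is compliant."""
    failures = []
    if p.av_vendor not in SUPPORTED_AV:
        failures.append("unsupported or missing AV")
    elif not p.av_current:
        failures.append("AV definitions out of date")
    if not p.os_patched:
        failures.append("OS patches missing")
    missing = REQUIRED_APPS - p.apps
    if missing:
        failures.append("missing required apps: " + ", ".join(sorted(missing)))
    banned = UNAUTHORIZED_APPS & p.apps
    if banned:
        failures.append("unauthorized apps: " + ", ".join(sorted(banned)))
    return failures


def in_window(t: time, window) -> bool:
    start, end = window
    return start <= t < end


def evaluate(p: Posture) -> Decision:
    """Map posture and identity to a VLAN and ACL, most restrictive rule first."""
    # 1. Headless devices are classified by type and pinned to their own VLAN;
    #    they never receive a general-purpose corporate path.
    if p.device_type in HEADLESS_TYPES:
        return Decision(VLAN_HEADLESS,
                        [f"permit ip any {SERVICES_NET}", "deny ip any any"],
                        f"headless {p.device_type}")
    # 2. Guest access: Internet only, regardless of device health.
    if p.role == "guest":
        return Decision(VLAN_GUEST,
                        [f"deny ip any {INTERNAL_NET}", "permit ip any any"],
                        "guest: Internet only")
    # 3. Corporate users must pass the posture checks or land in remediation,
    #    where only the patch server is reachable.
    failures = posture_failures(p)
    if failures:
        return Decision(VLAN_REMEDIATION,
                        [f"permit ip any host {PATCH_SERVER}", "deny ip any any"],
                        "; ".join(failures))
    # 4. Compliant corporate device: corporate VLAN, with role- and
    #    time-of-day-based ACL entries layered on top (VLAN + ACL combination).
    acls = []
    if p.role == "finance":
        acls.append(f"deny ip any {DATACENTER_NET}")
    elif p.role == "it" and not in_window(p.connect_time, MAINT_WINDOW):
        acls.append(f"deny ip any host {PAYROLL_HOST}")
    acls.append("permit ip any any")
    return Decision(VLAN_CORP, acls, f"compliant {p.role} user")


# Constructed sample endpoints for demonstration.
SAMPLES = {
    "printer": Posture("", "", "printer", None, False, False, set(), time(9, 0)),
    "guest_tablet": Posture("visitor", "guest", "tablet", None, False, False, set(), time(9, 0)),
    "finance_ok": Posture("alice", "finance", "laptop", "ExampleAV", True, True, {"corp-agent"}, time(9, 0)),
    "it_daytime": Posture("bob", "it", "laptop", "OtherAV", True, True, {"corp-agent"}, time(14, 30)),
    "it_maint": Posture("bob", "it", "laptop", "OtherAV", True, True, {"corp-agent"}, time(3, 0)),
    "stale_av": Posture("carol", "finance", "laptop", "ExampleAV", False, True,
                        {"corp-agent", "torrent-client"}, time(9, 0)),
}

if __name__ == "__main__":
    for name, posture in SAMPLES.items():
        d = evaluate(posture)
        print(f"{name:13} -> VLAN {d.vlan:<3} {d.reason}")
        for line in d.acls:
            print(f"{'':17}{line}")
```

The rule order matters: device classification comes first so a printer is never evaluated as a user, guests are handled before posture because an Internet-only device need not be compliant, and posture failure wins over role so a finance laptop with stale AV lands in remediation rather than on the corporate VLAN. In a real deployment the Decision is what gets pushed to the switch or wireless controller through the integration the article mentions; the engine above only computes it.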
Who is involved?
As you can see, a lot of decisions and considerations go into planning for NAC. The better prepared you are and the more time you spend planning, the more successful the implementation will be. In a dynamic world things change, and a NAC solution needs to be dynamic too. As new business and security policies emerge, it is critical to integrate them into your NAC plans.
1. Eric Ogren, The Ogren Group, "Network Access Control: A Strong Resurgence is Underway," March 6, 2013.