This article can also be found in the Premium Editorial Download "Network Evolution: Network security in a world of mobile workers."
Download it now to read this article plus other related content.
Network Access Control (NAC) technology seemed all but dead a year ago. After dominating network security headlines for years, the technology eventually fizzled when users found that its features just didn’t go deep enough. But enterprise IT consumerization—specifically the need to better control access for personal devices on the corporate network—is resurrecting the need for better NAC solutions.
Though it is difficult to quantify what percentage of organizations today allow users to access the network using personal devices, a recent survey by mobile service provider iPass, shows 91% of workers conduct business from their own smart phones.
To enable these users, companies are finding themselves seeking ways to protect an environment that is more virtual and therefore more porous. Since NAC technology has always promised to merge authentication, end point security and access policy enforcement, it could be just the solution for these new protection needs.
A broad spectrum of vendors is now promising new NAC features meant to handle a bring your own device (BYOD) policy, and the changes have already boosted NAC sales. Infonetics Research reports that revenues of NAC appliances actually increased 8% in Q2 2011 versus Q1 2012 after years of lackluster sales.
A spectrum of vendors with NAC technology features
NAC technology solution vendors today fit into one of three general categories: Network security generalists, overall network equipment vendors, and an emerging class of vendors specializing only in NAC.
Though there are many differences among the individual vendors, providers in each category also tend to share some common traits. Network security vendors, such as McAfee, Symantec and Still Secure, concentrate on expanding elements already in their wheelhouse, such as intrusion prevention or virtual private network (VPN) technology. In some cases, they’ll incorporate NAC functionality into these broader solution sets, as is the case with Symantec’s integration of NAC into its endpoint security product.
Switching vendors such as Cisco and Enterasys, have traditionally provided NAC to existing customers as an extension of their network equipment offerings. While these solutions have often provided very granular access controls to customers using their equipment, network equipment vendor-backed NAC solutions hit a big stumbling block in how to enforce NAC policies across both a wired and wireless network. Now that’s an issue these vendors are addressing head on.
Finally, a group of NAC specialists have arrived on the scene with solutions that aim to support a broad mix of platforms in a highly standardized way. These solutions have been more aggressive than their counterparts in addressing the unmanaged device element that a BYOD policy model brings. These up and coming companies include ForeScout and Bradford Networks.
The problem with “OLD” NAC technology
The original class of NAC products that emerged nearly a decade ago aimed to protect the network from malware and other threats that were introduced when laptops plugged onto the network. The technology focused largely on end point security, with an emphasis on updating device configuration to meet corporate security policies. With only limited interoperability between NAC products and networking gear, however, this approach was difficult to make work and manage.
Network access control technology grows up
Over time, what has changed in NAC solutions is a greater focus on safeguarding the network from unmanaged devices, by using a combination of policy management, profiling and access control. NAC solutions today increasingly apply an approach in which they create a guest network where non-corporate devices are segregated from the main network. Once devices are on this limited access network, the NAC solution can assess them based on their configuration and whether they comply with corporate security policies.
NAC features to consider for BYOD
- Identity awareness: Many NAC solutions seek to gather information on the user and device, then use it to direct routers and switches on how much access to grant based on enterprise policy. In some cases, the NAC technology can consider location of user, date, time, authentication type and device to make those decisions. It can also gather Active Directory, LDAP and SQL information.
- Guest networking: NAC solutions can be used to enforce multiple levels of guest networking. This makes it so that users can be shuttled into cordoned-off areas of the network that have varying levels of access to enterprise resources.
- Threat management: Some NAC technologies act almost as unified threat management devices using a variation of features. Such features include port disable, VLAN control, VPN disconnect and access control list (ACL) to block or quarantine network devices until remediation takes place.
- Integration with Intrusion prevention systems (IPS): Some NAC solutions integrate with IPS technology so that NAC can authenticate and grant access based on the same corporate compliance and security mandates used by the latter system.
- Support for multiple mobile OS platforms: NAC solutions were once built for laptops running Windows. However, that can’t be the case anymore considering iPads, iPhones and multiple Android-based devices that are being brought onto the network must be managed.
About the Author
Amy Larsen DeCarlo is a principal analyst at Current Analysis, where her research focuses on assessing managed and cloud-based data center and security services.
This was first published in April 2012