Defending an expansive definition of NAC

There is a good bit of controversy about what constitutes a complete NAC solution. Broadening our definition and expectations will enable networking pros to tightly integrate NAC into the IT infrastructure and leverage it as a true access control system.

There is a good bit of controversy these days about what constitutes a "complete" network access control (NAC) solution. The original vision of NAC (e.g., host-posture checking, quarantine and remediation) has been expanding considerably. Network architecture and network operations managers are no doubt beginning to wonder if the term has become so misused as to lose any real meaning.

To be sure, the inevitable "bandwagon" effect has vendors rolling out NAC products that would clearly have been labeled something else a year ago. In spite of these concerns, I would still like to make the case for a broader definition of NAC than was originally envisioned.

A complete NAC solution should include the following capabilities: host-posture checking; quarantine and remediation; identity-aware, policy-based authentication and resource access control; and post-admission threat protection, quarantine and remediation.

What we gain with this expanded definition is the ability to integrate NAC much more tightly into the IT infrastructure and therefore to leverage NAC as a truly ubiquitous access control system. This would enable two separate, but equally important, enhancements to today's networks: network-layer identity management, and a threat-prevention control plane.

The benefit of user identity awareness within NAC solutions is really a no-brainer. It's interesting that NAC solutions are so commonly positioned as security solutions because they are only tangentially about security. As originally envisioned, NAC did not provide any additional security functionality, but rather it ensured that organizations were fully leveraging their existing security investments (e.g., check that the antivirus software is installed, turned on, and updated).

It would be at least as obvious to position NAC as a systems management, audit and compliance solution. But to fully exploit NAC's potential as an audit and compliance management tool, the solution needs to be able to tie network traffic to particular users and to specific policy. The fact that existing solutions typically do this with an application-centric approach is perhaps more by accident than design. This week's announcement that Oracle (the paragon of the application-centric approach to identity management) was partnering with Identity Engines Inc. (an identity-aware NAC player) is an early data point in what is sure to become a trend that will deliver identity awareness to NAC solutions more quickly and more completely.

To become an active security system, NAC solutions need to support post-admission threat prevention. Many NAC solutions today do support periodic rechecking of host configurations post-admission. If a device is found to have slipped out of policy compliance, then it can be placed into quarantine and remediated. A much more powerful capability, however, would be to leverage NAC enforcement points to block network traffic or to quarantine specific devices based on threat detection from existing network or host-based security products. As NAC functionality is baked into the network infrastructure, security vendors can go back to doing what they do best, which is detecting emerging threats, and hopefully networks can be simplified by eliminating dedicated inline security devices.
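The four capabilities argued for above (pre-admission posture checking, quarantine and remediation, identity-aware placement, and post-admission quarantine driven by an existing detection product) can be sketched as one small policy engine. The following is an added example written for this page; it is not code from the column's author or from any NAC vendor. The device records, the role-to-VLAN mapping, the three-day signature-age limit and the IDS alert are all constructed for illustration, and the function names (`admit`, `recheck`, `threat_event`, `remediate`) are hypothetical rather than any product's API.

```python
"""
Added example (not from the article or any NAC product): a minimal NAC policy
engine covering pre-admission posture checks, identity-based VLAN placement,
periodic rechecks, remediation, and post-admission quarantine triggered by an
alert from a separate security product. All values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

QUARANTINE_VLAN = "vlan-quarantine"
MAX_SIGNATURE_AGE = timedelta(days=3)  # constructed policy threshold

# Hypothetical identity-to-network mapping: the role asserted by the directory,
# not the switch port, decides which segment a compliant device lands on.
ROLE_VLANS = {"engineer": "vlan-eng", "finance": "vlan-fin", "guest": "vlan-guest"}


@dataclass
class Posture:
    av_installed: bool
    av_enabled: bool
    signatures_updated: datetime


@dataclass
class Device:
    mac: str
    user: str
    role: str
    posture: Posture
    vlan: str = "unassigned"
    reason: str = ""


def posture_violations(posture: Posture, now: datetime) -> List[str]:
    """Return the posture checks a device fails; an empty list means compliant."""
    problems = []
    if not posture.av_installed:
        problems.append("antivirus not installed")
    elif not posture.av_enabled:
        problems.append("antivirus disabled")
    elif now - posture.signatures_updated > MAX_SIGNATURE_AGE:
        problems.append("antivirus signatures stale")
    return problems


def admit(device: Device, now: datetime) -> str:
    """Pre-admission decision: quarantine on posture failure, else place by identity."""
    problems = posture_violations(device.posture, now)
    if problems:
        device.vlan, device.reason = QUARANTINE_VLAN, "; ".join(problems)
    elif device.role not in ROLE_VLANS:
        device.vlan, device.reason = QUARANTINE_VLAN, f"unknown role {device.role!r}"
    else:
        device.vlan, device.reason = ROLE_VLANS[device.role], "compliant"
    return device.vlan


def recheck(device: Device, now: datetime) -> str:
    """Periodic post-admission re-evaluation: a device that drifts out of policy is moved."""
    return admit(device, now)


def threat_event(devices: Dict[str, Device], mac: str, source: str, detail: str) -> Optional[str]:
    """Post-admission enforcement: an alert from an existing detection product (IDS,
    host agent, ...) names a device, and the NAC enforcement point quarantines it."""
    device = devices.get(mac)
    if device is None:
        return None
    device.vlan, device.reason = QUARANTINE_VLAN, f"{source}: {detail}"
    return device.vlan


def remediate(device: Device, now: datetime) -> str:
    """Simulated remediation: the device refreshes its signatures and is re-admitted."""
    device.posture = Posture(True, True, now)
    return admit(device, now)


def demo() -> Dict[str, str]:
    """Run the constructed scenario and return each user's final VLAN."""
    now = datetime(2024, 1, 15, 9, 0)
    devices = {
        "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "alice", "engineer",
                                    Posture(True, True, now - timedelta(hours=6))),
        "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "bob", "finance",
                                    Posture(True, True, now - timedelta(days=10))),
        "aa:bb:cc:00:00:03": Device("aa:bb:cc:00:00:03", "carol", "engineer",
                                    Posture(True, True, now)),
    }
    for d in devices.values():
        admit(d, now)                      # alice admitted, bob quarantined (stale), carol admitted
    # Constructed IDS alert: carol's host is flagged after admission.
    threat_event(devices, "aa:bb:cc:00:00:03", "network IDS", "malware callback detected")
    # Bob updates signatures from the quarantine VLAN and is re-admitted.
    remediate(devices["aa:bb:cc:00:00:02"], now)
    return {d.user: d.vlan for d in devices.values()}


if __name__ == "__main__":
    for user, vlan in demo().items():
        print(f"{user:6} -> {vlan}")
```

The point of the sketch is the division of labour the column describes: the detection product only reports, and the enforcement decision stays in the NAC policy engine, which also records a reason for every placement so the audit trail ties a network segment to a user and a policy outcome.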

We are a long way from seeing comprehensive NAC solutions with this breadth of functionality deployed, but certainly the first step is agreeing on the utility of moving in this direction. Market demand is coalescing around these broader solutions, so expect to see vendors partnering for, and acquiring, the technology they need to deliver them.

About the author: As a Senior Analyst in the Information Security module at Current Analysis, Andrew Braunberg's main responsibility is tracking the identity management and security management market segments. Prior to joining Current Analysis, Andrew was a journalist covering information technology in the defense and telecommunications sectors. Andrew holds an M.A. from George Washington University in Science, Technology and Public Policy and a B.S. in Engineering Physics from Rensselaer Polytechnic Institute.
