Network access control (NAC) has become an inescapable network security buzzword.
With 50-plus vendors claiming to have some form of NAC solution, the landscape is cloudy and confusing. If the vendors are right, the time to deploy NAC is now. And, in many ways, those vendors aren't too far off.
"There's a lot of overhype," said Gartner Inc. vice president and distinguished analyst John Pescatore. "All of the vendors have something they call NAC. But you don't have to wait to start implementing these technologies."
According to Pescatore, companies must first take a look at exactly what problems, or pain points, they're looking to NAC to solve. Those problems could dictate which type of NAC deployment is a good starting point.
Define your NAC goals
"Everybody's really high on NAC," said Andrew Braunberg, senior analyst with Current Analysis. But he added that determining NAC readiness and need boils down to a few seemingly simple questions an enterprise must first ask itself. "The things to keep in mind are: Where would you start? What's the pain point I'm trying to address? Can an NAC solution hit that mark? What would be the overall extent of your NAC solution when you're done?"
By and large, Pescatore and Braunberg agreed, enterprises are looking to NAC for guest network access. And while safe and secure guest access is a valid reason for NAC consideration, it doesn't require an all-new infrastructure to accommodate the likes of Cisco's NAC framework or Microsoft's NAP.
"I think people should start addressing the pain they're feeling now, but there's still a lot of market education to be done," Braunberg said.
Senior Burton Group analyst Eric Maiwald agreed. When asked whether enterprises should start considering NAC now, he said, "I don't know that there is one answer to that one."
Maiwald said companies have to evaluate what's driving them to NAC. For the most part, organizations are considering NAC because it's the latest and greatest technology, because of compliance issues, because they want to control malware, or because they want to control guest, or non-employee, access.
"Controlling who can be on your network is something that should've been done a long time ago," Maiwald said. "Is NAC really something new, or is it the next generation of vulnerability management? Is it the next generation of intrusion prevention?"
Since NAC can be deployed at different points in the network -- inline, out-of-band and as a software agent -- companies need to look into where their enforcement points should be.
"The enforcement point is one of the keys here," Maiwald said. "Where do they want to do the enforcement? If I put it inline, what do I do if the device fails?"
Enterprises should also weigh which type of NAC is the least intrusive in their environment. Is it an inline solution like those from ConSentry, Vernier and Nevis; out-of-band like Lockdown and Forescout; or software agents like Elemental and InfoExpress?
"It does seem that the inline and out-of-band devices are getting a lot of the attention," Maiwald said.
The five functions of NAC
Braunberg said a complete NAC solution should fill five holes. It should run a pre-admission check, a host posture check and a post-admission check. It should also be ID-aware and aware of ID-based network resources.
Overall, Braunberg said, there isn't one vendor that hits all five segments with a best-of-breed solution. But for the most part, the technology is mature enough to get adequate coverage in each of the designated areas. Right now, he said, Juniper's second phase of its Unified Access Control product has the broadest approach.
Still, for an enterprise to get its initial NAC deployments in gear, Braunberg added, it's not necessary for all five NAC segments to be hit.
"I don't think you need to go out and address all of these areas to get value out of NAC today," he said.
Gartner's Pescatore said there are three broad types of NAC technologies, all of which hit different levels of monitoring. First, there are infrastructure upgrades from the likes of Cisco and Microsoft. Those are the most complete NAC solutions, he said, but many companies won't come out of the NAC gate with such a pervasive deployment because of the hefty price tag and complete infrastructure upgrade that's necessary.
"The vast majority of enterprises are not ready for that," he said. "We tell clients, 'Look, if you have upgraded your Cisco network, it's something you should look at.'"
NAC is also available in the form of software agents, such as antivirus, personal firewalls and configuration management tools, Pescatore said. Several small vendors also make NAC boxes. Those boxes won't hit every existing NAC pain point, but they do open the door for a more expansive deployment down the road.
"Sit down and figure out what's your real motivation for network access control," Pescatore suggested.
Some companies want to determine whether a device is dangerous or vulnerable before it's allowed onto the network. Others have to allow non-employees and non-employee PCs onto the network.
"If that's your whole motivation," Pescatore said, "you don't really need to go through the expense of everything involved in a full upgrade."
Other companies are motivated by a combination of security concerns. For example, a company may want to allow non-employee PCs onto the network but may also be looking for tools that can monitor the network for potential security threats.
"You can start small, do guest networking and then move on," Pescatore said. "If the network group is next year upgrading the routers and switches, it's OK to look at [Cisco NAC and Microsoft NAP]."
Some companies still question the maturity of NAC technologies in the booming and hype-filled market, but Pescatore pointed out that several companies are now using various flavors of NAC without any major hang-ups. As for full NAC frameworks, he recommends taking baby steps.
"Lots of companies are using it for guest access, and it works great," he said. "The real issue is that the big bang approach rarely works unless you're experiencing a big bang."
Still, no matter where the starting point is, Pescatore added, any level of NAC deployment "is not a throw-away investment."