Network access control (NAC) has been on the cusp of becoming the holy grail of network security for about a year now.
What's preventing NAC from going over the top is confusion, not only on the part of the vendors -- which call any and every security solution an NAC solution -- but also among users, who are baffled by a term that has several definitions and so many different vendors.
According to Infonetics Research, roughly 50% of large organizations have already deployed NAC, and that number will reach about 60% by 2008. Also, about half of small and midsized organizations plan to deploy NAC by 2008. But the vast majority of the companies that are not planning to deploy NAC by 2008 said they don't have enough information about the technology, meaning they "don't really know what it is or could do for them," the Infonetics study indicated.
With so much confusion and such a lack of information, it has become increasingly difficult for companies to craft a request for proposal (RFP) for an NAC solution, especially since there is no solid definition of what exactly NAC is.
Ofir Arkin, CTO of security vendor Insightix, hopes to clear up some of the confusion. He recently published a list of important questions to ask in an NAC RFP to ensure that the solution will fit an organization's need.
"Key pieces are missing from them," Arkin said of many NAC RFPs.
First, he said, companies need to ask a potential vendor how it defines NAC. "People don't really understand what NAC includes or presume that all solutions are the same."
From there, a company should determine the prerequisites for implementing the vendor's NAC solution. Prerequisites such as network upgrades or additional hardware that would need to be purchased should be spelled out so a company knows there will be added expense.
"Since the NAC space is a young space, there's a lack of experience," Arkin said. "There are hidden costs. Companies need to ask: 'What am I getting, and how much is it going to cost me?'"
Companies should know whether an NAC solution requires a change to the network architecture, whether it relies on special gear or equipment from a third-party vendor, whether it requires existing equipment to be upgraded or replaced, and whether it requires installation of new software agents.
Along the same lines, it is important to know how an NAC solution performs compliance checks. Which parameters can be checked, which software is required, which operating systems are supported, and whether custom compliance checks can be defined are all important questions.
Lastly, companies need to determine how the vendor quarantines devices that it doesn't allow onto the network and how the NAC solution provides enforcement. There are different quarantine methods out there. Companies should find out whether the solutions they are evaluating rely on specialized hardware or software and what happens once an element is quarantined. A company should find out whether quarantine and enforcement take place in Layer 2 or Layer 3.
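To make the two RFP questions above concrete (which parameters a compliance check can evaluate and whether custom checks can be defined; what happens to a device that fails and whether enforcement happens at Layer 2 or Layer 3), here is an added illustration in Python of the kind of policy evaluator that sits behind an NAC admission decision. It is not code from Insightix or any vendor mentioned on this page; the posture fields, the check names, the quarantine VLAN id and the ACL name are all constructed for the example.

```python
"""Illustrative NAC posture evaluator (added example, not vendor code).

Models the pieces an RFP should ask about: which parameters are checked,
whether custom checks can be added, what happens when a host fails, and
whether enforcement is a Layer 2 (VLAN) or Layer 3 (ACL) action.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical enforcement targets; real values come from the site's design.
QUARANTINE_VLAN = "vlan-666"              # L2: move port to remediation VLAN
REMEDIATION_ACL = "acl-remediation-only"  # L3: permit only patch/AV servers


@dataclass
class Posture:
    """Constructed posture report as an agent (or agentless scan) would send it."""
    mac: str
    os: str                # e.g. "windows"
    os_version: str        # e.g. "xp-sp2"
    av_running: bool
    patch_age_days: int    # days since the last successful patch cycle
    agent_present: bool    # False: no data could be collected from the host
    extras: Dict[str, str] = field(default_factory=dict)  # site-specific parameters


CheckFn = Callable[[Posture], bool]


@dataclass
class Policy:
    supported_os: Dict[str, List[str]]  # os name -> acceptable versions
    max_patch_age_days: int
    custom_checks: Dict[str, CheckFn] = field(default_factory=dict)

    def add_check(self, name: str, fn: CheckFn) -> None:
        """Register a custom compliance check (the 'custom checks' RFP question)."""
        self.custom_checks[name] = fn


@dataclass
class Decision:
    admitted: bool
    failed: List[str]            # names of checks that did not pass
    enforcement: Dict[str, str]  # what the enforcement point is told to do


def builtin_checks(policy: Policy) -> Dict[str, CheckFn]:
    """The baseline parameters an NAC solution typically verifies."""
    return {
        "os_supported": lambda p: p.os_version in policy.supported_os.get(p.os, []),
        "antivirus_running": lambda p: p.av_running,
        "patch_age": lambda p: p.patch_age_days <= policy.max_patch_age_days,
    }


def enforcement_for(layer: int) -> Dict[str, str]:
    """Translate a quarantine decision into an L2 or L3 enforcement action."""
    if layer == 2:
        return {"action": "vlan_assign", "vlan": QUARANTINE_VLAN}
    return {"action": "acl_apply", "acl": REMEDIATION_ACL}


def evaluate(posture: Posture, policy: Policy, layer: int = 2) -> Decision:
    """Run every built-in and custom check; fail closed on missing data."""
    # A host without an agent cannot be assessed: quarantine it rather than
    # admit it, which is the safe default when posture is unknown.
    if not posture.agent_present:
        return Decision(False, ["no_posture_data"], enforcement_for(layer))
    checks = {**builtin_checks(policy), **policy.custom_checks}
    failed = [name for name, fn in checks.items() if not fn(posture)]
    if failed:
        return Decision(False, failed, enforcement_for(layer))
    return Decision(True, [], {"action": "admit"})


def demo_policy() -> Policy:
    """Constructed policy: two Windows builds allowed, patches under 30 days old,
    plus a custom check on a site-specific 'disk_encrypted' parameter."""
    policy = Policy({"windows": ["xp-sp2", "vista"]}, max_patch_age_days=30)
    policy.add_check("disk_encrypted", lambda p: p.extras.get("disk_encrypted") == "yes")
    return policy


if __name__ == "__main__":
    pol = demo_policy()
    host = Posture("00:11:22:33:44:55", "windows", "xp-sp1", True, 90, True)
    print(evaluate(host, pol))            # quarantined: old OS build, stale patches
    print(evaluate(host, pol, layer=3))   # same failures, ACL enforcement instead
```

Evaluating a host at `layer=3` yields the same failed-check list but an ACL action instead of a VLAN move, which is exactly the distinction the RFP question about Layer 2 versus Layer 3 enforcement is meant to surface.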
"NAC is a continuous process," Arkin said. "If you know what you want, you can find a solution that suits your needs. Just make sure the right questions are being asked."