Network access control technology has come a long way from its days of being derided as an expensive and difficult tool that only succeeds in locking users out of the network. As the number of devices and the diversity of the users hitting networks across all industries grows, NAC security is becoming a must-have technology for any corporate environment.
Early generations of network-access control (NAC) products often overstated their abilities and underperformed, lowering customer confidence in the technology, said Lawrence Orans, research vice president for Stamford, Conn.-based Gartner Inc.
But NAC is making a comeback, said Brian Helman, director of networking services for Salem State University in Massachusetts, who presented a "Bring your own Everything" session at Interop 2014 in Las Vegas.
An IT professional from a university asked Helman if NAC was really worth the "cost or the frustration," noting that many of his end users -- the students -- had figured out ways to bypass his NAC system.
"NAC is kind of in the middle of resurgence, and it's worth it," Helman said. "We are talking about 16- to 21-year-old [students] doing things they shouldn't always be doing. I want to know who those people are."
Helman said his organization has been revisiting its NAC strategy, and is in the middle of switching NAC vendors.
Next-generation NAC technology walks the walk, offers BYOD access control
The question of whether the technology is worth deploying is unfortunately a common reaction for many organizations, said Scott Gordon, chief marketing officer for ForeScout Technologies. "A lot of folks have had a very tough time implementing NAC -- it involved an agent on each device and would often just lock out systems," he said. "Many organizations got burned by failed NAC implementations in the past."
"The old NAC is prehistoric -- it has a fraction of the capabilities that many solutions have now, so I'd imagine many [organizations] have been faced with users evading their NAC technology," said Steve Piper, CEO and co-founder of CyberEdge Group LLC, an Annapolis, Md.-based research and marketing consulting firm.
Although NAC proved to be expensive and complex in its early days, some vendors survived the blowback and matured their products, Gartner's Orans said.
Many NAC vendors are helping enterprises by expanding the scope of NAC functionality. Many next-gen NAC tools -- like Aruba ClearPass and ForeScout CounterACT -- are agentless, a great feature for bring your own device (BYOD) environments where IT struggles to deploy agents on employee-owned devices.
"There are still many managed devices on the network, but there are also many more mobile and personal devices that are largely unmanaged, so it's impossible to put agents on these devices," CyberEdge's Piper said.
In fact, BYOD and the increasing number of transient devices on corporate networks complicated the enforcement of a traditional NAC policy, creating a need for a more modern approach to NAC.
The network access control policy of the Fashion Institute of Technology in New York City prevents users from connecting their smartphones and tablets to the school's network; users must default to their cellular carriers. The school uses Aruba ClearPass to control access for student laptops. "[NAC] is critical to us in this case, because we obviously don't want to saturate our network with viruses and infected personal laptops that some students have," said Gregg Chottiner, vice president of IT and chief information officer for the Fashion Institute of Technology.
ClearPass allows Chottiner and his team to get very granular control over network access by user or application. "If we wanted to, we could disable things like Facebook in a particular lab or classroom," he said.
Chottiner and his team manage the wireless network very closely because the organization is located in the middle of the city. "If you're not a faculty member or a student, you can't access the network," he said. "Even if a student tries to bring in a rogue access point from home, our controllers recognize it and shut down that port."
But organizations can run into problems with NAC if network SSIDs are being broadcast, Chottiner said. "Some [organizations] don't manage access, but we have gone the other way and have chosen to lock it down. We've had faculty ask why they can't have the same access to wireless that they can get at a Starbucks. I don't want someone downloading things they shouldn't on our network," he said.
Next-gen NAC security integrates better into infrastructure
While NAC technology was historically deployed only within large enterprises, it has become necessary within small- to medium-sized environments, too. And it's becoming much easier for smaller IT teams to integrate next-generation NAC technology, and harder for users to circumvent these security measures.
Many modern agentless NAC strategies -- like ForeScout's -- can also adapt to an enterprise's infrastructure or even hosted security services more easily when compared to legacy NAC technology, which needed to touch every part of the infrastructure with agents to have enough visibility, ForeScout's Gordon said. "That level of interoperability negates the need to re-architect your infrastructure to satisfy a NAC deployment," he said.