about whether to grant network access and how much. They should then decide which model, client or clientless, best meets their needs.

Claim: A NAC solution protects wired, wireless and VPN connections.

This is true. In each case, the goal is to deny access to users and devices that fail to meet NAC policy, and to enforce that decision as close to the network entry point as possible.

For a LAN-connected device, that point can be the access switch or a NAC appliance connected to the switch. It can also be a firewall that protects LAN segments, or the endpoints themselves.

In a wireless network, the closest device to the end user is the access point, and it can act as an enforcement point. Similarly, a VPN concentrator can enforce NAC policies.

But interoperability may be an issue, says Phil Hochmuth, an analyst with Yankee Group. “If a company makes this claim it opens up the question of the actual communications interface with those pieces of the network,” he says.

The best thing to do is check that the NAC gear being deployed is compatible with the relevant wireless, VPN and other infrastructure before buying.

Claim: NAC can automate and document compliance with regulatory demands.

This is an overstatement. Depending on the regulation, NAC can contribute more or less of the data necessary to convince auditors that regulations were met, but no NAC product - or any single product of any kind - can meet regulatory security requirements on its own. “There’s a lot of different regulations and some are more specific than others,” says Hochmuth.

For instance, some come down to specific network firewall settings, something NAC wouldn’t be able to help with, he says.

But NAC products can help in other areas having to do with network access and who in an organization has accessed what resources. Key questions to ask are which third-party reporting platforms the NAC gear is compatible with, and whether the vendor recommends its gear for specific regulatory needs.

“What are the check boxes that this thing is going to be able to discover and prove, and how does that produce something readable, examinable or verifiable by an auditor?” Hochmuth says.

Claim: NAC can admit guests and contractors safely.

This is true. The caveat is that the inspection of an unmanaged endpoint is often less rigorous than the inspection a managed endpoint receives.

“Most vendors have some solution around guest and contractor access,” says Roberts. “Typically it is a captive Web portal that gives them a download that’s going to do a security scan on their endpoint.” If they aren’t compliant, the NAC gear can give them access to a Web site where they can get whatever they need to become compliant.

Since these machines are not managed by the company, they may or may not accept downloadable NAC agents to do scans. If not, the NAC gear has to use less complete external monitoring to make its decision.

The best course for customers is to carefully limit and isolate as much as possible the access that guests and contractors are granted while still enabling them to do what they need to do.

Claim: NAC gear can screen printers, cameras, phones and other IP devices for NAC compliance.

This is an overstatement. NAC gear, and in some cases supplemental platforms, can discover and admit these devices, but because these devices don’t accept agents, they also cannot receive in-depth NAC screening.

“What does it really matter if I know all of the laptops and all of the desktops that I manage are in compliance if that’s not the full set of all the systems that are on our network?” Roberts says. “Most vendors don’t have a great answer to that question right now.”

Sponsored by HP ProCurve Networking
ProCurve.com/Choice

Once devices are identified, NAC gear that limits behavior on networks can restrict what they do. So a device identified as an IP phone can be restricted to sending and receiving only traffic associated with VoIP and denied from performing file transfers, for example.
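The two halves of that decision, identify the device and then constrain what it may do, can be written down as a small policy engine. The following is an added illustration, not code from the article or from any NAC vendor: the device inventory, roles, subnets, ports and flows are all constructed for the example. It covers the IP-phone restriction described above as well as the guest isolation and quarantine-to-remediation behaviour discussed earlier, so that the same policy handles an agentless device, a guest and a managed laptop that failed its posture check.

```python
"""Role-based NAC enforcement (added example; assumptions noted inline).

Identification (the DEVICES table below, a stand-in for what 802.1X or
device discovery reports) is separate from enforcement (decide()), which
is the point the article makes: once a device is known to be a phone, it
gets only phone traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory keyed by MAC address (assumed values).
# "compliant" is None for devices that cannot take a posture-check agent.
DEVICES = {
    "00:1a:2b:3c:4d:01": {"role": "ip-phone", "compliant": None},
    "00:1a:2b:3c:4d:02": {"role": "managed-laptop", "compliant": True},
    "00:1a:2b:3c:4d:03": {"role": "managed-laptop", "compliant": False},
    "00:1a:2b:3c:4d:04": {"role": "guest", "compliant": None},
}

VOIP_NET = ip_network("10.10.0.0/16")     # assumed voice VLAN / call-manager range
REMEDIATION = ip_address("10.20.0.5")     # assumed remediation web server
CORP_NETS = [ip_network("10.0.0.0/8")]    # assumed internal address space


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


def _is_voip(flow):
    """SIP signalling or RTP media, and only toward the voice subnet."""
    in_voice_net = ip_address(flow.dst_ip) in VOIP_NET
    sip = flow.dst_port in (5060, 5061)
    rtp = flow.proto == "udp" and 16384 <= flow.dst_port <= 32767
    return in_voice_net and (sip or rtp)


def _is_internal(flow):
    return any(ip_address(flow.dst_ip) in net for net in CORP_NETS)


def decide(flow):
    """Return (verdict, reason) for one flow given the sender's role and posture."""
    dev = DEVICES.get(flow.src_mac)
    if dev is None:
        return "deny", "unknown device: not admitted"
    role, compliant = dev["role"], dev["compliant"]

    if role == "ip-phone":
        # Admitted without an agent scan, so it is limited to what a phone needs:
        # no file transfers, no reaching the rest of the LAN.
        if _is_voip(flow):
            return "allow", "voip"
        return "deny", "non-VoIP traffic from phone"

    if role == "guest":
        # Guests and contractors get Internet only; internal resources are off limits.
        if _is_internal(flow):
            return "deny", "guest to internal resource"
        return "allow", "guest internet"

    if role == "managed-laptop":
        if compliant:
            return "allow", "compliant managed endpoint"
        # Posture check failed: quarantine, with only the remediation server reachable.
        if ip_address(flow.dst_ip) == REMEDIATION and flow.dst_port in (80, 443):
            return "allow", "quarantine: remediation only"
        return "deny", "quarantine: posture check failed"

    return "deny", f"no policy for role {role}"


if __name__ == "__main__":
    for f in (
        Flow("00:1a:2b:3c:4d:01", "10.10.1.1", "udp", 20000),   # phone, RTP
        Flow("00:1a:2b:3c:4d:01", "10.0.0.7", "tcp", 445),      # phone, SMB
        Flow("00:1a:2b:3c:4d:03", "10.20.0.5", "tcp", 443),     # quarantined laptop
        Flow("00:1a:2b:3c:4d:04", "10.0.0.7", "tcp", 443),      # guest to LAN
    ):
        print(f, decide(f))
```

The phone rule is the interesting one: the device never ran an agent, so its "compliance" is unknown, and the policy compensates by narrowing what it may talk to rather than by trusting it. In a real deployment the equivalent rules would be pushed to the switch, access point or firewall as a VLAN assignment or ACL; this example only shows the decision logic.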

Customers should check whether the NAC vendor provides device discovery within its own platform, or whether they must look to independent vendors for the same functionality.

Claim: Vendors say they support both Layer 2 and Layer 3 NAC.

This is true, but customers must make sure they are buying from a vendor that supplies the type they want.

“It’s like the difference between latching a door with a chain and having a deadbolt,” Hochmuth says.

In a business environment with many guests and contractors, stronger Layer 2 NAC, such as that enforced by 802.1X-capable switches, is more desirable than Layer 3.

In a college environment where thousands of students need access to the network but don’t have access to essential university resources, Layer 3 may be appropriate. The concern there is more toward protecting the network itself, he says, and the costs of buying into a stronger NAC scheme might be prohibitive.
