November 2007 | Volume 10/ Number 11
Inside Networking

Addressing Enterprise Network Access Control (NAC) Requirements

By Tony Rybczynski and Jon Oltsik

Business executives are extremely concerned (and rightly so) that their organization may be the next publicly disclosed data breach story in the Wall Street Journal. Ask 10 networking and security professionals to define Network Access Control (NAC) and you will likely get 10 unique responses. The truth is that NAC has become an essential piece of security enforcement and network infrastructure.

The technology glossary defines NAC as “a method of bolstering the security of a proprietary network by restricting the availability of network resources to endpoint devices that comply with a defined security policy.”

NAC can be construed as a common endpoint security policy management system for a range of network (wired, wireless, VPN) and device types. In most cases, security policies are centered on three areas:

1. Authentication. Users and/or endpoint devices must authenticate themselves before they are granted access to the network, even if they are roaming. The network can then make further policy decisions based upon user and device identity characteristics.

2. Endpoint health status. Before gaining network access, endpoint devices are checked for system vulnerabilities, security software configuration parameters (e.g. whether antivirus signatures are current), and malicious code signatures. Further network decisions are based upon the results of this examination.

3. Authorization. NAC can be configured to limit a device to specific network assets or tasks and also be tuned for specific types of networks. For example, an IP phone may be restricted to a particular network VLAN and IP telephony gateway.

The overall objective of NAC is simply to make better decisions about who gets access to the network (or network segment) and what they can do once they are admitted. The health check provides additional security protection by limiting or restricting access to endpoints deemed to be “unhealthy” based upon an organization's policy definition of endpoint health.
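The three policy areas above, evaluated in order (authenticate, then check health, then authorize), as an added illustration that is not from the article or from any vendor's product; the VLAN ids, the signature-age and patch-level thresholds, and the endpoint fields are constructed sample values:

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy thresholds and VLAN ids (assumptions, not from the article).
MAX_SIGNATURE_AGE_DAYS = 7
MIN_PATCH_LEVEL = 3
CORP_VLAN, VOICE_VLAN, QUARANTINE_VLAN = 10, 40, 99

@dataclass
class Endpoint:
    identity: str                      # user or device identity from the authentication step
    authenticated: bool                # did 802.1X / login succeed?
    device_type: str                   # "workstation" or "ip_phone"
    av_signature_age_days: Optional[int] = None  # None = no antivirus reported
    patch_level: int = 0
    malware_found: bool = False

@dataclass
class Decision:
    action: str                        # "deny", "quarantine" or "admit"
    vlan: Optional[int] = None
    reasons: List[str] = field(default_factory=list)

def health_failures(ep: Endpoint) -> List[str]:
    """Policy area 2: endpoint health. Returns the list of failed checks."""
    failures = []
    if ep.malware_found:
        failures.append("malicious code detected")
    if ep.device_type != "ip_phone":   # phones run no AV agent; skip that check
        if ep.av_signature_age_days is None or ep.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
            failures.append("antivirus signatures not current")
    if ep.patch_level < MIN_PATCH_LEVEL:
        failures.append(f"patch level {ep.patch_level} below required {MIN_PATCH_LEVEL}")
    return failures

def evaluate(ep: Endpoint) -> Decision:
    """Apply the three policy areas in order and return an enforcement decision."""
    # Policy area 1: authentication. Unknown users/devices get nothing.
    if not ep.authenticated:
        return Decision("deny", reasons=["authentication failed"])
    # Policy area 2: health. Unhealthy endpoints go to a remediation VLAN, not the LAN.
    failures = health_failures(ep)
    if failures:
        return Decision("quarantine", QUARANTINE_VLAN, failures)
    # Policy area 3: authorization. Tie the device type to the assets it may reach.
    if ep.device_type == "ip_phone":
        return Decision("admit", VOICE_VLAN, ["voice device restricted to telephony VLAN"])
    return Decision("admit", CORP_VLAN, ["healthy authenticated workstation"])
```

The returned reasons are what an audit trail would record for each admission decision.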

The Business of NAC

NAC can help large organizations in a number of ways:

1. Opening the network for business benefit. NAC can enable organizations to open their networks to outside constituencies driving new revenue opportunities, enhancing productivity, or lowering costs.

2. Improving corporate governance. NAC can enhance existing controls and provide detailed audit trails for compliance and corporate governance initiatives. This can lead to more consistent operations and lower costs across an organization.

3. Automation of IT processes. NAC can enable a number of self-service applications for endpoint security remediation and patch management. This has the potential to significantly reduce desktop administration costs.

4. Enhancement of data privacy and security. NAC can enable fine-grained network authorization, keeping bad guys away from valuable network assets and private data.

Viewed holistically, NAC delivers maximum benefits when CIOs align technology plans with business needs and treat NAC as a strategic initiative rather than a tactical stopgap. Additionally, NAC can be used to enhance specific vertical industry business processes. A research facility dependent on network collaboration may want to restrict network access to all but the most updated endpoint configurations, while a university may grant network access to all students but throttle peer-to-peer application traffic to protect valuable bandwidth.

Getting The Knack for NAC

NAC business benefits seem relatively clear, but the NAC technology journey is anything but straightforward. NAC is about enabling business and security policies, not scanning PCs.

CIOs should look at the big NAC picture and not remain trapped in a technical discussion about IP addresses, networking equipment, and security enforcement technologies. Piecing together multiple tactical point technologies will not amount to a strategic end-to-end NAC implementation that fits the enterprise's longer-term needs. In fact, a tactical approach could ultimately lead to operational overheads, security vulnerabilities, and inflexibility.

It’s time to set NAC free to meet the strategic business, security, and operational needs of the business! Even elite IT enterprises won’t deploy full NAC capabilities overnight. Rather, they will ease NAC into the enterprise over time, by plugging existing vulnerabilities and then adding functionality through implementation phases. NAC should be integrated into existing desktop and security technologies, while eventually becoming part of the communications fabric itself. To support business and IT objectives, the chosen NAC technology should provide for flexible implementation and enforcement, and support centralized policy and configuration management. Most importantly, it must provide consistency across any user account, device, or network.

Tony Rybczynski is Director of Strategic Enterprise Technologies in Nortel, and has over 35 years experience in the application of packet network technology. Jon Oltsik is a Senior Analyst at the Enterprise Strategy Group and the founder of its security practice.
