The way network access control is on everybody's lips these days, you might think you have to do something about it right now -- but you don't.
There's good reason for all the talk about NAC, which promises a combination of user ID, machine ID, machine configuration and access method determining whether a device should gain network access, and if so, how many resources it can access. If the device fails, it is brought automatically into compliance.
NAC technology also keeps track of key configuration metrics, if they change, the device submits to another admission scan. So if NAC detects that the personal firewall on a machine is suddenly turned off, the machine has to be rescanned and kept off the network until the firewall is turned back on. NAC can even turn it back on.
According to a study by Infonetics, NAC vendor revenue will skyrocket from US$323 million (AUD$414 million) in 2005 to US$3.9 billion in 2008.
NAC's potential makes it worth talking about. Another thing that makes it worth talking about is that so far, some of the best things about NAC are just that -- talk. Most notable is Microsoft's version of NAC called Network Access Protection, supported by Vista but waiting for an update to Systems Management Server. Cisco is working on its NAC client that won't require adding extra appliances to the network.
Even though it's not fully cooked yet, NAC can deliver benefits and must be tracked by IT executives looking to improve network security and to prove that it works. The practical applications must be targeted at specific needs, however.
For instance, Continental Airlines uses gear from ConSentry to check whether computers logging into its network adhere to corporate configuration policies. What is more important, the devices look for evidence of machines executing malicious code and block just the malicious traffic, says CISO Andre Gold.
Aircraft parts maker EADS Astrium in Houston uses Lockdown Networks' NAC appliances to scan machines before they access the network and limit what they do when they are on the network. This keeps classified data protected and generates reports that prove the company meets its confidentiality obligations, says George Owoc, Astrium's director of business administration.
One danger of listening to the roar of NAC marketing is that important limits to the technology can be overlooked, says Joel Snyder, a member of the Network World Lab Alliance. For instance, a scan of a computer before it is allowed on the network can reveal whether its antivirus software is up-to-date and turned on. "[That scan] says nothing about whether you're infected with a virus," he says. Such scans are useful, but there is a limit to that usefulness.
The best way to approach NAC is to use it if it helps solve a specific problem. "Decide what is your greatest pain," says Steve Hanna, a distinguished engineer at Juniper and a leader in two NAC standards bodies. "Start with particular users working with high-value assets."
For those who believe NAC should be embedded in network switches, now is the time to start upgrading to 802.1X, the port-authentication standard likely to be the dominant NAC-enforcement mechanism, says Rob Whiteley, an analyst with Forrester Research.