In today's world of data theft, worm and virus threats, and the need to comply with federal mandates, incorporating network access control (NAC) technology into your network infrastructure isn't an option but rather a critical necessity.
However, NAC isn't easy to define. It encompasses a broad range of meanings and methodologies. This article aims to clarify the basic points of NAC to help answer the question of what NAC setup is correct for your particular environment.
NAC is a policy enforcer and, as such, is closely tied to a company's business processes. Many wireless hot spots at restaurants, for example, employ basic NAC systems that require users to accept the conditions of an acceptable use policy before they are allowed to access the network.
This simple form of NAC works in this case, because the restaurant is providing only one simple network service -- that is, Internet access -- as a value-added benefit of visiting the establishment. However, setup like that certainly wouldn't be acceptable for other environments, such as a hospital network.
In order to answer the question of what type of NAC approach is right for your network, two prerequisites must be satisfied. The first, rather obvious one is an understanding of the NAC offerings that are available, what they do, how they do it, and how they integrate into the network. The second requirement is the presence of a clear, enforceable corporate security and access policy. NAC systems don't create policies; they enforce them. Without such policies, general corporate access decisions become the sole responsibility of the IT department (and that's never a good practice).
Digging into NAC
Achieving network access generally involves passing one of three types of tests. The first, as in the previous example of a wireless hot spot, can be satisfied by simply requiring users to agree to an acceptable use policy before allowing them to connect to the network. User identity and machine status have no bearing on whether access is granted or not; there is but one door, and it's either open or closed.
The second type of test validates user identity, and the third validates machine posture. These two tests are rarely used to either completely deny access or allow total access, with nothing in between. When a test that validates a user's identity is used, different levels of user access may be granted based on type of user, with the extremes being complete access for administrators and use of a limited set of applications (for example, only http and https) for guest users.
Machine posture refers to the state of the computer as it relates to an established security policy. If the policy mandates that a Windows machine have up-to-date operating system patches, connectivity is restricted until the patch requirement has been met. By ensuring that the machine meets the requirements of the security policy, damage from worms and viruses can be drastically reduced.
The limited connectivity that users are granted before full network connectivity is allowed is referred to as a "quarantine state." A quarantine state doesn't mean that all access is blocked. Rather, the security policy may allow, for example, a quarantined machine to have sufficient access to download updated antivirus software definition files. When planning a NAC deployment, it's necessary to understand the basic quarantine methods, their limitations and how they relate to your network infrastructure.