Network access control is a huge topic of discussion in IT and a focus of activity among vendors. Over time, the acronym has become almost generic through overuse and the definition varies. When I asked IT executives how they define it, the core of consensus is that NAC revolves around three things:
* Admission control, which is the ability to selectively let hosts attach to the network and stay attached -- a key to NAC, according to all who answered this question.
* Health checks, which is the ability to see that connecting systems are up to date on patching, antivirus and the like, made part of the definition of NAC by a majority of respondents.
* Access control, which is the ability to say which hosts can see or do what while attached. A minority of those surveyed cite this as ideal in a NAC system. A CISO at a financial-services company explains this feature as "the ability to validate end-systems prior to gaining access and then controlling where they are allowed to go once they are on, much like user management should be."
Few of the respondents actively practice NAC now. Being able to connect to the VPN is the extent of NAC for most external hosts, for example, and there is no access control on LAN ports. Only about 14 percent of respondents apply endpoint checks for application and operating system patching; the presence of firewalls, antivirus or antispyware; USB-attached devices; and password strength. However, nearly 60 percent wish they could be applying checks at least for firewalls, antivirus and antispyware tools, and about 40 percent desire password and operating system checks. Less than a third want application checks.
Cost and complexity explain most of the gap between the level of checking desired and implemented; NAC can require added network infrastructure and sometimes upgrades to existing network equipment, for example, to support the 802.1x standard for authenticating network access at the switch-port level. Although few are spending anything on NAC yet, everyone feels future spending on NAC is likely (most feel certain) to go up.
Applying admission, health and access controls on endpoints sounds enticing. But until it can be done without network overhauls and with more broadly interoperable protocols, adoption is likely to be slow and spotty.