Network Access Control Appliance Buying Guide
In this network hardware buying guide, we pose questions that every organization should ask when selecting a NAC Appliance.
According to Infonetics Research, Network Access Control (NAC) Appliance sales rebounded 17 percent in 2010 and continue to climb this year. At a time when cash-strapped businesses are demanding more from existing network investments, why should these appliances be experiencing growth?
The answer lies in today’s tidal wave of Wi-Fi-enabled smartphones, tablets, e-readers, peripherals and consumer electronics. Bring-your-own devices (BYODs) are connecting to corporate networks at unprecedented rates. NAC Appliances – once focused on keeping malware out – are well-positioned to govern network use by these unfamiliar and often unmanageable endpoints.
In this buyer's guide, we summarize capabilities offered by contemporary NAC Appliances. Although needs associated with various use cases differ, we pose questions that every organization should ask when selecting a NAC Appliance to efficiently identify and embrace not just well-behaved laptops, but diverse BYODs.
Not your grandpa’s NAC
NAC has evolved since the early years of Cisco Network Admission Control, Microsoft Network Access Protection and Juniper-lead TCG Trusted Network Connect. Back then, administrators were losing sleep over worms like Sasser and Blaster. NAC architectures promised to harness technologies like 802.1X and SSL VPN to enforce access decisions based upon user identity and endpoint health.
But early adopters found themselves on a long, bumpy road. Proprietary architectures didn’t fit mixed networks and took years to converge. 802.1X support was spotty and too hard to configure. Health and posture scans worked well on managed PCs but were shallow or non-existent elsewhere. While these barriers have diminished, Gartner reports that only 15 percent of 2010 NAC deployments focused on endpoint security checking.
Instead, 75 percent of adopters used NAC to enable safe guest network access by visitors, contractors, partners and other unmanaged endpoints. Tackling this narrow use case proved easier, technically and politically. “Clientless” or dissolvable agents could scan more diverse devices, without ownership or on-going control. And guest policies were often lighter-weight – typically, a “friend or foe” check to direct endpoints onto the Internet or corporate network while enforcing a basic mandate like “run any anti-virus.”
BYOD changes everything
While the NAC market was evolving, along came Apple iOS and Android. Handset procurement shifted, offloading ownership and cost onto workers. Wi-Fi also found its way into inexpensive consumer electronics, further accelerating endpoint diversity. These trends combined to trigger today’s BYOD tidal wave. As a result, it is no longer feasible to manage risk based purely on device ownership or governance. Fortunately, NAC Appliances require neither.
Instead, NAC Appliances have leveraged and complemented their existing guest access capabilities to deliver BYOD visibility and control. For example, some organizations simply need to assess BYOD threat. A NAC Appliance may do so by dropping into a network, using a captive portal to permit guest Internet and fingerprint BYODs.
In organizations ready for more, a NAC Appliance can apply policies with non-disruptive actions – for example, permitting but reporting on BYOD connections. Finally, NAC Appliances can serve as proactive enablers – for example, watching domain logons and redirecting employee BYODs onto a VLAN to register for better-than-guest access.
Understanding NAC use cases
Of course, NAC Appliances offer far more than BYOD control; they create an extensible foundation for identity and posture-based network access policy enforcement. For this reason, new adopters should start by building a case for NAC investment, rooted in business goals. Potential use cases for NAC include:
· Auditing managed endpoint compliance with security policies
· Remediating non-compliant or malware infected endpoints
· Enabling non-spoof-able access by trusted endpoints such as printers and cameras
· Providing tools to create and manage guest access accounts
· Reporting on network access activities for regulatory compliance
Document and prioritize use cases where NAC could or should help your business. Because deployments often span organizational boundaries, get network, security and IT stakeholders involved.
Next, drill into top priority use cases, identifying affected users/groups, device types, and endpoint security clients/servers. Draft sample policies, starting simple and phasing in deeper checks and active enforcement.