LAS VEGAS — Network Access Control (NAC) technology may well be the
next great evolution for enterprise networks, providing security and policy
But as NAC gains steam — shifting from its early-adopter phase to what
many industry insiders see as increasingly must-have technology — both
enterprises and vendors need to understand the risks they’re taking.
At stake is nothing less than billions of dollars in networking
equipment, not to mention the overall security of the enterprise, according
to Joel Snyder, the widely regarded NAC expert who ran the NAC Day program
today here at the Interop conference.
“Are you ready to add another ‘priority one’ service to your network?”
asked Snyder, a senior partner at Opus One, before a capacity crowd of
several hundred NAC Day attendees. “What happens if the policy decision
point goes down?”
The questions highlight the decision ahead of network admins considering
NAC — and the risks they face by relying on the technology. Since NAC is
by definition an access control technology, if its services are not
operational, then access to the entire network can be threatened.
Consequently, an enterprise that deploys a NAC solution must ensure it
has the redundancy and resiliency that its particular network requirements
demand, Snyder said.
It’s also unclear how much support there is for NAC for remote users,
another element buyers should weigh.
“How will you do NAC in remote access and wireless situations?” Snyder
asked. “What works inside the LAN should bring you value everywhere. But
the reality is that some NAC products are only designed to work in one
Snyder added that when deploying NAC, the network needs to properly take
all access methods into account.
In many ways, NAC is a disruptive technology, in that it fundamentally
changes the network access paradigm. In the pre-NAC era, a user simply
plugged their Ethernet cable into a jack to access the network.
With NAC, that’s not the case, as any user who plugs in is subjected to
an audit to ensure policy compliance before they can proceed.
“When you add NAC to a network, it’s no longer a switching
infrastructure — it’s a policy infrastructure,” Snyder said. “You plug
something in and only maybe will it work.”
But with that paradigm change, network professionals must cope with
another potential hurdle in deploying NAC: the issue of false positives,
which could undermine the technology’s perceived usefulness within the
But to Snyder, it’s important that the organization as a whole buys into
the concept of NAC, seeing such difficulties as a necessary trade-off for
“The goal of NAC is to get people on the network and not to keep devices
off the network,” he said. “Make sure that your NAC vendor shows you a
management interface, so when things go wrong, you understand what’s going
wrong, so you can keep people happy.”
Of course, these problems all mean enterprises have a great deal on
which to reflect when considering whether to implement NAC.
“What value does NAC bring to the organization?” Snyder asked, citing
vendors’ traditional high-level answers, including compliance and
But he added that it’s difficult to provide actual metrics for
calculating the return on investment (ROI) of any security technology.
“I can’t answer the question for you, but when you go figure out your
deployment, you need to answer why your organization should spend time and
money on NAC and what is the ROI going to be.”