Getting the NAC of Security

Oh for the good old days when security meant sturdy locks, adequate fencing, window grills and a bad-tempered German Shepherd. But computers are a different story and require all manner of virus and malware protections – along with firewalls, intrusion prevention systems (IPS) and encryption.

Well, for good measure, here’s yet another one – Network Access Control (NAC) or Network Admission Control. The whole idea is to ensure that any device (also known as an endpoint – a laptop, desktop, BlackBerry, handheld etc.) accessing a company’s network from anywhere is protected from threats and doesn’t end up infecting the network.

“NAC allows companies to control who gets onto their network,” said Andreas M. Antonopoulos, senior vice president and founding partner at Nemertes Research Inc. “As such it can supplement a perimeter security strategy which has become eroded by roaming users, wireless access and fragmented networks. It can also protect against the possibility of an infected system getting on to the network and spreading nastiness.”

While many vendors use NAC as a generic term, it is a framework originated by Cisco Systems Inc., as part of its self-defending networks vision. This framework includes specific features for network switches and routers, as well as for a broad range of other Cisco products. NAC is not a standard, but it incorporates various existing standards within it.

In addition, specific aspects of NAC are gradually standardizing such as the point of interaction where a client machine reports on its health to a network enforcement device. Other aspects surrounding policy storage and enforcement, however, are far away from achieving any kind of standardization consensus.

Muddying the waters further, NAC’s definition has evolved beyond the Cisco framework into a more generic term meaning “controlling access to the network and optionally checking the health of the endpoint”. Using that definition, many more vendors than Cisco offer NAC solutions. Microsoft has a competing framework called Network Access Protection (NAP). Other groups also are proposing standards for NAC that don’t center on Cisco.
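The generic definition above has two halves: the endpoint reports its health to an enforcement point, and the enforcement point decides what network access to grant. The following is an added example (not code from the article or from any vendor named in it) that models that decision in plain Python. The posture fields, policy thresholds, the `DIRECTORY` stand-in for an identity store, and every sample report are constructed for illustration; the point is the shape of the decision, including the two cases the article raises later, a visiting unmanaged device and a machine that fails its health check and should be held for remediation rather than admitted.

```python
"""Toy NAC admission-policy evaluator (added example, not vendor code).

An endpoint agent sends a posture report; the enforcement point checks the
user against an identity store and the device against a health policy and
returns one of four outcomes. All schemas, thresholds and sample data below
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"            # full access to the production LAN
    QUARANTINE = "quarantine"  # remediation VLAN: patch and AV servers only
    GUEST = "guest"            # Internet-only VLAN for unmanaged devices
    DENY = "deny"              # no network access at all


@dataclass
class PostureReport:
    """What the endpoint reports to the enforcement device (constructed schema)."""
    device_id: str
    managed: bool                    # joined to the corporate identity store?
    user: Optional[str] = None
    av_installed: bool = False
    av_signature_date: Optional[date] = None
    firewall_enabled: bool = False
    missing_critical_patches: int = 0


@dataclass
class Policy:
    """Health thresholds and the groups allowed onto the production LAN."""
    max_signature_age: timedelta = timedelta(days=7)
    max_missing_critical_patches: int = 0
    allowed_groups: frozenset = frozenset({"employees"})


def posture_failures(report: PostureReport, policy: Policy, today: date) -> list:
    """Return the health checks the endpoint fails (empty list means healthy)."""
    failures = []
    if not report.av_installed:
        failures.append("antivirus not installed")
    elif (report.av_signature_date is None
          or today - report.av_signature_date > policy.max_signature_age):
        failures.append("antivirus signatures out of date")
    if not report.firewall_enabled:
        failures.append("host firewall disabled")
    if report.missing_critical_patches > policy.max_missing_critical_patches:
        failures.append(f"{report.missing_critical_patches} critical patches missing")
    return failures


def admit(report: PostureReport, policy: Policy, directory: dict, today: date):
    """Enforcement-point decision for one endpoint: (Decision, reasons).

    `directory` maps user -> set of groups and stands in for a real identity
    store lookup (e.g. Active Directory); it is a constructed stub here.
    """
    if not report.managed:
        # Visitors and partners never reach the production LAN; they get
        # Internet-only guest access instead of an outright refusal.
        return Decision.GUEST, ["unmanaged device"]
    groups = directory.get(report.user, set())
    if not groups & policy.allowed_groups:
        return Decision.DENY, [f"user {report.user!r} not authorized"]
    failures = posture_failures(report, policy, today)
    if failures:
        # Unhealthy but known device: hold it where it can only be fixed.
        return Decision.QUARANTINE, failures
    return Decision.ALLOW, []


# Constructed identity store and sample reports for a stand-alone run.
DIRECTORY = {"alice": {"employees", "engineering"}, "mallory": {"contractors"}}
TODAY = date(2008, 3, 1)  # constructed reference date
SAMPLE_REPORTS = [
    PostureReport("lap-001", managed=True, user="alice", av_installed=True,
                  av_signature_date=TODAY - timedelta(days=1), firewall_enabled=True),
    PostureReport("lap-002", managed=True, user="alice", av_installed=True,
                  av_signature_date=TODAY - timedelta(days=30), firewall_enabled=True,
                  missing_critical_patches=2),
    PostureReport("visitor-mac", managed=False),
    PostureReport("lap-003", managed=True, user="mallory", av_installed=True,
                  av_signature_date=TODAY, firewall_enabled=True),
]


def evaluate_all(reports: list, policy: Optional[Policy] = None) -> dict:
    """Map each device_id to its admission Decision."""
    policy = policy or Policy()
    return {r.device_id: admit(r, policy, DIRECTORY, TODAY)[0] for r in reports}


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        decision, reasons = admit(r, Policy(), DIRECTORY, TODAY)
        print(f"{r.device_id:12} -> {decision.value:10} {'; '.join(reasons)}")
```

The order of the checks is the design point: identity is settled before posture, so a device whose user is not authorized is refused without leaking which health checks it would have passed, and a known user on a stale machine lands in a remediation segment rather than being either fully admitted or locked out.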

“It’s alphabet soup out there and the standardization efforts have been moving slowly for more than four years,” said Antonopoulos. “There is some interoperability between some aspects of these frameworks such as NAC and NAP, but no universal standard.”

Who Needs It?
NAC clearly isn’t one of those features that every small business requires. All but the most sophisticated home offices can give it a wide berth. Similarly, those companies that don’t already have much going on in terms of anti-virus, anti-spyware and firewall protection won’t solve all their problems with NAC. And those companies that are not yet up to developing their own internal Local Area Networks (LAN) composed of at least one switch and a router or two, probably don’t have the infrastructure to justify NAC – nor the direct need.

“Businesses smaller than 100 seats will probably find it too expensive to implement, mostly due to operational complexity and lack of IT staff, rather than capital cost,” said Antonopoulos. “As the technology matures it is likely that more and more small businesses will use it.”

Michelle McLean, senior director of product marketing at ConSentry Networks, agrees that smaller companies probably don’t need it. After all, the smaller the company, the easier it is to control who accesses the network. Such organizations tend to recognize insiders from outsiders much more easily, and manual forms of control are possible.

“Smaller organizations are not likely to merit a separate overlay deployment for NAC until they’re above several hundred people in a single location,” said McLean. “However, one option for smaller organizations is to look for infrastructure products that have NAC included, like secure switches, so that they can bring NAC into the network during a switch upgrade cycle.” 

Cisco, however, takes a contrary view and claims it has the user base to back it up. 

“Any organization that relies on their internal network for basic operational functions — generating sales, tracking records, storing files or enabling business processes — can and should be concerned about NAC,” said Irene Sandler, product marketing manager at Cisco. “We now have several hundred customers with fewer than 100 employees.”

Product Choices
There are plenty of products out there for organizations that need NAC. ConSentry LANShield Controller, for example, is a self-contained, standalone NAC appliance that drops transparently into existing networks. For SMBs, the CS1000 model is most cost-effective and works for up to 800 people. The LANShield platform supports authentication and a health check, full network visibility of all users and applications, identity-based control to limit what people can do after they’re on the LAN, and threat control with anomaly detection and containment. The LANShield Controller starts at $17,995. Alternatively, any SMB upgrading a wiring closet switch might try the LANShield Switch. It provides all the same features as the LANShield Controller but delivered as a 48-port gigabit Ethernet switch. It lists for $12,995.

Symantec Corp offers Symantec Endpoint Protection, which combines anti-virus, anti-spyware and “NAC-ready” endpoint software in one integrated package, currently available for download as part of a beta testing program. Note, however, that this product needs Symantec Network Access Control to centrally control the endpoints and implement NAC policies at the endpoint. Symantec plans to release a starter edition of its NAC product in the near future. In the meantime, pricing for Symantec’s current NAC product works out at around $40 per employee.

“Applying the policies can be done from the same central console that manages Symantec Endpoint Protection and does not require deploying any additional agents,” said Patrick Wheeler, senior product manager at Symantec. “There are no complex network-level components, no networking changes, and no additional agents or policy servers – just the customer’s existing Symantec Endpoint Protection deployment.”

Like ConSentry, Cisco sells an appliance – the Cisco NAC Appliance, which involves a server and a manager. The solution is sold by the server, rather than by the number of endpoints, since a network never really knows how many total endpoints are out there. In turn, Cisco bases the server license pricing by the number of online, concurrent users expected at any given time. You need only one Manager for any size deployment. The lowest number of online, concurrent user licenses is currently 100, and the cost is around $18,000.

Other vendors in the NAC sector include Vernier Networks and Foundry Networks Inc.

First-Hand Experience
Omneon Video Networks of Sunnyvale, Calif. is a 250-employee company that uses ConSentry Networks’ LANShield Controller to control guest access.

“We’re constantly getting requests for people to have access from conference rooms to the Internet,” said Steve Berg, director of IT for Omneon, a provider of flexible media servers and active storage systems that optimize workflow productivity and on-air reliability for digital media. “The concept of having a single device to manage guest access was very appealing.”

Partners, for example, are often on site testing their software with Omneon’s hardware. Likewise, vendors and customers often visit headquarters. Any of them plugging into the network, however, presents a data security risk and could potentially expose the network to malware. But it isn’t exactly good business to deny them access. Using ConSentry, the company can control access, have traffic visibility, isolate the machine that introduced a specific threat, set policy and keep the network clean.

An even smaller deployment took place at DriveSavers Data Recovery in Novato, Calif. The company’s 80 employees help rescue data from hard drives that have been through various types of disasters. In order to achieve better control of local and remote endpoints and to protect critical applications from attack, the company installed a Cisco NAC Appliance.

Implementation Tips
Antonopoulos believes that NAC is something of a hassle to implement due to the number of elements involved. His advice is to look for the solution that best fits the existing infrastructure and future plans. And if the preferred solution is too expensive, wait until better standards emerge, the market matures and the cost drops.

To reduce the implementation burden, McLean suggests that SMBs look for an architecture that leverages existing user logins (e.g. Windows) and existing identity stores (e.g. Active Directory) and does not need any network or client changes to operate. In other words, the device can drop into the existing LAN architecture just fine and doesn’t need new software downloaded onto each client station.

She also thinks that organizations should look for a gradual way to implement NAC. A quick NAC appliance, for example, deployed as an overlay with no network changes, is an easy way to start.

“Self-contained NAC solutions, with no client or switch dependency, will prove the simplest to deploy and the fastest to deliver value,” said McLean. “The Windows OS, in Vista, adds NAC support, so ensure that the NAC solutions you evaluate will work with Vista so you’re ready to use it when you upgrade to that OS. For non-Windows organizations, also make sure the NAC solution supports Mac and Linux platforms.”

Wheeler’s best tip is that NAC should be combined with ongoing endpoint security systems for easiest and best results.

“The general consensus is that NAC policy is going to merge into endpoint policy, which is its logical place,” says Wheeler. “So look for a NAC solution that dovetails with your endpoint protection solution.”

Drew Robb is a Los Angeles-based freelancer specializing in technology and engineering. Originally from Scotland, he graduated with a degree in geology from Glasgow’s Strathclyde University. In recent years he has authored hundreds of articles as well as the book, Server Disk Management by CRC Press.
