In trying to protect our host-based computing platforms and network resources from threats brought in by employees, vendors, contractors and guests, we have created policies that control access to our resources. How do we validate that all of our endpoints comply with our network access policies? We deploy antivirus and firewalls, but are they up to date and properly configured? Further, we ban certain applications and peer-to-peer programs from use in our environment, but do we know for sure that our IDS/IPS solutions are catching anyone who tries to use them anyway? Finally, we have to provide guest access to our network resources, but how do we ensure that guest machines comply with the same policies our employees must adhere to?
Controlling access to network resources at the endpoint has become a powerful tool in any security architecture. Network access control (NAC) products do exactly what the name says: they control access to the network. They can be used to validate that certain security measures exist and that they are properly configured and up to date. These products can also validate that OS patches are current. In addition, these tools can reduce the complexity of managing permissions and authorizations for various groups of users. Most will integrate with a common directory structure. Some provide local authentication capabilities, while others can match something on the endpoint - such as an agent or MAC address - to the authentication before allowing access to the protected network resources.
When choosing a NAC solution, you will have to choose between inline and out-of-band. Inline products act more like internal firewalls, with all traffic passing through them. Out-of-band solutions rely on agents on the endpoints that communicate with a centralized management console. Out-of-band NAC solutions can also use those agents to validate policy compliance, and can either front-end the directory/authentication systems to block access when an endpoint is not compliant or, in other cases, configure network switches to enforce the policy by controlling port access or through VLAN assignment.
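To make the posture-and-enforcement flow of the two preceding paragraphs concrete, here is a small policy engine written for this page as an added example (it is not code from any product reviewed in this Group Test). It models the pre-admission decision an out-of-band NAC makes: each endpoint delivers a posture report (agent present, antivirus state, patch level, running processes), the engine checks the MAC against a device registry tied to the claimed role, evaluates the policy, and returns the VLAN the switch port should be placed in, or a denial. The thresholds, the `REGISTERED_DEVICES` registry, the VLAN numbers and every endpoint record are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    """Posture report an endpoint agent (or agentless scan) delivers at admission time."""
    mac: str
    claimed_role: str                    # "employee", "contractor" or "guest"
    agent_present: bool                  # False when no persistent/dissolvable agent ran
    av_enabled: bool
    av_definitions_date: Optional[date]  # None when the agent could not read it
    missing_critical_patches: int
    running_processes: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Policy:
    """Thresholds a NAC administrator would set (constructed sample values)."""
    max_av_definition_age_days: int = 7
    max_missing_critical_patches: int = 0
    banned_processes: frozenset = frozenset({"utorrent", "bittorrent", "limewire"})
    production_vlan: int = 100
    guest_vlan: int = 200
    remediation_vlan: int = 900


# Hypothetical device registry (MAC -> role) the NAC matches against the login.
REGISTERED_DEVICES: Dict[str, str] = {
    "00:11:22:33:44:55": "employee",
    "00:11:22:33:44:66": "employee",
    "66:77:88:99:aa:bb": "contractor",
}

TODAY = date(2024, 1, 15)  # fixed "current date" so the example is reproducible


def evaluate(p: Posture, policy: Policy, today: date,
             registry: Dict[str, str] = REGISTERED_DEVICES) -> Tuple[str, Optional[int], List[str]]:
    """Return (decision, vlan, reasons).

    decision is "allow", "remediate" or "deny"; vlan is the VLAN the switch
    port should be assigned to (None when access is denied outright).
    """
    reasons: List[str] = []

    # 1. Identity/device binding: non-guest logins must come from a registered MAC
    #    whose recorded role matches the role claimed at authentication.
    if p.claimed_role != "guest" and registry.get(p.mac.lower()) != p.claimed_role:
        return "deny", None, ["device not registered for claimed role"]

    # 2. Banned peer-to-peer software is a hard stop regardless of other posture.
    banned = sorted({x.lower() for x in p.running_processes} & policy.banned_processes)
    if banned:
        return "deny", None, ["banned application running: " + ", ".join(banned)]

    # 3. Posture checks: antivirus present and current, critical patches applied.
    #    Without an agent report there is nothing to verify, so the endpoint is
    #    sent to remediation (where a dissolvable agent can be picked up).
    if not p.agent_present:
        reasons.append("no agent report; posture unverified")
    else:
        if not p.av_enabled:
            reasons.append("antivirus disabled")
        if p.av_definitions_date is None:
            reasons.append("antivirus definition date unknown")
        else:
            age = (today - p.av_definitions_date).days
            if age > policy.max_av_definition_age_days:
                reasons.append(f"antivirus definitions {age} days old")
        if p.missing_critical_patches > policy.max_missing_critical_patches:
            reasons.append(f"{p.missing_critical_patches} critical OS patches missing")

    if reasons:
        return "remediate", policy.remediation_vlan, reasons

    # 4. Compliant: guests land on the guest VLAN, everyone else on production.
    vlan = policy.guest_vlan if p.claimed_role == "guest" else policy.production_vlan
    return "allow", vlan, []


# Constructed sample endpoints covering the cases the article raises.
SAMPLE_ENDPOINTS: List[Posture] = [
    Posture("00:11:22:33:44:55", "employee", True, True, date(2024, 1, 10), 0, ["outlook"]),
    Posture("66:77:88:99:aa:bb", "contractor", True, True, date(2023, 12, 20), 2, ["excel"]),
    Posture("cc:dd:ee:ff:00:11", "guest", True, True, date(2024, 1, 14), 0, ["chrome"]),
    Posture("00:11:22:33:44:66", "employee", True, True, date(2024, 1, 14), 0, ["uTorrent"]),
    Posture("de:ad:be:ef:00:01", "employee", True, True, date(2024, 1, 14), 0, []),
    Posture("cc:dd:ee:ff:00:22", "guest", False, False, None, 0, []),
]


def decide_all(endpoints: List[Posture] = SAMPLE_ENDPOINTS,
               policy: Policy = Policy(), today: date = TODAY) -> Dict[str, Tuple[str, Optional[int], List[str]]]:
    """Evaluate every endpoint and key the results by MAC."""
    return {p.mac: evaluate(p, policy, today) for p in endpoints}


if __name__ == "__main__":
    for mac, (decision, vlan, reasons) in decide_all().items():
        print(f"{mac}  {decision:9}  vlan={vlan}  {'; '.join(reasons)}")
```

The decision tuple is what an out-of-band product would hand to its enforcement point: a switch gets a VLAN assignment (production, guest or remediation), while a directory front-end simply refuses the "deny" cases. Keeping the reasons list separate from the decision is what makes the remediation page and the administrator's reporting possible.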
The types of agents these solutions use are important for your environment. Some may use a small Java-based agent in the browser; others deploy persistent or dissolvable agents. Some may be agentless. These choices all matter for supporting a variety of end-user access requirements, such as contractor access or guest access. Some products focus on pre-admission compliance scans, some have post-admission monitoring capabilities, while others handle pre-admission authorization and integrate with other security defenses to deliver post-admission monitoring.
For this Group Test, our review methodology was based on vendor-provided web demos. We focused on the same key criteria we have always reviewed: the end-user experience of implementing the technology, setup, use, and ongoing management and support. We reviewed the features and functionality of the technologies as they relate to the core requirements of NAC. We looked for key product differentiators and add-on technologies that go beyond the NAC basics. We focused on the ability of these products to deploy and scale within a large enterprise and looked for enterprise features, such as scalability, central management, reporting and alerting capabilities, and disaster recovery options.
Choosing the right NAC solution will come down to the needs of the enterprise. You may require an easily deployed technology that fits into the existing network infrastructure. You may want strong, agent-based control of the endpoints. We found some technologies that delivered the best of inline and agent-based approaches. All the products we reviewed delivered on one or more parts of the NAC value proposition. Most solutions provided a mature, easy-to-use management system for configuring and managing the endpoint access.