If one browses any well-known list of security controls, whether they're a regulatory mandate or guidance for best practice, some of the same types of controls seem to pop up every time. One of these deals with assurance that the assets attaching to a network (virtually or physically) are indeed authorized. This is simply one of those areas where admins understand the implications, but the impact to the infrastructure prevents them from implementing sufficient controls to help mitigate the threats. If an employee, contractor, third party or any entity for that matter, plugs a machine into any network drop in an organization's environment, are they automatically entitled to start communicating to all of its other network devices? Chances are that in many instances the answer is "yes."
This presents a wide range of challenges and potential risks. While many pros are aware of this, few attempt to truly tackle the situation. This may be due to budget constraints, lack of subject matter expertise, or even resistance to changing the way assets are managed.
This is where NAC (network access control) solutions come into play. NAC solutions are designed so that they are aware of every device on the network so as to help make decisions about which devices are allowed to communicate with everything else. This is accomplished in different ways, but the ultimate end goal is to determine the basic requirements needed for all of one's endpoints to connect, and then implementing a way to determine if the hosts meet those requirements, before they're granted network access.
In the simplest terms, let's pretend that for a specific network, all of the Windows hosts must have the latest version of anti-virus, all the latest Windows patches, and the Windows firewall is up and running. A NAC solution would understand these requirements, and then be able to interrogate any network-connected host to determine its level of compliance with those items. Assets that pass inspection are allowed full network access, but those that fail the inspection are denied network access or are moved to quarantine VLAN [all new ports are placed in separate VLAN] where they must have updates applied first, before they can perform any significant network communications.
These solutions provide assurances on several levels, and can help significantly reduce the spread of malware, prevent unauthorized persons from connecting to the network, and increase the security posture of networked assets. However, many implementations take careful planning and change the way assets or network authentication is handled entirely.
In this particular review, we focused on NAC solutions. These solutions are typically deployed as hardware appliances because of the need for real-time analysis - either in-line on the network or out of band. Some solutions, however, are available as software installations. NAC devices must often have insight into all of the hosts on the network. Therefore, the type of deployment and how they read this information is critical. Some use agents, some are deemed "agentless." In some environments, NAC can be easily integrated. In other environments, it may be more difficult.
Overall, all of the products under review performed well. It is the degree of how they interact with the network and their ability to check for anti-virus, operating systems patches and other important elements which really differentiate the vendors.
How we tested
As always, the areas we assessed were a combination of features, administration, support offerings, documentation, ease of use, cost and the total value for the money. Many of the features and checks the solutions perform are similar. So the decisions may come down to the support costs, reputation of the vendor and how the solution fits into the business environment. As well, retaining staff members that are knowledgeable in the NAC domain is important for implementing and maintaining this type of security solution.