Network access control (NAC) tools come in a variety of shapes and sizes, which means they serve different subsets of uses within the greater context of their primary objective. For example, some NACs are software-only, while others are appliances. Some of the appliances are designed to deliver access control for enterprises of different sizes. Many of these can be connected together, feeding a sort of master NAC with data from outlying organizations within the enterprise.
When buying NAC tools, the most important factor affecting your selection is the existing security architecture and infrastructure. While NAC usually can stand alone in a security infrastructure, it works best when tightly coupled to other services within the enterprise. For example, NAC coupled with policy management allows fine-grained tuning of access from the enterprise to the application.
Easy to administer
NAC should be easy to administer. It should have an easily accessible and easy-to-use policy manager, as well as the ability to gather its information from a primary list of authorized users, such as Active Directory. However, NAC works best when the implementation of that database (Active Directory in this case) is clean, meaning, for example, that users are well organized within groups. Most NACs can take that information and apply individualized controls on a group basis. In addition, many NACs allow even finer-grained control - down to the level of the individual user. An important function for many organizations is the management of non-employees. This can include guests, contractors, consultants, vendors, etc. These users often need access to the internet or, in the case of contract employees, to specific resources inside the enterprise. Although most NACs do not control access at the application level by themselves, combined with policy management they can often restrict access down to that level.
What is most important in this case is the control of non-employees without heavy intervention by the administrator. Some NACs - those that have a special provision for non-employees - allow people other than the administrator to assign visitors to a particular group. This considerably simplifies the generation of credentials.
Another thing to look for in a NAC is how well it ensures that the computer connecting to the enterprise is safe to connect. Options in this regard include virus pre-scanning (i.e., scanning before the computer is allowed to connect to the enterprise), and configuration confirmation of the computer attempting to connect.
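To make the preceding points concrete, here is an added example (not code from any product reviewed here) of the decision logic a NAC applies when a device connects: posture checks (signature currency, pre-scan, configuration compliance) gate admission, directory group membership maps to a network role, per-user overrides provide finer-grained control, and a non-administrator in a sponsor group can enroll a visitor without touching the policy itself. The directory contents, group names, role names and function names are all constructed for illustration.

```python
"""Toy NAC policy engine: posture check first, then group-based roles with
per-user overrides and sponsored guest enrolment. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-in for the directory (e.g. Active Directory) group data.
# A "clean" directory, with users sorted into meaningful groups, is what keeps
# the role table below short and the resulting policy auditable.
DIRECTORY: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"Employees", "Finance"}),
    "bob": frozenset({"Employees", "Guest Sponsors"}),
    "carol": frozenset({"Contractors"}),
}

# Group -> network role, evaluated in order; the first matching group wins,
# so list the most privileged groups first to make precedence explicit.
GROUP_ROLES: List[Tuple[str, str]] = [
    ("Domain Admins", "full-access"),
    ("Employees", "internal"),
    ("Contractors", "contractor-segment"),
    ("Guests", "internet-only"),
]

# Finer-grained, per-user exceptions that take precedence over group roles.
USER_OVERRIDES: Dict[str, str] = {"carol": "project-x-only"}


@dataclass(frozen=True)
class Posture:
    """Result of the endpoint checks run before the device is admitted."""
    av_signatures_current: bool   # anti-virus signatures up to date
    prescan_clean: bool           # virus pre-scan found nothing
    config_compliant: bool        # required configuration confirmed


def posture_ok(p: Posture) -> bool:
    return p.av_signatures_current and p.prescan_clean and p.config_compliant


def sponsor_guest(sponsor: str, visitor: str,
                  directory: Dict[str, FrozenSet[str]]) -> bool:
    """A non-admin in 'Guest Sponsors' may place a new visitor in 'Guests' only.

    The sponsor cannot choose any other group, so delegation never widens
    access beyond what the guest role already permits.
    """
    if "Guest Sponsors" not in directory.get(sponsor, frozenset()):
        return False
    if visitor in directory:
        return False  # existing accounts are never re-assigned via the guest path
    directory[visitor] = frozenset({"Guests"})
    return True


def decide(user: str, posture: Posture,
           directory: Dict[str, FrozenSet[str]] = DIRECTORY) -> str:
    """Return the network role assigned to this connection attempt."""
    groups = directory.get(user)
    if groups is None:
        return "deny"          # not known to the directory at all
    if not posture_ok(posture):
        return "quarantine"    # remediation network only, whoever the user is
    if user in USER_OVERRIDES:
        return USER_OVERRIDES[user]
    for group, role in GROUP_ROLES:
        if group in groups:
            return role
    return "deny"              # in the directory but in no mapped group


if __name__ == "__main__":
    healthy = Posture(True, True, True)
    stale = Posture(False, True, True)
    print("alice healthy ->", decide("alice", healthy))    # internal
    print("alice stale   ->", decide("alice", stale))      # quarantine
    print("carol healthy ->", decide("carol", healthy))    # project-x-only
    d = dict(DIRECTORY)
    print("bob sponsors visitor ->", sponsor_guest("bob", "visitor1", d))
    print("visitor1 healthy     ->", decide("visitor1", healthy, d))  # internet-only
```

The ordering matters: posture is evaluated before any identity-based rule, so a privileged user with an out-of-date scanner still lands in quarantine, and the per-user override is checked before the group table so that an individual restriction cannot be undone by adding the user to a broader group.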
Finally, as in most enterprise-focused products, scalability is an important issue. In this case, we generally see the ability of the NAC to be distributed. Some NACs, anticipating distribution, have several models that are intended to manage different-sized networks within the enterprise. This not only helps scalability, it also improves value for the price of the product, since smaller groups or organizations within the enterprise are not forced to use a product designed (and priced) for a much larger network. This, of course, has the additional benefit of providing NAC for smaller enterprises, such as small businesses that need a high level of access control.
How we tested
Testing the NAC products this month was quite straightforward. We set up a network with the usual enterprise accoutrements, such as Active Directory, email, DNS, etc. We then installed - or, in the case of the appliances, configured - the NAC under test to attach to our Active Directory. We then went through a suite of operations that exercised the capabilities of the NAC in the context described above.
We were especially interested in how easy the NAC product was to deploy in an enterprise, how simple policy configuration proved to be, and the granularity we could achieve in access control. The usual ease-of-use tests involved the logical layout of the user interface and, for appliances, the ease with which we could accomplish initial configuration to attach to the network.