Taking the pain out of selecting a NAC vendor
Download: NAC: Network vs. appliance
Because of a rising call for better command of network risks, and because many organizations have begun to earmark dollars for future NAC products to address those needs, analysts say that the market has been awash in products that claim NAC functionality.
“Everybody and their brother is a NAC vendor,” says Zeus Kerravala, Yankee Group analyst, explaining that at one point even the SSL VPN vendors called themselves NAC. Though they've since stopped, the point remains.
“It has certainly become overused as a term. I think everybody understands the full vision of NAC, but how you get there varies greatly by vendor, and the cost varies greatly. So I think a lot of the work will be around how you build it now and how you get there,” says Kerravala.
Therein lies the problem of NAC.
Though awareness of the need to control network access has gone up, particularly as a result of a Cisco Systems campaign around the topic, people are still unclear about all of the different ways to actually accomplish this. According to industry experts, the vendor patter around NAC has created too much confusion among potential buyers. In fact, some experts believe that the first step toward deciding on a NAC solution may be to decide on the real definition of NAC. After all, even what the acronym stands for is unclear.
“Probably the first thing is to define what it is you mean by NAC,” says Shane Buckley, COO of Nevis Networks, Mountain View, Calif. “That is actually one of the most confusing starting points because you have large vendors who refer to it as network admission control, you have network access protection from Microsoft [their endpoint integrity capability was released as part of Vista], and you have a lot of vendors referring to NAC as network access control.”
Rather than deciding what is or is not NAC, Kerravala suggests first deciding what you need and then surveying the whole field with those specific criteria.
“They have to understand what problem they are going to solve. Because if they are just looking generically for NAC they'll never understand what exactly it is they are trying to solve,” he says. “If you need to buy a vehicle, you can't just go up to a car dealer and say, ‘I want to buy a vehicle.' If you are going to haul gravel, you probably want a pickup. If you want to go fast, you buy a sports car. A lot of it depends on what they are trying to solve.”
Sounds simple enough, but as potential buyers wade through the pool of products, they soon face an overwhelming list of mutually exclusive decisions on features and approaches. The list is lengthy and depends on who you are talking to, but primarily there are four major decisions to make when talking to vendors and analysts: what mechanism is used for enforcement, where is the NAC solution placed on the network, when does the solution check for threats, and how are those checks made.
The what: network or endpoint
First on the list of NAC approaches is deciding between a network infrastructure-based approach and an endpoint-based approach.
With an endpoint approach, the product focuses on protecting the client through posture checks and malware containment prior to network sign-on. Most rely on an agent at the endpoint to accomplish this.
Products that utilize this approach include ENDFORCE Enterprise (purchased by Sophos in January), Symantec Sygate Enterprise Protection and McAfee ePolicy Orchestrator. If posture checks are all that an organization is looking for, then this may be a good and affordable option. But analysts warn that the network control and enforcement capabilities granted by these products can be limited.
With the network-based approach, the product sits on or just off the network to extend controls and security beyond the endpoint. This can be particularly crucial for organizations that can't install agents on all of the endpoints connecting to the network, or otherwise don't have full control over all connecting endpoints, such as guest computers.
The where: at the switch, out-of-band or inline
If the approach is going to be network infrastructure-based, more decisions will need to be made. There are three ways an infrastructure-based NAC product can be placed at the network level — embedded at the switch and within the overall infrastructure, such as with products from Cisco Systems, Nortel and Juniper Networks. They can be placed inline, or in-band — though not embedded in the existing architecture — so traffic is routed directly through them. Or they can be placed as an out-of-band appliance.
Cisco, in particular, has been leading the way with its overarching approach. Late last year it announced a partnership with Microsoft to include the Redmond, Wash.-based giant's network access protection and integration with the Cisco Clean Access line. But cost and complication often gets in the way of sales, Kerravala says.
“Some companies don't want to do that,” he adds. “Some companies are looking to just control who logs on and off of the network. What the market has been looking for is a way to get started with NAC without breaking the bank. And that has been a big deterrent against Cisco's NAC. I've probably had more questions about Cisco's NAC than any other vendor, but you don't see a lot of deployment because of its requirement to upgrade the infrastructure.”
Because of the exceedingly high cost of an approach within the switching fabric, the battle at this moment is between out-of-band and inline.
“One of the fundamentals of networking is that if you are not inline, you can't get control,” Buckley says. “Because if you're not inline, you can't stop or block the flow of traffic to and from an endpoint.”
Chris Liebert, a senior analyst in Yankee Group's enabling technologies enterprise group, who has an expertise in network security, says that the best place to gain control is over the network, but that inline products are often still too expensive for many organizations.
Alan Shimel, chief strategy officer of StillSecure, agrees. “In my opinion, inline eventually runs into scalability problems because you have to put a box inline all over the place, so it gets expensive and unwieldy,” says Shimel, who adds that his Superior, Colo.-based network security software products company avoids the ‘religious war' of inline and out-of-band by offering deployment options either way with its NAC solution.
The when: pre-connect and post-connect
Next up in the decision-making process is determining when the NAC solution will be making checks for policy compliance, malware and overall security posture. The vast majority of NAC solutions focus on posture checks prior to connection. They'll act as a gatekeeper to keep non-compliant devices off of the network. Some vendors, such as Lockdown Networks, stop at that point and assume that other security solutions will take over once the device is on the network. Others continue to conduct checks and control access even after connection.
“Ideally you want to have the full-cycle NAC with both pre-connect and postconnect,” says Lawrence Orans, a research director at Gartner.
Companies that integrate pre-connect and post-connect functionality within their products claim that is the only effective way to mitigate all network risk.
But others, such as Lockdown, argue that users can accomplish security after the connection using protections that are already in place.
“We think there is a better way to do post-connect NAC, which is that most companies already have investments in IDS or IPS or network behavior analysis,” says Dan Clark, VP of marketing at Lockdown Networks. “So what we do is pre-connect. We keep you from getting on the network until your device is deemed compliant. post-connect we keep checking to make sure your device is compliant, but we also can take in alerts and notifications from any of these existing systems. And we can kick you off the network at the point of connection, instead of at some arbitrary point downstream like with an inline appliance.”
Analysts say this is a viable option, particularly for organizations which don't have the financial wherewithal to deploy an inline solution that does both pre- and postconnect. But they warn of the limitations.
“The IPS can integrate with NAC, then the NAC gets the message from the IPS to take endpoint off the main network and put it into a quarantine network,” Orans says. “There is a lot of good to that, and you're seeing a lot of partnerships between NAC and IPS vendors. Some of the pre-connect solutions do integrate with Active Directory or RADIUS [remote authentication dial in user service], but if they are out-of-band they are going to be reliant on something else in the network to do enforcement.”
The how: identity-based or not
The final debate on functionality has to do with how much the NAC product uses identity within its enforcement framework. Unlike the three previous categories, this is less of a binary decision. Different vendors are utilizing ID policy control and role-based access control to determine where a user goes on the network dependant on that user's role in the organization.
“The identity thing is important in certain verticals,” Orans says. “It's belt and suspenders security where you want to have double protection.”
Solutions such as those from Caymas Systems [recently bought by Citrix] and ConSentry Networks integrate role-based access into their solutions. At the far end of the spectrum is a solution from Trusted Network Technologies, says Orans.
“Trusted Network Technologies is at the intersection of what we are calling NAC and identity access management,” Orans says.
State of the market
In spite of confusion about NAC, the market is gaining momentum. According to industry experts, choosing the right solution comes down to understanding what the organization needs and asking the right questions. Michelle McLean, senior director, product marketing at ConSentry, says that many organizations are already starting to do this.
“There are a lot of budgeted NAC projects and the requests for information are getting smarter,” says McLean. “They are asking much better questions and they are asking many more
Network vs. appliance
Over the last few years, network access control (NAC) has matured into what may be the next wave in network security. NAC ensures that workstations meet a minimum set of requirements before they are granted access to the internal network. Requirements could range from ensuring that a user system has up-to-date anti-virus signatures, the latest service packs, a personal firewall installed, etc. There are currently two methods to deploying a NAC solution.
A strong player in the network-based NAC approach is Cisco Systems. Cisco introduced NAC as a method to enforce security policy on systems that need to access a particular network by ensuring that all systems are verified.
The key benefit in a network-based NAC implementation is the ability to apply role-based access control methods to user systems before they are granted access to the network. Network-based NAC is a good solution for any organization that requires their NAC solution to be fully integrated into their network.
The second method, which has become quite popular, is appliance-based NAC.
Firewall and SSL VPN vendors — such as Check Point Software Technologies,
Caymas Systems [recently purchased by Citrix] and Juniper Networks — have
incorporated NAC features into their products over the last few years.
The key difference is that appliance-based NAC is an inline device implemented between trusted and untrusted networks. Although the set-up of network-based NAC requires more planning and time, appliance-based NAC can become costly depending on the amount of network segments you choose to protect. However, appliance-based NAC is almost a turnkey solution that can most times be rapidly deployed without upgrading other components of the network.
- Peter Giannoulis is an information security consultant at Access 2 Networks.
From the - September 2007 Issue of SCMagazine »