In this network hardware buying guide, we pose questions that every organization should ask when selecting a NAC Appliance.
According to Infonetics Research, Network Access Control (NAC) Appliance sales rebounded 17 percent in 2010 and continue to climb this year. At a time when cash-strapped businesses are demanding more from existing network investments, why should these appliances be experiencing growth?
The answer lies in today’s tidal wave of Wi-Fi-enabled smartphones, tablets, e-readers, peripherals and consumer electronics. Bring-your-own devices (BYODs) are connecting to corporate networks at unprecedented rates. NAC Appliances – once focused on keeping malware out – are well-positioned to govern network use by these unfamiliar and often unmanageable endpoints.
In this buyer's guide, we summarize capabilities offered by contemporary NAC Appliances. Although needs associated with various use cases differ, we pose questions that every organization should ask when selecting a NAC Appliance to efficiently identify and embrace not just well-behaved laptops, but diverse BYODs.
Not your grandpa’s NAC
NAC has evolved since the early years of Cisco Network Admission Control, Microsoft Network Access Protection and Juniper-lead TCG Trusted Network Connect. Back then, administrators were losing sleep over worms like Sasser and Blaster. NAC architectures promised to harness technologies like 802.1X and SSL VPN to enforce access decisions based upon user identity and endpoint health.
But early adopters found themselves on a long, bumpy road. Proprietary architectures didn’t fit mixed networks and took years to converge. 802.1X support was spotty and too hard to configure. Health and posture scans worked well on managed PCs but were shallow or non-existent elsewhere. While these barriers have diminished, Gartner reports that only 15 percent of 2010 NAC deployments focused on endpoint security checking.
Instead, 75 percent of adopters used NAC to enable safe guest network access by visitors, contractors, partners and other unmanaged endpoints. Tackling this narrow use case proved easier, technically and politically. “Clientless” or dissolvable agents could scan more diverse devices, without ownership or on-going control. And guest policies were often lighter-weight – typically, a “friend or foe” check to direct endpoints onto the Internet or corporate network while enforcing a basic mandate like “run any anti-virus.”
BYOD changes everything
While the NAC market was evolving, along came Apple iOS and Android. Handset procurement shifted, offloading ownership and cost onto workers. Wi-Fi also found its way into inexpensive consumer electronics, further accelerating endpoint diversity. These trends combined to trigger today’s BYOD tidal wave. As a result, it is no longer feasible to manage risk based purely on device ownership or governance. Fortunately, NAC Appliances require neither.
Instead, NAC Appliances have leveraged and complemented their existing guest access capabilities to deliver BYOD visibility and control. For example, some organizations simply need to assess BYOD threat. A NAC Appliance may do so by dropping into a network, using a captive portal to permit guest Internet and fingerprint BYODs.
In organizations ready for more, a NAC Appliance can apply policies with non-disruptive actions – for example, permitting but reporting on BYOD connections. Finally, NAC Appliances can serve as proactive enablers – for example, watching domain logons and redirecting employee BYODs onto a VLAN to register for better-than-guest access.
Understanding NAC use cases
Of course, NAC Appliances offer far more than BYOD control; they create an extensible foundation for identity and posture-based network access policy enforcement. For this reason, new adopters should start by building a case for NAC investment, rooted in business goals. Potential use cases for NAC include:
· Auditing managed endpoint compliance with security policies
· Remediating non-compliant or malware infected endpoints
· Enabling non-spoof-able access by trusted endpoints such as printers and cameras
· Providing tools to create and manage guest access accounts
· Reporting on network access activities for regulatory compliance
Document and prioritize use cases where NAC could or should help your business. Because deployments often span organizational boundaries, get network, security and IT stakeholders involved.
Next, drill into top priority use cases, identifying affected users/groups, device types, and endpoint security clients/servers. Draft sample policies, starting simple and phasing in deeper checks and active enforcement.
Given use cases, it’s time to map your own requirements onto available NAC Appliance capabilities and features.
· Network Integration: Unlike network-embedded or software-only NAC products, NAC Appliances are self-contained hardware or VM solutions. Most sit out-of-band, using packet injection or CLI commands or 802.1X to enforce access decisions. Consider how the appliance fits into your network, making sure it will play nicely with existing network elements to be used for enforcement (e.g., edge switches, WLAN access points or controllers, routers, firewalls). As a rule, NAC Appliances should adapt to your network and should not require network upgrades.
· Form Factor and Scalability: NAC Appliances are often sold as hardware, sized for a given number of endpoints. Recently, virtual appliances have grown popular, letting companies choose their own platforms. Either way, when multiple appliances are required for capacity or geographic distribution, look for centralized appliance and policy management. Out-of-band appliances avoid most bottleneck concerns, but beware of dependencies that can impact network availability.
· User Authentication and Endpoint Identification: NAC Appliances often authenticate registered users/groups and recognize known endpoints by integrating with ActiveDirectory or another existing database. However, NAC Appliances have grown more adept at handling changing populations. Look for Guest Management capabilities which admins or sponsors can use to create temporary user accounts. Look for Endpoint Profiling capabilities which can auto-discover and classify devices, based on OS, MAC and fingerprinted properties that confirm device type.
· Endpoint Assessment: NAC Appliances support “friend or foe” checks like block all Androids or allow iPhones running iOS4+ or laptops with certificates. Consider how well each NAC Appliance supports your desired posture and health assessments. For example, can it check that your firewall and anti-malware are correctly installed and running? Can it check for patches, processes, blacklisted applications or signs of infection? Some appliances rely on probes or login scripts or traffic sniffing for assessment, while others use dissolvable or installed agents. Identify supported OS’s and scan limitations; ask how endpoints that cannot be assessed are handled.
· Policy Enforcement: NAC Appliances combine authentication and assessment results with defined policies to make network access decisions. Depending on the appliance and use case, results may be coarse or granular, intrusive or transparent. For example, managed endpoints that authenticate with 802.1X may be transparently moved to the right VLAN, while BYOD users may be required to log into a portal before ACLs let them send traffic on ports 80 and 443. Consider supported methods and ability to enforce both short-term and long-term access policies.
· Remediation Methods: For partiallycompliant or noncompliant endpoints, NAC Appliances support various actions, ranging from permit/deny to audit only. Between these extremes may lie alternatives like informing users, placing endpoints on probation, rate-limiting or prioritizing traffic, quarantining endpoints, redirecting endpoints to a remediation page or server, or attempting auto-remediation. Desired approaches can vary by organization and device/user/ownership – look for flexibility and consider external system integration needs.
· Cost and Licensing: This is an important characteristic for any product. Factors like purchase price, maintenance fees, installation effort, policy creation and tuning, and routine maintenance all impact total cost of ownership. For NAC Appliances, pay attention to a la carte licensing. Some vendors throw in everything – even capabilities you don’t plan to use – while others package and price specific capabilities – for example, endpoint assessment or guest management.
NAC Appliances products
These are just some of the many features and capabilities found in contemporary NAC Appliances. Vendors in this market include Avenda, Bradford, Cisco, Enterasys, Extreme, ForeScout, Fortinet, HP, Juniper, McAfee, Nevis, StillSecure, TippingPoint and Trend Micro. To more fully illustrate this category, EnterpriseNetworkingPlanet will profile several product lines, including Avenda Systems eTIPS, ForeScout CounterACT, and Bradford Networks Network Sentry. Stay tuned…
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.