In the enterprise, the security challenges of BYOD and MDM implementations have led to a resurgence of interest in network access control (NAC) appliances. But what makes the new generation of NAC appliances different from its predecessors?
The new NAC: Network visibility and control
Before BYOD, NAC's role in network security was primarily restrictive. NAC appliances existed to allow authenticated, fully managed devices onto the network and to kick off all others. That was "the old NAC," said Scott Gordon, CMO of NAC solutions vendor ForeScout, recently singled out by Frost & Sullivan as sole market contender and provider of one of the top three best-selling NAC solutions, along with Cisco and Juniper. Gordon added that "NAC has evolved to a new level to provide network visibility and contextual control."
When implemented well, NAC appliances can provide greater network visibility than other solutions. A typical IT department, Gordon told me, might have about 80 percent visibility into its network. That other 20 percent "is a pretty significant control gap" that only grows when you consider BYOD devices that enter the network unmanaged, he pointed out. In addition, at any point in time, a percentage of endpoints under management may appear to be in compliance with endpoint security policies while in reality being in violation of compliance—perhaps the endpoint defense is experiencing problems or is installed but inactive. These factors can lead to large gaps in security.
That's where the new NAC comes in. NAC, Gordon said, allows "complete operational intelligence." It can identify any host that connects to a network, do a security assessment on the host based on preexisting policies, and identify any problems, allowing for greater control of the network overall.
Integration with other security solutions and mobile device management
NAC doesn't work in a vacuum, of course. "Integration is a key point," Gordon told me. A modern NAC solution can interface with an enterprise's endpoint protection products—such as the Dell Data Protection Suite that will soon come baked into all Dell commercial PCs—as well as a network's identity infrastructure and perimeter security, among others. This integration allows for intelligent, automated endpoint remediation and mitigation.
"The majority of data breaches occur with systems that have not maintained their security and endpoint defenses," Gordon said. NAC can identify those systems. It can also work with vulnerability assessment systems to ensure that new systems get scanned as soon as they enter the network, and can send intelligence to security information event management solutions for analysis and auditing. In that way, NAC has evolved into a command and control center that coordinates with the rest of an enterprise's security portfolio to maintain defenses at optimal levels.
The new NAC also enables more secure BYOD in a more direct way. "We've taken the lead in integrating with leading mobile device management (MDM) systems," Gordon said. A next-generation NAC can automate device enrollment into an enterprise's MDM system and ensure that the installation is correct and active. It can also trigger MDMs to perform profile checks whenever devices attempt to access network resources, such as files, so that devices out of compliance with security policy can be isolated or removed.
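To make the identify-assess-control flow described above concrete, here is an added toy policy engine (illustration only, not ForeScout's, CounterACT's, or any vendor's code). The host fields, action names and control tiers are assumptions; the policy encodes the cases the article raises: new hosts get scanned on entry, unenrolled BYOD devices are pushed into MDM enrollment, and an endpoint defense that is installed but inactive is treated as a compliance gap rather than as compliant.

```python
# Added example, not code from the article or any NAC vendor. Field names,
# action strings and control tiers are assumptions chosen for illustration.
from dataclasses import dataclass

@dataclass
class Host:
    mac: str
    known: bool                 # present in the managed-asset inventory
    mobile: bool = False        # BYOD phone or tablet
    mdm_enrolled: bool = False
    defense_installed: bool = False
    defense_active: bool = False
    first_seen: bool = False    # never observed on this network before

def assess(host):
    """Return (control, actions). Controls from least to most restrictive:
    allow, remediate, limited, quarantine. Actions are hand-offs to other
    systems (scanner, MDM, endpoint agent, SIEM) as the article describes."""
    actions = []
    if host.first_seen:
        actions.append("vuln_scan")               # scan new systems on entry
    if not host.known and not host.mobile:
        actions.append("siem:unknown_host")       # no inventory record at all
        return "quarantine", actions
    if host.mobile and not host.mdm_enrolled:
        actions.append("mdm_enroll")              # automate MDM enrollment
        return "limited", actions
    if host.mobile:
        actions.append("mdm_profile_check")       # MDM re-checks profile on access
    if host.defense_installed and not host.defense_active:
        # The gap from the article: inventory says compliant, defense is idle.
        actions.append("restart_endpoint_defense")
        actions.append("siem:defense_inactive")
        return "remediate", actions
    if not host.defense_installed and not host.mobile:
        actions.append("install_endpoint_defense")
        return "limited", actions
    return "allow", actions

def control_gap(hosts):
    """Fraction of hosts that inventory alone would call compliant but that a
    live posture check does not simply allow onto the network."""
    inventory_ok = [h for h in hosts if h.known or h.mdm_enrolled]
    if not inventory_ok:
        return 0.0
    failing = sum(1 for h in inventory_ok if assess(h)[0] != "allow")
    return failing / len(inventory_ok)
```

`control_gap` is the metric behind the "80 percent visibility" remark: it counts hosts that look fine on paper but fail when actually assessed.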
"NAC becomes the network security overlay that delivers visibility to help IT maintain security and confidentiality," Gordon said.
Frost & Sullivan recognized ForeScout and its NAC appliance, CounterACT, as market leaders. ForeScout expanded its 2012 NAC market share by over 10 percent and expects continued growth. Gordon gave me some reasons why.
"Our solution is agentless. Also, we offer broader and more in-depth visibility into the network, with no impact to the user or operating environment. Our solution is fully integrated and works with what the customer has. And we have the broadest and most flexible level of controls, so you can apply the appropriate level of control for the risk, leading to less user impact when you implement with us."
NAC looks to be an important network security component for years to come. Frost & Sullivan predicts the market will reach more than $670 million by 2017, driven both by increasing security concerns and the growth of the BYOD trend. Network visibility is vital to network control, after all. Enterprises willing to invest in a NAC appliance will likely reap the benefits of knowing exactly who's on their network at any time, what's happening on that network, and which problems need immediate attention.
"NAC allows IT to be more responsive. Threats are more dynamic than they have ever been, and this is a way for interactions between systems to occur at a rapid, automated pace, based on policy," Gordon said. He concluded, "There's no longer a big delay between when a problem is discovered and when it is remediated. I want to preempt threats and be more efficient in responding to them. That's where next-generation NAC delivers."
Jude Chao is Executive Editor of Enterprise Networking Planet. Follow her on Twitter @judechao.