Seeking Answers With Network Access Control

Network Access Control

Corporate BYOD growth is prompting enterprises to take a closer look at their networks and their approach to security. As this initiative grows, along with the increased need for keeping the network and its data secure, more IT professionals are reconsidering NAC.

In fact, a recent Ogren Group research report, “Network Access Control: A Strong Resurgence is Underway,” estimates the network access control (NAC) market has grown to $392 million in 2012 and will sustain a strong 22 percent CAGR through 2017, taking the market to more than $1 billion per year.

Two or three years ago, NAC was in the top ten IT project list, but it was always one of the first projects to hit the chopping block if there were budget constraints. Now as the BYOD phenomenon accelerates, so does the need to keep the corporate network and its data secure. This trend is driving more IT professionals to seek the answer to this question, “Are we ready for NAC?”

So, now that your management has the NAC bug, what do you do? Where do you start? Who is involved? There are a lot of questions that need to get asked and answered and in this article, I’ll offer suggestions to set you on the right path. Let’s break it down:

What do you want to accomplish?

As the name states, network access control is about managing how people and devices attach to the network and how IT controls the data you have permission to access. The first step is a plan that defines what it is you want to do.

A BYOD program is the most common driver of NAC demand today. However, it is often confused with a Guest Access program. NAC can certainly help with both, but make sure that you know the difference. BYOD initiatives focus on allowing employees to access corporate data from personal devices such as tablets, smartphones and laptops. Many times, management will allow employees to bring their personal device into the office, but limit the use to Internet access only.

This scenario is essentially Guest Access and is not a BYOD initiative. When planning for either scenario, you should verify if your employees are going to use their LDAP (Active Directory, eDirectory, etc.) credentials to gain access to data on the corporate network or if pre-determined credentials that may be configured on the NAC appliance will be used for access. Finally, if you want to allow employees to access corporate information, decide how much access to allow? NAC can help with all this.

Another consideration is do you want to limit what employees can access based on their role, location, time of day, etc. For example, there is no reason for someone in the finance department to access the data centre, as there is no reason for them to be in the data centre in the first place! Conversely, there is no reason for IT to access the payroll server (except for maintenance). With NAC, you can set policies and checks to help you manage access.

These policies include, but aren’t limited to; anti-virus verification including, what brand of AV is supported, determining if the AV is the most current version, operating system checks (what OS is running, are all patches applied), are they running unauthorised applications or are they missing required applications? There are many more options to consider. When you are looking at implementing a NAC solution, make sure that you know what you are looking for.

Another advantageous use of NAC is in regards to automating the on-boarding of “headless” devices. Headless devices include printers, IP cameras, phones and more. A NAC solution has the ability to identify and classify any device that could potentially connect to your network, both wired and wireless. Once a device has been identified, NAC will be able to provide the necessary access to the network.

How do I manage access?

Now that you have a clear picture of what you want to accomplish, determine the best approach to achieve those varied tasks. Some tasks manage the access itself while others interrogate the endpoints to make sure that they meet the policies that you have put in place.

When managing access to the network, there are generally two different methods; VLAN reassignment and Access Control Lists (ACLs). ForeScout has another alternative called Virtual Firewall. This feature allows you to control access of any device attempting to connect to the network.

VLAN reassignment is the most common method for controlling access. When a device connects and has the appropriate authentication, NAC can move the device to the pre-determined VLAN. This is accomplished by integrating with the network switches, routers and wireless controllers. This dynamic VLAN assignment is temporary, and when a device disconnects and another device connects, a new VLAN can be assigned to that port or within the SSID.

Dynamic ACLs are another method of enforcement. While not as widely utilised, they can be equally effective, and in some cases, a combination of VLANs and ACLs are used. For example, a user can connect to the network, be assigned to a VLAN, and based on their authentication have ACLs in place to limit their access.

Who is involved?

When it comes to NAC and implementing a solution, it is important to involve other teams, in addition to the networking and security teams, since NAC directly impacts the network. The Network team needs to be brought in because NAC requires integration with the network equipment. This includes SNMP read/write as well as privileges to make changes to the switch configuration.

Another team to consult is security as there are generally specific requirements or policies that need to be in place to maintain corporate security. Additionally, NAC involves the interrogation of the endpoints, so the desktop support team should be included. Whether utilising an agent or using an agentless method, the endpoint will have changes made to it and the desktop team needs to be informed.

As you see, a lot of decisions and considerations need to be made when planning on NAC. The better prepared you are, the more time you take planning, the more successful the implementation will be. In a dynamic world, things change, and a NAC solution needs to be dynamic too. As new business and security policies emerge, it is critical to integrate them with your NAC plans.

Ken Daniels

For the last 20 years, Ken Daniels, Channel Systems Engineer, ForeScout Technologies, has been a sales/systems engineer primarily focused on networking. His career has included working in IT for 3Com and Motorola, as well as several start-up companies where his efforts helped lead to successful acquisitions. A background in wireless networking has given him a unique perspective in Network Access Control (NAC) especially given the BYOD phenomenon that is currently driving NAC market growth. Ken has helped many large national and international organisations develop networking solutions. He has extensive experience working with the channel to train technical teams to design, sell, and implement network and security solutions.