NAC Facts: Hype Versus Reality
Setting the record straight on when you need NAC, what it can do, and the business benefits for any size company.
John Edwards on June 28, 2007
Seemingly overnight, network access control (NAC) technology has arrived to help enterprises secure their network endpoints. Yet, as with any emerging technology, a great deal of confusion and unbridled optimism is accompanying NAC's growing popularity.
NAC hype is potentially dangerous, since it can force enterprises and their network managers into making poor decisions, causing them to miss out on a powerful new security tool. To help set the record straight on NAC technology and its various benefits and drawbacks, here are real-world answers to several common NAC misconceptions:
Hype: My network doesn't need an NAC; firewall and anti-virus technology already provide enough protection.
Reality: With the arrival of wireless access points, VPNs, extranets, distributed network connectivity and plug-in mobile devices, it's becoming increasingly difficult for traditional security technologies to protect a network's borders. Firewalls and anti-virus products are also inadequate to prevent attacks that originate from within an organization. NAC, on the other hand, clamps down on threats at every network endpoint.
Hype: NAC replaces firewalls and many other network security technologies.
Reality: No. Just as firewalls and anti-virus solutions can't handle the job alone, NAC works with other network security tools to enhance network protection.
Hype: NAC is well on its way to becoming a mature, uniform technology.
Reality: Although recent interoperability agreements between major NAC vendors and a standards group are beginning to remove adoption concerns, NAC is an evolving strategy with a variety of possible implementation paths. Generally speaking, NAC works by viewing all endpoints, even known/trusted ones, with skepticism. The technology bases network access decisions on criteria such as individual user identity, the security state of the user's endpoint and policies that define who should be allowed to use which resources and under what conditions. Various vendors accomplish these tasks, and others, in different ways, which can lead to interoperability problems.
Hype: So this means that compatibility is a big NAC problem.
Reality: Product compatibility can be a headache in any network. On the other hand, NAC vendors are stepping up their efforts to ensure interoperability. Cisco, for example, has so far certified nearly 40 vendor products for its NAC framework.
Hype: NAC is an enterprise network technology and, as such, must be deployed over all network endpoints.
Reality: NAC is indeed designed for enterprise networks, yet it can still be deployed incrementally. In fact, Juniper Network research reveals that 57 percent of enterprises want to deploy NAC on a limited scale, targeting specific network segments in a pilot project.
Hype: NAC requires client software to be installed on users' computers.
Reality: Some NAC products use a client-installed program to create authentication and integrity checks, but other solutions can handle these tasks without using a client, relying instead on the enforcement device to inspect endpoints. The clientless approach is useful for organizations that need to host guest notebooks on their networks.
Hype: NACs are useless for organizations using PDAs, IP phones, IP printers and other non-computer devices.
Reality: Not true, although you'll need to use a clientless NAC product to support these technologies.
Hype: NAC appliances slow down networks because they have to filter traffic.
Reality: NAC appliances don't filter traffic; they monitor it. This can be accomplished with traffic flowing through the product in real time or by mirroring ports and watching the flow without any live traffic actually passing through the NAC. In either case, as long as the technology has been properly deployed, the impact on throughput should be virtually non-existent.
Hype: NAC is only for big businesses.
Reality: NAC is for any enterprise that wants to secure its network endpoints. The technology is available and affordable to a wide range of organizations, including SMBs, government agencies, schools, hospitals and just about any other entity with a network.