Network Access Control solutions can be deployed using several architectural approaches, each with distinct advantages and trade-offs. Understanding these architectures is essential for choosing the right NAC solution.
Pre-Admission vs. Post-Admission NAC
Pre-admission NAC checks device compliance before granting network access. Non-compliant devices are quarantined or denied access until they meet policy requirements. This provides the strongest protection but requires all admission points to be NAC-enabled.
Post-admission NAC grants initial network access and then continuously monitors devices, revoking or restricting access when a policy violation is detected. This is easier to deploy but provides less protection: a device is already on the network before any violation is found, so a device that was compliant at admission and is compromised later is only caught once the violation is detected.
Inline vs. Out-of-Band Enforcement
Inline NAC places enforcement hardware in the data path. All traffic passes through the NAC system, which can drop or redirect packets based on policy. This provides the most granular control but adds hardware cost and a potential point of failure.
Out-of-band NAC monitors traffic but enforces through control-plane mechanisms like VLAN assignment and ACL configuration on existing network switches. This approach leverages existing infrastructure and is generally more scalable.
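The two decision points above (pre-admission check and post-admission re-assessment) combined with out-of-band VLAN enforcement, as an added example that is not part of the original article. It assumes the common 802.1X/RADIUS deployment in which the policy server answers the switch with dynamic VLAN attributes (RFC 3580 / RFC 2868) and later moves a drifted session with a Change-of-Authorization (RFC 5176); the posture fields, policy thresholds and VLAN numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample policy: minimum OS build and mandatory antivirus.
POLICY = {"min_os_build": 22000, "av_required": True}

# RADIUS attribute values used for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type = IEEE-802
PRODUCTION_VLAN = "100"      # constructed VLAN ids
QUARANTINE_VLAN = "999"


@dataclass
class Posture:
    """Endpoint posture as reported by an agent (constructed fields)."""
    mac: str
    os_build: int
    av_enabled: bool


def evaluate(posture: Posture) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if posture.os_build < POLICY["min_os_build"]:
        violations.append("os_build_too_old")
    if POLICY["av_required"] and not posture.av_enabled:
        violations.append("antivirus_disabled")
    return violations


def admission_decision(posture: Posture) -> Dict[str, object]:
    """Pre-admission: pick the VLAN the switch must put the port in.
    Out-of-band enforcement: the decision travels back to the existing
    switch as Access-Accept attributes, not through an inline appliance."""
    vlan = QUARANTINE_VLAN if evaluate(posture) else PRODUCTION_VLAN
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-ID": vlan}


def reassess(session: Dict[str, object], posture: Posture) -> Optional[Dict[str, object]]:
    """Post-admission: re-check an already admitted device. If the required
    VLAN changed, return a CoA-Request (RFC 5176) that re-places the session;
    return None when the current placement is still correct."""
    desired = admission_decision(posture)
    if desired["Tunnel-Private-Group-ID"] == session["Tunnel-Private-Group-ID"]:
        return None
    return {"code": "CoA-Request", "mac": posture.mac, **desired}
```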
Vendor Frameworks
Major vendors have developed their own NAC frameworks: Cisco's Network Admission Control (NAC), Microsoft's Network Access Protection (NAP, deprecated in Windows Server 2012 R2 and no longer included from Windows Server 2016 on), and the Trusted Computing Group's open Trusted Network Connect (TNC) standard. Confirm that the solution you choose supports the frameworks implemented by your network equipment vendors, because enforcement depends on the switches, the policy server and the endpoint agents interoperating.