"What are you doing that would constitute a violation?" Whiteley asked. Some solutions take shortcuts, say, requiring IT to whitelist certain devices that can't be scanned, such as faxes and printers. The premise is that those devices pose little risk to the network.
This approach is not sufficient, Whiteley argued. The whitelists usually rely on IP and MAC addresses, which can be spoofed. Better is a policy-based system that restricts a machine's behavior as stringently as a user's. A behavior-based policy says that since a device is a printer, it shouldn't be making a thousand connections per second. A printer wouldn't do that.
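To make the contrast concrete, here is an added example (not code from the article or from any vendor it names) of the two checks side by side: a MAC-based whitelist that admits anything carrying a known address, and a role-based behavioural policy that flags a device when its connection rate or destination ports fall outside what its role should produce. The inventory, the per-role limits and the traffic sample are all constructed for the example.

```python
"""Whitelist versus role-based behavioural policy for NAC post-admission."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical device inventory: MAC address -> role. A plain whitelist
# admits any frame carrying one of these MACs, whether or not it was spoofed.
INVENTORY = {
    "00:11:22:33:44:55": "printer",
    "00:aa:bb:cc:dd:ee": "workstation",
}

# Hypothetical per-role behaviour limits. The numbers are constructed for
# the example; a real deployment would derive them from observed baselines.
ROLE_POLICY = {
    "printer": {"max_new_conns_per_sec": 5, "allowed_dst_ports": {9100, 515, 631}},
    "workstation": {"max_new_conns_per_sec": 200, "allowed_dst_ports": None},
}


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src_mac: str
    dst_ip: str
    dst_port: int


def whitelist_decision(flow, inventory=INVENTORY):
    """The shortcut the article criticises: admit on MAC address alone."""
    return "allow" if flow.src_mac in inventory else "deny"


def behavioural_violations(flows, inventory=INVENTORY, policy=ROLE_POLICY, window=1.0):
    """Apply each device's role limits to its flows.

    Returns {src_mac: sorted list of distinct violation reasons}. The
    connection rate is measured over a sliding window of `window` seconds.
    """
    recent = defaultdict(deque)        # src_mac -> timestamps inside the window
    violations = defaultdict(set)
    for flow in sorted(flows, key=lambda f: f.ts):
        role = inventory.get(flow.src_mac)
        if role is None:
            violations[flow.src_mac].add("unknown device")
            continue
        limits = policy[role]
        q = recent[flow.src_mac]
        q.append(flow.ts)
        while q and flow.ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > limits["max_new_conns_per_sec"] * window:
            violations[flow.src_mac].add("connection rate exceeds role limit")
        allowed = limits["allowed_dst_ports"]
        if allowed is not None and flow.dst_port not in allowed:
            violations[flow.src_mac].add(f"port {flow.dst_port} not allowed for {role}")
    return {mac: sorted(v) for mac, v in violations.items()}


def sample_flows():
    """Constructed sample traffic (not captured data)."""
    printer_mac = "00:11:22:33:44:55"
    # Genuine printer traffic: a few raw-print connections per second.
    flows = [Flow(t, printer_mac, "10.0.0.50", 9100) for t in (0.0, 0.3, 0.6)]
    # A workstation doing ordinary HTTPS.
    flows += [Flow(t / 10, "00:aa:bb:cc:dd:ee", "10.0.0.80", 443) for t in range(10)]
    # Later, a host using the printer's MAC fans out 40 connections in 0.4 s
    # to a port a printer has no business reaching.
    flows += [Flow(10.0 + i * 0.01, printer_mac, f"10.0.0.{100 + i}", 445) for i in range(40)]
    # A device that is not in the inventory at all.
    flows.append(Flow(20.0, "de:ad:be:ef:00:01", "10.0.0.50", 9100))
    return flows


if __name__ == "__main__":
    spoofed = Flow(10.0, "00:11:22:33:44:55", "10.0.0.100", 445)
    print("whitelist says:", whitelist_decision(spoofed))   # allow
    for mac, reasons in behavioural_violations(sample_flows()).items():
        print(mac, "->", "; ".join(reasons))
```

The whitelist admits the spoofed frames because the MAC matches, while the behavioural check flags the same device on two independent grounds: the rate of new connections and a destination port outside the printer's role. The workstation, whose traffic fits its role, produces no violations.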
The post-admission piece of the puzzle was pioneered in the WLAN space, with vendors like Newbury Networks and Bluesocket attempting to overcome the geographical spill of wireless signals (which penetrate walls and leak out of the office, after all) by focusing on identity and role. The difficulty lies in repeating that wireless approach on the wired LAN.
Where, then, should organizations turn for useful NAC solutions? Unfortunately, the answer isn't all that helpful: it depends.
If you are a strictly Cisco shop, it makes sense to use its solutions, especially since Cisco has been working with Microsoft on interoperability. If endpoint enforcement is your primary concern, Symantec and Elemental fit the bill.
If you're looking to segment the access process from network traffic, then the out-of-band solutions from ForeScout, Lockdown, and Juniper will work. Do you want a software-only solution? If so, go with Endforce, StillSecure, or ExaProtect. If you'd prefer to focus on inline access control and policy enforcement, investigate the offerings from ConSentry, Vernier, or Nevis.
Further down the road, the promise of NAC is that it will give IT more fine-grained control of networking. "NAC will eventually deliver a more intelligent usage of network resources," O'Connell said.
Eventually, the more sophisticated solutions will evolve from protecting against data leakage by, for instance, not letting developers access software code when in a public conference room to, perhaps, enabling differentiated quality of service based on identity and role.