NAC: A User's Guide: Page 2

Posted December 21, 2006

Jeff Vance


(Page 2 of 3)

When Printers Act Like Mail Servers


“What are you doing that would constitute a violation?” Whiteley asked. Some solutions take shortcuts, for example requiring IT to whitelist devices that can’t be scanned, such as fax machines and printers, on the premise that those devices pose little risk to the network.

“This approach is not sufficient,” Whiteley argued. “The whitelists usually rely on IP and MAC addresses, which can be spoofed.” Better is a policy-based system that restricts a machine’s behavior as stringently as a user’s. “A behavior-based policy says that since a device is a printer, it shouldn’t be making a thousand connections per second. A printer wouldn’t do that.”
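The contrast Whiteley draws, a whitelist keyed on a spoofable address versus a policy that judges a device by how it behaves for its role, is easy to show in code. The following is an added example and is not code from the article or from any vendor it names; the role names, port lists, rate thresholds, MAC address and flow records are all constructed for illustration. A laptop that clones the printer’s MAC sails through the whitelist, but the moment it starts opening dozens of SMTP connections a second it no longer looks like a printer, and a behavior-based policy flags it.

```python
"""Behavior-based role policy versus a MAC whitelist.

Added example; every role, threshold, address and flow below is assumed
or constructed, not taken from the article or any NAC product.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One new outbound connection attempt observed at the access layer (constructed)."""
    ts: int        # epoch seconds; one-second buckets are enough for a rate check
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Hypothetical per-role policy. A printer has no business opening SMTP
# sessions or hundreds of connections a second; a workstation gets more slack.
ROLE_POLICY = {
    "printer": {"max_new_conns_per_sec": 5, "allowed_dst_ports": {53, 123, 443}},
    "workstation": {"max_new_conns_per_sec": 50, "allowed_dst_ports": None},  # None = any port
}


def whitelist_allows(flow: Flow, whitelist_macs: set) -> bool:
    """The shortcut approach: admit anything whose MAC is on the list.
    A cloned MAC passes this check exactly like the real device."""
    return flow.src_mac.lower() in whitelist_macs


def behavior_violations(flows, role_by_mac, policy=ROLE_POLICY):
    """Judge each source by the policy of the role assigned to its MAC.

    Returns a sorted list of (mac, ts, reason). Port violations are reported once
    per (mac, second, port); rate violations once per (mac, second).
    """
    found = set()
    per_second = Counter()
    for f in flows:
        mac = f.src_mac.lower()
        role = role_by_mac.get(mac)
        if role is None:
            found.add((mac, f.ts, "unknown device, no role assigned"))
            continue
        allowed = policy[role]["allowed_dst_ports"]
        if allowed is not None and f.dst_port not in allowed:
            found.add((mac, f.ts, f"dst port {f.dst_port} not permitted for role {role}"))
        per_second[(mac, f.ts)] += 1
    for (mac, ts), n in per_second.items():
        role = role_by_mac.get(mac)
        if role is not None and n > policy[role]["max_new_conns_per_sec"]:
            found.add((mac, ts, f"{n} new connections in one second exceeds {role} limit"))
    return sorted(found)


PRINTER_MAC = "00:11:22:33:44:55"  # assumed address of the whitelisted printer
ROLE_BY_MAC = {PRINTER_MAC: "printer"}
WHITELIST = {PRINTER_MAC}


def sample_flows():
    """Constructed traffic: the real printer checking in over HTTPS, then a laptop
    that cloned the printer's MAC and IP and starts spraying SMTP connections."""
    legit = [Flow(1000, PRINTER_MAC, "10.0.5.20", "10.0.1.10", 443) for _ in range(2)]
    spoofed = [Flow(1001, PRINTER_MAC, "10.0.5.20", f"203.0.113.{i}", 25)
               for i in range(1, 41)]
    return legit + spoofed


def analyze_sample():
    """Run both checks over the constructed traffic and return the results."""
    flows = sample_flows()
    return {
        "whitelist_admits_all": all(whitelist_allows(f, WHITELIST) for f in flows),
        "violations": behavior_violations(flows, ROLE_BY_MAC),
    }


if __name__ == "__main__":
    result = analyze_sample()
    print("MAC whitelist admits every flow:", result["whitelist_admits_all"])
    for mac, ts, reason in result["violations"]:
        print(f"t={ts} {mac}: {reason}")
```

Note that the behavior check never asks whether the address is genuine; it only asks whether the traffic is consistent with the role the device was admitted under, which is exactly what a cloned MAC cannot fake. In a real deployment the flow records would come from the switch or an inline sensor, and the thresholds would be tuned per role from observed baselines rather than hard-coded as here.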

The post-admission piece of the puzzle was pioneered in the WLAN space, where vendors like Newbury Networks and Bluesocket tried to compensate for the spill of wireless signals (which pass through walls and out of the office, after all) by enforcing policy on identity and role rather than on physical location. The difficulty lies in repeating that approach on the wired LAN.

Where, then, should organizations turn for useful NAC solutions? Unfortunately, the answer isn’t all that helpful: it depends.

If you are a strictly Cisco shop, it makes sense to use their solutions, especially since they’ve been working with Microsoft on interoperability. If endpoint enforcement is your primary concern, Symantec and Elemental fit the bill.

If you’re looking to separate the admission process from the flow of network traffic, the out-of-band solutions from ForeScout, Lockdown, and Juniper will work. Do you want a software-only solution? If so, go with Endforce, StillSecure, or ExaProtect. If you’d prefer to focus on inline access control and policy enforcement, investigate the offerings from ConSentry, Vernier, or Nevis.

Further down the road, the promise of NAC is that it will give IT more fine-grained control of networking. “NAC will eventually deliver a more intelligent usage of network resources,” O’Connell said.

Eventually, the more sophisticated solutions will move beyond preventing data leakage (for instance, blocking developers from reaching source code while they sit in a public conference room) toward, perhaps, differentiated quality of service based on identity and role.

