NAC: A User's Guide: Page 3

Posted December 21, 2006

Jeff Vance

(Page 3 of 3)

What to look for in a NAC solution

1. Stop and identify the business drivers first.

“When you peel back the layers, the first driver is usually about unmanaged or guest users, such as consultants, contractors, partners, and even customers,” said Forrester’s Whiteley. “If this is your only concern, you can get away with a turnkey box that provides a ‘hotel experience.’ However, if you try to send every single wired user through that box, it will be costly. You’d be better off with something that integrates with your existing networking architecture.”

2. Make sure the solution identifies both users and devices.

“It’s critical to know who and what you’re talking to. I’m not going to give a guest the same access as an employee, and I’m going to run more checks on a laptop that has left the office than a stationary PC,” said Cisco’s O’Connell.

3. Does the solution enable comprehensive health checks?

“NAC promises to deliver an enterprise-wide architecture for compliance, saying that, perhaps, you need a Windows patch or an anti-spyware program running. It’s an ongoing access control system that checks a user’s compliance with policy,” Whiteley said.

4. Are there posture assessment and enforcement mechanisms?

“I know who I’m talking to. Now what do I give them? Based on policy, a human resources person shouldn’t have access to an engineering domain,” said O’Connell.

5. Decide what your organization will do about quarantine and remediation.

“This is where the real value is, but it’s the hardest part to do. Once you violate a policy, can I fix you so you are compliant, or are you on your own?” Whiteley asked.
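Items 2 through 5 describe one flow: identify the user and the device, run health checks, enforce a policy decision, and either remediate or leave the endpoint on its own. The following toy policy engine is an added example written for this page, not code from the article or from any vendor quoted in it; the roles, zones, patch level and endpoint records are all constructed for illustration.

```python
"""Toy NAC policy engine (added example, not part of the original article).

Models the checklist flow: identify the user and the device, run posture
(health) checks, enforce a role-based access decision, and hand
non-compliant endpoints a remediation list instead of a bare rejection.
All identities, policy values and endpoint records are constructed.
"""
from dataclasses import dataclass, field

# Constructed policy: minimum patch level and software that must be running,
# standing in for "you need a Windows patch or an anti-spyware program".
REQUIRED_PATCH_LEVEL = 42
REQUIRED_SOFTWARE = ("antivirus", "antispyware")
MAX_DAYS_SINCE_SCAN_AFTER_TRAVEL = 1

# Constructed role-to-zone policy. Guests only ever reach the guest VLAN, and
# an HR user is never placed in the engineering zone.
ROLE_ZONES = {
    "employee": "corporate",
    "engineer": "engineering",
    "hr": "corporate",
    "contractor": "partner",
    "guest": "guest",
}


@dataclass
class Endpoint:
    user: str
    role: str                 # from the identity store; "unknown" if no login
    device_id: str            # managed-asset tag; "" if the device is unmanaged
    patch_level: int
    running: tuple = ()       # security software the endpoint agent reports
    left_site: bool = False   # laptops that travelled get stricter checks
    days_since_scan: int = 0  # age of the last full anti-virus scan


@dataclass
class Decision:
    zone: str
    remediation: list = field(default_factory=list)


def posture_failures(ep: Endpoint) -> list:
    """Health check: return everything the endpoint must fix to be compliant."""
    failures = []
    if ep.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"install patch level {REQUIRED_PATCH_LEVEL}")
    for sw in REQUIRED_SOFTWARE:
        if sw not in ep.running:
            failures.append(f"start {sw}")
    # A laptop that left the office gets an extra check: a fresh full scan.
    if ep.left_site and ep.days_since_scan > MAX_DAYS_SINCE_SCAN_AFTER_TRAVEL:
        failures.append("run a full anti-virus scan")
    return failures


def decide(ep: Endpoint) -> Decision:
    """Identify -> health check -> enforce -> quarantine with remediation."""
    # Identify: an unknown role or an unmanaged device is treated as a guest.
    role = ep.role if ep.role in ROLE_ZONES else "guest"
    if not ep.device_id:
        role = "guest"
    # Guests get the guest VLAN only; their posture is not our problem to fix.
    if role == "guest":
        return Decision("guest")
    # Health check: a non-compliant managed endpoint is quarantined and told
    # exactly what to fix, rather than being left "on its own".
    failures = posture_failures(ep)
    if failures:
        return Decision("quarantine", failures)
    # Enforce the role-based zone for compliant, identified endpoints.
    return Decision(ROLE_ZONES[role])


if __name__ == "__main__":
    for ep in (
        Endpoint("alice", "employee", "ASSET-1", 42, ("antivirus", "antispyware")),
        Endpoint("carol", "unknown", "", 40),
        Endpoint("eve", "employee", "ASSET-3", 40, ("antivirus",)),
    ):
        d = decide(ep)
        print(f"{ep.user}: zone={d.zone} remediation={d.remediation}")
```

The decision order matters: identity is resolved before posture, so an unmanaged device never reaches the corporate zone however healthy it claims to be, and the remediation list is built from the same checks that caused the quarantine, which is what makes "can I fix you so you are compliant" answerable.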

6. Determine the appropriate architecture, be it software, hardware, or one based on current vendor relationships.

“Architecture affects function. What’s the best one? It depends on your goal. If you want to monitor users, it implies that you can see traffic, meaning the device must be inline. You may have agents on endpoints, but you need something centralized in the network,” said McLean of ConSentry.

7. Look ahead to centralized policy management.

“The problem is that there is no central policy standard. The vendors aren’t playing well together, so there are many separate islands of policy, ranging from Cisco to Microsoft to those of patch or anti-virus vendors,” Whiteley said.
