NAC: Compliance Cure or Complication?

Before resting your hopes on a pricey network access control cure for your compliance headaches, it pays to know exactly what the technology offers.
Regulatory compliance is here to stay and not a moment too soon for security vendors. In a market saturated with useless technologies - and those nearing obsolescence - regulatory compliance has opened up new avenues of sales opportunities.

One of the hottest offerings that security vendors are toting is Network Admission Control (NAC). NAC refers to restricting access to the network based on identity or security posture. Most people will think of NAC as a result of the 802.1x Extensible Authentication Protocol. When a network device (switch, router, access point, etc.) is configured for 802.1x, it can force user or machine authentication prior to granting access to the network. In addition, guest access can be granted to a quarantined area for remediation of any problems that may have caused authentication failure.

Another method of NAC is posture assessment. Posture assessment is the evaluation of system security based on the applications and settings that a particular system is using. Your typical (non-free) Wi-Fi connection is a primitive form of NAC. The user must present some sort of credentials (or a credit card) before being granted access to the network.

What all this means is that NAC uses the network infrastructure to enforce security policy compliance on all devices seeking to access network computing resources, thereby limiting damage from emerging security threats. Customers using NAC can allow network access only to compliant and trusted endpoint devices (PCs, servers, and PDAs, for example) and can restrict the access of non-compliant devices. From a regulatory compliance standpoint, NAC solutions will result in straight checks down your compliance audit list.

Or so the security vendors would have you believe.

Some of the better sales pitches I’ve heard are rooted in truth. For instance, ten years ago, networks were built relatively flat because regulatory compliance wasn’t even a thought at the time. Fast forward to today and look at any compliance checklist and the first thing you see is that you will need separate islands for certain types of data. PCI and HIPAA come to mind as two perfect examples of such requirements. NAC is supposed to be a much cheaper way to achieve segregation of network assets along with additional assurances that only compliant systems that have been authenticated will be able to connect to protected systems.

There is an intense push from security vendors to get NAC into your environment. It should also come as no surprise that NAC offerings are typically at the top end of the price sheet. Folks like Nortel, Cisco, Juniper and others all seem to have the perfect NAC solution for you that must be implemented for you to meet your compliance needs. Obviously, your purchase is excellent for the health of their bottom line. But are organizations taking the blind faith plunge on this offering?

In my experience, the answer is no. Something fantastic has happened to IT security in that it has been stitched into the fabric of Washington D.C. politics. All the nuances of modern day politics are now part of the IT security thought process. For example, why spend tons of money on a compliance solution if you don’t believe the current majority rule will sign a bill into law? Is this a gamble? Yes. Is it reality? Yes.

Many organizations are playing kick the can with compliance solutions, taking a wait and see approach to implementation. This is not to say that plans are not being created, budgets mapped and project plans created. Rather, organizations are not going out and buying the solutions based on the sales pitches as many had done in the past.

An anonymous source working as a contractor for the federal government states, "NAC solutions have been rocky from the start. Some vendors haven’t been able to deliver their products to market when promised while others like Cisco want you to upgrade the IOS on every network device before their solution will work. Apparently they didn’t consider the amount of resources needed for regression testing critical assets before deployment can become a reality."

Others are still getting their business processes tuned for compliance first. This undertaking can take large organizations years to complete given current resources. Not many are willing to dump another technology asset into the mix without completing the core business analysis first.

Personally, I’ve been disappointed with some of the offerings on the street. I’ve noticed that some vendors are spinning everything they have as a regulatory compliance solution trying to entice a sale. One such solution that comes to mind is a vulnerability scanner that is supposed to identify all of your compliance gaps. A single question, "How does it scan behind firewalls?" seemed to remove the air from the sails of the pitch. The short answer is it can’t. The obvious answer is that the functionality is coming in the next release but will require you to place scanners on every segregated network. In other words, more money will solve all evils.

To be fair, there is no magic bullet for compliance. Here is where I can offer you some advice on how to handle the deluge of tasks that you now have to handle.

First and foremost, the best thing you can do is document your business processes. If you don’t understand how the business operates, there is no way you can secure it and furthermore, assure compliance.

Next, look for overlaps in compliance requirements. I call this feeding multiple birds from the same loaf of bread. Continue by evaluating what your current IT security components cover, i.e., a gap analysis.

Once you’ve done these things, then see if a NAC solution is suitable for your environment, and at this point you can also decide whether to play kick the can like many others have currently done. Just don’t end up in jail.

This article was first published on

Comment and Contribute


(Maximum characters: 1200). You have characters left.