Network Access Control (NAC) is a simple idea: authenticate every user connecting to the network, then enforce an access control policy based on who they are and on other environmental information, such as endpoint security posture checks and whether they came in over a wired or a wireless connection. After writing a big architectural overview of NAC for Network World (see http://www.networkworld.com/research/2006/040306-nac-overview.html ) and testing NAC solutions at Interop in Las Vegas last month (see http://www.networkworld.com/research/2006/050106-ilabs-nac.html ), I’ve been exposed to the good and bad parts of NAC.
I’m personally very enthusiastic about NAC. But I’d like to devote some time to the devil’s advocate view of NAC, because it’s very true that the NAC idea has five major failings, and we might as well discuss them.
1. Endpoint security checks only work when you need them the least; when you need them the most, they leave you high and dry. If your NAC strategy is based on checking endpoint security posture, that works great for managed laptops and desktops, where you control the agent and the baseline configuration, but our testing has shown it works not so well for people coming into the organization from outside on machines you don’t manage, the folks you have the greatest security concerns about. If you’re doing NAC to check that strangers have virus scanners loaded, you’re doing it for the wrong reason.
2. Generals are always preparing to fight the last war, not the next one. NAC is the same way. A lot of the rhetoric proposing NAC is reactionary, worrying about last week’s threats. That’s useful, but have you noticed that we haven’t had a huge, network-wide virus meltdown in a couple of years? That’s because we’re actually getting better at preventing these kinds of things. Sure, it’ll happen again, but the frequency and severity are dropping. Which brings us to …
3. The ROI on NAC is a big unknown. NAC is a lot of work. A lot. Even if your network infrastructure is ready for whichever NAC approach you want, getting NAC into place is not going to be cheap or easy. Is it worth it? You should probably calculate that before going down that path. There are lots of other ways to spend your security dollar. Maybe some will have a better ROI.
4. Too much information is sometimes just too much. One of the benefits of NAC is that it gives you the opportunity to set a policy for every single user. The problem is that organizations that are paralyzed by the concept of policy definition, or that don’t know what is going on with their networks, are not suddenly going to be able to come up with per-user or per-group network access control rules. You can use NAC in its most primitive “on if you authenticate, off if you don’t” mode, but if that’s all you want, save yourself a lot of bother and try a simpler solution.
5. You can only control what you see. NAC makes its decision at the point of admission: it sees a user’s first hop into the network, not what happens after it. If your NAC solution lets people get to officially permitted servers, and those servers then become jumping-off points to cruise the rest of the network, your policy just got a planet-sized hole punched in it. NAC is fancy, complex, and expensive, but it is just one component in the bigger picture of defense in depth; the servers you admit people to still need their own segmentation and hardening.
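To make point 5 concrete, here is an added illustration (not code from the column or from any NAC product) that models what a NAC enforcement point grants versus what a user can actually reach once a permitted server becomes a pivot. The role names, host names, NAC policy and east-west connectivity map are all constructed for the example; `segment()` stands in for a server-side control, such as internal ACLs, that the NAC box itself does not provide.

```python
"""Effective reach of a NAC-admitted user once permitted servers become pivots.

Added illustration, not from the column or any NAC product. The policy,
host names and connectivity map below are constructed example data.
"""
from collections import deque

# What the NAC enforcement point sees and enforces: per-role set of hosts a
# freshly admitted user may open connections to. (Constructed example data.)
NAC_POLICY = {
    "contractor": {"web-portal"},
    "employee": {"web-portal", "file-srv"},
}

# What the NAC enforcement point does NOT see: east-west connectivity between
# hosts once you are already inside. Each key lists the hosts it can open
# connections to with nothing filtering in between. (Constructed example data.)
EAST_WEST = {
    "web-portal": {"app-srv"},
    "app-srv": {"db-srv", "file-srv"},
    "file-srv": {"backup-srv"},
    "db-srv": set(),
    "backup-srv": {"hr-db"},
    "hr-db": set(),
}


def effective_reach(role, policy=NAC_POLICY, east_west=EAST_WEST):
    """Return every host a user of `role` can get to, directly or by pivoting
    through a host that is already reachable. Breadth-first search: the NAC
    policy supplies the first hop, the east-west map supplies every later hop."""
    start = policy.get(role, set())
    seen = set(start)
    queue = deque(start)
    while queue:
        host = queue.popleft()
        for nxt in east_west.get(host, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def policy_gap(role, policy=NAC_POLICY, east_west=EAST_WEST):
    """Hosts reachable by pivoting that the NAC policy never granted to `role`:
    the size of the hole in the admission-time policy."""
    return effective_reach(role, policy, east_west) - policy.get(role, set())


def segment(east_west, allowed_flows):
    """Model a server-side control the NAC box does not provide: keep only the
    east-west edges explicitly listed in `allowed_flows`, a set of (src, dst)
    pairs, and drop every other lateral path."""
    return {src: {dst for dst in dsts if (src, dst) in allowed_flows}
            for src, dsts in east_west.items()}


if __name__ == "__main__":
    for role in NAC_POLICY:
        print(f"{role}: granted {sorted(NAC_POLICY[role])}, "
              f"effective reach {sorted(effective_reach(role))}, "
              f"gap {sorted(policy_gap(role))}")

    # Same NAC policy, but with east-west traffic restricted to the two flows
    # the three-tier application actually needs (constructed assumption).
    segmented = segment(EAST_WEST, {("web-portal", "app-srv"),
                                    ("app-srv", "db-srv")})
    for role in NAC_POLICY:
        print(f"{role} after segmentation: "
              f"gap {sorted(policy_gap(role, east_west=segmented))}")
```

Run as a script, the first loop shows the contractor, granted exactly one host, reaching six, including the HR database, with no change to the NAC decision at all; the second loop shows the gap shrinking to the two application-tier hops once the servers themselves are segmented, which is the defense-in-depth point of the column.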
Don’t let these points keep you from looking at NAC. But when you do look at NAC, keep your eyes and your mind open.