A lot of companies lately are seeing that their employees attach personal and company laptops to corporate networks, and bring Trojans and viruses into the network. A defence mechanism for this risk is seen in Network Access Control (NAC) solutions. However, as all new solutions, this one can problems of its own.
The fundamental idea behind NAC is to allow the network to make access control decisions based on gathered intelligence about end-systems (laptops, computers).
To do this effectively, any NAC system needs to do the following
- Establish controls to allow/deny access at the network level.
- Gather information about the end-systems.
This means that the NAC system will need to integrate with network elements and have partial or full control over them (to enable/disable access), access to inventory software, and possibly even install a client agent on every end system.
When in operation, the NAC system should identify every end-system connecting to the network, authenticate it against a preset policy, verify it's compliance to antivirus levels, patch level and possibly group policy applied and take protective measures. The measures can range from simple denial of access, via message for manual update of systems to become compliant, to automatic updating of all required elements to make the system compliant.
Primary targets for NAC are financial institutions and large corporations with distributed offices. There are definite benefits fromAn intelligent access control also system has it's drawbacks. I did an interview about the percieved risks of NAC implementation with a CEO, a Network Admin, a System Admin and a user of a company. Here are the problems that they identify :
The CEO's view
- A NAC is costly to implement - the costs are not only for the NAC system, we need to upgrade a lot of network equipment to be interoperable with the NAC
- A NAC will require a large effort to achieve full compliance on all end-systems. This will reflect in additional operating expenditures for the personnel effort.
The NetAdmin's view
- A NAC will include another element of potential failure to the network - possible poor maintenance or misconfiguration of the NAC system can cause huge problems
The SysAdmin's view
- A NAC will cause complexity in integration with other services (antivirus, active directory, patch management) and will become a critical point of failure - if the NAC fails, what will happen?
A user's view
- A NAC can cause immediate productivity problems if the NAC fails or misinterprets my end-system's compliance. Due to security policies in place, the remediation of such an event takes at least an hour.
- I would be very interested to see what will happen if the CEO's laptop is deemed non-compliant
Network Access Control is a good technology but the organization has to be extremely careful when to implement it. It is not a silver bullet, and risks and drawbacks need to be investigated and analyzed before embarking on the road of NAC implementation
Talckback and comments are most welcome