NAC: Is your firewall enough?

Network access control (NAC) isn't for everybody, but it can be a valuable tool for controlling the circumstances under which individuals gain network access. (Compare Network Access Control products.)

That can be valuable for heavily regulated businesses. NAC can perform a comprehensive check of endpoints before they are allowed to get on to corporate networks, and that kind of check can help placate regulators that demand enforcement of policies about how legitimate endpoints must be configured.

Most NAC platforms not only perform this function, but they keep records of performing it, something demanded by various regulations such as payment card industry (PCI) standards and the Health Insurance Portability and Accountability Act (HIPAA).

Screening guest users is a particular problem that NAC can address well, according to Gartner."Most Gartner clients that are planning to deploy NAC report that their first priority is to implement a guest network," says Gartner analyst Lawrence Orans in a report."In 2007, many security managers who viewed NAC as a strategic security process were able to use the near-term benefits of guest networking to justify getting started in NAC."

If businesses have a diverse set of full-time employees, contractors and guests that use their networks regularly, NAC can help assure that the devices they use to connect meet configuration policies. For machines that flunk, NAC can either fix them, quarantine them or grant them access to a network segment with only limited resources and where they can do limited damage.

Similarly, businesses that need to segment their networks based on department or job function can use the authorization controls in NAC to do so on a fairly detailed level.

"We see a perfect storm if companies have multiple compliance requirements (the Sarbanes-Oxley Act, PCI, HIPAA), a diverse workforce (employees, contractors, remote workers, partners, suppliers) and global operations (the need to segment the environment by region, business unit and others)," says Rob Whitely, an analyst with Forrester Research.

NAC will ultimately become an element of layered security architectures that rely less on perimeter firewalls as the main bastion and more on layers of security that seek to mitigate threats, Whiteley says."This is part of a larger trend around de-perimeterization. NAC is not necessary, but will become a critical component for these new security architectures," he says.

Most networks can get by without NAC. The technology reduces the risk that compromised machines gain network access and that they can do damage if they manage to get admitted anyway. But it doesn't guarantee security. NAC came about in response to threats that traditional Layer 3 firewalls couldn't handle, and there are threats that NAC can't handle, but it can make important contributions.

"Ask yourself: Is your firewall enough?" Whiteley says."If so, NAC is most likely unnecessary. It provides the additional host integrity checking, but this provides little value above and beyond more granular authentication and authorization — which are really just attempts to make up for shortcomings of today's firewalls."