SAN FRANCISCO -- Despite all of the buzz and the spotlight on Network Access Control (NAC) at this year's Burton Group Catalyst Conference, analysts warned network architects that NAC may not yet be ready for widespread deployment. And though Burton vice president and service director Phil Schacter noted that the network does have a responsibility to play a role in addressing security, it may still be too soon for NAC.
"Clearly, a standard is needed," Schacter said, pointing out that vendors across the board are creating NAC solutions, but there is no single thing tying them all together. Cisco Systems Inc. has Network Admission Control; Microsoft has Network Access Protection; Juniper has Unified Access Control; Nortel has Secure Network Access; Check Point has Total Access Protection; and the Trusted Computing Group has Trusted Network Connection. There are also dozens of startups offering NAC solutions.
Schacter's main advice was to "hold off on investing in NAC frameworks until industry standards emerge." And for those who may have already plunked down a large chunk of change for NAC, he warned: "Proceed with caution if you're about to commit to a vendor's [NAC] framework."
By a show of hands in the audience of more than 100, it appeared that about 30% of the crowd were already knee-deep in NAC. They had either already deployed or were planning a deployment.
And one attendee at Catalyst shared how his company is making NAC work in its favor.
Continue Reading This Article
Enjoy this article as well as all of our content, including E-Guides, news, tips and more.
Mike Roncadori, security engineer with Sun Microsystems, said Sun deployed a Cisco NAC solution several months ago. Sun's unique environment had no real Wintel infrastructure; numerous personal laptops in daily use; a large number of engineers, labs and operating systems; and system support levels that were not equal.
Roncadori said Sun looked to Cisco's NAC to authenticate clients to the network, ensure all clients are properly managed, and provide a stepping stone to eventually breaking the network into a group of role-based enclaves.
"We want everybody to announce themselves," he said. "We want everybody to tell us who they are when they come on the network."
Roncadori said Sun also wanted a better way to know exactly whom to call on with a problem.
Before the NAC deployment, which featured Cisco's Clean Access Manager, users would come on and off the network with little to no security check, Roncadori said.
"People just came on, did what they did, and left," he said. From there, any mess they left in their wake -- such as viruses, worms and other security holes -- were "cleaned up after the fact."
Sun looked at a bunch of NAC solutions and went through demos, delving deep into each, Roncadori said. Eventually, Cisco was chosen because it was ready to go out of the box, was architecturally compatible, and could provide future functionality as NAC evolves. Also, he said, Sun wanted to pilot NAC in one month and deploy in four. Cisco was the only vendor that could accommodate that aggressive timeline.
Sun piloted the Clean Access Manager in a Colorado office to verify Cisco's claims and ensure that it could do what they expected. Some minor issues arose requiring configuration tweaks on other parts of the network, Roncadori said, but those problems were quickly resolved.
Since Sun outsources its computer and network operations, it also took a little time for that third party to learn NAC. Roncadori suggests starting the NAC conversation early if a deployment is planned. He estimated that if Sun had not outsourced, it would have taken roughly five full-time IT staffers to implement and manage NAC.
Now, Sun's first major NAC deployment is in place, and the company is looking at worldwide deployment by July 2007.
For the future, Roncadori said that NAC will help Sun set up enclaves, which will allow role-based access to entities and subnetworks and scaled authentication based on classification. Sun is also looking into white listing and blacklisting, which will allow access based on expertise and behavior or deny access based on individual behavior, meaning that if one particular user is prone to introducing problems, his access will be denied until he receives future clearance.
The company put in a "dirty VLAN" for users who are not allowed onto the network for one reason or another. Overall, Roncadori said, the user experience is rather unintrusive. Users have to launch a browser and are sent to the NAC box for authentication before they are allowed in. If there are problems, they are either placed in the VLAN or told to update and clean their computers. The overall process is not time consuming, he said, unless a user's PC is infected or doesn't have proper security installations. For example, if a user doesn't have a personal firewall, the system tells him to get one.
"There can be an indeterminate amount of work if you've really let your system go and it's not up to snuff," he said.
As for the cost, Roncadori said it was justified. He said Sun was handling between 3,000 and 4,000 incidents per month related to PCs introducing something unwanted onto the network. With NAC, Sun foresees that number dropping dramatically. Using an incident-costing model, Roncadori estimated that each incident cost the company anywhere from $750 to $1,000. If a good chunk of incidents are stopped, he said, the NAC solution will pay for itself.
"It's easy to justify spending $2 million to $3 million when you have a $6 million problem," he concluded.
This article originally appeared on SearchNetworking.com.