While network access control generated great interest at this fall’s Interop, show-goers were told they need to carefully evaluate their need for NAC before jumping in, and then to proceed only with care.
Hype about NAC is generating broad interest, but unless the technology can be tied to practical business needs, it won’t warrant the investment, according to vendors on a NAC panel moderated by Joel Snyder, senior partner at Opus One and a member of the Network World Test Alliance.
Businesses should take a simple first step that some are failing to take now: identifying why they want it in the first place, Snyder and vendors said. “People don’t even know what they want. It’s really scary,” said Thomas Howard, security solutions engineer for Cisco.
People working in business functions at corporations need to define just how much access groups of employees need so IT staff can write policies that allow that degree of access, said Denzil Wessels, technical marketing manager for Juniper Networks. “Get people in the right groups. You need business maturity to do this.”
David Greenstein, chief architect for StillSecure, agreed that such policies should be created at the outset of designing a NAC infrastructure. “You need to say what your policy is, and this usually waits until the end,” he said. Often customers wind up identifying their greatest risk and protecting against that without creating a broader hierarchy of threats, he said.
That is not necessarily a bad idea, said Steve Hanna, distinguished engineer working with the Trusted Computing Group (TCG) consortium developing multivendor NAC standards. “Decide what is your greatest pain. Start with particular users working with high-value assets,” he said.
Businesses also need to get in place support for 802.1x port-based authentication, which major NAC architectures use to enforce access policies, said Paul Mayfield, group program manager for Windows enterprise at Microsoft.
Hanna urged extremely slow rollouts of NAC. He recommended that businesses turn NAC on in monitoring mode first to get a handle on how many laptops and desktops don’t comply with assigned security postures. Many businesses are shocked to learn how many non-compliant workstations they have, and if the NAC is turned on suddenly, the users of these devices swamp help desks with calls, he warned. “You might find nobody is compliant and wind up with a massive problem Monday morning when everybody tries to access their e-mail,” he said.
Mayfield agreed. “It’s shocking what compliance is there versus what you thought was there,” he said.
NAC can provide unexpected benefits such as discovering how many users are logging on and off the network, Mayfield said. StillSecure’s Greenstein, whose company’s NAC gear includes auto discovery of every device on a network, said some customers find entire Windows domains they can’t identify.
Cisco’s Howard said NAC can help develop better inventories of what kinds of devices are on the network. For example, a business might have a count for how many Windows machines and Mac machines are on the network. “Sometimes these numbers are off by the thousands,” he said.
The vendors hedged when Snyder asked when NAC would be ready. Hanna said that as TCG develops standards and vendors adopt them, NAC will emerge. “It will be a gradual process over time,” he said.
While some forms of Cisco’s NAC are available now, they do not address all user situations, Howard said. “You’re always going to have so many corner cases. You’ll never have a magic [endpoint-checking] agent that tells you everything,” he said.
How soon NAC is ready depends on cooperation among vendors because most customers have heterogeneous networks that they are unprepared to rip out in favour of one vendor’s proprietary NAC gear, Mayfield said. Customers need to be able to draw NAC elements from many vendors, he said, and these vendors need to be prodded to work together. “It needs customer pressure to get it worked out. It’s a matter of connecting the pieces,” he said.