NAC's Unanswered Questions

2:25 PM -- One of the jobs of a journalist is to get the other side of the story. When it comes to writing about Network Access Control (NAC) these days, however, that's no easy task. Most enterprises are at least planning on doing NAC, and most analysts say it's a good idea. Security vendors generally love NAC, and they all want to offer the best solution.

Everybody's a NAC fan.

So it was a breath of fresh air yesterday when I interviewed Ofir Arkin, CTO and co-founder of Insightix, who has just finished a white paper about NAC that will be published later this week. In the paper, Insightix asks some good, common-sense questions about NAC and the products that claim to support it.

One caveat: Insightix is one of the few vendors out there that offers an alternative to NAC, so there is clearly a marketing purpose behind the white paper. Arkin, who made a presentation about NAC vulnerabilities at last year's Black Hat conference in Las Vegas, definitely has an agenda. (See Researchers Break Down NAC Defenses.) But after looking at the paper, I think it raises some real questions that some IT people may not have considered -- and may want to include in their NAC RFPs.

The first question you should ask is how the vendor defines NAC. As Insightix observes, many vendors have twisted the definition to fit their own particular product lines, making it hard to get an apples-to-apples comparison of features and capabilities. If the vendor's definition doesn't match the requirements of your end-point security architecture, you may have the basis to eliminate it from consideration right there.

A second question to ask up front is whether the vendor's solution will require changes to your network or security architecture. Some vendors' NAC strategies depend on hardware that you may not have, or they may require a homogeneous network architecture that you can't implement. A viable NAC solution shouldn't require wholesale changes on your part.

A third question is how the vendor discovers the end points in your network. As Insightix notes, many vendors require an agent application to be installed on all NAC devices (which may present problems for guests). Others simply cannot detect all the end points -- Microsoft's Network Access Protection, for example, works only with Windows. Be sure your NAC solution can find everybody (and every device) who wants to connect securely to the network.

Another key question is how the system handles quarantining of users and devices that don't meet NAC policy. Some NAC solutions help the end user remediate the quarantined device so it can gain access -- others simply lock the users out.

A final question is how the NAC solution handles enforcement. This discussion can get pretty complex, but what you really want to know is whether the technology you're evaluating can enable the network access policies that you want to enact. If it can't, you'll have to decide whether you want to alter your policies to fit the technology -- or simply eliminate that one from consideration.

NAC does have a wide base of support across the industry, and that's great, as long as it truly does what your enterprise needs it to do. Before jumping on the bandwagon, ask some of these questions -- and as many more as you can think of. There's nothing worse than riding on a bandwagon that's going in the wrong direction.

— Tim Wilson, Site Editor, Dark Reading