So, how do you decide the best NAC solution approach for you, your network, and your organization? How do you select a solution to best meet your access control needs, without forcing yourself to redesign or redefine your network?
No one offers a single, be-all-and-end-all NAC product. First, you and your organization must decide what area or areas of your network you need to secure, as well as what issue is the most dangerous to your organization, network, and resources. A NAC solution can address these kinds of needs:
Giving guest users secure, appropriate access to your network, while protecting your key resources and IP
Differentiating access for different user types, such as employees, contractors, partners, and guests
Protecting sensitive data and intellectual property from unauthorized access
Reducing insider-threat risk by limiting what any one user or device can reach
Addressing regulatory compliance and preparing for compliance audits
Regardless of the issue or issues that your organization prioritizes — what parts of the network your organization wants to control access to, from whom, and for whatever reason — you need to research and answer all these questions before you decide on the NAC solution type, vendor, and product that you want to review or purchase.
Whatever your NAC needs, you can find a NAC solution, deployment type, and environment that can well address your security and access control needs. Just know about any limitations that your NAC solution has and take those limitations into consideration before purchasing the solution.
Make sure that any NAC solution your organization reviews or selects has the following attributes and capabilities.
NAC solutions usually combine two types of checks: user identity and endpoint integrity. A good NAC solution, though, should combine user identity, device integrity, and location information with policy to deliver dynamic, comprehensive access control.
A NAC solution should define policies based on user and/or device identity and on the user's role, with roles assigned ahead of time (for example, from your directory or AAA system) rather than worked out at connection time. It should also be able to re-evaluate policy on the fly: if endpoint integrity, user or device identity, or other factors change, the solution must assign a new policy and take the appropriate enforcement action to protect the network and its resources. You need to know who is on your network, where they are going, and what they are doing, particularly if you face regulatory compliance requirements and audits. Tracking users and devices by IP address alone is no longer enough.
The NAC solution that you choose should be able to deliver a rich set of predefined endpoint integrity checks, as well as the ability to create custom endpoint checks right out of the box. It should also be capable of making dynamic network status changes if the endpoint device's security state, network information, or user information changes — even if the changes occur in the middle of a network session. Your NAC solution must enforce dynamic policy in real time across a distributed network. And any NAC solution that you select needs to effectively address the quarantine and remediation of an offending user, and his or her device, prior to granting network access. You also want a NAC solution that includes automatic or automated remediation, in addition to self-remediation capabilities.
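To make concrete what "combining identity, posture and location with policy, re-evaluated mid-session" looks like, here is an added toy policy engine in Python. It is not code from this page or from any NAC product; the role names, posture checks, VLAN numbers, location labels and threshold values are constructed assumptions chosen only to illustrate the decision flow (admit, quarantine on a posture failure, restore after remediation, narrow access when location changes).

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# ---- Constructed data model (illustrative toy, not any vendor's API) ------------

@dataclass
class Endpoint:
    device_id: str
    av_running: bool
    av_signature_age_days: int
    os_patch_level: str          # assumed "YYYY-MM" string so it compares lexically
    disk_encrypted: bool

@dataclass
class Decision:
    action: str                  # "full" | "restricted" | "quarantine" | "deny"
    vlan: int
    apps: frozenset
    failed_checks: frozenset = frozenset()

@dataclass
class Session:
    user: str
    role: str                    # assumed to come from the AAA/directory lookup
    location: str                # assumed labels: corp-wired, corp-wifi, guest-wifi, remote-vpn
    endpoint: Endpoint
    decision: Optional[Decision] = None

# ---- Endpoint integrity checks: a predefined set plus a hook for custom ones ----

POSTURE_CHECKS: Dict[str, Callable[[Endpoint], bool]] = {
    "antivirus_running": lambda e: e.av_running,
    "av_signatures_fresh": lambda e: e.av_signature_age_days <= 7,   # assumed threshold
    "os_patched": lambda e: e.os_patch_level >= "2024-01",           # assumed baseline
}

def register_custom_check(name: str, predicate: Callable[[Endpoint], bool]) -> None:
    """Add a site-specific check, e.g. a compliance-driven disk-encryption rule."""
    POSTURE_CHECKS[name] = predicate

# ---- Role policy: required checks, reachable applications, enforcement VLAN -----

ROLE_POLICY = {
    "employee":   {"required": {"antivirus_running", "av_signatures_fresh", "os_patched"},
                   "apps": {"email", "intranet", "finance"}, "vlan": 10},
    "contractor": {"required": {"antivirus_running", "os_patched"},
                   "apps": {"email", "intranet"}, "vlan": 20},
    "guest":      {"required": set(), "apps": {"internet"}, "vlan": 99},
}
GUEST_LOCATIONS = {"guest-wifi"}
UNTRUSTED_LOCATIONS = {"guest-wifi", "remote-vpn"}
SENSITIVE_APPS = {"finance"}                      # reachable only from corporate segments
QUARANTINE_VLAN, REMEDIATION_APPS = 666, frozenset({"remediation-portal"})

def evaluate(session: Session) -> Decision:
    """Combine identity/role, endpoint posture and location into one decision."""
    policy = ROLE_POLICY.get(session.role)
    if policy is None:
        return Decision("deny", 0, frozenset())             # unknown role: fail closed
    if session.role == "guest" and session.location not in GUEST_LOCATIONS:
        return Decision("deny", 0, frozenset())             # guests stay on the guest segment
    failed = frozenset(n for n in policy["required"]
                       if not POSTURE_CHECKS[n](session.endpoint))
    if failed:
        # Posture failure: isolate with reach only to remediation, do not silently drop.
        return Decision("quarantine", QUARANTINE_VLAN, REMEDIATION_APPS, failed)
    apps, action = set(policy["apps"]), "full"
    if session.location in UNTRUSTED_LOCATIONS and apps & SENSITIVE_APPS:
        apps -= SENSITIVE_APPS                              # location narrows application access
        action = "restricted"
    return Decision(action, policy["vlan"], frozenset(apps))

def admit(session: Session) -> Decision:
    """Initial admission (or any re-evaluation): store and return the decision."""
    session.decision = evaluate(session)
    return session.decision

def on_change(session: Session, **changes) -> Decision:
    """Mid-session event: apply the changed posture/location/role and re-evaluate at once."""
    for key, value in changes.items():
        target = session.endpoint if hasattr(session.endpoint, key) else session
        setattr(target, key, value)
    return admit(session)

def demo() -> List[str]:
    """One employee session: admitted, quarantined when signatures go stale,
    restored after remediation, then restricted after roaming to VPN."""
    laptop = Endpoint("lt-0042", av_running=True, av_signature_age_days=2,
                      os_patch_level="2024-03", disk_encrypted=True)
    s = Session("alice", "employee", "corp-wired", laptop)
    trail = [admit(s).action]
    trail.append(on_change(s, av_signature_age_days=30).action)   # signatures went stale
    trail.append(on_change(s, av_signature_age_days=0).action)    # self-remediated
    trail.append(on_change(s, location="remote-vpn").action)      # roamed to VPN
    return trail

if __name__ == "__main__":
    print(" -> ".join(demo()))
```

The point of the toy is the shape of the decision, not the specific rules: a posture failure lands the device in a quarantine segment that reaches only remediation, a fix is picked up by the next re-evaluation rather than by a fresh login, and a change of location alone can narrow application access without touching identity or posture. In a real deployment the same logic is driven by RADIUS/802.1X events, posture agents and switch or firewall enforcement rather than by in-process function calls.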
If your organization must comply with industry or government regulations, ask whether, and how, the NAC solution helps you meet those requirements. The best NAC solution simplifies adherence to regulatory requirements by providing both the required controls and the audit data you need to prove compliance. A NAC solution also needs to address application access control, which lets an organization apply user- and/or device-level policies to sensitive or protected applications, limiting access to critical data to authorized users and devices only. A NAC solution that addresses application access control can also provide a quick, effective way to virtually segment your network. Finally, any NAC solution today must provide visibility into, and monitoring of, the users and devices attempting to access the network and its applications. Matching user identity and role information with network and application usage lets the NAC solution track and audit access more precisely, and the same role information can drive the access control policy itself.
Consider whether the NAC solution leverages your investments in existing access and security devices. Your NAC solution needs to work with your existing firewalls, Ethernet switches and access points, and AAA infrastructure, and it shouldn't require costly, time-consuming upgrades or a rip-and-replace scenario. Any NAC solution should integrate quickly and cleanly with your existing AAA infrastructure to validate user identity. It should also interoperate with your other network and security infrastructure, such as intrusion prevention systems (IPSs) and security information and event management (SIEM) solutions, so that those components can feed and act on NAC decisions, protecting your investment while delivering comprehensive access control.
When you look at NAC solutions, consider what you need to deploy the solution. Most organizations are best suited to a phased deployment approach to NAC. Flexibility in your NAC solution is vital because a network is fluid, not static; your NAC solution should be able to change with and adapt to your network while that network grows and changes. The NAC solution should be able to add an additional enforcement method without requiring you to rip and replace the network that you've already deployed. One of the best ways to ensure this level of interoperability is to seek solutions that are based on open specifications and standards.
Consider the ease of administration and management of a NAC solution when you select one for your organization. A good indicator is whether you can manage the NAC solution with the network management capabilities you already have. Can solutions or access control devices share or reuse security and access control policies? Does the NAC solution have a centralized management console for administering and provisioning the various solution and/or infrastructure components? Also take into account how easily you can create or edit policies and deploy endpoint integrity checks, and whether the solution ships with predefined host checks and policy templates.
The value that you get from a NAC solution combines deployment flexibility, ease of use, the time you must spend administering and managing the solution, the acquisition cost, and the time you need to spend redesigning your network (if required). What security or access control components or policies can you leverage, reuse, or repurpose on your network to help enforce NAC? If a solution requires you to upgrade your switching infrastructure, you must also factor in the time needed to inventory the devices on your network, determine which switch models you have deployed and which code versions they run, obtain the required hardware and/or software upgrades, and test the network afterward. You may find a phased approach to deployment easier to justify to your organization or management because it can save valuable time and expense. Be aware, though, that some NAC solutions lend themselves to phased deployment and others do not.