11.3. What Are Your Best Practices?

You can plan a NAC rollout in many ways, but in each case, the best recommended practice involves careful planning, phased deployment, and leveraging experts in the field to ensure a smooth and successful project.

11.3.1. On location

You can phase in your NAC solution by location. Select a certain office, floor, or area where you can deploy NAC piece by piece, systematically rolling it out across your entire organization. This approach allows you to work with manageable segments of the user groups, network infrastructure, and endpoint machines. A location-based phase-in also allows for a kind of extended pilot — the user group simply grows over time.

Organizations that have attempted to roll out NAC to all their users all at the same time have often backtracked to roll out in smaller parts of their network before providing NAC to the whole user community. This allows the organizations to test and refine how they plan to roll out NAC with a smaller group of users before enforcing policies for everyone.

You can take a similar approach to this type of deployment by deploying NAC in public areas, such as lobbies and conference rooms, prior to deploying in the rest of the network. Figure 11-2 illustrates an approach that allows for gradual, controlled guest-user access in public areas, providing protection where the company is most vulnerable because of an absence of physical access controls (such as badge readers, security guards, and so on).

Figure 11.2. A location-based rollout plan.

11.3.2. Role playing

Most organizations have certain data that's more sensitive than other data on the network:

  • A public company might have financial data that the Sarbanes-Oxley Act requires them to protect.

  • A software company might need to securely protect its source code.

In these cases and countless others, some data has a role in the organization that requires better protection than other corporate data. As a result, treat protection of this data with a higher level of urgency. Figure 11-3 shows this process.

Figure 11.3. A role-based rollout plan.

In these cases, the preferred deployment might involve providing access controls that require authentication of only those people who access this sensitive data. Many NAC solutions offer a deployment model that allows you to place an enforcement point in front of certain key resources, requiring authentication and endpoint assessment only when the user wants access to the system.

For example, all employees in a corporate network have relatively open access to the LAN, which lacks access control enforcement, but to access the sensitive financial data, user authentication and endpoint assessment through NAC must occur. After the company has solidified the NAC deployment for this use case, they can expand the scope of their NAC deployment to include the rest of the network.

11.3.3. Wireless, rather than wired

Many organizations have targeted their wireless infrastructure as most sensitive, and therefore, that infrastructure most urgently needs the protection provided by NAC. A wired port can more tightly control who can access the network; its physical infrastructure separates authorized users from non-authorized users. Wireless connections don't have that distinction — a user can access a wireless connection within buildings, outside buildings, in parking lots, in common or public areas, and so on. So, you might want a NAC deployment that first spans your wireless infrastructure when you start to phase in NAC.

11.3.4. Function first

Many of the early adopters of NAC technologies have phased in their NAC deployment via functionality, rather than by location or user group. For instance, your organization might want to use NAC for both user authentication and endpoint assessment, but you decide to start by enabling one or the other first, and then working with the rest of the functionality after you gain experience and confidence.

First concentrating on user authentication and guest access can help you figure out who's on your network and whether they're members of your organization who need access to potentially sensitive corporate data.

After you successfully roll out user authentication, you might then add granular access control within your internal groups. For example, in addition to authenticating employees, you might layer in access control lists (ACLs) or other types of network controls that segment traffic and access by user groups — allowing users in the Engineering group to access engineering data only, while at the same time allowing users in the Finance group to access finance data only. Both groups might have access to the intranet and other common corporate resources that guests can't access.

When user authentication has been fully deployed, you might decide which machines can access which resources, and you might also add endpoint integrity to the policy and control engine for your NAC solution. Machine-based access control is the next logical step in the deployment progression. For example, at this point, you might decide that users on mobile devices or their own unpatched machines can gain only very limited access to corporate data, whereas the same users on an appropriately patched corporate-owned machine get full access.
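The function-first progression described above (authentication, then group-based access control, then endpoint integrity) and the earlier idea of putting an enforcement point only in front of sensitive resources can both be expressed as a policy engine whose enforcement functions are switched on one phase at a time. The following is an added example written for this section, not code from the original book or from any NAC product; the resource names, group names, tiers, sample users and endpoint attributes are all constructed for illustration.

```python
"""Toy NAC policy engine for a function-first rollout (added example).
Each rollout phase enables one more enforcement function, and the same
access request can be re-evaluated under every phase to see what changes."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Access tiers in increasing order of trust."""
    DENY = 0
    GUEST = 1     # public resources only, e.g. Internet access from a lobby
    LIMITED = 2   # common corporate resources, no sensitive data
    FULL = 3      # sensitive data, additionally subject to group ACLs


@dataclass(frozen=True)
class Endpoint:
    corporate_owned: bool
    patched: bool
    mobile: bool = False


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool
    groups: frozenset
    endpoint: Endpoint


@dataclass(frozen=True)
class Policy:
    """Which NAC functions are enforced; each flag is one rollout phase."""
    enforce_authentication: bool
    enforce_group_acl: bool
    enforce_endpoint_integrity: bool


# Hypothetical resources: minimum tier, plus the groups allowed once ACLs are
# enforced. An empty group set means any user at the required tier may access it.
# Resources at Tier.GUEST sit on the "open LAN"; only higher tiers are behind NAC.
RESOURCES = {
    "internet":    (Tier.GUEST,   frozenset()),
    "intranet":    (Tier.LIMITED, frozenset()),
    "finance-db":  (Tier.FULL,    frozenset({"finance"})),
    "source-repo": (Tier.FULL,    frozenset({"engineering"})),
}

# Function-first rollout: authentication first, then group ACLs, then endpoint checks.
PHASES = {
    "authentication":     Policy(True, False, False),
    "group-acl":          Policy(True, True,  False),
    "endpoint-integrity": Policy(True, True,  True),
}


def access_tier(policy: Policy, session: Session) -> Tier:
    """Map a session to a tier under the currently enforced functions."""
    if policy.enforce_authentication and not session.authenticated:
        return Tier.GUEST          # unknown users are treated as guests
    if policy.enforce_endpoint_integrity:
        ep = session.endpoint
        # Personal, unpatched or mobile devices get limited access even for known users.
        if not ep.corporate_owned or not ep.patched or ep.mobile:
            return Tier.LIMITED
    return Tier.FULL


def resource_allowed(policy: Policy, session: Session, resource: str) -> bool:
    """Default-deny decision for one resource request."""
    if resource not in RESOURCES:
        return False               # unknown resource: deny rather than guess
    required_tier, allowed_groups = RESOURCES[resource]
    if access_tier(policy, session) < required_tier:
        return False
    if policy.enforce_group_acl and allowed_groups and not (session.groups & allowed_groups):
        return False               # right tier, wrong group (e.g. finance user on source repo)
    return True


def decisions_by_phase(session: Session, resource: str) -> dict:
    """Evaluate one request under every rollout phase, keyed by phase name."""
    return {name: resource_allowed(policy, session, resource)
            for name, policy in PHASES.items()}


# Constructed sample sessions.
GUEST = Session("visitor", False, frozenset(),
                Endpoint(corporate_owned=False, patched=False))
FINANCE = Session("alice", True, frozenset({"finance"}),
                  Endpoint(corporate_owned=True, patched=True))
ENGINEER_BYOD = Session("bob", True, frozenset({"engineering"}),
                        Endpoint(corporate_owned=False, patched=False))

if __name__ == "__main__":
    for s in (GUEST, FINANCE, ENGINEER_BYOD):
        for r in RESOURCES:
            print(f"{s.user:8} {r:12} {decisions_by_phase(s, r)}")
```

Running it shows the progression the section describes: the engineer on a personal unpatched laptop keeps source-repo access through the authentication and group-ACL phases and loses it only when endpoint integrity is switched on, while the finance user on a patched corporate machine loses source-repo access as soon as group ACLs are enforced but keeps finance-db access throughout. The guest never gets past the Internet tier, which is the only resource on the "open" side of the enforcement point.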
