Network security solutions increase
As companies become increasingly dependent on network-based information, the number of Network Access Control (NAC) solutions in the market has grown, says MD of Channel Data, Mike Hamilton.
This trend, which is a result of increased automation in business processes, the increased elasticity of corporate boundaries, and an increase in off-site contractors and work-from-home employees, has emphasised the need for access control and fuelled competition between NAC providers.
“NAC solutions monitor users' activities and collect data within corporate-defined compliance rules, implement the appropriate access policy for each user/session, and propagate that policy to enforcement points throughout the network. The problem facing users is there are basic differences between NAC systems on the market. For example, some simply use scanning and network inventory techniques to determine access criteria, shunning agent software. Others are more comprehensive,” he says.
Hamilton maintains that an effective NAC solution must contain an NAC software agent, a policy management server and clearly identified enforcement points.
“The NAC software agent, effectively a downloadable software client, is central to the solution because it serves as an 802.1X supplicant and includes the ability to gather host posture information. This means it has the ability to collect user credentials and assess the network's endpoint security state via 'host checker' functionality that should be integrated into the agent.”
Hamilton adds that a policy management server is central to NAC policy enforcement as well as the interface to existing enterprise infrastructures. It should be able to push the agent software to endpoint devices, gather user authentication data and determine the endpoint security state.
“At the network edge, for example, Ethernet switches could be configurable to act as enforcement points. Within the network core and data centre, all firewalls and intrusion detection and prevention appliances could act as enforcement points and permit or deny access to a server or WAN router,” explains Hamilton.
One of the biggest hurdles facing users today is that not all network switches support the range of enforcement actions, he says. “The ability to support a rich set of enforcement actions across its switch platforms should be a design goal of the NAC vendor, with all switch ports acting as enforcement points, controlling traffic based on the dynamic policies created and propagated by NAC.”