What is NAC?
Blogger: Eric Maiwald
Admission or access? Products, product category, or what? Why is there so much buzz about NAC? Should I be looking for a NAC under the Christmas tree this year? Is it something that should be part of my New Year’s resolutions – “I will NAC this year!” Or maybe “I will buy a NAC!” Or perhaps “I will install a NAC!” You get the idea…
The acronym has three components:
- Network – There is a debate as to how much of this type of mechanism belongs in the network. It might be that these mechanisms belong on the end points.
- Access or Admission – You can take your choice here. Admission implies a mechanism to limit end points as they come on to the network while Access implies a mechanism to limit how the end points can use the network and connect to resources.
- Control – Control is the word most overlooked. Webster defines control as “verb: to check, test, or verify by evidence or experiment, to exercise restraining or directing influence over.” As a noun it is defined as “power or authority to guide or manage.”
So we are talking about exercising influence or management over who can access resources, either by limiting connections to the network or by limiting the traffic as it is directed to the resources. So NAC is really another control that an enterprise can use to enforce a policy and better manage its resources.
Don’t we do that already? Just look at the IT environment. We have authentication mechanisms, vulnerability scanners, patch management systems, firewalls, intrusion detection and prevention devices, content filters, VPNs, and the list goes on. Aren’t these mechanisms implementing a policy regarding access to resources? It sure seems like they are.
Maybe I just don’t understand the secret sauce that is found in the “NAC products.” Alright, let’s take a look at them:
Some NAC products sit on the network (either in-line or out of band) and watch the traffic. They make decisions on what traffic should pass and what traffic should be blocked. The NAC product might block traffic or it might communicate with a switch that kicks the offending end point off the network. Doesn’t this sound like a firewall, IDS, or IPS? I have a policy about what traffic is allowed on my network and I am going to control it by placing some device within the network.
Some NAC products watch for an end point to come on to the network. They check the policy on the end point (patch level, virus signature level, configuration, etc.) before making a decision to allow the end point to connect or not. This sounds like a great way to perform vulnerability management (assuming that you have a good remediation mechanism! I would hate to have to explain to my CEO why he couldn’t check his email for a few days.). I have a policy that says that an end point can’t connect to my network unless it conforms to some configuration standard and I am going to control it by verifying the configuration of the end point before I activate the switch port or provide the network address or allow it through my VPN.
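As an added illustration (not code from the original post or from any NAC product), here is a hypothetical posture check of the kind the second product class performs at connect time: a policy made of a patch baseline, an antivirus signature age and required configuration settings, evaluated into the allow / quarantine / deny decision that a switch port, DHCP server or VPN gateway would then enforce. The policy values, host names and the fixed "today" date are constructed; "quarantine" models the remediation network the paragraph above says you had better have.

```python
from dataclasses import dataclass
from datetime import date

# Constructed admission policy (hypothetical values, not from any product).
POLICY = {
    "min_patch_level": 12,                 # numeric patch baseline
    "max_signature_age_days": 7,           # antivirus signature freshness
    "required_config": {"host_firewall": True, "disk_encryption": True},
}

@dataclass
class Posture:
    host: str
    patch_level: int
    signature_date: date
    config: dict

def evaluate_posture(p, policy=POLICY, today=date(2008, 1, 15)):
    """Return (decision, reasons): 'allow', 'quarantine' or 'deny'.
    Remediable shortfalls (old patches, stale signatures) get 'quarantine', i.e. a
    remediation VLAN where only update servers are reachable; config violations 'deny'."""
    reasons = []
    if p.patch_level < policy["min_patch_level"]:
        reasons.append(f"patch level {p.patch_level} below {policy['min_patch_level']}")
    age = (today - p.signature_date).days
    if age > policy["max_signature_age_days"]:
        reasons.append(f"AV signatures {age} days old")
    for key, wanted in policy["required_config"].items():
        if p.config.get(key) != wanted:
            reasons.append(f"config {key}={p.config.get(key)!r}, expected {wanted!r}")
    if not reasons:
        return "allow", reasons
    if any(r.startswith("config ") for r in reasons):
        return "deny", reasons          # needs an administrator, not a patch run
    return "quarantine", reasons        # let it reach update servers, nothing else

# Constructed sample end points as they might report posture when they connect.
SAMPLE_ENDPOINTS = [
    Posture("laptop-ok", 14, date(2008, 1, 12), {"host_firewall": True, "disk_encryption": True}),
    Posture("laptop-stale", 10, date(2007, 12, 1), {"host_firewall": True, "disk_encryption": True}),
    Posture("laptop-nofw", 14, date(2008, 1, 14), {"host_firewall": False, "disk_encryption": True}),
]

def admission_decisions(endpoints=SAMPLE_ENDPOINTS):
    """Map host -> decision, the form an enforcement point (switch, DHCP, VPN) consumes."""
    return {p.host: evaluate_posture(p)[0] for p in endpoints}
```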
I think enforcing policies like these makes a lot of sense. We already know that better management of the end points helps to limit compromises of sensitive information and outbreaks of malicious software. When it comes down to it, better management helps us control lots of bad things. Maybe NAC is really all about better management.
What do you think? Have you seen similar views in other places? Post your comments, views, or links in the comment section.
Burton Group will be examining the whole NAC issue in greater depth in 2008.