Saturday, September 11, 2010      


QUESTION

Our IT people keep talking about NAC. What is the threat and should I spend money on it?


Asked by:   Jon Grounds, De Montfort University


  Martin Ingram, Vice President of Product Management, AppSense

Network Admission Control or NAC is a technology that lets you control whether a machine gets onto your network. It lets you enforce what security must be in place and working on the machine before it connects, sending it to a quarantine area if it does not meet your policies. There are some situations when this can be useful and others where there is little benefit.

Ultimately NAC protects your internal network from a machine with a configuration that is in some way corrupt. I can think of several possible ways this could happen, the most likely of which are: a user altering the configuration (turning off AV, perhaps) or malicious code infecting the machine. NAC would provide protection from these situations, but the real question is: could you prevent the machine being corrupted in the first place and so not need NAC? If the machine is well controlled and used in a controlled environment then you can, and NAC will not offer you much. However, if the machine is not tightly managed and locked down, or is used outside your own network, such as a laptop used by a roaming user, then NAC has a lot to offer.

At the end of the day your decision will come down to the level of risk that you find acceptable but for most organizations a selective approach will make most sense.



  Tim Eades, Senior Vice President of Sales and Marketing, Sana Security

"NAC. Network Access Control is a verification solution to ensure people connecting to your network have their signatures, patches etc up to date before connecting. The solution does contribute value to an organisation, however the challenges remain when users who are not up to date are pushed to a virtual LAN to get the relevant updates."

"Therefore, the user experience still is not what it should be, and NAC still does not deal with any day zero threats, as nearly all NAC vendors don't have behaviour solutions integrated into them, which means a high risk of infection still remains."

"When looking at vendors in this space be sure to find one that is 'agnostic' to specific network equipment; this way you are more likely to get a best of breed solution and something that is 'core' to the company, not 'context', such as Consentry Networks and Mirage Networks."



  Samantha Gurr, Technical Support Director, EMEA, Trend Micro

Day-zero virus and worm invasions continue to disrupt business, causing downtime and continual patching.

Network Access Control (NAC) enables organizations to reduce this risk by preventing vulnerable hosts from obtaining and retaining normal network access. NAC ensures that all hosts comply with the latest corporate antivirus, security software, and operating system patch policies prior to obtaining normal network access. Vulnerable and noncompliant hosts may be isolated and given reduced network access until they are patched and secured, thus preventing them from being the targets of, or the sources for, worm and virus infections.



  Carole Theriault, Senior Security Consultant, Sophos

Dear Jon,
Network access control (NAC) essentially allows or denies access to a network and its resources by checking whether a user, and the device used, is compliant with the policy. It is a bit like a bouncer at a night club. It can deny entry to rogue, guest, non-compliant, or infected systems. So, for example, if operating systems are unpatched, personal firewalls are turned off, or unauthorized applications are being used, they will be denied access to your network.

Should you spend money on it? As you are writing from a university, I will assume you are talking about a network that students can join and leave with their own machines. And NAC could certainly help you there, because you can set a unifying policy for the network that stipulates the need for anti-virus to be installed and updated, a firewall to be configured appropriately, for patches to be up to date, etc. And the more sophisticated NAC solutions can detect the presence and settings of a huge number of security applications, not just the ones installed on the network.

This can be invaluable in protecting the network from all kinds of bad stuff, saving you time and resource on manning the network.
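As an added illustration, not written by any of the respondents above, the following Python sketch shows the kind of posture evaluation a NAC policy engine performs before admitting a host: it compares a device's reported state against the checks the answers name (anti-virus installed and updated, personal firewall on, patches current, no unauthorized applications) and returns allow, quarantine (the remediation VLAN), or deny. The thresholds, host names, banned-application list and the choice to deny rather than quarantine hosts running banned software are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed policy; thresholds and banned application names are assumptions.
POLICY = {
    "max_signature_age_days": 3,    # AV signatures older than this are "out of date"
    "max_patch_age_days": 30,       # OS patch level older than this is non-compliant
    "banned_apps": {"p2p-client", "remote-admin-tool"},
}


@dataclass
class Posture:
    """What a NAC agent (or agentless scan) reports about a connecting host."""
    host: str
    av_installed: bool
    av_signature_date: Optional[date]
    firewall_on: bool
    last_patch_date: Optional[date]
    running_apps: Set[str] = field(default_factory=set)


def _older_than(d: Optional[date], today: date, limit: int) -> bool:
    # A missing date is treated as failing the check, never as passing it.
    return d is None or (today - d).days > limit


def evaluate(p: Posture, today: date, policy=POLICY) -> Tuple[str, List[str]]:
    """Return (decision, failures) where decision is 'allow', 'quarantine' or 'deny'.

    Remediable problems (stale AV, patches, firewall off) send the host to the
    quarantine VLAN so it can update; banned software is refused outright.
    """
    failures: List[str] = []
    if not p.av_installed:
        failures.append("antivirus not installed")
    elif _older_than(p.av_signature_date, today, policy["max_signature_age_days"]):
        failures.append("antivirus signatures out of date")
    if not p.firewall_on:
        failures.append("personal firewall disabled")
    if _older_than(p.last_patch_date, today, policy["max_patch_age_days"]):
        failures.append("operating system patches out of date")
    banned = p.running_apps & policy["banned_apps"]
    if banned:
        failures.append("unauthorized applications: " + ", ".join(sorted(banned)))
        return "deny", failures
    return ("allow" if not failures else "quarantine"), failures
```

A real deployment would feed the result to the switch or VPN gateway (VLAN assignment or ACL) and log the failure list for the helpdesk; the evaluation logic itself is what the policy "bouncer" applies.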