RealTime IT News

Interop: The Problem With NAC

LAS VEGAS -- Network Access Control (NAC) technology may well be the next great evolution for enterprise networks, providing security and policy compliance.

But as NAC gains steam -- shifting from its early-adopter phase to what many industry insiders see as increasingly must-have technology -- both enterprises and vendors need to understand the risks they're taking.

At stake is nothing less than billions of dollars in networking equipment, not to mention the overall security of the enterprise, according to Joel Snyder, the widely regarded NAC expert who ran the NAC Day program today here at the Interop conference.

"Are you ready to add another 'priority one' service to your network?" asked Snyder, a senior partner at Opus One, before a capacity crowd of several hundred NAC Day attendees. "What happens if the policy decision point goes down?"

The questions highlight the decision ahead of network admins considering NAC -- and they risks they face by relying on the technology. Since NAC is by definition an access control technology, if its services are not operational, then access to the entire network can be threatened.

Consequently, if an enterprise deploys a NAC solution, it's critical that it ensures that it has the proper redundancy and resiliency demanded by its particular network requirements, Snyder said.

It's also unclear how much support there is for NAC for remote users, another element buyers should weigh.

"How will you do NAC in remote access and wireless situations?" Snyder asked. "What works inside the LAN should bring you value everywhere. [But] the reality is that some NAC products are only designed to work in one environment."

Snyder added that when deploying NAC, the network needs to properly take all access methods into account.

In many ways, NAC is a disruptive technology, in that it fundamentally changes the network access paradigm. In the pre-NAC era, a user simply plugged their Ethernet cable into a jack to access the network.

[cob:Special_Report]With NAC, that's not the case, as any user who plugs in is subjected to an audit to ensure policy compliance before they can proceed.

"When you add NAC to a network, it's no longer a switching infrastructure -- it's a policy infrastructure," Snyder said. "You plug something in and only maybe will it work."

But with that paradigm change, network professionals must cope with another potential hurdle in deploying NAC: the issue of false positives, which could undermine the technology's perceived usefulness within the enterprise.

But to Snyder, it's important that the organization as a whole buys into the concept of NAC, seeing such difficulties as a necessary trade-off for network security.

"The goal of NAC is to get people on the network and not to keep devices off the network," he said. "Make sure that your NAC vendor shows you a management interface, so when things go wrong, you understand what's going wrong, so you can keep people happy."

Of course, these problems all mean enterprises have a great deal on which to reflect when considering whether to implement NAC.

"What value does NAC bring to the organization?" Snyder asked, citing vendors' traditional high-level answers, including compliance and security.

But he added that it's difficult to provide actual metrics for calculating the return on investment (ROI) of any security technology.

"I can't answer the question for you, but when you go figure out your deployment, you need to answer why your organization should spend time and money on NAC and what is the ROI going to be."