Experts advise caution on implementing NAC
Do you really need it?
By Elizabeth Montalbano, IDG News Service | Published: 06:00, 25 September 2006
Security researchers and experts have cautioned network administrators to consider carefully whether they need to implement network access control (NAC) technology in their security infrastructure before buying in to the current hype surrounding it.
Speaking on a panel at the Interop New York conference, Josh Corman, host protection architect for Internet Security Systems, said that a company should have good reason to implement NAC, not just purchase the technology because it's the latest buzzword in the industry. "Do you want NAC because you heard it’s important or do you have real business problems to solve?" he said.
NAC allows companies to perform health checks on end-point devices such as PCs and mobile devices before they are granted access to company networks. For example, employee PCs might be checked to make sure they are not infected with a virus and have up-to-date antivirus definitions before being allowed onto a corporate LAN.
Corman was joined on the panel by Mike McKinnon, Americas director of security for Hewlett-Packard's ProCurve networking business; Elliott Glazer, direct of security architecture and consulting for Depository Trust and Clearing Organization; and Paul Stamp, a security analyst with Forrester Research.
Speaking from a customer perspective, Glazer said he is more concerned at the moment with making sure the network infrastructure in his company itself is secure before worrying about how that network can check on the health of devices coming on to the network.
"One of the fundamental things that has to be considered when you think about NAC is, is the network secure enough?" he said. "When I look at NAC, I say it's a great thing to do, but what do I do when someone comes in with a new piece of hardware - what's it going to do to my network? Before I go down a NAC path, I'm going to make sure there is a secure environment there for me."
"There's a lot of great stuff about NAC, but for us it's a little early," Glazer said.
Forrester's Stamp said that for NAC to work effectively, companies involved in providing network security and those developing client technology must work together to make sure the networks can communicate effectively with endpoint devices.
"[In NAC] it is the client-based technologies that are giving us the information, it is the client-based technologies that have to deal with any of the problems that arise," he said. "We as security are setting the policies, but the policies are taken into actionable rules by endpoint people. We have to be open to that and help them out. We really have to embrace the involvement of the endpoint guys."