Controlling Network Access Control

The story Big Business Slow to Adopt Network Access Control reveals that big businesses are slow to adopt Network Access Control (NAC) for a few reasons.

As you might know, NAC allows you to check for endpoint policy compliance and provides some form of quarantine and remediation path. So, for example, if NAC determines that a PC doesn't have certain security patches installed or isn't running specific antivirus software, NAC can prevent the PC from accessing network resources. NAC technology sounds like a good idea for internal private networks. But bigger implications need to be considered before the technology starts being deployed rampantly.

I read another story in the news last week about an antivirus company (that shall remained unnamed by me) that released a new solution aimed at online businesses, such as banks and other merchants of products and services. The solution is a form of NAC that would prevent someone from accessing certain areas of a Web site unless the person's computer passes a security scan.

If your bank decided to use the solution, you wouldn't be able to conduct online banking without first proving compliance with the bank's idea of proper security. That would of course include letting the bank download an ActiveX control onto your computer that would scan your system for various forms of malware. The same would hold true for any business that decided to use the technology for its Internet-facing Web site.

I think a lot of you will agree that such a scenario is a major problem. First and foremost, letting some relatively untrusted third party install software on your computers is a big risk. Second, letting someone else dictate how you handle system security is outright ludicrous. Third, ActiveX controls are notoriously targeted by intruders looking for weaknesses. And finally, not all platforms support the use of ActiveX controls, so any site that enforces the use of this particular solution would necessitate the use of particular platforms, which runs counter to the concept of an open cross-platform World Wide Web.

This is where NAC seems to be headed, and it seems like a very dangerous path to me. It's probably a good idea to keep your eye on NAC product developments to see what the key players are up to. At the same time, keep an eye on smaller players, which seek to compete by offering niche solutions that target existing problems, such as the theft of credentials, as a means of quicker market penetration.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.