Who controls what connects to your network? You've probably got contractors coming in and out of your building, accessing your network and introducing all kinds of threats right under your nose. In fact, your mobile workers and other offsite employees might even be your biggest problem, taking their laptops home or into the field and bringing them back infected with potent malware that's just itching to bring down your infrastructure. The increasingly popular solution to these problems is Network Access Control (NAC), which ensures that every device connecting to your network conforms to your company's security baselines.
NAC has its origins at Cisco, which pioneered a pre-connect security technology that augmented firewall functionality. Since then, NAC has become a much more robust technology. Vendors offer several approaches to NAC, and you need to be aware of key differentiators.
Is the solution client-based or clientless? Whereas client-based solutions tend to be OS-specific and require the installation of agents, clientless solutions can detect any device connecting to the network, regardless of origin. Clientless solutions also don't need to automatically require device quarantine by default.
Enforcement is another differentiator. Does the solution immediately place connecting devices into a remediation virtual LAN (VLAN)? Does the solution offer custom enforcement options that let you configure degrees of enforcement for different levels of threat? What kinds of notification options are available?
A common fear among potential NAC customers is network disruption. Will a NAC solution's activities be invisible to users, or might it slow down or otherwise disrupt network activity? Inline NAC solutions have more potential to cause disruption, whereas out-of-band solutions are more ideal, sitting outside the network, observing and taking action when necessary.
One solution that we like is ForeScout, a clientless, out-of-band solution that offers tailored enforcement options. Stay tuned to Windows IT Pro for an upcoming comparative review about other NAC solutions, in which we'll explore differentiators and other vendors in more depth.
--Jason Bovber
