Preventing unauthorized access to data that resides on the network depends on deploying the right network access control (NAC) solution, and selecting the right solution depends on asking the right questions.
As organizations become more networked and share information with clients, employees and vendors on a day-to-day basis, it has become imperative for them to strengthen their networks significantly so that unauthorized persons cannot reach sensitive information resources. Unauthorized access to sensitive data can do massive damage, not only to the business but also to the reputation of the company.
Factors Driving Need
The changing business environment has made NAC one of the most talked-about, yet vexing, technologies of the last year. Technology and working practices have changed considerably, with a significant impact on the IT perimeter. According to Sophos, rising demand for mobility from employees who need network access off site, together with network access granted to third-party contractors and guests, has increased the number of devices, the types of devices, and the users and access requests reaching the network. This has opened significant security gaps and brought about network access control (NAC) as a methodology for dealing with the shifting IT perimeter. Proper implementation of NAC, however, is still at a nascent stage. Early adopters suffered from cost and complexity; today the technology has matured and costs have come down, but NAC is still evolving and its complexities must be managed, so adoption across organizations remains at an early stage.
With the vast development of network infrastructure, it has become very easy to reach corporate resources through various access methods, wired and wireless. According to Dr. M. Prasad, Head (Operations), NeoAccel India, the demand for WLAN access has surged so dramatically over the past few years that users are clamoring for it, because it allows them to access their network and the Internet from anywhere in the workplace without having to "plug in". There is continuous fire-fighting against network intrusion, viruses and spam in any enterprise. Notwithstanding this, a large number of wireless access points are being installed at airports, hotels and other public places to provide connectivity wherever you are. Thus the threat of network service disruption by unauthorized sources also grows, even as network reliability and security become more critical.
The maturity of NAC solutions in India is still evolving. Customers are aware of the solution and the benefits it offers. Sanjay Jotshi, Director of Enterprise and Channels, India & SAARC, Juniper Networks, believes that from an implementation point of view customers are still evaluating the various vendors: what each vendor can bring to the table in terms of benefits, the impact it will have on their existing infrastructure, and the administration and management issues they will face, if any, before going ahead.
What to Look For
Selecting a network access control (NAC) solution means evaluating an abundance of vendors with different deployment options, form factors, and varying deployment and management costs. Unfortunately, deployment and management of a NAC architecture is often not done the way it should be. The points below should be worked through before finalizing a NAC solution:
Identify Requirements
Each business will have different issues when selecting a NAC solution. For example, in the ITES vertical, per-seat utilization is an important criterion because the investment is calculated on a per-seat basis. Using the NAC solution, an organization can ensure that seat utilization is at or close to 100% across its various customers, programs and agents, a consideration that does not arise in the same way in the BFSI or manufacturing verticals.
Dynamism
A comprehensive access control solution should be capable of dynamic changes if the endpoint's security state, network information, or user information changes, even if these changes occur mid-session. This dynamic policy should also be enforceable in real time across the network on enforcement points. Given the large investments in enterprise LAN infrastructure across campus and branch offices, the enforcement of policy should ideally leverage existing investments in network infrastructure.
Flexibility
Another consideration is flexibility: whether the solution is standards-based or not. Other salient points are cost effectiveness, return on investment and a lower total cost of ownership. For example, if a solution requires an upgrade to the switching infrastructure, the buyer must factor in the time required to inventory the devices on the network, determine what types of switches are deployed and what version of code they run, obtain hardware and/or software upgrades as required, and test the network.
Granularity
Experts believe that the enterprise network is never truly static. An access control solution must be granular enough to provide the controls needed, but flexible enough to accommodate changing infrastructure and deployments. In addition, the purpose of the access control itself can change. One example is a wireless deployment: initially, the solution might be deployed to provide an additional layer of access control for the WLAN by ensuring that users are authenticated. Over time, however, there may be a desire to check the security state of users' endpoints as well and ensure that they comply with minimum acceptable limits.
Less Administrative Burden
Any enterprise considering NAC should carefully evaluate, and seek to minimize, the administrative burden its deployment represents. Increased help desk calls are a common burden and should be measured during testing, as end users may flood the help desk asking why they have been quarantined and how they can get back on the network. The best case is a NAC product that can remediate automatically, or that guides end users well enough that they can self-remediate.
Agent or Agentless?
Experts believe that both agent-based and agentless solutions are here to stay. The apt solution depends on the requirement. For example, for Layer 2 enforcement (802.1X port-based control) a supplicant (agent) is mandatory; at Layer 3 and above an agentless solution is possible. However, even for Layer 3 and above deployments, if the endpoint must be secured with a personal firewall under centralized policy management, the supplicant is needed.
Box: Mandatory Features
There are some mandatory features a buyer should look for in terms of the hardware and software strengths of a NAC solution:
- Open, standards-based solution.
- Integrates with the existing infrastructure, avoiding a fork-lift upgrade and reducing the time taken to deploy the solution.
- Integrates with the existing authentication databases, which is the primary objective of an access control solution, be it Microsoft Active Directory, LDAP or AAA.
- Determines endpoint compliance, which is crucial today. With advanced NAC solutions, endpoint integrity is validated not just prior to login but for the entire duration of the session, giving continual posture evaluation. Compliance with the open Trusted Network Connect (TNC) specifications lets the enterprise deploy the solution seamlessly across the majority of anti-virus, anti-spyware and personal firewall vendors, and enables simple user remediation where necessary.
- Supports Layer 2 through Layer 7, giving the customer the flexibility to deploy what is relevant for the network rather than having something pushed on them.
The upside of agents is that, because they reside on the endpoint, a higher level of scrutiny can be conducted, which should improve security. Agents can also be among the least disruptive options, especially for network traffic: the agent runs quietly in the background, sending only periodic updates to the policy server while making sure the policy is enforced thoroughly. But no one wants another application to install, however high the security payback.
The advantage of an agentless NAC strategy is that no client installs or downloads are required, which makes it easy to gather test results before enforcing the security policy. It also suits networks where all devices are on a Windows domain, since a domain administrative account can be used to log on to each device for testing. On the other hand, specifying credentials for testing can be difficult for users, and logging on to every endpoint with a domain administrative account exposes a highly privileged credential on each of those machines, so a dedicated, least-privilege scanning account is preferable.
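The mid-session re-evaluation described under Dynamism, and the continual posture evaluation the box above calls for, can be made concrete with a small policy engine. The following is an added example written for this article; it is not code from any vendor named here. The posture fields, thresholds (signature age, patch level) and the group-to-role mapping are constructed assumptions for illustration, and the agent heartbeat is simulated by direct function calls.

```python
"""Added example: a minimal NAC policy engine that re-evaluates an endpoint
whenever its posture or user information changes mid-session.

All thresholds, role names and posture fields below are constructed
assumptions for illustration; they are not taken from any vendor product.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed policy baseline (assumption, not a real product setting).
MAX_SIGNATURE_AGE_DAYS = 3      # AV signatures older than this fail posture
REQUIRED_PATCH_LEVEL = 5        # hypothetical OS patch baseline
# Hypothetical mapping from directory group to the network role (VLAN/ACL)
# that the enforcement point should apply to a compliant endpoint.
ROLE_BY_GROUP: Dict[str, str] = {
    "employees": "corp-lan",
    "contractors": "contractor-vlan",
    "guests": "internet-only",
}
QUARANTINE = "quarantine"       # remediation-only network
DENY = "deny"                   # unknown group: no access at all


@dataclass
class Posture:
    """What the agent (or an agentless scan) reports about the endpoint."""
    av_running: bool
    av_signature_age_days: int
    firewall_on: bool
    patch_level: int


@dataclass
class Session:
    user: str
    group: str
    posture: Posture
    role: str = "unassigned"
    history: List[str] = field(default_factory=list)


def posture_failures(p: Posture) -> List[str]:
    """Return every policy check the endpoint fails; an empty list means compliant."""
    failures = []
    if not p.av_running:
        failures.append("antivirus not running")
    elif p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if not p.firewall_on:
        failures.append("personal firewall disabled")
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append(f"patch level {p.patch_level} below required {REQUIRED_PATCH_LEVEL}")
    return failures


def decide_role(session: Session) -> str:
    """Combine user group and posture into the role the enforcement point applies.

    Posture is checked first: a non-compliant device lands in quarantine
    regardless of who is logged in, so a privileged user cannot bypass the
    endpoint checks.
    """
    if posture_failures(session.posture):
        return QUARANTINE
    return ROLE_BY_GROUP.get(session.group, DENY)


def evaluate(session: Session) -> str:
    """(Re-)evaluate a session and record any role change with its reason."""
    new_role = decide_role(session)
    if new_role != session.role:
        reason = ", ".join(posture_failures(session.posture)) or "compliant"
        session.history.append(f"{session.user}: {session.role} -> {new_role} ({reason})")
        session.role = new_role
    return session.role


def on_posture_update(session: Session, **changes) -> str:
    """Agent heartbeat reported changed posture fields: apply them and re-evaluate."""
    for name, value in changes.items():
        setattr(session.posture, name, value)
    return evaluate(session)


def on_user_change(session: Session, group: str) -> str:
    """User information changed (e.g. group membership): re-evaluate."""
    session.group = group
    return evaluate(session)


def run_demo() -> List[str]:
    """Constructed walkthrough of one session; returns the sequence of roles applied."""
    s = Session("alice", "employees", Posture(True, 1, True, 5))
    roles = [evaluate(s)]                                        # login: compliant
    roles.append(on_posture_update(s, firewall_on=False))        # firewall switched off
    roles.append(on_posture_update(s, firewall_on=True))         # remediated
    roles.append(on_posture_update(s, av_signature_age_days=7))  # signatures went stale
    roles.append(on_posture_update(s, av_signature_age_days=0))  # updated
    roles.append(on_user_change(s, "contractors"))               # moved to contractor group
    return roles


if __name__ == "__main__":
    for role in run_demo():
        print(role)
```

The point of the structure is that every event, whether from the endpoint (posture) or from the directory (group), funnels through the same `evaluate` call, so a firewall switched off half an hour into a session moves the device to the quarantine role just as it would at login, and the recorded history gives the help desk the reason when the user calls.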
Technical Support Strength of Vendor
Support strength is crucial. Vendors should be able to provide basic 24/7 support with experts at the front line. Local expertise should be available to replicate, analyze and solve your problems. A good laboratory and product development team is a must. The vendor should also be able to provide tailored packages for specific requirements, offering enhanced support with predefined service levels, priority incident handling and remote system support.
The vendor's support strength should be treated as one of the important criteria: the solution sits at the heart of the network, and user access depends on it. As new requirements arise over time, the vendor should also be able to support the new features and roll-outs they call for.
Current available solutions
Sophos currently provides two levels of NAC. The basic NAC comes at no extra cost with our endpoint security and control module. It is installed along with the Sophos AV and client firewall. It provides a basic level of policy definition, checks that AV and other security applications are active and updated, checks for OS service packs and patches, does assessment and remediation, and offers standard reporting and enforcement using the agent and Microsoft DHCP. NAC Advanced can be installed alongside third-party AV applications, and installed separately using software distribution tools. In addition to all the features of NAC Basic, it can define policies by user group, create custom applications and policies, provide advanced reporting, and can also enforce using 802.1X, Cisco, VPN and other DHCP modules.
NeoAccel is offering an out-of-band 'NAC Plus' solution with granular access control and endpoint security. NAC Plus also contains private CA functionality for small business services. Included is the capability to enforce a uniform security policy for all users independent of the network access method, i.e. wireless, remote/VPN, or wired 802.1X. NAC Plus has the performance and reliability to handle heavy traffic loads, with full support for any type of network infrastructure.
Juniper Networks is offering 'Unified Access Control' (UAC), which combines user identity, device security state and location information into session-specific access control policy per user. Open and standards-based, UAC leverages existing enterprise network infrastructure, components and software to reduce deployment complexity and cost while increasing operational efficiency. Juniper UAC is built on our award-winning, field-tested, best-in-class security and network access control products. Juniper Networks Unified Access Control is adaptable and scalable to meet the network access control requirements of businesses of all sizes.
Conclusion
There are considerable differences in the ways NAC systems work and in the features provided by vendors with different architectures. Your evaluation should find the NAC solution that is most effective for your network and also the most cost-efficient to operate.
—By: R. Manoj, Assistant Editor, 'InfoSecurity' magazine, Fanatic Media.