You might have been reading or hearing lately about the growing number of network access control (NAC) products on the market. If you're not familiar with the concept, NAC refers to hardware and software that decides whether, when and to what extent a given machine is allowed onto the network. The decision is based on criteria an administrator defines, usually relating to the health of the connecting machine: patch level, anti-malware state and the like. A machine that fails the check is typically denied access or placed in a restricted quarantine segment until it is brought into compliance.

Even the big players, like Cisco and Juniper, are joining the NAC race with modestly priced products. And Microsoft is building quarantine and NAC functionality, under the name Network Access Protection (NAP), into the next Windows Server release (code-named Longhorn, later released as Windows Server 2008), due out at the end of this year. So it's clearly a popular agenda item.

But is the NAC paradigm, and all of the benefits and challenges it brings to your network, appropriate for you and yours? Here are some signs that indicate you should spend some time considering whether tougher network access controls are necessary in your organization:

  • You've recently noticed an uptick in malware spreading internally. Don't confuse this with malware that ends up on one or two of your systems. Despite all the perimeter protection in the world, statistically speaking, you're going to get nailed at some point; it's not a matter of if but when. But if malware isn't just landing on one or two systems and instead spreads across your internal machines with ease, that's a sign those machines are missing patches or running stale anti-malware, which is exactly the condition a NAC product is designed to catch at connection time and contain by keeping non-compliant machines off the production segment. NAC won't stop a compliant host from being the first victim, but it shrinks the population a worm can reach.
  • You support a significant population of mobile users. If many employees work offsite for much of the week and connect back to your network regularly, each of those connections is essentially an unguarded entry point. Whatever malware a laptop picks up on the road comes straight into the soft interior of your network, behind the perimeter defenses. If you manage a group of people using dial-up or VPN connections and you have no vetting of a machine's state at connection time (in particular for the true road warriors who are hardly ever in the office and hardly ever connect), tougher network access controls are probably appropriate for you.
  • Business conditions dictate that more mobile users will be entering your network than before.

Computers over which you have no control pose the biggest threat to your infrastructure. Situations might include:

  • The computers in a company you've acquired.

  • Visiting employees bringing their own laptops onto your corporate campus for a temporary stay.

  • Running a wireless network without a Windows domain or any certificate-based authentication (802.1X with EAP-TLS, for example), so that anyone who has the shared key, or no key at all, can join it.

If you have time to budget and plan in advance of your new environment, NAC can do a lot to keep the newcomers to your network from spreading malware to the machines already on it.

  • You have a heterogeneous environment, with lots of Windows machines and a bevy of Macs, Unix or Linux computers and so on. Some management capabilities that you only get in a Windows Server-based domain, like Group Policy, central IPsec configuration and automatic certificate enrollment, won't reach your cross-platform machines. In that case you need another source of protection: bulletproof perimeter detection, trust in a desktop anti-malware product on every host, or NAC to be sure that members of your network are "siloed" when they should be. Or else you can rest on your laurels and place your confidence in the technical and architectural superiority of your platforms.
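To make the mechanism concrete, here is an added example (not code from the article or from any NAC product) of the kind of admission policy described above: an administrator-defined health policy is applied to each endpoint's posture report when it attaches, and the outcome decides which segment the machine lands on. It covers the cases the article raises: a healthy managed desktop, a road-warrior laptop with stale signatures and missing patches, a managed Mac that Group Policy can't reach, and an unmanaged machine from an acquired company. The VLAN names, posture fields, thresholds and sample endpoints are all constructed for illustration.

```python
"""Toy NAC admission-policy evaluator (added example, not from the article).

A posture report per endpoint is checked against an administrator-defined
policy; the result is the network segment the endpoint is admitted to and
the reasons for that decision. All names and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical segment names; a real deployment maps these to VLAN IDs/ACLs.
PRODUCTION_VLAN = "vlan-100-production"
REMEDIATION_VLAN = "vlan-900-remediation"   # reaches patch/AV servers only
GUEST_VLAN = "vlan-950-guest"               # Internet only, no internal access


@dataclass
class Posture:
    """What the endpoint agent (or an agentless scan) reports when it attaches."""
    hostname: str
    os_family: str                      # "windows", "macos", "linux"
    domain_joined: bool
    av_present: bool
    av_signature_date: Optional[date]   # None if the agent can't tell
    missing_critical_patches: int
    managed: bool                       # administered by us, vs. visitor/acquisition


@dataclass
class Policy:
    """Administrator-defined health criteria (constructed thresholds)."""
    max_signature_age_days: int = 3
    max_missing_critical: int = 0
    require_domain_on_windows: bool = True


@dataclass
class Decision:
    vlan: str
    reasons: List[str] = field(default_factory=list)


def evaluate(p: Posture, policy: Policy, today: date) -> Decision:
    """Return the segment an endpoint is admitted to, and why."""
    reasons: List[str] = []
    # Unmanaged hosts (visitors, acquired company, unknown wireless clients)
    # never reach production regardless of how healthy they claim to be.
    if not p.managed:
        return Decision(GUEST_VLAN, ["unmanaged endpoint"])
    if not p.av_present:
        reasons.append("no anti-malware agent")
    elif p.av_signature_date is None or \
            (today - p.av_signature_date).days > policy.max_signature_age_days:
        reasons.append("anti-malware signatures stale")
    if p.missing_critical_patches > policy.max_missing_critical:
        reasons.append(f"{p.missing_critical_patches} critical patches missing")
    # Group Policy, central IPsec and auto-enrollment only reach domain members,
    # so a non-domain Windows box has no other enforcement and is held back.
    # Macs and Linux hosts are judged on posture alone.
    if policy.require_domain_on_windows and p.os_family == "windows" \
            and not p.domain_joined:
        reasons.append("windows host not domain-joined")
    if reasons:
        return Decision(REMEDIATION_VLAN, reasons)
    return Decision(PRODUCTION_VLAN, ["healthy"])


# Constructed sample endpoints and the day the check runs.
SAMPLE_DAY = date(2007, 4, 16)
SAMPLES = [
    Posture("desk-01", "windows", True, True, date(2007, 4, 15), 0, True),
    Posture("road-warrior-07", "windows", True, True, date(2007, 3, 2), 4, True),
    Posture("mac-design-03", "macos", False, True, date(2007, 4, 16), 0, True),
    Posture("acquired-ws-12", "windows", False, False, None, 9, False),
]


def admit_all(samples: Optional[List[Posture]] = None,
              policy: Optional[Policy] = None,
              today: date = SAMPLE_DAY) -> Dict[str, Decision]:
    """Evaluate every endpoint in the list against the policy."""
    samples = SAMPLES if samples is None else samples
    policy = Policy() if policy is None else policy
    return {p.hostname: evaluate(p, policy, today) for p in samples}


if __name__ == "__main__":
    for host, d in admit_all().items():
        print(f"{host:18} -> {d.vlan:24} {'; '.join(d.reasons)}")
```

The point of the Mac case is that NAC gives you a posture check on machines Group Policy never touches; the point of the unmanaged case is that health alone is not the criterion, ownership is checked first. A real product additionally has to authenticate the endpoint and the report (802.1X, a signed statement of health) so that a compromised machine can't simply claim to be healthy.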

About the author: Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. Jonathan's books include RADIUS and Learning Windows Server 2003 for O'Reilly Media and Hardening Windows for Apress. His work is seen regularly in popular periodicals such as Windows IT Pro magazine, SecurityFocus, PC Pro and Microsoft's TechNet Magazine. He speaks around the world on topics, including networking, security and Windows administration. He can be reached at jhassell@gmail.com.


This was first published in April 2007
