Thursday, July 30, 2009

NAC landscape: tech pros and cons snapshot

Many organizations have failed at implementing a full NAC solution because the market has oversimplified it, and poor deployments have been the result; but that shouldn't stop you. Recognize your organization's true needs and implement in a phased adoption model where the technology is an optimized control, not the silver bullet.


NAC (Network Access Control) is, by its very nature (or at least initially), a restrictive control at the network layer based on the identity or credentials of the host to be admitted. Some key points to consider when investigating NAC solutions:
Scope of coverage, scalability, degree of protection and control, interoperability, and $$$ (licensing and resources).
Standards that fit best: Microsoft NAP, Cisco NAC, the Trusted Computing Group's Trusted Network Connect (TNC), or the IETF Network Endpoint Assessment (NEA) working group.
Model approach: client-based (agent), network-based (anywhere from 802.1X to DHCP and inline), or hybrid.
-Client-based NAC: best visibility (host-level logs and posture) yet harder to roll out and manage; a thin client is the best compromise but is still a client, so endpoint diversity can be a rollout issue (although control is closest to the user)
-NAP-based: strong pre-admission check and standards-embracing, though the endpoint client policy is thinner by comparison and O/S support is limited (it is a Microsoft platform), so third-party integration is a must
-802.1X NAC: the most vendor-agnostic, although prepare for infrastructure upgrades (switches, supplicants, RADIUS); it gives link-level authorization but limited endpoint posture assessment and, on its own, a thin notion of identity
-In-line network-based: VLAN/VACL changes can be a rollout road-block, but it provides a strong pre-admission check and can be application-aware
-In-line NAC appliances: no agent component, but scanning inline is resource-intensive and the VLAN work can be a nightmare; on the upside it is transparent to users and adds threat control
-Hybrid: well, if you haven't noticed the overlap among the above by now, I'm not sure how to make the water any murkier
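To make the 802.1X item above concrete, here is an added example (not from the original post, and not any vendor's reference config) of what "link-level authorization" looks like on a Cisco IOS access switch, together with the fallback VLANs that cause the VLAN headaches mentioned in the list. The RADIUS address, shared secret, interface name and VLAN IDs are assumed values. On a successful authentication the RADIUS server can return a VLAN via the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes; what the switch itself never does is assess endpoint posture, which is exactly the gap the post points at.

```cisco
! Added example: Cisco IOS 802.1X port authentication with fallback VLANs.
! RADIUS server address, key, interface and VLAN IDs are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description user access port (assumed)
 switchport mode access
 switchport access vlan 10
 ! port stays unauthorized (EAPOL only) until RADIUS says otherwise
 authentication port-control auto
 authentication host-mode single-host
 ! devices with no supplicant (printers, phones): fall back to MAC auth bypass
 mab
 ! no supplicant ever answered: park the port in a restricted guest VLAN
 authentication event no-response action authorize vlan 998
 ! credentials rejected by RADIUS: quarantine VLAN instead of a dead port
 authentication event fail action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The two `authentication event ... action authorize vlan` lines are where the operational pain lives: every fallback VLAN has to exist on every access switch, have a DHCP scope, and have ACLs that let a quarantined host reach remediation and nothing else, and `mab` means every printer MAC ends up in the RADIUS database. Verify the result per port with `show authentication sessions interface GigabitEthernet1/0/1` before trusting a deployment.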

With all these combinations blending together, the future is bright. At the least we should expect vendors to integrate their solutions, particularly since wireless networks (and mobile devices) are becoming the norm. So implement NAC in some fashion and throw in two-factor authentication to make things more interesting (and more secure). When in doubt, just turn to a DLP solution, right?
Outside of the dominant Microsoft and Cisco, ever heard of Bradford Networks?

Thursday, July 9, 2009

Security management of end-points: a tool

End-point security solutions come in many flavors and every vendor has its spin. But how about one that you can drop in relatively cheaply (at least as cheap as I've seen lately) and get cool reports on the health [anti-virus, firewall, patches] of your Windows PCs/laptops? Of course they support Mac and UNIX flavors too, but there just wasn't enough time to cover those...they should have extended the meeting into (a free) lunch ;)


So, here's the sales pitch, and you tell me if it gets any cooler. Scan all your hosts (totals reaching the 50K neighborhood) within minutes (provided a light scan is done rather than full throttle) and get instantaneous results/graphs of exceptions or a host list of non-compliance. The claim is low-level scans at the API level, so quick and dirty, yet everything from registry settings to software/hardware inventory is acquired by a client-less solution. Scan scheduling can be configured to your heart's content and appears to work off either a pre-populated IP pool, input from DNS, or a ping sweep. What happens if a host goes stealth, including disabling ICMP echo replies...hmmm? (A discovery that relies on ping alone will simply not see that host; a TCP- or ARP-based sweep is the usual fallback, and a vendor should be able to say which it uses.)
Included in the package is even a remediation module that lets you enforce, for example, registry settings that your GPO would otherwise do a so-so job of enforcing. It seems customizable enough that Windows users can still manually change a setting, but that is enough to create havoc when the scan/enforcement cycle comes through again. Thus: user-defined configuration assurance, with blacklisting for those disruptive/unapproved (by Corporate) software packages and collaboration tools like instant messaging, LimeWire, Kazaa...
A solution customizable to report on compliance with your company policies, O/S standards, and regulatory standards. Point-and-click, as one said...for the most part. Oh, and it has an energy management component that will save you $$$. All this for a price of approx. $20 per host...ShamWow!