Thursday, July 30, 2009

NAC landscape: tech pros and cons snapshot

Many organizations have failed to implement a full NAC solution because the market has oversimplified it. The result has been poor deployments, but that shouldn't stop you. Recognize your organization's true needs and implement in a phased adaptation model where the technology is optimized and not treated as the silver bullet.


NAC (Network Access Control) is by its very nature (or at least initially) a restrictive control at the network layer, based on the identity or credentials of the host to be identified. Some key points to consider when investigating NAC solutions:
Scope of coverage, scalability, degree of protection and control, interoperability, and $$$ (licensing and resources).
Standards that fit best: Microsoft NAP, Cisco NAC, Network Access Control (TNG), or the IETF NEA Working Group (NEA).
Model approach: client-based, network-based (from 802.1x to DHCP and inline), or hybrid.
-Client-based NAC, important considerations: best visibility of logs, yet more difficult to roll out and manage; a thin client is best but still requires a client, so rollout diversity can be an issue (yet control is closest to the user).
-NAP-based NAC provides strong pre-admission checks and embraces standards, though the endpoint client policy may be lacking in comparison, with limited O/S support; overall, third-party integration is a must.
-802.1x NAC is the most vendor-agnostic, although prepare for infrastructure upgrades; it gives link-level authorization but limited endpoint posture assessment and a less comprehensive view of identity.
-In-line network-based NAC can be a VLAN/VACL rollout roadblock, but it provides a strong pre-admission check and can be application-aware.
-In-line NAC has no agent component but is inline-scanning intensive and a VLAN nightmare, though it is transparent to users and provides threat control.
-Hybrid: well, if you haven't noticed some of the overlap already…then I'm not sure how to make the water even more murky.
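To make the pre-admission trade-offs above concrete, here is a small policy engine that models the decision a NAC enforcement point makes when a host shows up. It is an added example, not code from the original post or from any of the vendors mentioned. It shows the practical difference between the models: an 802.1x-only deployment gives the policy engine an identity (EAP success or failure) but no posture, while a client/agent-based or NAP-style deployment can also report patch, AV and firewall state, so only the latter can send a non-compliant host to quarantine rather than straight to production. All VLAN names, endpoint records and the 30-day patch threshold are constructed for illustration.

```python
"""Constructed NAC pre-admission policy engine (illustrative only)."""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical VLAN assignments used as the enforcement outcome.
PROD_VLAN = "vlan-100-corp"
QUARANTINE_VLAN = "vlan-999-quarantine"
GUEST_VLAN = "vlan-200-guest"


@dataclass
class Endpoint:
    mac: str
    identity: Optional[str]            # authenticated user/device, None if 802.1x failed
    posture: Optional[dict] = None     # agent/NAP-reported attributes; None if no agent


@dataclass
class Decision:
    vlan: str
    reasons: list = field(default_factory=list)


def evaluate_posture(posture: dict, max_patch_age_days: int = 30) -> list:
    """Return the list of policy violations found in agent-reported posture."""
    violations = []
    if not posture.get("av_running", False):
        violations.append("antivirus not running")
    # A missing patch age is treated as unknown, i.e. failing the check.
    if posture.get("patch_age_days", 10**6) > max_patch_age_days:
        violations.append("patches older than %d days" % max_patch_age_days)
    if not posture.get("firewall_enabled", False):
        violations.append("host firewall disabled")
    return violations


def admit(ep: Endpoint, require_posture: bool = True) -> Decision:
    """Decide which VLAN an endpoint lands on.

    require_posture=True models a client-based/NAP deployment that refuses
    to grant production access without posture data; require_posture=False
    models an 802.1x-only deployment that can only act on identity.
    """
    # Step 1: identity, the one input every model provides.
    if ep.identity is None:
        return Decision(GUEST_VLAN, ["authentication failed or unknown device"])
    # Step 2: posture, which only agent/NAP-based models can supply.
    if ep.posture is None:
        if require_posture:
            return Decision(QUARANTINE_VLAN, ["no posture data (agentless endpoint)"])
        return Decision(PROD_VLAN, ["identity only; posture not assessed"])
    violations = evaluate_posture(ep.posture)
    if violations:
        return Decision(QUARANTINE_VLAN, violations)
    return Decision(PROD_VLAN, ["identity and posture checks passed"])


def run_demo() -> dict:
    """Evaluate a few constructed endpoints and return mac -> vlan."""
    endpoints = [
        Endpoint("00:11:22:33:44:01", None),                          # failed 802.1x
        Endpoint("00:11:22:33:44:02", "alice@corp.example"),          # no agent
        Endpoint("00:11:22:33:44:03", "bob@corp.example",
                 {"av_running": True, "patch_age_days": 5, "firewall_enabled": True}),
        Endpoint("00:11:22:33:44:04", "carol@corp.example",
                 {"av_running": False, "patch_age_days": 60, "firewall_enabled": True}),
    ]
    return {ep.mac: admit(ep).vlan for ep in endpoints}


if __name__ == "__main__":
    for mac, vlan in run_demo().items():
        print(mac, "->", vlan)
```

Running the same `admit()` call with `require_posture=False` is the 802.1x-only case from the list: the agentless host goes straight to production on identity alone, which is exactly the "limited endpoint posture assessment" trade-off.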

With all these combinations blending together, the future is bright. At least we should expect vendors to integrate solutions, particularly since wireless networks (and mobile devices) are becoming the norm…so implement NAC in some fashion and throw in 2-factor authentication to make things more interesting/secure. When in doubt, just turn to a DLP solution, right?
Outside of the dominant MS and Cisco, ever heard of Bradford Networks?
