SAN FRANCISCO -- Despite all of the buzz and the spotlight on
Network Access Control (NAC) at this year's Burton Group Catalyst
Conference, analysts warned network architects that NAC may not yet
be ready for widespread deployment. And though Burton vice
president and service director Phil Schacter noted that the network
does have a responsibility to play a role in addressing security,
it may still be too soon for NAC.
"Clearly, a standard is needed," Schacter said, pointing out
that vendors across the board are creating NAC solutions, but there
is no single standard tying them all together. Cisco Systems Inc. has
Network Admission Control; Microsoft has Network Access Protection;
Juniper has Unified Access Control; Nortel has Secure Network
Access; Check Point has Total Access Protection; and the Trusted
Computing Group has Trusted Network Connect. There are also
dozens of startups offering NAC solutions.
Schacter's main advice was to "hold off on investing in NAC
frameworks until industry standards emerge." And for those who may
have already plunked down a large chunk of change for NAC, he
warned: "Proceed with caution if you're about to commit to a
vendor's [NAC] framework."
By a show of hands in the audience of more than 100, it appeared
that about 30% of the crowd were already knee-deep in NAC. They had
either already deployed or were planning a deployment.
And one attendee at Catalyst shared how his company is making
NAC work in its favor.
Mike Roncadori, security engineer with Sun Microsystems, said
Sun deployed a Cisco NAC solution several months ago. Sun's unique
environment had no real Wintel infrastructure; numerous personal
laptops in daily use; a large number of engineers, labs and
operating systems; and uneven levels of system support from one
group to the next.
Roncadori said Sun looked to Cisco's NAC to authenticate clients
to the network, ensure all clients are properly managed, and
provide a stepping stone to eventually breaking the network into a
group of role-based enclaves.
"We want everybody to announce themselves," he said. "We want
everybody to tell us who they are when they come on the
network."
Roncadori said Sun also wanted a better way to know exactly whom
to call on with a problem.
Before the NAC deployment, which featured Cisco's Clean Access
Manager, users would come on and off the network with little to no
security check, Roncadori said.
"People just came on, did what they did, and left," he said.
From there, any mess they left in their wake -- such as viruses,
worms and other security holes -- was "cleaned up after the
fact."
Sun looked at a number of NAC solutions and went through demos,
delving deep into each, Roncadori said. Eventually, Cisco was
chosen because it was ready to go out of the box, was
architecturally compatible, and could provide future functionality
as NAC evolves. Also, he said, Sun wanted to pilot NAC in one month
and deploy in four, and Cisco was the only vendor that could
accommodate that aggressive timeline.
Sun piloted the Clean Access Manager in a Colorado office to
verify Cisco's claims and ensure that it could do what they
expected. Some minor issues arose requiring configuration tweaks on
other parts of the network, Roncadori said, but those problems were
quickly resolved.
Since Sun outsources its computer and network operations, it
also took a little time for that third party to learn NAC.
Roncadori suggests starting the NAC conversation early if a
deployment is planned. He estimated that if Sun had not outsourced,
it would have taken roughly five full-time IT staffers to implement
and manage NAC.
Now, Sun's first major NAC deployment is in place, and the
company is looking at worldwide deployment by July 2007.
For the future, Roncadori said that NAC will help Sun set up
enclaves, which will allow role-based access to entities and
subnetworks and scaled authentication based on classification. Sun
is also looking into whitelisting and blacklisting: whitelisting
would grant access based on a user's expertise and behavior, while
blacklisting would deny access based on individual behavior. If one
particular user is prone to introducing problems, that user's
access will be denied until he receives future clearance.
The company put in a "dirty VLAN" for users who are not allowed
onto the network for one reason or another. Overall, Roncadori
said, the user experience is rather unobtrusive. Users have to
launch a browser and are redirected to the NAC box for
authentication before they are allowed in. If there are problems,
they are either placed in the dirty VLAN or told to update and clean
their computers. The overall process is not time consuming, he
said, unless a user's PC is infected or lacks the required security
software. For example, if a user doesn't have a personal firewall,
the system tells him to get one.
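The admission flow Roncadori describes (authenticate the client, check its posture, then admit it to a role-based enclave, park it on the dirty VLAN with remediation instructions, or deny it outright until a blacklisted user is cleared) is easier to reason about as a policy function. The following is an added illustration, not Cisco Clean Access Manager code and not Sun's actual policy; every name, role, VLAN number, threshold and sample endpoint in it is constructed for the example.

```python
"""
Toy NAC admission engine (constructed example, not a vendor product).
Models the flow described in the article: authenticate, check posture,
then admit / quarantine on a "dirty" VLAN / deny.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Constructed values: VLAN ids and the signature-freshness threshold.
PRODUCTION_VLAN = 100          # default enclave for any authenticated role
DIRTY_VLAN = 999               # quarantine network for hosts needing remediation
MAX_SIGNATURE_AGE_DAYS = 7     # AV signatures older than this are "stale"

# Constructed role-based enclaves: which VLAN a clean, authenticated role lands on.
ROLE_VLANS = {"engineer": 110, "lab": 120, "contractor": 130}


@dataclass
class Posture:
    firewall_enabled: bool
    av_installed: bool
    av_signature_date: Optional[date]
    infected: bool


@dataclass
class Endpoint:
    user: str
    authenticated: bool   # result of the browser-redirect login step
    role: str
    posture: Posture


@dataclass
class Decision:
    action: str                    # "admit", "quarantine" or "deny"
    vlan: Optional[int]            # None when the host is kept off entirely
    reasons: List[str] = field(default_factory=list)


def evaluate(ep: Endpoint, blacklist: Set[str], today: date) -> Decision:
    """Apply the policy in order: identity, behavior history, then posture."""
    # 1. "Everybody announces themselves": no identity, no network.
    if not ep.authenticated:
        return Decision("deny", None, ["authentication failed"])

    # 2. Users blacklisted for past behavior stay off until cleared.
    if ep.user in blacklist:
        return Decision("deny", None, ["user blacklisted pending clearance"])

    # 3. Posture checks; every failed check becomes a remediation item.
    remediation: List[str] = []
    p = ep.posture
    if p.infected:
        remediation.append("clean infection")
    if not p.firewall_enabled:
        remediation.append("enable personal firewall")
    if not p.av_installed:
        remediation.append("install antivirus")
    elif p.av_signature_date is None or (today - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        remediation.append("update antivirus signatures")

    if remediation:
        return Decision("quarantine", DIRTY_VLAN, remediation)

    # 4. Clean and authenticated: place the host in its role's enclave.
    return Decision("admit", ROLE_VLANS.get(ep.role, PRODUCTION_VLAN))


def run_sample() -> dict:
    """Evaluate a constructed set of endpoints on a fixed date; returns {user: Decision}."""
    today = date(2007, 1, 15)                       # constructed evaluation date
    blacklist = {"dave"}                            # constructed: dave awaits clearance
    fresh = date(2007, 1, 12)
    stale = date(2006, 12, 1)
    endpoints = [
        Endpoint("alice", True, "engineer", Posture(True, True, fresh, False)),
        Endpoint("bob", True, "lab", Posture(False, True, stale, False)),
        Endpoint("carol", False, "engineer", Posture(True, True, fresh, False)),
        Endpoint("dave", True, "contractor", Posture(True, True, fresh, False)),
        Endpoint("erin", True, "visitor", Posture(True, True, fresh, False)),
    ]
    return {ep.user: evaluate(ep, blacklist, today) for ep in endpoints}


if __name__ == "__main__":
    for user, d in run_sample().items():
        print(f"{user:6s} -> {d.action:10s} vlan={d.vlan} {d.reasons}")
```

The ordering matters: identity is checked before posture so an unauthenticated host never learns which checks it would have failed, and the blacklist is consulted before posture so a cleared host cannot bypass the behavior-based ban simply by showing up clean. The `today` parameter is explicit rather than read from the clock so the same inputs always yield the same decision, which keeps the policy testable.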
"There can be an indeterminate amount of work if you've really
let your system go and it's not up to snuff," he said.
As for the cost, Roncadori said it was justified. He said Sun
was handling between 3,000 and 4,000 incidents per month related to
PCs introducing something unwanted onto the network. With NAC, Sun
foresees that number dropping dramatically. Using an
incident-costing model, Roncadori estimated that each incident cost
the company anywhere from $750 to $1,000. If a good chunk of
incidents are stopped, he said, the NAC solution will pay for
itself.
"It's easy to justify spending $2 million to $3 million when you
have a $6 million problem," he concluded.
This article originally appeared on SearchNetworking.com.