ORLANDO, Fla. -- A panel of IT security pros said the costs
associated with deploying network access control (NAC) are likely
not worth the benefits promised by the new technology.
"I would guarantee you that we're talking seven-digit costs to
do this … and a lot of people are going to stop and say 'wait a
minute, what are we really protecting?'" said Roger Herbst, a
senior IT technical specialist for the Canton, Ohio-based Timken
Company. "The whole process of NAC is nascent enough that unless
you do some point solutions or some partial deployments you're
probably going to have a hard time writing down that seven-figure
number and having somebody sign the bottom line."
NAC products serve as gateways to enterprise networks that check
the security credentials and patch levels of any machine attempting
to connect to a network. Machines held suspect by the system are
quarantined and must be dealt with by IT staff. The goal is to
automate the process of checking out the veracity of clients
attempting to connect to the network.
The panel discussion, called "Network Admission Control (NAC):
What's in it for my organization," was held Tuesday at the Infosec
World Conference and Expo. Herbst was joined by Phillip Q. Maier,
vice president responsible for information security technologies at
Inovant, a subsidiary of Visa USA, and moderator Ken Cutler, vice
president of information security at the MIS Training Institute.
The experts took questions from about 40 participants during the
90-minute session and laid out some of the major pain points
associated with deploying the technology.
While the technology appears promising, it still needs time to
mature, the panelists said. There are still no established
standards or best practices to follow.
"It's about how much overhead and maintenance that you want to
introduce to your environment in the name of security," said Maier,
who said his firm conducted several small NAC deployments with
varying success.
Companies considering the technology need to conduct a standard
risk assessment and figure out how much NAC will cost to deploy,
as well as the ongoing support costs. When considering NAC
products, companies should ask a vendor how much network
reconfiguration needs to be conducted, whether infrastructure needs
to be changed and whether the environment needs to be homogeneous,
Maier said. The common admission control architecture touted by
Cisco Systems and Microsoft is dependent upon customers using Cisco
infrastructure and Windows machines.
"Make sure the impact of the existing network infrastructure is
clear," Maier said. "Lay out the architecture for the vendor before
you accept an answer."
One of the hold-ups to adoption is an internal conflict within
organizations, Herbst said. Some people want to enforce a strict
policy denying foreign PCs on the network. Others want to allow
foreign PCs from contractors and specialists to plug into the
network, but they want a mechanism that will isolate them to
conduct a health check of their systems. A third group wants to
ensure that nothing bad is being introduced into the network and
that all PCs are checked to make sure that antivirus definitions
are up to date.
"One of the reasons why we haven't deployed anything is because
of these competing groups within the organization and we haven't
decided yet which one is going to win out or which combinations
we're going to deploy," Herbst said.
When attendees were asked by panel moderator Ken Cutler whether
any had begun deploying NAC, no one in attendance raised their
hand. Still, some attendees said they plan to investigate whether
to move forward with small mini-NAC projects.
The uncertainty and complexity of deploying NAC are likely
causing most enterprises to defer deployment plans, said Chuck
Baxley, an information technology security manager at Moncks
Corner, S.C.-based electric company Santee Cooper.
"My take is that the technology is on the cutting edge and there
needs to be a lot of thought process behind it at this point,"
Baxley said. "So far the costs seem too high to make it worth the
investment, but we'll have to take a hard look at it."