Alternatives to buying full-on network access control (NAC) systems

In this expert response, Peter Wood outlines some alternatives to NAC systems, and explains why, sometimes, NAC systems really are the best choice.

What's an effective, less expensive alternative to network access control (NAC)? Our organization desires a system to apply patches and remediate malware issues but fears a full-on NAC system would be too costly and complex.

Network access control (NAC) systems are designed to secure access to a network when devices initially attempt to connect. As you suggest, they can also check or enforce policy settings and patch levels and provide antimalware controls.

As the mobile workforce has continued to grow, it has become a major headache for organisations to ensure laptops have been patched and are not carrying malware when they reconnect to the corporate network. You are right to be concerned about the cost and complexity of full-blown NAC systems; a significant investment in time and money will be required to implement any such enterprise-wide technology (as is the case for intrusion prevention systems [IPS] and security information and event management systems [SIEM] as well).

If you are concerned about rogue devices connecting to your network as well as patch management enforcement, NAC may be the best choice. However, if your primary focus is to ensure legitimate computers are patched correctly and malware-free, then there are less-costly alternatives.

Assuming we're looking at Windows devices in an Active Directory environment (the standard architecture in contemporary enterprises), careful use of Group Policy Objects (GPOs) combined with well-configured antivirus, personal firewalls and full disk encryption can prevent malware and patching problems from arising in the first place. GPOs can prevent the laptop user from running with local administrator privilege or installing applications. Antivirus and personal firewalls can be configured such that the user cannot turn them off. Full disk encryption can prevent the user from using free tools to obtain local administrator privileges. Combining these controls significantly reduces the likelihood of malware infection or hacking of the laptop whilst off site. GPOs can also enforce patch updates once the laptop is reconnected to the corporate network.
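The alternative described above amounts to verifying four endpoint controls (no local admin rights, antivirus on and current, personal firewall on, full disk encryption) plus patch status. As an added example, not part of Peter Wood's answer, the following read-only PowerShell audit checks each of those on a single Windows laptop. It assumes Microsoft Defender as the antivirus and BitLocker as the disk encryption product (other products need their own queries), an elevated session, and a 7-day signature-age threshold that is an arbitrary policy value chosen here; the result property names are my own.

```powershell
# Added example (not from the original article): read-only audit of the controls
# the answer proposes in place of NAC. Run in an elevated PowerShell session on
# the endpoint. Assumes Microsoft Defender and BitLocker; every cmdlet and COM
# object used is standard on Windows 10/11 and Windows Server.

$results = [ordered]@{}

# 1. Local administrator privilege: no individual user accounts in the built-in
#    Administrators group apart from the built-in Administrator (RID 500).
#    Note: nested domain groups (e.g. Domain Admins) are not expanded here.
$extraAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -notlike '*-500' }
$results['ExtraLocalAdmins']   = ($extraAdmins | ForEach-Object Name) -join ', '
$results['NoExtraLocalAdmins'] = -not $extraAdmins

# 2. Antivirus: real-time protection enabled and signatures fresh.
#    The 7-day threshold is an assumed policy value, not from the article.
$mp = Get-MpComputerStatus
$results['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
$results['SignatureAgeDays']   = [math]::Floor((New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays)
$results['SignaturesCurrent']  = $results['SignatureAgeDays'] -le 7

# 3. Personal firewall: all three profiles (Domain, Private, Public) enabled.
$profiles = Get-NetFirewallProfile
$results['FirewallAllProfilesOn'] = -not ($profiles | Where-Object { -not $_.Enabled })

# 4. Full disk encryption: system drive fully encrypted with protection on.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['SystemDriveEncrypted'] = ($osVol.VolumeStatus -eq 'FullyEncrypted') -and
                                   ($osVol.ProtectionStatus -eq 'On')

# 5. Patch level: ask the Windows Update agent for applicable software updates
#    that are not yet installed (requires reachability to the update source).
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
$results['PendingUpdates'] = $pending.Updates.Count
$results['FullyPatched']   = $pending.Updates.Count -eq 0

# Overall verdict: every control present and nothing outstanding.
$results['Compliant'] = $results['NoExtraLocalAdmins'] -and
                        $results['RealTimeProtection'] -and
                        $results['SignaturesCurrent'] -and
                        $results['FirewallAllProfilesOn'] -and
                        $results['SystemDriveEncrypted'] -and
                        $results['FullyPatched']

[pscustomobject]$results | Format-List
```

Where a NAC appliance would evaluate these conditions at the moment a laptop connects, a script like this can be pushed through a GPO startup or logon script and its output collected centrally, which is the cheaper approximation the answer is pointing at. Two caveats a practitioner should keep in mind: the admin-membership check does not expand nested domain groups, so a user who is a local admin via group membership will not be flagged, and the Windows Update query only reports what the agent can see from its configured update source.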
