NAC panel says technology may not add up

"I would guarantee you that we're talking seven-digit costs to do this … and a lot of people are going to stop and say 'wait a minute, what are we really protecting?'" said Roger Herbst, a senior IT technical specialist for the Canton, Ohio-based Timken Company. "The whole process of NAC is nascent enough that unless you do some point solutions or some partial deployments you're probably going to have a hard time writing down that seven-figure number and having somebody sign the bottom line."

NAC products serve as gateways to enterprise networks that check the security credentials and patch levels of any machine attempting to connect to a network. Machines held suspect by the system are quarantined and must be dealt with by IT staff. The goal is to automate the process of checking out the veracity of clients attempting to connect to the network.

The panel discussion, called "Network Admission Control (NAC): What's in it for my organization," was held Tuesday at the Infosec World Conference and Expo. Herbst was joined by Phillip Q. Maier, vice president responsible for information security technologies at Inovant, a subsidiary of Visa USA, and moderator Ken Cutler, vice president of information security at the MIS Training Institute, The experts took questions from about 40 participants during the 90-minute session and laid out some of the major pain points associated with deploying the technology.

While the technology appears promising, it still needs time to mature, the panelists said. There are still no established standards or best practices to follow.

"It's about how much overhead and maintenance that you want to introduce to your environment in the name of security," said Maier, who said his firm conducted several small NAC deployments with varying success.

Companies considering the technology need to conduct a standard risk assessment and figure out how much the project will cost to deploy NAC as well as ongoing support costs. When considering NAC products, companies should ask a vendor how much network reconfiguration needs to be conducted, whether infrastructure needs to be changed and whether the environment needs to be homogeneous, Maier said. The common admission control architecture touted by Cisco Systems and Microsoft is dependent upon customers using Cisco infrastructure and Windows machines.

"Make sure the impact of the existing network infrastructure is clear," Maier said. "Lay out the architecture for the vendor before you accept an answer."

One of the hold-ups to adoption is an internal conflict within organizations, Herbst said. Some people want to enforce a strict policy denying foreign PCs on the network, others want to allow foreign PCs from contractors and specialists to plug into the network, but they want a mechanism that will isolate them to conduct a health check of their systems. A third group wants to assure that nothing bad is being introduced into the network and that all PCs are checked to make sure that antivirus definitions are up to date.

"One of the reasons why we haven't deployed anything is because of these competing groups within the organization and we haven't decided yet which one is going to win out or which combinations we're going to deploy," Herbst said.

When attendees were asked by panel moderator Ken Cutler whether any had begun deploying NAC, no one in attendance raised their hand. Still, some attendees said they plan to investigate whether to move forward with small mini-NAC projects.

The uncertainty and complexity of deploying NAC is likely causing most enterprises to defer deployment plans, said Chuck Baxley, an information technology security manager at Moncks Corner, S.C.-based electric company Santee Cooper.

"My take is that the technology is on the cutting edge and there needs to be a lot of thought process behind it at this point," Baxley said. "So far the costs seem too high to make it worth the investment, but we'll have to take a hard look at it."