How to implement network access control

In spite of the billions of dollars spent each year on IT security, companies still suffer data leaks, security breaches, and virus outbreaks, writes Chris Boscolo, CTO and founder of Napera Networks.

Today's security challenges come not only from the changing threat environment but also from changes in how we work. Mobile working is now the norm rather than the exception. Many employees use their company laptops for both business and personal use. While this is a boon to productivity and work-life balance, it also means we are in danger of losing control of corporate IT assets.

Traditional security solutions, such as firewalls, anti-virus, anti-spyware, patch management, or VPNs, are no longer sufficient on their own to keep threats off the network. While these play a vital role, companies are still dealing with devices connecting to the network with unpatched software, out-of-date anti-virus and improper security settings. Devices that are not kept up to date are probably the largest hole in corporate security today.

What is network access control?

Network access control (NAC) products entered the market a few years ago to fill this gap. A typical NAC solution assesses the health of an endpoint (patch level, anti-virus status, firewall settings) when it connects, then grants, restricts or denies network access and enforces security policy based on the state of the computer and the identity of the user.

Early NAC solutions were expensive and complex and targeted at the large enterprise market. But even for those companies with the budgets and IT staff to manage NAC, deployments often failed or stalled. This was due to the complexity, the lack of interoperability and the proprietary technologies used in the NAC solutions.

Cisco, Microsoft, and the Trusted Computing Group (TCG), a consortium of suppliers, proposed alternate frameworks and interoperable architectures in an attempt to overcome this hurdle. Today, NAC is moving toward more standards-based protocols.

TCG developed its Trusted Network Connect (TNC) framework with the sole goal of defining open standards for NAC. In addition to this, the Internet Engineering Task Force (IETF) has a working group, Network Endpoint Assessment (NEA), focused on standardising the same NAC protocols.

The biggest boon to NAC has been Microsoft and its Network Access Protection platform and protocols. Under NAP Microsoft is interoperating with other vendor solutions, and encouraging partners to develop agents and tools to enable NAP to communicate with non-Windows devices as well as competing policy servers. Partners have responded by developing Macintosh and Linux NAP agents.

NAP was slow out of the gate because of the long adoption cycle for Windows Vista and Windows Server 2008, which hosts the NAP health policy server (Network Policy Server) that makes the enforcement decisions. But the NAP agent for Windows XP shipped in Service Pack 3, released worldwide earlier this year. As a result, the NAP agent is expected to be available on some 80% or more of Windows laptops by the end of 2008.

One key benefit of NAP is that any anti-virus product that reports its status via Windows Security Centre is automatically visible to NAP, because the built-in Windows Security Health Agent reads that same status. Most anti-virus products therefore already work with NAP, and hopefully all of them will.

Getting started

NAC has come a long way in the past year. But how do you get started?

If you are mostly a Windows shop, then Microsoft NAP would be a good place to start. If you are a smaller organisation, you don't need Windows Server 2008: a network appliance can enforce policies and communicate directly with the Microsoft NAP agent. If you have Macintosh or Linux computers, then you need to look for cross-platform support.

There is much debate about where to enforce NAC, but I believe that the best place is at the network layer (layer 2 or 3). There are now several NAC appliances that are relatively easy to deploy and manage.

Also, it's best to find a solution that provides centralised management for both employee and guest access. Mobile employees pose a huge risk to your network, but visitors, partners or suppliers working on site bring an even greater danger, since you have no way to manage those devices.

A good NAC solution should enable you to provide guests with controlled and safe access either to the internet or a select group of printers or network resources, without exposing the rest of the network.

It is useful to be able to implement NAC in phases, so you aren't disrupting your network or your workers or creating a burden for your help desk.

Your first task is to monitor your environment. Gather the information you need and understand what is actually happening with devices on your network. Many IT managers are shocked by what they find. One IT manager discovered several virtual machines on his network that he was unaware of; another found that more than half of the laptop computers were not running the latest security patches; yet another found that their desktop security suite was incorrectly configured and that all of their desktop firewalls were disabled.

This insight into your network is one of the greatest benefits of NAC. While few companies deploy NAC for this reason, it is always the first thing IT staff notice and appreciate. Never before have they had a central view of every device on the network and, importantly, the security status of those devices. One of our customers, Bakha Nurzhanov, co-founder and CTO of Design Clinicals, a Seattle-based healthcare IT firm, said, "It was like having a microscope over my entire network."
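To make the assessment-then-enforce model and the phased rollout concrete, here is an added example (not Napera or Microsoft NAP code) of a toy NAC policy engine. It evaluates constructed endpoint health reports against thresholds for patch age, anti-virus signature age and firewall state, then maps the result and the user's identity to a network role. The field names, thresholds and the roles "corporate", "remediation" and "guest" are assumptions chosen for illustration; in a real deployment the health data would come from the NAP agent's Statement of Health and the role would be applied by an 802.1X switch or a NAC appliance.

```python
"""Toy NAC policy engine: assess endpoint health, then decide network access.

Added example, not vendor code. Health-report fields, thresholds and role
names are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 30          # assumed policy threshold
MAX_AV_SIGNATURE_AGE_DAYS = 7    # assumed policy threshold


@dataclass(frozen=True)
class HealthReport:
    host: str
    user: str                    # authenticated identity; "" = unauthenticated guest
    last_patched: date
    av_signatures: date
    firewall_enabled: bool


def assess(report, today):
    """Return the list of policy failures for one endpoint ([] = compliant)."""
    failures = []
    if (today - report.last_patched).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches out of date")
    if (today - report.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("anti-virus signatures out of date")
    if not report.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def decide(report, today, enforce):
    """Map (identity, health) to a network role, returning (role, failures).

    Assumed roles: 'corporate' = full access, 'remediation' = patch and AV
    servers only, 'guest' = internet plus a few shared printers.
    With enforce=False (the first, monitor-only phase of a rollout) every
    authenticated user keeps full access and failures are only reported.
    """
    failures = assess(report, today)
    if not report.user:
        return "guest", failures
    if failures and enforce:
        return "remediation", failures
    return "corporate", failures


def run(reports, today, enforce):
    """Evaluate every report; return {host: (role, failures)}."""
    return {r.host: decide(r, today, enforce) for r in reports}


# Constructed sample reports (not real inventory data).
TODAY = date(2008, 9, 1)
SAMPLE = [
    HealthReport("lt-alice", "alice", TODAY - timedelta(days=3), TODAY - timedelta(days=1), True),
    HealthReport("lt-bob", "bob", TODAY - timedelta(days=90), TODAY - timedelta(days=1), True),
    HealthReport("vm-unknown", "carol", TODAY - timedelta(days=2), TODAY - timedelta(days=2), False),
    HealthReport("visitor-1", "", TODAY, TODAY, True),
]

if __name__ == "__main__":
    # Phase 1 (monitor only) and phase 2 (enforce) over the same inventory.
    for mode in (False, True):
        print("enforce=%s" % mode)
        for host, (role, failures) in run(SAMPLE, TODAY, mode).items():
            print("  %-12s %-12s %s" % (host, role, ", ".join(failures) or "compliant"))
```

Running it in monitor-only mode produces the inventory of non-compliant machines that the text describes as the first (and most eye-opening) phase; flipping `enforce` to `True` moves the same non-compliant hosts into the remediation role without touching the compliant ones.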

In spite of your efforts, employees often ignore the rules. Even with NAC, you need to think about authentication of both devices and users. For example, many companies are now using Wi-Fi access points to provide easy wireless access to the corporate network, but they forget to add the necessary security. The problems with WEP wireless encryption are well documented, and WPA provides a reasonably secure alternative. But in our recent survey of 40 small and medium enterprises, more than half used a shared password for all wireless access.

Regardless of your choice of encryption, a shared password is an obvious Achilles heel: individual users cannot be identified, and every change to the shared password creates massive disruption because all clients must be reconfigured at once. Identifying wireless users and rotating a shared password regularly is the task that makes wireless access a management nightmare.

A more secure way to do Wi-Fi is to use WPA Enterprise, which authenticates each client over 802.1X against a RADIUS server (Microsoft's Network Policy Server, for example). Every user connects with his or her own username and password (or certificate), so users can be identified individually and one person's credentials can be revoked without affecting anyone else. Although the initial setup of WPA Enterprise can be difficult, the day-to-day burden of changing a shared password is eliminated. WPA Enterprise also means you can give guests access by creating a guest user.
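As an added illustration (not configuration from the original article), the two settings side by side as hostapd configuration files, since hostapd is a widely used open-source access point daemon whose option names are documented. The SSID, interface, channel, RADIUS address and secrets are placeholders; the first file is the shared-password setup the survey found, the second is the WPA Enterprise equivalent.

```ini
# hostapd.conf, weak: WPA2-Personal with one passphrase shared by every user.
# Anyone who has the passphrase is indistinguishable from anyone else, and
# rotating it means reconfiguring every client at once.
interface=wlan0
ssid=corp-wifi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Sh4redSecret-placeholder

# hostapd.conf, corrected: WPA2-Enterprise. Clients authenticate over 802.1X
# with their own credentials; hostapd forwards the EAP exchange to a RADIUS
# server (assumed address 192.0.2.10, e.g. Microsoft NPS), which holds the
# user accounts, including any guest account you choose to create.
interface=wlan0
ssid=corp-wifi
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=radius-secret-placeholder
```

The only secret that stays on the access point in the second file is the RADIUS shared secret, which is never given to users; disabling one person's account on the RADIUS server is enough to revoke their Wi-Fi access.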

I have yet to meet an organisation that didn't have at least one computer on its network that was out of compliance or that presented a direct threat to the network. Whatever other controls they have, if they don't have a way to check devices before they access the network, they risk having a virus or other threat spread across the company.

While you may not be able to control everything your employees do, you can take back control of mobile computing and implement better policies and technologies that make sure all devices accessing the network are healthy and secure.