Product Group Tests
Network access control (2009)
Bradford Networks' NAC Director is Best Buy for its ease of management, versatility and functionality.
For its focus on keeping unwanted users off the network, we rate Black Box Veri-NAC Recommended.
Full Group Summary
After years of struggle for recognition, NAC finds its place in the enterprise. By Peter Stephenson.
NAC is perhaps not as well understood as it should be. Even the acronym "NAC" has different translations. Traditionally, NAC means network access control, while Cisco refers to it as network admissions control. For our purposes, we stick to the traditional. More important than semantics is the idea that NAC has struggled in years past to find its place in the enterprise. That is no longer true. However, there are still misunderstandings about what to expect from a NAC product.
Wikipedia says the goals of a NAC system are to mitigate zero-day attacks, enforce policy and manage identity and access. The last two are the primary goals, while the first is something you get for free if you do the other two properly - and the NAC has the requisite functionality.
What to look for in a NAC
NACs come in a variety of shapes and sizes. That means they have different sub-sets of uses within the greater context of their primary objectives. Some NACs are software-only, while others are appliances. Some of the appliances are designed to deliver access control for different-sized enterprises. Many are capable of being connected together, feeding a sort of master NAC with data from outlying organisations.
When buying network access control, the most important factor is the existing security architecture and infrastructure. While NAC can usually stand alone in a security infrastructure, it works best when tightly coupled to other services within the enterprise. For example, NAC coupled with policy management allows fine-grained tuning of access from the enterprise to the application.
NAC ought to be simple to administer. It should have an accessible and easy-to-use policy manager, as well as the ability to gather its information from a primary list of authorised users such as Active Directory. NAC works best when the database (Active Directory here) is cleanly implemented, with users organised within groups, for example. NACs can take that information and allow individualised controls on a group basis.
Many NACs allow finer-grained control, down to the level of the individual user. An important function is the management of non-employees. This can include guests, contractors, consultants and vendors, who often need access to the internet or, in the case of contractors, to specific resources inside the enterprise. Although most NACs do not control access at the application level, taken with policy management they can often restrict access down to that level.
Most important is the control of non-employees, without heavy intervention by the administrator. Some NACs - those with special provision for non-employees - allow people other than the administrator to assign visitors to a group, considerably simplifying generation of credentials.
Another thing to look for in a NAC is how well it ensures that the computer connecting to the enterprise is safe to connect. Options here include virus pre-scanning (ie scanning before the computer is allowed to connect to the enterprise) and configuration confirmation of the computer attempting to connect.
Finally, as in most enterprise-focused products, scalability is an important question. In this case, scalability generally means the ability of the NAC to be distributed. Some NACs, anticipating distribution, have several models that are intended to manage different-sized networks within the enterprise. This not only affects scalability, it improves value for the price of the product, since smaller groups or organisations within the enterprise are not forced to use a product designed (and priced) for a much larger network. This has the benefit of providing NAC for smaller enterprises that need a high level of access control.
How we tested
Testing the NAC products this month was quite straightforward. We set up a network with the usual enterprise accoutrements, such as Active Directory, email, DNS etc. We then installed - or, in the case of the appliances, configured - the NAC under test to attach to our Active Directory. Next, we went through a suite of operations that exercised the capabilities of the NAC in the context described above.
We were especially interested in how easy the product was to deploy in an enterprise, how simple policy configuration was and the granularity we could achieve in access control. The usual ease-of-use tests involved the logical layout of the user interface and, for appliances, the ease with which we could accomplish initial configuration to attach to the network.