Corporate bring your own device (BYOD) growth is prompting enterprises to take a closer look at their networks and their approach to security.
As this initiative grows, along with the increased need for keeping the network and its data secure, more IT professionals are reconsidering network access control (NAC). In fact, a recent Ogren Group research report titled “Network Access Control: A Strong Resurgence is Underway” estimates the NAC market has grown to $392 million (£254 million) in 2012 and will sustain a strong 22 per cent CAGR through 2017, taking the market to more than $1 billion per year.
Two or three years ago, NAC was in the top ten IT project list, but it was always one of the first projects to hit the chopping block if there were budget constraints. Now as the BYOD phenomenon accelerates, so does the need to keep the corporate network and its data secure. This trend is driving more IT professionals to seek the answer to this question, “Are we ready for NAC?”
So, now that your management has the NAC bug, what do you do? Where do you start? Who is involved? There are a lot of questions that need to be asked and answered, and in this article I'll offer suggestions to set you on the right path. Let's break it down.
What do you want to accomplish?
As the name states, NAC is about managing how people and devices attach to the network and how IT controls which data each of them is permitted to access. The first step is a plan that defines what it is you want to do.
A BYOD program is the most common driver of NAC demand today. However, it is often confused with a Guest Access program. NAC can certainly help with both, but make sure that you know the difference.
BYOD initiatives focus on allowing employees to access corporate data from personal devices such as tablets, smartphones and laptops. Many times, management will allow employees to bring their personal device into the office, but limit the use to internet access only. This scenario is essentially Guest Access and is not a BYOD initiative.
When planning for either scenario, you should decide whether your employees are going to use their LDAP (Active Directory, eDirectory, etc.) credentials to gain access to data on the corporate network, or whether pre-determined credentials configured on the NAC appliance will be used for access. Finally, if you want to allow employees to access corporate information, decide how much access to allow. NAC can help with all this.
Another consideration is whether you want to limit what employees can access based on their role, location, time of day and so on. For example, there is no reason for someone in the finance department to access the data centre, just as there is no reason for them to be in the data centre in the first place. Conversely, there is no reason for IT to access the payroll server (except for maintenance).
With NAC, you can set policies and checks to help you manage access. These policies include, but aren't limited to: anti-virus verification (which brands of anti-virus are supported and whether the installed anti-virus is the most current version), operating system checks (which OS is running and whether all patches are applied), and application checks (whether unauthorised applications are running or required applications are missing).
There are many more options to consider. When you are looking at implementing a NAC solution, make sure that you know what you are looking for.
Another useful application of NAC is automating the on-boarding of “headless” devices. Headless devices include printers, IP cameras, phones and more. A NAC solution such as CounterACT has the ability to identify and classify any device that could potentially connect to your network, both wired and wireless. Once a device has been identified, NAC will be able to provide the appropriate level of access to the network.
How do I manage access?
Now that you have a clear picture of what you want to accomplish, determine the best approach to achieve those varied tasks. Some tasks manage the access itself while others interrogate the endpoints to make sure that they meet the policies that you have put in place.
When managing access to the network, there are generally two different methods: VLAN reassignment and Access Control Lists (ACLs). VLAN reassignment is the most common method for controlling access; when a device connects and has the appropriate authentication, NAC can move the device to the pre-determined VLAN.
This is accomplished by integrating with the network switches, routers and wireless controllers. This dynamic VLAN assignment is temporary, and when a device disconnects and another device connects, a new VLAN can be assigned to that port or within the SSID.
Dynamic ACLs are another method of enforcement. While not as widely utilised, they can be equally effective, and in some cases, a combination of VLANs and ACLs are used. For example, a user can connect to the network, be assigned to a VLAN, and based on their authentication have ACLs in place to limit their access.
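As an added example (not code from the article or from ForeScout's CounterACT), here is a minimal policy engine in Python that applies the posture checks listed under “What do you want to accomplish?” and maps the result to the two enforcement methods described here: a VLAN chosen by the device's role, with a dynamic ACL layered on top. Vendor names, VLAN numbers, subnets, ACL entries and the endpoint records are all constructed; headless devices and guests are classified by role only and are not interrogated.

```python
from dataclasses import dataclass, field

# Constructed policy tables: supported AV brand -> minimum version, app rules, role -> VLAN
# for dynamic reassignment, and per-role ACLs (finance kept off the data-centre subnet,
# IT off the payroll host, guests internet only). None of these values are real.
APPROVED_AV = {"VendorA": "12.0", "VendorB": "8.4"}
REQUIRED_APPS, BANNED_APPS = {"disk-encryption"}, {"p2p-client"}
ROLE_VLAN = {"finance": 20, "it": 30, "printer": 40, "guest": 99}
QUARANTINE_VLAN = 666
ROLE_ACL = {
    "finance": ["deny ip any 10.0.9.0/24", "permit ip any any"],
    "it": ["deny ip any host 10.0.5.10", "permit ip any any"],
    "guest": ["deny ip any 10.0.0.0/8", "permit ip any any"],
}

@dataclass
class Endpoint:
    role: str
    av_brand: str = ""
    av_version: str = ""
    os_patched: bool = False
    apps: set = field(default_factory=set)
    headless: bool = False  # printer, IP camera, phone: classified, not interrogated

def _ver(v):
    return tuple(int(x) for x in (v or "0").split("."))

def posture_failures(ep):
    """Posture checks from the policy list above; an empty result means compliant."""
    fails = []
    if ep.av_brand not in APPROVED_AV:
        fails.append("unsupported anti-virus")
    elif _ver(ep.av_version) < _ver(APPROVED_AV[ep.av_brand]):
        fails.append("anti-virus out of date")
    if not ep.os_patched:
        fails.append("missing OS patches")
    if ep.apps & BANNED_APPS:
        fails.append("unauthorised application")
    if REQUIRED_APPS - ep.apps:
        fails.append("required application missing")
    return fails

def enforce(ep):
    """Return (vlan, acl, reasons): the enforcement decision for one endpoint."""
    if ep.role not in ROLE_VLAN:
        return QUARANTINE_VLAN, ["deny ip any any"], ["unknown role"]
    if ep.headless or ep.role == "guest":  # no posture interrogation for these
        return ROLE_VLAN[ep.role], ROLE_ACL.get(ep.role, []), []
    fails = posture_failures(ep)
    if fails:  # non-compliant: park on a remediation VLAN until fixed
        return QUARANTINE_VLAN, ["deny ip any any"], fails
    return ROLE_VLAN[ep.role], ROLE_ACL.get(ep.role, []), []
```

In a real deployment the returned VLAN and ACL would be pushed to the switch port or wireless controller through the integration described above; here the function simply returns the decision so it can be inspected.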
Who is involved?
When it comes to NAC and implementing a solution, it is important to involve other teams, in addition to the networking and security teams, since NAC directly impacts the network. The network team needs to be brought in because NAC requires integration with the network equipment. This includes SNMP read/write as well as privileges to make changes to the switch configuration.
Another team to consult is security as there are generally specific requirements or policies that need to be in place to maintain corporate security. Additionally, NAC involves the interrogation of the endpoints, so the desktop support team should be included.
Whether utilising an agent or using an agentless method, the endpoint will have changes made to it and the desktop team needs to be informed.
As you see, a lot of decisions and considerations need to be made when planning for NAC. The better prepared you are and the more time you spend planning, the more successful the implementation will be. In a dynamic world, things change, and a NAC solution needs to be dynamic too. As new business and security policies emerge, it is critical to integrate them with your NAC plans.
Ken Daniels is a channel systems engineer at ForeScout