Why is there so much hype around Network Admission Control (NAC)? Some believe it’s to satisfy DISA regulations or other mandates, like 802.1X requirements. However, the people who really understand the need for NAC are the engineers supporting port security by hand. The harder they try to lock down the network, the more err-disabled ports they have to run off and repair. Some agencies also believe that random scans, or signs stating “all new devices should be scanned,” will actually enforce network policy. In the end, you either have automated access control or you don’t have control of what’s on your network.
What are the top things to look for in a Network Admission Control (NAC) solution? First off, the solution should categorize all devices as authenticating or non-authenticating. Devices that can authenticate usually have full operating systems, which can be scanned for anti-virus, updates, etc., and can leverage some type of single- or multi-factor authentication. The best NAC solutions reuse an existing authentication source so users don’t get any additional logins, unless that is by design for temporary users such as guests or contractors.
Non-authenticating devices typically use the network for specific purposes, such as printers, card readers and IP phones, and don’t have a user or a general-purpose operating system. This makes them hard to control, since they don’t belong to a naming database (a directory) that can be leveraged to assign network access. Weak access control solutions whitelist non-authenticating devices by MAC address, which opens the door to any attacker who can spoof a known MAC, and changing a MAC address is a single command on most operating systems. Strong NAC solutions build roles for non-authenticating devices from behavior and from attributes that can be gathered with network-based protocols (DHCP options, SNMP, TCP/IP stack fingerprints, observed traffic). Profiling devices makes deployments easier, since many administrators get heartburn developing a master whitelist of every device. Profiling also maintains security after admission by monitoring devices for anomalies. A simple way to think of this is catching a user spoofing a known printer: the “printer” suddenly starts surfing the web, and the fingerprint of its NIC chipset or network stack changes from what was baselined.
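The profiling logic described above, as an added example that is not code from the original post or from any NAC product. It assigns an initial role from the MAC OUI, baselines a fingerprint per MAC (standing in for whatever the NAC actually scans: DHCP vendor class, SNMP sysDescr, stack fingerprint) and flags a device that either changes fingerprint or initiates traffic its role has no reason to. The OUI table, role profiles, flow records and fingerprint strings are all constructed for the example.

```python
# Added example (not code from the original post): behaviour-based profiling of
# non-authenticating devices, the alternative to a bare MAC whitelist.
# OUI table, role profiles and flow records are constructed for this example.

# Constructed OUI prefix -> role mapping (assumption: illustrative, not an OUI database)
OUI_ROLE = {
    "00:1e:0b": "printer",
    "00:04:f2": "ip_phone",
}

# Expected behaviour per role: destination ports a device in that role is
# expected to initiate connections to (DNS, DHCP, NTP, SNMP traps, scan-to-mail
# for a printer; SIP/TFTP/NTP for a phone). Anything else is an anomaly.
ROLE_PROFILE = {
    "printer": {53, 67, 123, 162, 25},
    "ip_phone": {53, 67, 69, 123, 5060, 5061},
}


def role_for_mac(mac):
    """Derive the initial role from the OUI (first three octets) of the MAC."""
    return OUI_ROLE.get(mac.lower()[:8], "unknown")


def profile_flows(flows):
    """Walk flow records in order and return (mac, kind, detail) anomalies.

    Each flow is a dict with keys mac, fingerprint, dst_port. The first
    fingerprint seen for a MAC becomes its baseline; a later change means the
    host behind that MAC is no longer the same device (e.g. a cloned MAC).
    """
    baseline = {}
    anomalies = []
    for flow in flows:
        mac = flow["mac"].lower()
        role = role_for_mac(mac)
        if role == "unknown":
            anomalies.append((mac, "unknown_oui", "not in any known role"))
            continue
        fp = flow["fingerprint"]
        if mac in baseline and baseline[mac] != fp:
            anomalies.append((mac, "fingerprint_change", f"{baseline[mac]} -> {fp}"))
        baseline.setdefault(mac, fp)  # keep the first-seen fingerprint as the baseline
        if flow["dst_port"] not in ROLE_PROFILE[role]:
            anomalies.append((mac, "unexpected_port", f"{role} talked to tcp/{flow['dst_port']}"))
    return anomalies


def quarantine_set(flows):
    """MACs that should lose their role and be moved to a quarantine VLAN."""
    return {mac for mac, _, _ in profile_flows(flows)}


# Constructed sample: a printer and a phone behaving normally, then an attacker
# who has cloned the printer's MAC on a laptop and starts browsing, then an
# unregistered device that matches no known OUI.
SAMPLE_FLOWS = [
    {"mac": "00:1E:0B:AA:BB:CC", "fingerprint": "jetdirect-class", "dst_port": 53},
    {"mac": "00:1E:0B:AA:BB:CC", "fingerprint": "jetdirect-class", "dst_port": 123},
    {"mac": "00:04:F2:11:22:33", "fingerprint": "sip-phone-class", "dst_port": 5060},
    {"mac": "00:1E:0B:AA:BB:CC", "fingerprint": "desktop-os-class", "dst_port": 443},
    {"mac": "00:1E:0B:AA:BB:CC", "fingerprint": "desktop-os-class", "dst_port": 80},
    {"mac": "DE:AD:BE:EF:00:01", "fingerprint": "desktop-os-class", "dst_port": 443},
]

if __name__ == "__main__":
    for mac, kind, detail in profile_flows(SAMPLE_FLOWS):
        print(f"{mac}  {kind:18} {detail}")
    print("quarantine:", sorted(quarantine_set(SAMPLE_FLOWS)))
```

The point of baselining on the first fingerprint rather than trusting the OUI alone is that the OUI is exactly what a MAC spoofer copies; the port set and the fingerprint are the parts they have to get right as well, and a laptop pretending to be a printer usually gets neither right.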
Strong NAC solutions group authentication and policy into a single category, and that category is enforced before network access is permitted, not after. Common factors NAC solutions leverage for policies are device certificates, operating system types, installed applications and the state reported by existing patch management solutions. The best solutions manage users and devices for LAN, VPN and wireless in one GUI, including detailed reporting.
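The admission decision for authenticating devices (the identity reuse from the second paragraph plus the certificate and posture factors above), as an added example that is not code from the original post or from any NAC product. It evaluates identity first, the device certificate second and posture last, and fails closed: any attribute that never arrived counts as failing. VLAN numbers, the patch-age threshold, the supported-OS list and the required-agent list are assumptions.

```python
# Added example (not code from the original post): an admission decision for
# authenticating devices that checks identity first, the device certificate
# second and posture last, and fails closed when an attribute is missing.
# VLAN numbers, thresholds and the required-app list are assumptions.

VLAN = {"corp": 10, "guest": 900, "remediation": 901}   # assumption
MAX_PATCH_AGE_DAYS = 30                                  # assumption
REQUIRED_APPS = {"edr-agent"}                            # assumption
SUPPORTED_OS = {"windows", "macos", "linux"}             # assumption


def admission_decision(dev):
    """Return (action, vlan, reason) for one endpoint.

    dev is a dict of attributes gathered before the port is opened: the result
    from the existing authentication source, the device certificate check and
    the posture scan / patch-management lookup. Any attribute that is absent
    counts as failing, so an agent that never reported cannot pass by accident.
    """
    # 1. Identity: reuse the existing login; staff get no second credential.
    if not dev.get("user_authenticated"):
        return ("deny", None, "no identity from the existing authentication source")
    # Guests and contractors authenticate with a sponsored temporary account and
    # are unmanaged, so they get the guest segment instead of a posture check.
    if dev.get("guest"):
        return ("permit", VLAN["guest"], "sponsored guest/contractor")
    # 2. Device certificate: a valid user on an unmanaged laptop is still a stranger.
    if not dev.get("device_cert_valid"):
        return ("quarantine", VLAN["remediation"], "device certificate missing or invalid")
    # 3. Posture, evaluated only after identity and device are established.
    failures = []
    if dev.get("os") not in SUPPORTED_OS:
        failures.append(f"unsupported or unknown OS {dev.get('os')!r}")
    if not dev.get("av_running"):
        failures.append("anti-virus not running or not reported")
    # Missing patch age defaults to one day past the limit, so "unknown" is stale.
    if dev.get("patch_age_days", MAX_PATCH_AGE_DAYS + 1) > MAX_PATCH_AGE_DAYS:
        failures.append("patch level stale or unknown")
    missing = REQUIRED_APPS - set(dev.get("installed_apps", []))
    if missing:
        failures.append("missing required apps: " + ", ".join(sorted(missing)))
    if failures:
        return ("quarantine", VLAN["remediation"], "; ".join(failures))
    return ("permit", VLAN["corp"], "compliant")


# Constructed endpoints covering each path through the policy.
COMPLIANT = {"user_authenticated": True, "device_cert_valid": True, "os": "windows",
             "av_running": True, "patch_age_days": 12, "installed_apps": ["edr-agent", "vpn"]}
STALE = dict(COMPLIANT, patch_age_days=45)
NO_AGENT_REPORT = {"user_authenticated": True, "device_cert_valid": True}  # posture never arrived
GUEST = {"user_authenticated": True, "guest": True}
STRANGER = {"device_cert_valid": True, "os": "windows"}                    # never logged in

if __name__ == "__main__":
    for name, dev in [("compliant", COMPLIANT), ("stale", STALE),
                      ("no-agent", NO_AGENT_REPORT), ("guest", GUEST), ("stranger", STRANGER)]:
        print(f"{name:10} -> {admission_decision(dev)}")
```

The ordering matters more than the individual checks: running posture before identity lets an unauthenticated host consume scanner resources and learn what the policy looks for, and treating a missing posture report as a pass is how "temporarily" broken agents turn into permanent exemptions.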
Finally, design elements such as high availability, load balancing and scalability should be top of mind. Everybody is virtualizing, so brownie points should be awarded to VMware-friendly solutions. Make sure to ask what happens when your network grows beyond the design capacity, how failover works, whether ports fail open or fail closed when the policy server is unreachable, and what the process is to update code levels. Also, don’t get cheap and skip the maintenance contract, since most NAC solutions will blow up your helpdesk if they die during business hours without a backup solution.