
Seeking Answers with Network Access Control

NAC is about managing how people and devices attach to the network and how IT controls the data you have permission to access

Corporate BYOD growth is prompting enterprises to take a closer look at their networks and their approach to security. As BYOD grows, and with it the need to keep the network and its data secure, more IT professionals are reconsidering NAC. In fact, a recent Ogren Group research report, "Network Access Control: A Strong Resurgence is Underway,"[1] estimates that the network access control (NAC) market has grown to $392 million in 2012 and will sustain a strong 22 percent CAGR through 2017, taking the market to more than $1 billion per year.

Two or three years ago, NAC was on the top-ten IT project list, but it was always one of the first projects to hit the chopping block when budgets were constrained. Now, as the BYOD phenomenon accelerates, so does the need to keep the corporate network and its data secure. This trend is driving more IT professionals to ask, "Are we ready for NAC?"

Now that your management has the NAC bug, what do you do? Where do you start? Who is involved? There are a lot of questions that need to be asked and answered, and in this article I'll offer suggestions to set you on the right path.

Let's break it down:

What do you want to accomplish?
As the name states, network access control is about managing how people and devices attach to the network and how IT controls the data you have permission to access. The first step is a plan that defines what it is you want to do.

A BYOD program is the most common driver of NAC demand today. However, it is often confused with a Guest Access program. NAC can certainly help with both, but make sure that you know the difference. BYOD initiatives focus on allowing employees to access corporate data from personal devices such as tablets, smartphones and laptops. Often, management will allow employees to bring a personal device into the office but limit its use to Internet access only. That scenario is essentially Guest Access, not a BYOD initiative. When planning for either scenario, decide whether employees will use their LDAP (Active Directory, eDirectory, etc.) credentials to gain access to data on the corporate network, or whether pre-determined credentials configured on the NAC appliance will be used for access. Finally, if you want to allow employees to access corporate information, decide how much access to allow. NAC can help with all of this.

Another consideration is whether you want to limit what employees can access based on their role, location, time of day, and so on. For example, there is no reason for someone in the finance department to access the data center, just as there is no reason for them to be in the data center in the first place. Conversely, there is no reason for IT to access the payroll server (except for maintenance). With NAC, you can set policies and checks to help you manage access. These policies include, but aren't limited to: anti-virus verification (which AV brands are supported and whether the installed AV is the current version), operating system checks (which OS is running and whether all patches are applied), and application checks (is the device running unauthorized applications, or missing required ones?). There are many more options to consider. When you are looking at implementing a NAC solution, make sure that you know what you are looking for.
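The role, time-of-day and posture checks described above can be expressed as a small policy engine. The following is an added example, not code from the article or from any NAC product: the approved AV list, role rules, required and forbidden applications, zone names and the sample endpoints are all constructed assumptions. It mirrors the finance and IT cases in the text (finance cannot reach the data center; IT reaches payroll only during maintenance) and sends a non-compliant but otherwise authorized endpoint to remediation instead of granting full access.

```python
"""Posture and role-based NAC policy evaluation (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Set, Tuple

# Constructed: approved AV products and the minimum (major, minor) version accepted.
APPROVED_AV = {"AcmeAV": (12, 4), "GuardianAV": (3, 0)}

# Constructed: per-role reachable zones, allowed hours ("HH:MM"), and zones that
# open only during a declared maintenance window.
ROLE_RULES = {
    "finance": {"zones": {"corp", "payroll"}, "hours": ("07:00", "19:00"),
                "maintenance_zones": set()},
    "it":      {"zones": {"corp", "datacenter"}, "hours": ("00:00", "23:59"),
                "maintenance_zones": {"payroll"}},
    "guest":   {"zones": {"internet"}, "hours": ("00:00", "23:59"),
                "maintenance_zones": set()},
}

REQUIRED_APPS = {"disk-encryption"}   # constructed: must be present on the endpoint
FORBIDDEN_APPS = {"torrent-client"}   # constructed: must be absent


@dataclass
class Endpoint:
    user: str
    role: str
    av_product: Optional[str]
    av_version: Optional[Tuple[int, int]]
    os_name: str
    patches_current: bool
    apps: Set[str] = field(default_factory=set)


def _parse_hhmm(s: str) -> time:
    hour, minute = (int(p) for p in s.split(":"))
    return time(hour, minute)


def posture_failures(ep: Endpoint) -> List[str]:
    """Return the posture checks the endpoint fails; an empty list means compliant."""
    failures = []
    if ep.av_product not in APPROVED_AV:          # also catches av_product=None
        failures.append("av-not-approved")
    elif ep.av_version is None or ep.av_version < APPROVED_AV[ep.av_product]:
        failures.append("av-outdated")
    if not ep.patches_current:
        failures.append("os-patches-missing")
    missing = REQUIRED_APPS - ep.apps
    if missing:
        failures.append("missing-app:" + ",".join(sorted(missing)))
    banned = FORBIDDEN_APPS & ep.apps
    if banned:
        failures.append("unauthorized-app:" + ",".join(sorted(banned)))
    return failures


def decide(ep: Endpoint, zone: str, now_hhmm: str, maintenance: bool = False) -> str:
    """Return 'allow', 'remediate' or 'deny' for ep requesting `zone` at `now_hhmm`.

    Role and time-of-day checks run first: a request outside the role's zones or
    hours is denied regardless of posture. A compliant endpoint is allowed; a
    non-compliant one is sent to remediation rather than given full access.
    """
    rule = ROLE_RULES.get(ep.role)
    if rule is None:
        return "deny"
    permitted = zone in rule["zones"] or (maintenance and zone in rule["maintenance_zones"])
    if not permitted:
        return "deny"
    start, end = (_parse_hhmm(h) for h in rule["hours"])
    if not (start <= _parse_hhmm(now_hhmm) <= end):
        return "deny"
    if posture_failures(ep):
        return "remediate"
    return "allow"


# Constructed endpoints mirroring the article's finance / IT examples.
ALICE = Endpoint("alice", "finance", "AcmeAV", (12, 5), "Windows", True, {"disk-encryption"})
BOB = Endpoint("bob", "it", "AcmeAV", (11, 0), "Linux", True, {"disk-encryption"})
CAROL = Endpoint("carol", "guest", None, None, "iOS", False, {"torrent-client"})

if __name__ == "__main__":
    print("alice -> payroll:", decide(ALICE, "payroll", "10:00"))
    print("alice -> datacenter:", decide(ALICE, "datacenter", "10:00"))
    print("bob -> payroll:", decide(BOB, "payroll", "10:00"))
    print("bob -> payroll (maintenance):", decide(BOB, "payroll", "10:00", maintenance=True))
    print("bob posture failures:", posture_failures(BOB))
```

Ordering the checks this way keeps posture data from ever widening access: a device that is off-hours or out of role is refused before its AV or patch state is even considered, and a compliant device still gets only the zones its role permits.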

Another advantage of NAC is automating the on-boarding of "headless" devices such as printers, IP cameras, and phones. A NAC solution such as CounterACT can identify and classify any device that could potentially connect to your network, wired or wireless. Once a device has been identified, NAC can provide it the appropriate access to the network.

How do I manage access?
Now that you have a clear picture of what you want to accomplish, determine the best approach to achieve those varied tasks. Some tasks manage the access while others interrogate the endpoints to make sure that they meet the policies that you have put in place.

When managing access to the network, there are generally two different methods: VLAN reassignment and Access Control Lists (ACLs). ForeScout has another alternative called Virtual Firewall. This feature allows you to control access of any device attempting to connect to the network.

VLAN reassignment is the most common method for controlling access. When a device connects and has the appropriate authentication, NAC can move the device to the pre-determined VLAN. This is accomplished by integrating with the network switches, routers and wireless controllers. This dynamic VLAN assignment is temporary, and when a device disconnects and another device connects, a new VLAN can be assigned to that port or within the SSID.

Dynamic ACLs are another method of enforcement. While not as widely used, they can be equally effective, and in some cases a combination of VLANs and ACLs is used. For example, a user can connect to the network, be assigned to a VLAN, and, based on their authentication, have ACLs in place to limit their access.
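To make the three enforcement options concrete (VLAN reassignment, a dynamic ACL, or the combination described above), here is an added example that is not code from the article or from any NAC or switch vendor. It builds the reply a NAC server would send to the switch or wireless controller after authentication, using the standard RADIUS attributes for this purpose (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID from RFC 3580 for the VLAN, and Filter-Id from RFC 2865 to select a named ACL already staged on the switch), and models a port whose dynamic VLAN is released when the device disconnects, as the VLAN section notes. The VLAN numbers, ACL names, port name and MAC addresses are constructed.

```python
"""Mapping a NAC decision to switch-side enforcement (added example; constructed data)."""
from typing import Dict, Optional

# Constructed VLAN plan keyed by (decision, role). Remediation ignores role.
VLAN_PLAN = {
    ("allow", "it"): 20,
    ("allow", "finance"): 30,
    ("allow", "guest"): 90,
    ("remediate", None): 99,  # quarantine VLAN that reaches only patch/AV servers
}

# Constructed named ACLs pre-staged on the switch; Filter-Id selects one by name.
ACL_PLAN = {
    ("allow", "it"): "acl-it-no-payroll",
    ("allow", "finance"): "acl-finance-no-datacenter",
    ("allow", "guest"): "acl-internet-only",
    ("remediate", None): "acl-quarantine",
}


def radius_attributes(decision: str, role: Optional[str], method: str) -> Dict[str, str]:
    """Return the RADIUS reply attributes for one decision.

    method is 'vlan' (VLAN reassignment only), 'acl' (dynamic ACL only) or
    'both' (assign the VLAN, then further restrict with an ACL, the combined
    case the article describes). A deny is an Access-Reject with no attributes.
    """
    if method not in ("vlan", "acl", "both"):
        raise ValueError("unknown enforcement method: %s" % method)
    if decision == "deny":
        return {"Code": "Access-Reject"}
    key = (decision, role if decision == "allow" else None)
    attrs = {"Code": "Access-Accept"}
    if method in ("vlan", "both"):
        attrs["Tunnel-Type"] = "VLAN"              # value 13 on the wire
        attrs["Tunnel-Medium-Type"] = "IEEE-802"   # value 6 on the wire
        attrs["Tunnel-Private-Group-ID"] = str(VLAN_PLAN[key])
    if method in ("acl", "both"):
        attrs["Filter-Id"] = ACL_PLAN[key]
    return attrs


class SwitchPort:
    """Dynamic state of one access port.

    The VLAN and ACL handed down by NAC last only while the authenticated device
    is attached; on link-down the port falls back to its static default, so the
    next device to plug in gets its own decision rather than inheriting the last.
    """

    def __init__(self, name: str, default_vlan: int):
        self.name = name
        self.default_vlan = default_vlan
        self.vlan = default_vlan
        self.acl: Optional[str] = None
        self.mac: Optional[str] = None

    def connect(self, mac: str, attrs: Dict[str, str]) -> bool:
        """Apply a RADIUS reply to the port. Returns False, leaving the port in
        its default state, when the reply was an Access-Reject."""
        if attrs.get("Code") != "Access-Accept":
            self.disconnect()
            return False
        self.mac = mac
        self.vlan = int(attrs.get("Tunnel-Private-Group-ID", self.default_vlan))
        self.acl = attrs.get("Filter-Id")
        return True

    def disconnect(self) -> None:
        """Link-down: release the dynamic VLAN and ACL."""
        self.mac = None
        self.vlan = self.default_vlan
        self.acl = None

    def state(self) -> Dict[str, object]:
        return {"port": self.name, "mac": self.mac, "vlan": self.vlan, "acl": self.acl}


if __name__ == "__main__":
    port = SwitchPort("access-port-7", default_vlan=999)  # constructed; 999 = unused holding VLAN
    port.connect("00:11:22:33:44:55", radius_attributes("allow", "finance", "both"))
    print(port.state())   # VLAN 30 plus acl-finance-no-datacenter
    port.disconnect()
    port.connect("66:77:88:99:aa:bb", radius_attributes("remediate", "it", "vlan"))
    print(port.state())   # VLAN 99, no ACL
```

The default VLAN on a port is worth choosing deliberately: an unused holding VLAN means a device that is rejected, or that connects before the NAC server answers, lands somewhere with no reachable services rather than on the last user's production VLAN.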

Who is involved?
When implementing a NAC solution, it is important to involve other teams in addition to the networking and security teams, since NAC directly affects the network. The network team needs to be brought in because NAC requires integration with the network equipment, including SNMP read/write access and the privileges to change switch configuration. The security team should also be consulted, since there are generally specific requirements or policies that must be in place to maintain corporate security. Additionally, NAC involves interrogating the endpoints, so the desktop support team should be included: whether you use an agent or an agentless method, changes will be made to the endpoint, and the desktop team needs to know.

As you can see, a lot of decisions and considerations go into planning for NAC. The better prepared you are and the more time you spend planning, the more successful the implementation will be. In a dynamic world things change, and a NAC solution needs to be dynamic too. As new business and security policies emerge, it is critical to integrate them with your NAC plans.

Reference

1. Eric Ogren, "Network Access Control: A Strong Resurgence is Underway," The Ogren Group, March 6, 2013.

More Stories By Ken Daniels

Ken Daniels is a Channel Systems Engineer at ForeScout Technologies. For the last 20 years, he has been a sales/systems engineer primarily focused on networking. His career included working in IT for 3Com and Motorola, as well as several startup companies where his efforts helped lead to successful acquisitions. A background in wireless networking has given him a unique perspective in Network Access Control (NAC) especially given the BYOD phenomenon that is currently driving NAC market growth. Ken has helped many large national and international organizations develop networking solutions. He has extensive experience working with the channel to train technical teams to design, sell, and implement network and security solutions.
