NAC, Vista, and Your Security Strategy
Though a new year is underway, IT professionals still face the challenge of securing the end-point machines that access the networks and Big Iron. Network access control and Microsoft Windows Vista are advertised as options that will satisfy our hunger for improved security. For 2007, one still may be problematic and only sampling the other may be smart.
Network access control (NAC) is a set of infrastructure pieces that enforce security policy compliance on all devices seeking to access network computing resources. Unless the device can prove it is healthy (right minimal OS, BIOS, patches, not virus- or spyware-infected, and compliant with corporate security standards), the device gets shunted to a network side rail and can’t access corporate data stores.
At the same time, NAC can apply role-based rights that determine which servers and which data stores the properly authenticated device may use. That device can be anything from a smartphone or personal computer to a server, printer, intelligent office copier, or computerized medical device.
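The admission logic described in the two paragraphs above can be sketched as follows. This is an added example, not code from any NAC product; the baseline values, role names, resource names, and function names are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical baseline; a real deployment pulls these from its policy server.
BASELINE = {"min_os_build": 6000, "min_patch_level": 12, "min_bios": (2, 4)}

# Hypothetical role-to-resource map (the role-based rights).
ROLE_RESOURCES = {
    "employee": {"mail", "fileserver", "intranet"},
    "contractor": {"intranet"},
}

@dataclass
class Posture:
    os_build: int
    patch_level: int
    bios: tuple          # (major, minor)
    av_running: bool
    malware_found: bool

def health_failures(p):
    """Return the baseline checks the device fails (empty list = healthy)."""
    failures = []
    if p.os_build < BASELINE["min_os_build"]:
        failures.append("os")
    if p.patch_level < BASELINE["min_patch_level"]:
        failures.append("patches")
    if p.bios < BASELINE["min_bios"]:
        failures.append("bios")
    if not p.av_running:
        failures.append("antivirus")
    if p.malware_found:
        failures.append("infected")
    return failures

def decide(posture, authenticated, role):
    """Health first, then role: an unhealthy device is quarantined whatever its role."""
    # A device that sends no posture report (e.g. an agentless printer) has not
    # proven it is healthy, so it lands on the side rail as well.
    if posture is None or not authenticated:
        return {"segment": "quarantine", "resources": set(), "reasons": ["no-proof"]}
    failures = health_failures(posture)
    if failures:
        return {"segment": "quarantine", "resources": set(), "reasons": failures}
    # Fail closed: a role missing from the map gets nothing, not a default grant.
    return {"segment": "corporate",
            "resources": set(ROLE_RESOURCES.get(role, set())), "reasons": []}
```

The `reasons` list is what a remediation portal or help desk would need to tell the user why the device was quarantined.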
The approaches fall into three categories: infrastructure-based (Cisco, Microsoft, and Juniper are the usual names), end-point software-based (Symantec and McAfee are two examples), and appliance-based (products from StillSecure, Mirage, and even Cisco put these companies into the appliance game). Hybrids of these also exist.
Like many other technology challenges, there is no universal “best” way to implement NAC. The variables include network connection topologies (such as data center, local, LAN, wireless, VPN, or WAN), client diversity (stationary versus mobile, full client versus PDA/smartphone, homogeneous versus heterogeneous), user trust (employee and role versus guest versus contractor), scalability (hundreds of seats to 100,000+), central controls (whose capabilities and reporting vary widely), and cost.