Why NAC Alone Is Not Enough
The development of Network Admission Control (NAC) products, which check that hosts connecting to a network meet the requirements needed to join that network, has blurred the boundaries of endpoint security. Whether it is the original iteration from Cisco, Microsoft’s NAP, or the Trusted Computing Group’s TNC, NAC is becoming an increasingly popular solution to stop infected machines from entering a secure network.
The technology is effective in stopping worms and viruses from gaining access to networks through authorized external users. However, depending on how many users you have and how far you need to go in your NAC deployment, NAC may not be the most cost-effective solution. While all NAC products ensure that a host is “clean,” some go far beyond the baseline checks: verifying that an up-to-date anti-virus and personal firewall client is present on the endpoint, that the OS is properly updated (or patched), and that no malware exists on the machine. Some NAC solutions can be customized to include user-defined requirements for gaining network access.
Ultimately, a NAC solution will do what its name says—control network admission. What happens if an endpoint becomes noncompliant while it’s connected to the network? That’s where clientless endpoint security management (CESM) comes into play. CESM looks at the endpoint and its activity the entire time a user is connected to the network, making NAC and CESM complementary technologies.