Chapter 1. Understanding Terms and Technologies

You've all heard the old analogies: Do you call a tomato a "tuh-mey-toh" or do you call it a "tuh-mah-toh"? Do you pronounce Illinois "il-uh-noi" or "il-uh-nois"? Is a roll with salami, ham, cheese, and so on a submarine sandwich, a hero, or a hoagie? Likewise, is it NAC? Is it NAP? Is there a difference? What about TNC? And what the heck is Network Access Quarantine Control?

There's no lack of acronyms out there to describe technologies that are pretty darn similar. Adding to the confusion is the addition of these technologies to everyday vocabulary as used in a generic sense. Remember Xerox copy machines? It wasn't long before office workers were saying, "Hey, go Xerox me a copy of this report...." The brand name Xerox became a verb and part of the everyday vocabulary. It didn't necessarily represent the brand of copier actually being used to perform the document copying function.

NAC is faring a pretty similar fate. Generically speaking, many people and enterprises refer to many different technologies as NAC. Does this mean that they are all actually and officially called "NAC"? Does it matter?

For this book, we are going to break out the various NAC/NAP technologies into the following categories:

  • Cisco NAC

  • Microsoft NAP

  • Mobile NAC

  • NAC in other products

Let's start by looking at how a few of the vendors define the different technologies.

Cisco defines NAC as follows:

Cisco® Network Admission Control (NAC) is a solution that uses the network infrastructure to enforce security policies on all devices seeking to access network computing resources ... NAC helps ensure that all hosts comply with the latest corporate security policies, such as antivirus, security software, and operating system patch, prior to obtaining normal network access.

Microsoft defines NAP as follows:

Network Access Protection (NAP) is a platform that provides policy enforcement components to help ensure that computers connecting to or communicating on a network meet administrator-defined requirements for system health.

The leader in Mobile NAC solutions is a company called Fiberlink Communications Corporation, and they define Mobile NAC as follows:

An architecture that performs most NAC functions on endpoint computers themselves rather than inside the corporate network ... with a focus on extending extremely high levels of protection out to mobile and remote computers, as opposed to emphasizing defenses at the perimeter.

You can tell by looking at the descriptions that NAC and NAP focus on protecting the corporate LAN, while Mobile NAC focuses on protecting endpoints as they are mobile. This is the key fundamental difference between Mobile NAC and the other NAC/NAP types, which brings up an important theme throughout this book: What exactly are you trying to protect with your NAC solution?

In addition to the NAC/NAP types, variations on NAC/NAP can be found in a variety of different products and technologies. It's interesting to see how technologies that have been around for quite some time are now being touted and positioned as NAC. This isn't necessarily bad, as many of them certainly do provide NAC-type functions. The point to understand is that these functions existed and were implemented well before the terms NAC or NAP were ever invented.

So, what are some of these "other" technologies that implement NAC? Well, two that have been around for some time are IPSec-based and Secure Sockets Layer (SSL)-based virtual private network (VPN) solutions. Here's a quick description of how these two technologies implement NAC:

  • IPSec VPN — Many devices are able to perform at least a rudimentary assessment of a device attempting to gain Layer 3 access into the corporate network. If the device's security posture is deficient, access to the corporate network via the VPN can be denied or limited.

  • SSL VPN — This is similar to IPSec VPN's assessment, although sometimes the assessment can be much more granular, because an ActiveX or Java component may be automatically downloaded to assess the machine. For example, Juniper's SSL box can run quite a detailed assessment. Based upon the security posture of the endpoint seeking to connect to the corporate LAN, access can be denied or limited to certain areas of the LAN, and Layer 3 access can be denied, while browser-based SSL access can be allowed.
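To make the posture-to-access mapping described above concrete, here is an added example (not code from the book or from any vendor's product) of the decision logic a VPN gateway applies after assessing an endpoint. The posture fields, thresholds, tiers and network ranges are all constructed assumptions; a real gateway would collect the posture from the downloaded agent or ActiveX/Java component and push the resulting routes or restrictions to the client.

```python
"""Posture-based VPN access decision (constructed example, not a vendor policy)."""
from dataclasses import dataclass, field

@dataclass
class Posture:                    # what the endpoint assessment reported
    av_installed: bool
    av_sig_age_days: int          # age of antivirus signatures
    missing_critical_patches: int # OS patches still outstanding
    host_firewall_on: bool

@dataclass
class Decision:
    layer3: bool                  # full Layer 3 tunnel allowed?
    browser_ssl: bool             # clientless, browser-based SSL access allowed?
    networks: list = field(default_factory=list)  # routes pushed to the client
    reasons: list = field(default_factory=list)   # why access was limited

# Constructed policy thresholds and address ranges (assumptions)
MAX_SIG_AGE_DAYS = 7
CORP_NETS = ["10.0.0.0/8"]             # normal corporate LAN
REMEDIATION_NETS = ["10.250.0.0/16"]   # patch and AV update servers only

def assess(p: Posture) -> Decision:
    """Map an endpoint's posture to one of four access tiers."""
    # Tier 4: no antivirus at all -> deny every form of access
    if not p.av_installed:
        return Decision(False, False, [], ["no antivirus installed"])
    # Tier 3: unpatched OS -> deny the Layer 3 tunnel, allow browser-only SSL
    if p.missing_critical_patches > 0:
        why = [f"{p.missing_critical_patches} critical patch(es) missing"]
        return Decision(False, True, [], why)
    # Tier 2: lesser deficiencies -> Layer 3 limited to remediation servers
    reasons = []
    if p.av_sig_age_days > MAX_SIG_AGE_DAYS:
        reasons.append(f"AV signatures {p.av_sig_age_days} days old")
    if not p.host_firewall_on:
        reasons.append("host firewall disabled")
    if reasons:
        return Decision(True, True, list(REMEDIATION_NETS), reasons)
    # Tier 1: compliant -> normal network access
    return Decision(True, True, list(CORP_NETS), [])
```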

The "other" technologies aren't limited to VPN devices. McAfee and Symantec both have NAC-type solutions, as do a number of other vendors. Later chapters in this book will cover a slew of these technologies in much greater detail.

The big point to get out of this section is that regardless of whether it is called NAC, NAP, or something else, the area to focus on is the purpose of each technology and what it is trying to protect. Again, many of the solutions are geared toward protecting the corporate LAN, whereas Mobile NAC is geared toward protecting mobile endpoints while they are mobile. This point will be further discussed in great detail later in this chapter. Personally, I don't care if the solution I implement is officially called NAC or NAP; I simply want it to secure the items that I feel need to be secured.

So, now we know what the actual vendors themselves are calling the technologies at a high level. In the upcoming chapters, we are going to cover all of these options in great detail.
