Chapter 2. The Technical Components of NAC Solutions

A car is a car, though sometimes it is called an automobile. Regardless, there are expensive cars, middle-range cars, and cheap cars. The expensive cars sure are nice, but sometimes the middle-range or cheap cars actually do what you need and can save you some money. That notwithstanding, cars are generally built of the same components:

• Tires

• Engine

• Body

• Steering wheel

• Accelerator

• Brake

• Gas tank

Clearly, a high-priced Ferrari will be faster than a Chevette from the 1980s. At the same time, you couldn't use a Ferrari to transport hay, horses, and so on, so it would be cool but rather useless on a farm. What's the point? There are actually a few of them.

The big one is that just as there are many different types of cars, there are many different types of NAC and NAP. Regardless, the solutions will have pretty much the same components, irrespective of the exact solution that is chosen.

Also, there are different cars for different jobs. What you are attempting to accomplish and secure will define the NAC/NAP solution you should use. For example, if your goal is to secure your laptops when users are sitting at a Wi-Fi hotspot at Starbucks or at an airport, will a NAC/NAP device sitting on your LAN actually do that if they don't try to VPN back to your network? No, it won't, and that's why Mobile NAC would be utilized. It's all about using the right tool for the job.

Some NAC/NAP solutions are expensive, and some of them are cost-effective, just like with cars. Again, the point is that you don't necessarily need the most expensive NAC/NAP solution; you need the one that fits your needs.

Finally, whether you call it a car or an automobile, your "ride" is still going to perform the same functions. It doesn't matter what the vendor decides to call it.

From a NAC/NAP perspective, the components are as follows:

• A technology to analyze the security posture of, and to authenticate, the device

• A policy-related component to configure and set the policy on what specific security criteria will be analyzed on the device

• A technology to communicate the security state of the device to other facets of the NAC/NAP solution

• A mechanism that receives the security posture of the device, and performs an action based upon those results

• A policy-related component to configure and set the policy regarding what action will take place

• A remediation technology whose purpose is to bring the device back into compliance

• A reporting mechanism

Of all the NAC/NAP technologies available, they all will have various combinations of these technologies, and will implement these components in their own special way. You'll also find that many of the solutions don't actually have every single one of these pieces. At the same time, sometimes a component will be offered, but it won't be nearly as good as a similar component being offered by a competitor's solution. It's just like anything else with technology. You pick the solution that meets your requirements and do your due diligence in selecting a technology.

Now, let's take a closer look at each of the solutions. In the chapters that follow, we'll take a very in-depth look at how Microsoft, Cisco, Fiberlink, and so on implement these individual components for their solutions.