1.3. The Best NAC Approach

So, how do you decide the best NAC solution approach for you, your network, and your organization? How do you select a solution to best meet your access control needs, without forcing yourself to redesign or redefine your network?

No one offers a single, be-all-and-end-all NAC product. First, you and your organization must decide what area or areas of your network you need to secure, as well as what issue is the most dangerous to your organization, network, and resources. A NAC solution can address these kinds of needs:

  • Giving guest users secure, appropriate access to your network, while protecting your key resources and IP

  • Differentiating access for different user types, such as employees, contractors, partners, and guests

  • Protecting sensitive data and intellectual property from unauthorized access

  • Reducing the risk posed by insider threats

  • Addressing regulatory compliance and preparing for compliance audits

Your organization first needs to consider whether a particular NAC solution can handle the different device types that will try to access the network. Any comprehensive NAC solution should authenticate the user, whether employee or guest, and verify endpoint compliance before it grants that user and his or her endpoint device access to the network.


1.3.1. Do your NAC homework

Whatever issues your organization prioritizes (which parts of the network it wants to control access to, for whom, and why), research and answer all of these questions before you decide which NAC solution type, vendor, and product you want to review or purchase.

Walk through these simple steps:

  1. After you determine that you need NAC, figure out whether budget is, or could become, an issue.

    Your organization may choose to leverage existing infrastructure, existing endpoint security software, and so on in order to maximize efficiencies, contain costs, and protect existing network investments. If cost is the overriding issue, and scalability and performance are less vital, your organization may consider certain NAC solution types: an inline NAC appliance that delivers both the policy server and the enforcement point in a single networked box, a switch-based NAC solution, or client- or host-based NAC. Keep in mind that an inline appliance sits in the data path, so its throughput becomes a ceiling for every segment it protects.

  2. Decide whether network and resource security is your organization's key concern.

    If you want the ability to leverage existing network components, but also effectively segment your network so that you can allow only authorized users to access sensitive data and intellectual property, then your organization may need to investigate an out-of-band NAC appliance that has strong Layer 2 and Layer 3 enforcement capabilities.

  3. If your organization is concerned with guest user access, investigate NAC solutions that include a client-less or dissolvable client option.

    We describe these options in the section "Clientless NAC solutions," earlier in this chapter.

  4. Figure out whether your organization is most worried about keeping the wrong people off of the network and away from valuable resources and information.

    In this situation, consider a NAC solution that supports strong two- or multi-factor authentication.

  5. If ensuring the security of critical networked resources keeps you up at night, then you need a NAC solution that focuses on the segregation of networked resources.

    Such a solution ensures that only authorized users with the appropriate access rights can reach those critical resources, and that everyone else is kept away from them.

  6. Determine what use cases are the most important for your organization.

    If your organization needs to address regulatory compliance, outsourcing or even off-shoring, or business continuity during times of disaster, you can find a NAC solution that can address this for you.


1.3.2. Must-have traits of your NAC solution

Whatever your NAC needs, you can find a NAC solution, deployment type, and environment that can well address your security and access control needs. Just know about any limitations that your NAC solution has and take those limitations into consideration before purchasing the solution.

Absolutely, positively ensure that you find the following attributes and capabilities in any NAC solution that your organization reviews or selects.

1.3.2.1. Strong user/device authentication and integrity

NAC solutions usually combine two types of checks: user identity and endpoint integrity. A NAC solution should go further and combine user identity, device integrity, and location information (for example, whether the endpoint is on a wired port, the corporate wireless network, or a guest network) with policy to deliver dynamic, comprehensive NAC.

1.3.2.2. Dynamic identity- and role-based policies

A NAC solution should define policies based on user and/or device identity, as well as on the user's role, which the solution should assign from a predefined role definition (typically mapped from group membership in your directory or AAA infrastructure). A NAC solution should also be able to apply policies dynamically, so that if endpoint device integrity, user or device identity, or other factors change, the solution can assign a new policy and take the appropriate actions to maintain network and resource security and integrity. You need to know who is on your network, where they are going, and what they are doing, particularly if you have to worry about regulatory compliance and audits. Tracking users and devices by IP address alone is no longer enough: addresses are reassigned by DHCP, shared behind NAT, and easily spoofed, so an IP address cannot reliably be tied to a person or a device.

1.3.2.3. Complete network protection

The NAC solution that you choose should deliver a rich set of predefined endpoint integrity checks out of the box, as well as the ability to create custom endpoint checks. It should also be able to change an endpoint's network status dynamically if the device's security state, network information, or user information changes, even in the middle of a network session. Your NAC solution must enforce dynamic policy in real time across a distributed network. Any NAC solution that you select also needs to quarantine and remediate a non-compliant user and his or her device before granting network access. Check that the quarantine network is itself locked down: it should reach only the remediation servers (patch, antivirus, and so on), not other quarantined endpoints or production resources. You also want a NAC solution that includes automatic or automated remediation, in addition to self-remediation capabilities.
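As an added, illustrative example (not code from the original page or from any NAC vendor) of how the three traits above fit together, the following Python sketch combines a user's role, endpoint posture, and location into an access decision, re-evaluates a live session when the posture changes mid-session, and expresses the result as the RFC 3580 RADIUS tunnel attributes that 802.1X-capable switches honor for dynamic VLAN assignment. The directory, role names, VLAN numbers, and posture thresholds are all assumptions made for the example.

```python
"""Illustrative NAC policy engine (example code; not from the page or any vendor).

Combines user identity (role from a constructed directory), endpoint posture,
and location into a decision, and maps that decision onto the RFC 3580 RADIUS
tunnel attributes used for dynamic VLAN assignment. All names, VLAN numbers,
and posture rules below are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed directory: user -> role. A real deployment pulls this from AAA/LDAP.
DIRECTORY = {"alice": "employee", "bob": "contractor", "visitor1": "guest"}

# Assumed VLAN plan for the example.
VLAN_CORP, VLAN_RESTRICTED, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 30, 99


@dataclass
class Posture:
    av_running: bool
    patch_age_days: int
    disk_encrypted: bool


@dataclass
class Request:
    user: str
    location: str  # assumed values: "wired", "corp-wifi", "guest-wifi"
    posture: Posture
    mfa_verified: bool = False


def posture_failures(p: Posture) -> list[str]:
    """Predefined integrity checks; a custom check is just another tuple in the list."""
    checks = [
        ("antivirus-not-running", not p.av_running),
        ("patches-older-than-30d", p.patch_age_days > 30),
        ("disk-not-encrypted", not p.disk_encrypted),
    ]
    return [name for name, failed in checks if failed]


def decide(req: Request) -> tuple[str, int]:
    """Return (decision, vlan); vlan 0 means RADIUS Access-Reject, no VLAN."""
    role = DIRECTORY.get(req.user)
    if role is None:
        return ("deny", 0)  # unknown identity: never admit
    if role == "guest":
        # Guests only ever land on the guest VLAN, and only from the guest SSID.
        return ("guest", VLAN_GUEST) if req.location == "guest-wifi" else ("deny", 0)
    if posture_failures(req.posture):
        return ("quarantine", VLAN_QUARANTINE)  # remediation network only
    if role == "contractor":
        return ("restricted", VLAN_RESTRICTED)
    if req.location == "corp-wifi" and not req.mfa_verified:
        # Location-aware policy: wireless employees need a second factor for full access.
        return ("restricted", VLAN_RESTRICTED)
    return ("full", VLAN_CORP)


def radius_vlan_attributes(vlan: int) -> dict[str, str]:
    """RFC 3580 attributes a switch reads from Access-Accept to place the port in a VLAN."""
    return {
        "Tunnel-Type": "VLAN",             # attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",  # attribute 65, value 6
        "Tunnel-Private-Group-ID": str(vlan),  # attribute 81
    }


class Session:
    """Tracks a live session so that a posture change triggers re-evaluation
    (the mid-session policy change the text asks for)."""

    def __init__(self, req: Request) -> None:
        self.req = req
        self.decision, self.vlan = decide(req)
        self.history = [(self.decision, self.vlan)]

    def posture_changed(self, new_posture: Posture) -> str:
        self.req.posture = new_posture
        decision, vlan = decide(self.req)
        if (decision, vlan) != (self.decision, self.vlan):
            self.decision, self.vlan = decision, vlan
            self.history.append((decision, vlan))  # a real engine would send a CoA here
        return self.decision


if __name__ == "__main__":
    s = Session(Request("alice", "wired", Posture(True, 5, True), mfa_verified=True))
    print(s.decision, radius_vlan_attributes(s.vlan))
    print(s.posture_changed(Posture(False, 5, True)), radius_vlan_attributes(s.vlan))
```

The `Session.posture_changed` path is where a real NAC policy server would issue a RADIUS Change-of-Authorization to move the port, which is exactly the dynamic, in-session enforcement the text calls for; the example only records the new decision.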

1.3.2.4. Network and application-level control, visibility, and monitoring

If your organization must comply with industry or government regulations, ask whether, and how, the NAC solution helps you achieve that compliance. The best NAC solution simplifies adherence to regulatory requirements, providing both the required security and the data you need to prove compliance with industry and/or governmental regulations.

A NAC solution also needs to address application access control, which lets an organization apply user- and/or device-level policies for access to sensitive or protected applications, limiting access to critical data to authorized users and devices only. A NAC solution that addresses application access control can also provide a quick, effective way to virtually segment your network.

Finally, any NAC solution today must provide visibility into, and monitoring of, the users and devices attempting to access a network and its applications. Matching user identity and role information with network and application usage lets the NAC solution track and audit network and application access more effectively, and lets it use the user's role when determining the access control policy.

1.3.2.5. Robust extended security

Consider whether the NAC solution leverages your investments in existing access and security devices. Your NAC solution needs to work with your existing firewalls, Ethernet switches and access points, and AAA infrastructure, and it shouldn't require costly, time-consuming upgrades or a rip-and-replace scenario. Any NAC solution should integrate quickly with your existing AAA infrastructure to validate user identity. It should also interoperate with your other network and security infrastructure components, extending NAC capabilities to intrusion prevention systems (IPSs), security information and event management (SIEM) solutions, and other vital network infrastructure components, to deliver investment protection and comprehensive NAC.

1.3.2.6. Flexible, phased deployment and ease of operation

When you look at NAC solutions, consider what you need in order to deploy the solution. Most organizations are best served by a phased deployment approach to NAC: for example, run the solution in a monitor-only (audit) mode first to see which users and devices would have been blocked, then turn on enforcement one network segment or user group at a time. Flexibility in your NAC solution is vital because a network is fluid, not static; your NAC solution should change with and adapt to your network as that network grows and changes. The NAC solution should be able to add an additional enforcement method without requiring you to rip and replace the network that you've already deployed. One of the best ways to ensure this level of interoperability is to seek solutions based on open specifications and standards, such as IEEE 802.1X and RADIUS.

1.3.2.7. Simple administration and management

Consider the ease of administration and management of a NAC solution when you select a solution for your organization. You can determine a NAC solution's ease of administration by considering whether you can use existing network management capabilities to manage that NAC solution. Can solutions or access control devices share or reuse security and access control policies? Does the NAC solution have a centralized management console that can aid in administering and provisioning various solution and/or infrastructure components? Also take into account how easily the NAC solution can create or edit policies, or deploy endpoint integrity checks, and whether the solution can predefine host checks or policies.

1.3.2.8. Value

The value that you get from a NAC solution combines deployment flexibility, ease of use, the time you have to spend administering and managing the solution, the actual acquisition cost, and the time you need to spend redesigning your network (if required). What security or access control components or policies can you leverage, reuse, or repurpose on your network to help enforce NAC? If a solution requires that you upgrade your switching infrastructure, you must also factor in the time needed to inventory the devices on your network, determine which switch models you already have deployed and which software versions they're running, obtain hardware and/or software upgrades as required, and test the network. You may find a phased approach to deployment easier to justify to your organization or management because it can save valuable time and expense. Be aware that some NAC solutions are easy to deploy in phases, while others are not.
