7.3. Networking Social

You may have the networking team (as opposed to the networking security team, discussed in the section "A Team Security Blanket," earlier in this chapter) involved in the search for a NAC solution. They can help set criteria for network access control, as well as help select and purchase the right NAC solution for your organization. The networking team may even, in some cases, drive the NAC decision-making process — particularly if the NAC solution or solutions that you're considering include any sort of network appliance or device.

Here are the differences between a network security team and a networking team:

  • The networking team at most organizations is responsible for the selection, deployment, management, and administration of the network infrastructure. Network infrastructure can refer to the backbone of the network, as well as its access points, the types of appliances and devices on it, and the appliances and devices that connect to it. It also refers to the appliances and equipment — the physical devices themselves — that the organization uses to communicate data and information throughout the network and beyond. So, devices such as routers, hubs, gateways, bridges, and even Ethernet switches and wireless access points can fall under the control of the networking team.

    The networking team is in charge of

    • Wired network infrastructure: The miles and miles of cables that connect network infrastructure devices, the operating systems and management software for those devices, and any software that operates on the network infrastructure fall under the watchful eye of the networking team.

    • Wireless network infrastructure: This team also has responsibility for the repeaters, gateways, hubs, and access points for wireless networking.

    • Network infrastructure equipment: This category can include virtually anything that's connected to a network, including wired or wireless network infrastructure components. And, if something is part of the network infrastructure, it likely falls under the scope of the networking team.

    • Managed services: Managed services are networking services and applications that a third-party provider supplies. These providers are often referred to as managed service providers (MSPs). MSPs can provide services such as user authentication, security, storage, remote access, and so on. You can find a managed service for virtually any service available locally to a network. (Although the networking team can select and manage managed services, a security-related managed service, such as authentication, may fall under the responsibilities of the security or network security team.)

NOTE

In some organizations, the security or network security team may reside under the umbrella of the networking team. Rarely does the networking team reside under the security team; but never say never.

The networking team, in most organizations, is responsible for managing the network infrastructure and its components, which normally includes

  • Determining the organization's need for various networking solutions (including NAC solutions)

  • Creating the selection criteria for network infrastructure products

  • Selecting the network infrastructure device or solution vendors and products

  • Evaluating the vendors and products by piloting or lab testing chosen network infrastructure devices and solutions

  • Selecting products

  • Negotiating with the vendors for their products

  • Installing the products — or contracting with a third party to install the products

  • Troubleshooting and testing the products — which can be done in a lab environment with a network mock-up, or live on the network environment

  • Determining the lifecycle of the products that constitute your organization's network

7.3.1. You gotta have heart

If your network is the brain of your organization, the network infrastructure is your organization's heart — pumping vital information and coordinating the mix of collaboration, communication, and information that allows the network to live and thrive. The infrastructure acts much in the same way that the human heart mixes blood and oxygen that it sends to the human brain.

If malware, a breach, or even an attack that brings down a server or switch affects a network, any interruption in the network or its sensitive mix can make an organization cease to operate efficiently. In some cases, an organization can stop operating at all, like the human brain does without its supply of fresh blood and oxygen mix. In some extreme cases, in which the network is extremely vital to the organization's life or the attack against the network lasts a long time, the organization might cease to exist. So, the networking team is sort of like the cardiologist for the network, ensuring that the life-giving pump — the network infrastructure — continues to feed the brain of the organization (the network), and all the information and communications on it.

Because of the importance of the network infrastructure to the life of the network and even the organization, in most cases, you need to have the networking team actively involved in any NAC solution investigation, decision, and deployment. If the NAC solution can affect the organization's heart and damage its brain, this team wants to know all about the NAC selection process and have a say in it!

7.3.2. Don't tread on me

If you involve the networking group in defining or selecting a NAC solution, they will likely want to be reassured that the NAC solution doesn't disrupt the way that they deploy their internal network architecture or how that architecture works.

The networking team can be very particular about their network footprint and topology. The networking team will greatly scrutinize anything that now affects or could ultimately affect the network infrastructure and the network's operation — not to mention its security. The networking team will also want assurances that the implementation and deployment of any security device, especially a solution as intrusive and all-encompassing as a NAC solution, won't impact the current performance or interfere with the ongoing, day-to-day operations of their network.

NOTE

You can approach the networking team with a NAC solution by showing them how quickly and simply they — or the organizational or third-party team chosen to deploy the NAC solution — can deploy the solution within their existing network environment. Illustrate and discuss how the networking team won't have to go through any kind of painful infrastructure upgrades. Any upgrades expose the networking team to a lot of work, and more importantly, upgrades expose the organization's network, leaving it potentially vulnerable to attacks or breaches.

Anytime you add anything new to the network infrastructure — no matter what that thing is or how you deploy it — you introduce a risk to the network and, ultimately, to the organization. This sort of action can send shivers up and down the spine of even the most hardened networker. The mere mention of upgrades can make the little hairs on the back of a networker's neck stand on end because of the potential for breaches, hacks, and other bad things happening.

Showing how easily the networking team (or the organizational or third-party team chosen to deploy the NAC solution) can deploy your selected NAC solution, particularly if it involves a network component, appliance, or even network software, can make all the difference between getting the networking team onboard and having them act as a roadblock to your NAC solution's implementation. Build consensus for deploying NAC on your network and solidify your NAC decision with the networking team.

7.3.3. Use your phasers

Deploying your NAC solution in phases (for example, component by component, group by group, department by department, floor by floor, or wired then wireless) can help assuage the fears of your networking team.

Like my lab rats?

We highly recommend that, if possible, you conduct a small pilot or other method of pre-testing — such as a lab environment — for your NAC solution of choice. Prior to any deployment, whether full or phased, a pilot or lab test eases the networking team into the whole NAC idea. You may find this approach helpful when trying to convince others to deploy NAC organization-wide, or to deploy a NAC solution at all, particularly if you run into a networking-team roadblock right off the bat. Most times, depending on the NAC solution, even the most hard-boiled, anti-NAC networking team member can begin to see the benefits of implementing a NAC solution in the network infrastructure, particularly if the NAC solution plays well in the test sandbox.

By starting off small (such as with a pilot or lab test environment), and then growing outward in small increments (such as a phased deployment scenario), the networking team can get their collective feet wet with NAC. They can set up and access the solution in a small, controlled environment until they become comfortable with it or fully configure it with organizational security and access policies. Then, you can deploy the solution to a small group or "tiger team" in a phased approach. You can also phase the NAC solution setup to only audit the network and user traffic, without policy enforcement, so that the networking team can see whether (or, more likely, how) the NAC solution and their network can play well together. One way or another, try to help your networking team ease into NAC.


By deploying in phases, you likely need less labor, so the networking team doesn't have to expend as many resources, saving the team time and cost, as well as decreasing the opportunity costs faced by the networking team. You also cut the costs of other organizational teams that don't have to focus all their resources on your large-scale, multi-tentacle NAC rollout.

A phased deployment scenario also enables the networking team and other teams involved with a NAC deployment to work out any issues during the NAC solution's shakedown cruise. The team or agency deploying the NAC solution can then apply these lessons during the next rollout phase, again limiting labor used and exposure. A phased deployment also limits the organization's and the network's exposure if something goes awry with the deployment, eliminating a lot of helpdesk calls. The fewer users adversely impacted, the fewer calls to the helpdesk and the lower the overall cost.

NOTE

Don't approach the networking team like you've just happened upon the network security Holy Grail, a cure for all the network's ills, delivering pervasive access with locked-down network security — otherwise, they may banish you and lock you out of their labs!
