NAC - The New Buzzword in Security
In: Asian Channels July 2006
Written by Shanti Anne Morais   

Access to network resources has grown ubiquitous, giving rise to the increasing challenge of making resources available while preserving a high level of security. Mobile laptops and non-compliant desktops and devices are susceptible to a myriad of Internet threats, yet are still allowed to access the corporate network and business-critical resources.

Very often, business requirements demand that these devices get access to resources and applications, but providing such access without sufficient security controls opens the enterprise to a number of security risks and regulatory compliance challenges.

Enter Network Access Control, which Greg Bunt, regional systems engineer manager, APAC, says uses a combination of identity-based policy and endpoint intelligence to give enterprises real-time visibility and policy control throughout the network. As a result, enterprises can control access, prevent threats, ensure compliance, and deliver secure and assured network services. So crucial is this that Forrester predicts 2006 will be a big year for NAC, also known as network quarantine, which provides a framework for proactive network security.

However, Bunt also says that there needs to be a shift in the traditional outlook of NAC and UAC, that is, that it is a way of getting into a network from the outside. “The vision should be to take it not just from the outside in, but also from within the organization itself. That is, there is a great need to also think of authenticating people inside the network, and not just from the outside. Security is always thought of as a fortress but the downside to this is that it does not cater to a breach from the inside. This includes the use of wireless devices,” he explains.

“Organizations should ask how they can use new tools to better protect their Intellectual Property and corporate assets as well as secure their network better,” he elaborates.

Bunt also notes that different verticals especially need to know about NAC and UAC. He adds that the banking and finance, health, law enforcement, airport and security control sectors, as well as those with a trading relationship with the U.S. and the European Union, are already very aware of this technology, which, though considered an emerging technology, is also seen as very important to many organizations in these verticals.

Despite this, an education process on the technology is definitely needed, says Bunt. “Users need to become aware of security threats as well as authentication and the need for it,” adds Bunt. However, he does concede that more people nowadays are beginning to request more credentials and validation.

He also stresses that security is about spending the appropriate amount of money to protect what is needed. He adds that compliance requirements will push people and companies to implement more security such as two-factor authentication. “If not, the opportunity costs are too much and the risks too high.”

Bunt adds that NAC represents one of the most significant changes in the way that networks are secured. Hailed as one of the “in” emerging technologies, there are unsurprisingly now a whole slew of vendors going into the NAC market.

There are three fundamental approaches to NAC based on where the access control is being enforced in the enterprise.

These are:

Edge Control
Edge control takes the principle of the firewall and pushes it to the edge of the network where systems connect. If it is a LAN, the individual switch port becomes the NAC control point. If it is a VPN connection, the IPsec concentrator or the SSL VPN device is in charge of enforcing access controls. If it is wireless, the access point or wireless switch takes on the NAC role.

Core Control
Here, controls can be enforced anywhere in the network, as long as the enforcement point sits deeper than the edge device. A NAC device can be inserted inline, or as a passive tap, between the edge switches and the core, where it can collect authentication and endpoint-security information and then enforce the appropriate access control policy. These devices inspect traffic or control-plane information passing by, and reach into the network to change configuration in order to apply enforcement.

Client Control
This focuses on the end system connecting to the network where greater attention is paid to the management and control of the end system.
However, while client control approaches are attractive from a lower-budget and simpler-management point of view, they do not strongly overlap with NAC approaches that integrate with the network to help it defend itself, to force user authentication or to provide identity-based access controls.

There are some distinguishing characteristics among the three above-mentioned NAC approaches. For example, some vendors consider the endpoint-security assessment to be a one-time check at the system connection, while others take a continual approach, constantly checking and verifying the state of the endpoint security.

There are also some who focus completely on endpoint security as the main reason for implementing NAC, while others zero-in on authentication and policy as the prime pieces.
Some NACs work well only in environments where their own agent is installed on the endpoint, while others attempt to embrace environments where no agent is available.
The three NAC implementation approaches mentioned help narrow down NAC choices, but you still have to delve deeper into the proposed architectures to decide what works best in your network.

The corollary of Trusted Computing is Network Access Control. Vendors like Juniper and Cisco have not historically seen themselves as "identity" companies, but let's face it, that's what network access control is all about - controlling who has access to what resources in the network. NAC is essentially identity-based technology for network security.
Bunt, however, begs to differ, saying that NAC is more than identity management, because “identity management just proves who you are, NAC is much more than this. It’s a role versus realm issue, and NAC should not be used solely for authentication purposes.”

He is very optimistic that NAC will become a mainstay technology soon and says that while still in the early adopter days, it will continue to evolve strongly and not be just about network mission control but also about server-based mission control, which will become just as vital.

 