Few organizations have taken the initiative to implement network access control (NAC) technology on the grand scale
that industry experts had predicted over the past few years. Budget constraints, implementation complications and possible confusion of NAC advantages have all been cited as key reasons in the slow growing NAC installation base.
But how should we define NAC? Is it merely an SSL VPN gateway with the ability to ensure that endpoint policies are enforced before devices are granted corporate network access? Or is NAC more of a comprehensive technology built into the fabric of the network? The answer often depends whom you talk to, so it's no wonder many organizations have yet to spend money on the technology. What security manager can justify investing in a technology when its role and benefits to the enterprise are unclear? In this tip, we'll suggest a few no-cost ways in which your organization can experiment with NAC technology in order to determine whether it can improve your enterprise's network security.
Sign of the times
Recently, vendors have begun to release limited-feature NAC products for free in order to increase implementation numbers and clarify what NAC is once and for all. For example, earlier this year Cisco Systems Inc. announced that the Cisco Trust Agent (CTA) would become open source. Cisco later retracted its decision, but in September 2007, vendor StillSecure made a free derivative of its NAC product, Safe Access, available to the public. Safe Access Lite gives organizations the opportunity to experiment with NAC technology using a simplified implementation before deciding to integrate it into their networks. Similarly, the OpenSEA (Secure Edge Access) Alliance -- a recently created consortium featuring six leading network and security vendors, including TippingPoint and Symantec -- offers a free NAC client or 802.x supplicant for organizations interested in trying NAC technology.
The call for open source
Many organizations are turning to open source NAC products to subvert the cost of commercial NAC technologies. Packetfence, an open source NAC system, was developed by two Harvard University employees and coins itself with the tagline, "NAC for the rest of us." It's easy to implement and includes many of the same features offered by NAC vendors such as Cisco and Microsoft. Packetfence is vendor agnostic -- it doesn't require the use of specific vendor equipment -- and also includes a VMware virtual appliance called the Zero Effort NAC (ZEN), geared toward organizations that do not have in-house Linux technical expertise.
Due to comfort levels or just plain organizational policy, open source may not be the path for every organization, but it is one of several low- or no-cost options available to help determine if this technology should be a must-have in your environment. Regardless of whether your long-term NAC plans revolve around an open source implementation or an expensive commercial product, keep in mind that it may be wise to delay making a purchase. Demand for NAC products is expect to increase over time, and with demand comes competition, and with competition comes lower pricing.
About the author:
Peter Giannoulis, GSEC, GCIH, GCIA, GCFA, GCFW, CISSP, is an information security consultant for Access 2 Networks, a Toronto, Ontario based security consulting firm. He also serves as a technical director for GIAC.