March 20, 2010

Does NAC Finally Deliver?

For years, centralized control over endpoints has been a tantalizing yet elusive goal. Vendors have held the network access control (NAC) carrot in front of the cart, often promising deliverables that never materialized. We witnessed early adopters take a leap of faith, and we watched those same organizations lick their wounds after the fact.

But that was early in the NAC game and a lot of time and energy has been put into the solution. Given this, and the value a true NAC implementation can bring an enterprise, is NAC finally ready to let us catch the carrot?

Let's start by looking at one of the major NAC players, Sophos.

It is the dream of every security administrator to have a single console that can tell you whether your endpoints are compliant, whether firewalls are turned on, and whether there are systems that will pose a risk to your environment before they actually connect.

The added benefit here is that if you're already a Sophos AV customer, you can also see the state of your AV product in the console. As anyone can see, this is a very robust and attractive solution.

Another benefit that emerged while testing Sophos' NAC solution is that there was no added latency when the NAC client was added to the normal login cycle. This is important because if end users or management perceive a negative impact, the solution may not stand a chance of acceptance.

Now, digging a little deeper into the bag, it is important to note that Sophos does not currently support 64-bit Vista, Mac OS, or the many flavors of Linux. This is very important to enterprises that have heterogeneous endpoint deployments.

Compliance has forged a NAC market.

Let's face it. For any enterprise that has to comply with HIPAA or other compliance initiatives, NAC is a must. The nice thing about NAC these days is that you have many architectural choices for deployment.

You can use agents, gateways, appliances, or any combination of these. This makes it much easier to engineer NAC into your existing infrastructure and of course allows real cost savings to be realized. Having something that simply "drops in" is a powerful argument not only from a policy perspective, but from a usability, compliance and cost perspective as well.

Talking the talk has turned into walking the walk

Many early NAC deployments actually created additional compliance issues for any enterprise brave enough to attempt one. As soon as the product was added, it became a compliance liability. Today, NAC vendors have listened to the barrage of complaints and have added high availability and robust auditing to their product lines. Additionally, when NAC can be deployed with existing infrastructure, you can breathe easy when auditors come through and look for compliance issues. At last, you're actually solving a problem without creating six more.

Microsoft is on board

Microsoft is now playing heavily in the NAC space (they call it Network Access Protection). It seems that they have not only added the cornerstone services of NAC, but they've also laced in many of the traditional Microsoft services such as AD integration, SMS and antivirus.

Microsoft does have a few things that need to be considered.

The first is that it runs on Server 2008, which may or may not be in your environment already. You will also need to do some AD configuration and keep an eye on the load limitations on the NAP server.

NAC has come a long way in other areas as well. It can now go as far as using the TPM (Trusted Platform Module) chips included on laptops. For those not aware, manufacturers such as Dell, HP and Gateway have integrated the TPM chip, which holds security keys and other crypto information. This allows for full disk encryption and pre-boot authentication. Additionally, you can include other hardware solutions such as biometrics, but you will need a third-party NAC solution to use in conjunction with TPM.

If you sit down and consider what this offers you in the way of effectively managing endpoints, you can see that NAC appears to be ready to play in the enterprise, no matter what your requirements may be.

This article was first published on EnterpriseITPlanet.com.
