RSA: NAC Experts Recommend Due Diligence

These were the main messages from solution providers who took part in a Thursday panel discussion at the RSA 2007 conference in San Francisco, which focused on how NAC is more of a philosophy and architecture than it is a security product.

Now that the initial wave of hype around NAC has subsided, many companies are taking a wait and see attitude about NAC. Those that have decided to go ahead with NAC are doing so in careful, measured increments, according to solution providers.

"Most organizations aren't ready to put NAC everywhere, but they'll put a NAC appliance in front of a WLAN access point or VPN, said Preston Hogue, chief security officer at Network Computing Architects (NCA), a Seattle-based solution provider.

After discussing the scope of the project with a customer, NCA does a risk analysis to ensure that the company would be meeting PCI and Sarbanes-Oxley regulatory compliance requirements. "It's important to figure out what the organization's needs are before actually putting NAC into the network," said Hogue.

Sponsored post

Many companies are interested in NAC because it gives them the ability to measure how their systems are measuring up against security policies governing which users can access certain types of information. "The policy aspect has to be decided on prior to implementation because NAC technology only solves a piece of the puzzle," said Chris Labatt-Simon, president and CEO of D&D Consulting, Albany, N.Y.

NAC's ability to integrate with security information and event management systems (SIEM) and handle ongoing threat containment after the initial connection are other goals companies have with the technology, said Tim Hebert, president and CEO of solution provider Atrion Networking, Warwick, R.I.

Currently, NAC appliance vendors have come to market with two approaches: out-of-band control and in-band control, Hebert noted. "We've found that out of band is better for scalability, and it also allows you to add layers to the network such as identity management, endpoint control and policy management," he said. Using examples of lessons learned during previous NAC deployments, the solution providers offered advice to the security professionals in attendance on how to tap into NAC's ability to prevent malware from infecting networks.

In late 2005, D&D Consulting deployed a NAC solution for a public sector organization focused on the energy industry -- a "heavily audited" company with 200-member IT staff, half of whom were contractors, according to Labatt-Simon.

In August of that year, the Zotob worm helped convince the organization to deploy NAC after a contractor unwittingly brought an infected laptop into the network, leading to a widespread infection and two full days of downtime, Labatt-Simon said.

Atrion a few years ago installed a NAC solution for a 5000-student university that had malware problems that peaked at the start of every semester and after vacations. After determining the issues were being cause by students bringing infected laptops into the network, Atrion deployed an out-of-band NAC appliance that worked with the university's heterogenous network infrastructure.

In the first semester after deployment, the number of IT issues dropped from 11,000 to 3,000 and then fell to 1,000 issues the subsequent semester, Hebert said.

But despite NAC's potential, the solution providers agreed that organizations should take care not to rush when choosing and deploying the technology.

It's especially important to have a lab to test a NAC solution prior to deploying it on the network because the technology isn't plug-and-play, Labatt-Simon said.

"NAC adds to the complexity of the network and increases the noise level you see going across the network. It's also an invasive solution on the network if you do a full implementation," Labatt-Simon said.

Although the NAC space is crowded today with numerous startups, NCA's Hogue predicted eventually NAC will be integrated into the network layer and won't be sold as a point product.

"We look at NAC from the perspective that every business is going to need a solution, but eventually, NAC will be integrated throughout the network infrastructure," Hogue said.