Aim NAC at remote access
I have been spending some time looking at network access control (NAC) solutions from a million different angles. It seems every network security vendor on the planet has a solution that interprets NAC differently. That's cool for analysts, but is a giant pain for IT folks.
A couple of customers I have talked to got it right – they have placed NAC appliances to evaluate the health of remote users and are using more traditional approaches for local access. After all, it is generally the remote devices that cannot be managed 24/7, are most likely to have unauthorized configuration changes, and are the source of attacks that penetrate the network. Also, be sure the NAC solution has an answer for the scenario where IT cannot install software agents on partner and customer user machines that remotely access the network. Most of the IT managers I have talked with are comfortable with the security of tethered desktops and other managed devices that they can touch.
Emphasizing NAC for remote users allows you to make determinations of end-point health and the resultant risk to various classes of applications. This can be done without massive switch upgrade projects and modifications to your networking infrastructure, and gives the best return on your energy (ROYE). End-user devices are assessed no matter how they enter the network, and decisions on how to mitigate trouble can be made in real time for those that violate security policy. InfoExpress, Lockdown Networks, and StillSecure are a few of the leading vendors that provide agentless NAC capability for remote access.
If most of your users come in over an SSL VPN, then be sure your SSL VPN vendor offers an agentless solution with pre-authentication security checks, health-influenced access control to applications, and post-session cleanup. Yes, an agent approach yields better security, such as the ability to inspect the registry and to apply more robust mitigation options, but most enterprises cannot deploy an agent for 100% of their remote users. Aventail, Check Point, FiberLink, F5 Networks, Juniper and Symantec are vendors that have good answers here.
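To make the "health-influenced access control" idea from the two paragraphs above concrete, here is an added example of a small posture-to-access policy evaluator; it is not code from the original post or from any vendor named in it. The posture attributes, application classes, thresholds and the rule that an agentless check cannot vouch for the registry are all constructed assumptions.

```python
"""Illustrative NAC policy evaluator for remote-access health checks.

Added example, not from the original post or any vendor it names.
Posture fields, application classes and thresholds are constructed
assumptions that mirror the post's idea of mapping end-point health to
risk for different classes of applications.
"""
from dataclasses import dataclass
from typing import Dict, List

# Application classes ordered from least to most sensitive (assumption).
APP_CLASSES = ["public_web", "email", "intranet", "finance"]


@dataclass
class Posture:
    """Health facts a pre-authentication check can report (constructed)."""
    device_id: str
    managed: bool               # IT-managed device vs partner/customer machine
    agent_present: bool         # agent installed, or agentless browser check only
    av_running: bool
    patch_age_days: int
    registry_clean: bool = True  # only meaningful when agent_present is True


def risk_level(p: Posture) -> str:
    """Derive a coarse risk level from the reported posture."""
    if not p.av_running:
        return "high"
    # Registry inspection needs an agent; an agentless report cannot vouch for it.
    if p.agent_present and not p.registry_clean:
        return "high"
    if p.patch_age_days > 30:
        return "medium"
    if not p.agent_present and not p.managed:
        return "medium"  # unmanaged and agentless: limited visibility
    return "low"


def allowed_apps(p: Posture) -> List[str]:
    """Map the risk level to the application classes the session may reach."""
    cutoff = {"low": len(APP_CLASSES), "medium": 2, "high": 0}[risk_level(p)]
    return APP_CLASSES[:cutoff]


def decide(p: Posture) -> Dict[str, object]:
    """Real-time decision: permitted application set plus remediation action."""
    apps = allowed_apps(p)
    if not apps:
        action = "quarantine_remediate"
    elif len(apps) < len(APP_CLASSES):
        action = "restrict"
    else:
        action = "allow"
    return {"device": p.device_id, "risk": risk_level(p), "apps": apps, "action": action}
```

A healthy managed device with an agent is allowed everything, an unmanaged agentless partner machine is restricted to the two least sensitive classes, and a device without running anti-virus is quarantined for remediation.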
My suggestion for IT is to start a NAC security strategy with a Phase 1 focus on remote users, and save the "boil the ocean" plan for later.
