2008-11-12

Solve the right problem with NAC


NAC is an important technology. It's neat. It's cool. But it's expensive. And, while many Cisco or networking zealots may argue to the contrary, it's not always necessary.

NAC prevents unauthorized computers from participating in a network. This is good for environments that your IT staff doesn't control but still needs to permit a certain level of access to. VPNs, of course, are one of the most common examples. They also happen to be one of the simplest use cases for most administrators.

However, in corporate environments where assets are owned by the same entity that controls the network, NAC shouldn't be a replacement for good software management. With a few notable exceptions, if you can implement NAC, you can typically implement good software management on your endpoints.

NAC is also not an appropriate binary access control mechanism in most cases. If the primary goal is to restrict network access to computers you own, this is a site security problem. Naturally, if you have contractors or customers who require access to your network, there is a role for NAC to play. The right answer here is to define your security requirements in general terms, articulating, for each aspect, the decision point between an IT concern and a physical security concern.

Use NAC. But do it with a clear understanding of your goals, and apply it just like you would any other technology: where it's appropriate. IT solutions are slick, but they're not always the best option available.

Image from http://download.101com.com/wa-mcv/spo/images/april7/monitor.gif
