Understanding NAC Choices

NAC Design Considerations

NAC is finally getting the interest it deserves. The benefits of NAC are numerous and essential:
- Ability to know what is on each monitored network segment (wired or wireless, at present)
- Additional information about each device
- Knowing when a device appeared
- Knowing what the device is

Potentially knowing even more information:
- Is the device compliant with your security needs?
- Who is on the device?
- What processes are running on the device?
- What switch and switch port is the device connecting to?

Potentially automatically acting upon new devices or changes in the security posture of your devices:
- Disabling/quarantining a device
- Optionally alerting the user
- Potentially remediating a device or offering assistance for remediation

NAC: Basic Considerations and Questions

- What’s the scale of the deployment?
- Are there any guests or contractors that would force agentless considerations?
- Is an enrollment or captive portal process desired?

NAC: Active or Passive?

Passive NAC is used when visibility into the environment is the only requirement. This is a great starting place for NAC.

Active implies the ability to block and/or quarantine devices. While this is extremely important in secure environments, it needs to be planned and implemented correctly.
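To make the passive/active distinction above, and the visibility list at the top of the page (what is on the segment, when it appeared, what it is, which switch port), concrete, here is an added illustration that is not part of the original page or any NAC product: it folds constructed DHCP and switch MAC-learn syslog lines into a per-MAC inventory (passive mode) and then applies an enforcement decision from constructed posture data (active mode). The log format, MACs, hostnames and posture fields are all invented for the example.

```python
import re

# Constructed sample syslog lines: DHCP ACKs plus switch MAC-learn notices.
# The format is invented for this example; real devices log differently.
SAMPLE_LOG = """\
Mar 03 09:12:01 dhcp1 dhcpd: DHCPACK on 10.1.20.57 to aa:bb:cc:11:22:33 (LAPTOP-J) via eth1
Mar 03 09:12:03 sw-core1 MAC_LEARN: aa:bb:cc:11:22:33 learned on Gi1/0/7 vlan 20
Mar 03 09:15:40 dhcp1 dhcpd: DHCPACK on 10.1.20.58 to de:ad:be:ef:00:01 (printer-3f) via eth1
Mar 03 09:15:41 sw-core1 MAC_LEARN: de:ad:be:ef:00:01 learned on Gi1/0/19 vlan 20
"""

TS = r"(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d)"
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
DHCP_RE = re.compile(TS + r" \S+ dhcpd: DHCPACK on (?P<ip>\S+) to " + MAC + r" \((?P<host>[^)]*)\)")
LEARN_RE = re.compile(TS + r" (?P<switch>\S+) MAC_LEARN: " + MAC + r" learned on (?P<port>\S+) vlan (?P<vlan>\d+)")

# Constructed posture data as an agent would report it; the printer has no agent, hence no entry.
POSTURE = {"aa:bb:cc:11:22:33": {"user": "jdoe", "av_current": True, "patched": True}}


def build_inventory(log_text):
    """Passive NAC: fold events into one record per MAC. Assumes the log is
    in chronological order, so the first event for a MAC gives 'first_seen'."""
    inventory = {}
    for line in log_text.splitlines():
        m = DHCP_RE.match(line) or LEARN_RE.match(line)
        if not m:
            continue
        fields = m.groupdict()
        rec = inventory.setdefault(fields["mac"], {"first_seen": fields["ts"]})
        rec.update({k: v for k, v in fields.items() if k not in ("ts", "mac")})
    return inventory


def access_decision(mac, posture, mode):
    """'passive' only records; 'active' returns an enforcement action.
    A device with no posture data (no agent) is quarantined rather than
    trusted, which is why guests and printers need an agentless plan."""
    if mode == "passive":
        return "log"
    p = posture.get(mac)
    if p is None:
        return "quarantine"
    return "allow" if p["av_current"] and p["patched"] else "quarantine"


if __name__ == "__main__":
    for mac, rec in build_inventory(SAMPLE_LOG).items():
        print(mac, rec, access_decision(mac, POSTURE, "active"))
```

Run as passive mode first (every device logs as "log") to validate the inventory before switching a segment to active mode, where the agentless printer would be quarantined until an exception or agentless profile exists for it.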

NAC: Layer 2 or Layer 3?

Layer 2 is easier, but layer 3 is more secure. Either can add tremendous visibility into what is on the networks.

Layer 3 can be considered in homogeneous environments where all switches are 802.1X capable and the endpoints are intelligent devices. It can be more difficult and time-consuming to implement, and it requires that more infrastructure already be in place.

NAC: Other Considerations and Features?

All NAC solutions differ somewhat; some offer special features such as:
- Detecting what users are connected to each device
- Knowing the security/compliance posture of each device (operating system version, patch status, AV software status, etc.)
- Detecting devices probing the network
- Knowing what applications are running within the network
- Knowing what ports are open on the device
- Knowing what switch port a device is connected to
- Ability to quarantine a device
- Ability to send a message to a user on a device
- Ability to integrate with ticketing systems
- Ability to integrate and coordinate with other security devices

NAC Vendors to Consider

