Stacey Lum, CEO, InfoExpress: Navigating Network Access Control
April 2009 by Marc Jacob
When done right, NAC offers a myriad of benefits. These include on-the-fly authentication of appropriate users and ensuring that all end-point devices get access only after they’re proven to be compliant to internal security policies.
However, many NAC solutions are designed in such a way that they require significant, and often convoluted, changes to existing network infrastructure. Whether it’s network appliances that need to be installed at each location, or client-side agents that must reside on each end-point, many NAC solutions require not only significant up-front investment and system and network changes — but also continuous feeding and caring. All of this overhead reduces the cost benefits that should be realized from a NAC solution.
As you are considering a NAC solution, you should select one that limits the number of hardware, configuration, and network changes. By minimizing the alterations to your organization, you’ll save on your deployment costs, and quickly benefit from the ongoing cost savings associated with reducing end-point maintenance, having auditing and compliance reporting, and generating fewer costly help desk calls.
The high cost of changes to deploy NAC
NAC solutions that require changes typically have some hidden costs during implementation. First, in-line hardware solutions usually need to be installed at every location. This is obviously expensive for organizations with many distributed sites.
Out of band NAC solutions can be centralized, but require even more configuration changes. Administrators have to coordinate all NAC management processes, provide updates to the equipment, reconfigure networks, add new servers, install appliances, configure new virtual LANs (VLANs), and reconfigure routers and switches — just to get the NAC deployment moving.
The high cost of agent-based NAC
It’s obvious why agent-based NAC is so expensive: Not only must software agents be installed on every endpoint, but network changes for NAC must be maintained. And, just as is the case for in band solutions this is yet another unwanted cost and burden on the IT team. Each time something goes awry with the agent, a flurry of help desk calls ensues. In addition, having to install and manage another application on each endpoint, especially unmanaged and mobile endpoints doesn’t provide any savings if ongoing network changes and reconfigurations are required.
That brings Us to Dynamic NAC
Dynamic NAC leverages existing network infrastructure to attain the benefits of NAC without most of the overhead. There aren’t any network changes required. This, alone, provides considerable implementation savings.
Dynamic NAC leverages existing PCs as policy enforcers, so dedicated appliances and PCs are not required, as is the case with hardware and software-based NAC solutions. And while appliances may be required for remote access VPNs, they’re certainly not required at each location or network segment. Not having to install appliances at each site provides significant savings for any enterprise with multiple locations.
While there are agents, they don’t need to be installed on all endpoints, such as embedded devices or operating systems that aren’t supported. This approach doesn’t require client software to be installed on every system. Agents are installed on trusted systems. And, much like a police force, only a small ratio of law enforcement to the general population is needed to make certain that everyone is in compliance. And, whenever necessary, additional systems can be “deputized” so that the system scales with network growth.
Stacey Lum is CEO, CTO and co-founder of InfoExpress, a leading vendor of network access control solutions for enterprise networks. Prior to InfoExpress, Lum developed network protocols and applications at Proxim and other wireless networking vendors. Lum is an active speaker and panelist at various industry events, and holds a BS EECS from University of California at Berkeley.