Security threats are increasing, making life miserable for everybody. There
is also the equally miserable job of finding the right mix of security products
to combat them. There's a huge list of combatware (what else do you call them
collectively?) popping up like mushrooms on a rotting log. There's a security
product for just about everything nowadays. At the basic level is the 'anti'
squad: anti-virus, anti-spam, anti-phishing and the rest of the anti-malware set. You can't do without this
set at all. Then there's the appliance squad, which is the hardware version of
the 'anti-squad'. Now you need to tighten your belt for the next big thing
in security called NAC (Network Access Control), which is also being termed
differently by different vendors as Network Admission Control, Network
Quarantine, Endpoint Access Control, Network Access Protection, Trusted Network
Connect, etc. We're yet to see any common standard emerge for these.
Anil Chopra, Associate Editor
Without getting into specific vendor solutions, NAC means that machines will
be granted limited or no access to your network depending upon their level of
compliance with your security policies. Even Gartner says that NAC is about first
establishing a base policy for your network and then enforcing it. The policy
could be to prevent a machine from connecting to the network if its virus
definitions aren't updated or the latest patches haven't been applied. It
could be to grant limited access, or to move the machine to a quarantined area. The
machines being checked don't necessarily have to be notebooks. They could be machines at any entry
point to your network, be it VPN, web or wireless. So think of it as an X-ray
scan of your baggage at an airport. The baggage is allowed to pass only after it
gets scanned and given an approval stamped by the security staff. If the
security suspects something, you have to open up the baggage to clear their
doubts. Most probably, you are already practicing some form of NAC. Guest access
is one, where you limit network access privileges. Likewise, you've already
defined privileges for other users as well.
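The policy-then-enforcement idea described above can be made concrete with a small posture evaluator. The code below is an added illustration, not part of the original column and not any vendor's NAC product: it takes an endpoint's reported posture (antivirus running, age of virus definitions, count of missing critical patches, user role), applies a policy and returns one of four decisions, full access, limited access, quarantine or deny, along with the reasons. The VLAN numbers, the three-day definition age limit and the sample endpoints are all constructed for the example.

```python
"""Minimal NAC policy evaluator (illustrative example, not a product's logic)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Access(Enum):
    FULL = "full"              # production network
    LIMITED = "limited"        # e.g. internet-only guest segment
    QUARANTINE = "quarantine"  # remediation segment: patch and AV servers only
    DENY = "deny"              # port stays closed


# Which network segment each decision lands in (assumed VLAN numbers).
VLAN_FOR = {Access.FULL: 10, Access.LIMITED: 20,
            Access.QUARANTINE: 30, Access.DENY: None}


@dataclass
class Posture:
    """What the endpoint (or an agent on it) reports at connection time."""
    host: str
    entry_point: str                    # "lan", "vpn", "wireless" or "web"
    role: str                           # "employee" or "guest"
    av_running: bool
    av_definitions_date: Optional[date]
    missing_critical_patches: int


@dataclass
class Policy:
    """The base policy that NAC enforces; thresholds are assumed values."""
    max_definition_age_days: int = 3
    max_missing_critical_patches: int = 0
    guest_access: Access = Access.LIMITED


def evaluate(p: Posture, policy: Policy, today: date) -> Tuple[Access, List[str]]:
    """Return the access decision for one endpoint and the reasons behind it."""
    # No antivirus at all is worse than stale definitions: refuse outright.
    if not p.av_running:
        return Access.DENY, ["antivirus not running"]
    reasons: List[str] = []
    if p.av_definitions_date is None:
        reasons.append("virus definitions missing")
    elif (today - p.av_definitions_date).days > policy.max_definition_age_days:
        reasons.append("virus definitions out of date")
    if p.missing_critical_patches > policy.max_missing_critical_patches:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")
    # Any compliance failure sends the machine to remediation, whatever the entry point.
    if reasons:
        return Access.QUARANTINE, reasons
    # Compliant guests still get only the privileges the policy grants guests.
    if p.role == "guest":
        return policy.guest_access, ["guest role: limited privileges"]
    return Access.FULL, []


def assign(postures: List[Posture], policy: Policy,
           today: date) -> Dict[str, Tuple[Access, Optional[int], List[str]]]:
    """Map every connecting host to (decision, VLAN, reasons)."""
    result = {}
    for p in postures:
        access, reasons = evaluate(p, policy, today)
        result[p.host] = (access, VLAN_FOR[access], reasons)
    return result


# Constructed sample endpoints; the date is fixed so the example is reproducible.
TODAY = date(2007, 3, 1)
SAMPLE = [
    Posture("lan-pc-01", "lan", "employee", True, date(2007, 2, 28), 0),
    Posture("roaming-nb-07", "vpn", "employee", True, date(2007, 2, 10), 2),
    Posture("guest-wifi-03", "wireless", "guest", True, date(2007, 3, 1), 0),
    Posture("partner-vpn-02", "vpn", "employee", False, None, 0),
]

if __name__ == "__main__":
    for host, (access, vlan, reasons) in assign(SAMPLE, Policy(), TODAY).items():
        print(f"{host:15} {access.value:10} vlan={vlan}  {'; '.join(reasons)}")
```

Running it shows the four outcomes side by side: the up-to-date office PC gets the production VLAN, the notebook returning from the road with stale definitions and missing patches is quarantined, the compliant guest is confined to the limited segment, and the machine with no antivirus is refused. The decision is taken identically for LAN, VPN and wireless entry points, which is the point of checking at every door rather than only at the front one.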
But these are minor reasons to merit deploying a new technology. A strong
reason is the growing number of security pain points for every organization.
When your mobile users go out with their notebooks, they're likely to bring
back infected machines. Likewise, as you open up remote connectivity to your
data center for your branch offices, customers, partners, and suppliers, you're
also opening an avenue for security threats to come in. Patches and updates are
in any case a serious concern that needs to be managed, and need no further
explanation. NAC could be used to check all these machines for compliance
before allowing them in.
So NAC is actually about compliance. How you do it depends upon your policies
and how you enforce them.