The Current Failed State of NAC

Mike posted some thought on NAC (here), I agree with what he said and decided to toss some additional thoughts into the mix.

Few security initiatives have enjoyed as much hyperbole as network access control (NAC). Driven by industry titans Cisco and Microsoft and adopted as a rallying cry by the majority of security vendors, NAC has nearly transcended compliance as the most talked about security-related function. However, failed deployments, lowered expectations, over promised and under delivered solutions will plague the industry for the next 2-3 years at least. Organizations looking to enable NAC within their environment need to plan accordingly, set proper expectations, leverage existing infrastructure and deploy using a phased approach with an initial narrow focus if they hope to come even remotely close to what is being promised.

The definition of NAC is contested and given the amount of vendor hype and posturing there is little agreement on what NAC actually is. NAC is a process and not a product; no single technology will be able to provide NAC without technology and process integration. NAC is the process by which a device is assessed to determine its security state prior to that device gaining access to a network or other resources. Based upon the state of the device, and organizational policies, an action is taken to disallow access, limit access, or allow full access to network resources, ideally the a non-compliant or compromised host is remediated. This is called pre-connect NAC, there is also what would be referred to as post-connect NAC, that is the device is assessed after a network connection is made and then an action is taken if the device is determined to be or becomes non-compliant, hostile, or compromised. Pre vs. post connect has been a source of much contention.

Adding to the confusion is the swarm of vendors that claim to provide NAC technology, some assess the devices remotely, others rely on agents (resident or dynamic), some perform network access control via networking gear such as switches, others constrain the end-point in the network but require additional appliances placed throughout the network and a another set will constrain the end-point itself through IPSec, a personal firewall or some additional NAC or security agent. There is also a group of patch and configuration management vendors that integrate with NAC solutions, or offer their own, to provide the remediation or mitigation functions required to return quarantined devices to a compliant or non-hostile state. Pre or post, with any one or some combination of the above technologies, introduce significant challenges that will need to be overcome by even the most technically advanced organizations.

There are many issues with NAC, ranging from the resources required, the lack of product maturity, organizational complexity, logistical challenges to quarantining, and the ability for attackers to bypass controls, to the process and technology integration demanded. However the biggest problem is that NAC focuses an organization on quarantining hostile devices – poorly – including managed assets, as opposed to implementing mechanisms to prevent the devices from becoming non-compliant or compromised in the first place.

NAC can only effective, if it can be effective at all, when coupled with a program of continuous policy enforcement of managed systems. Quarantining devices should be a last and final line of defense and not the main method to secure an environment, it is small part of an organizations overall security program, not the cornerstone. In addition to the incorrect orientation, targeted threats that are far more sophisticated and stealthy than previous worms like blaster and slammer, coupled with a lack of user orientation, and the demands to actually secure information and not just systems, will obsolete most current NAC approaches before they mature.