The Current Failed State of NAC

Mike posted some thought on NAC (here), I agree with what he said and decided to toss some additional thoughts into the mix.

Few security initiatives have enjoyed as much hyperbole as network access control (NAC). Driven by industry titans Cisco and Microsoft and adopted as a rallying cry by the majority of security vendors, NAC has nearly transcended compliance as the most talked about security-related function. However, failed deployments, lowered expectations, over promised and under delivered solutions will plague the industry for the next 2-3 years at least. Organizations looking to enable NAC within their environment need to plan accordingly, set proper expectations, leverage existing infrastructure and deploy using a phased approach with an initial narrow focus if they hope to come even remotely close to what is being promised.

The definition of NAC is contested and given the amount of vendor hype and posturing there is little agreement on what NAC actually is. NAC is a process and not a product; no single technology will be able to provide NAC without technology and process integration. NAC is the process by which a device is assessed to determine its security state prior to that device gaining access to a network or other resources. Based upon the state of the device, and organizational policies, an action is taken to disallow access, limit access, or allow full access to network resources, ideally the a non-compliant or compromised host is remediated. This is called pre-connect NAC, there is also what would be referred to as post-connect NAC, that is the device is assessed after a network connection is made and then an action is taken if the device is determined to be or becomes non-compliant, hostile, or compromised. Pre vs. post connect has been a source of much contention.

Adding to the confusion is the swarm of vendors that claim to provide NAC technology, some assess the devices remotely, others rely on agents (resident or dynamic), some perform network access control via networking gear such as switches, others constrain the end-point in the network but require additional appliances placed throughout the network and a another set will constrain the end-point itself through IPSec, a personal firewall or some additional NAC or security agent. There is also a group of patch and configuration management vendors that integrate with NAC solutions, or offer their own, to provide the remediation or mitigation functions required to return quarantined devices to a compliant or non-hostile state. Pre or post, with any one or some combination of the above technologies, introduce significant challenges that will need to be overcome by even the most technically advanced organizations.

There are many issues with NAC, ranging from the resources required, the lack of product maturity, organizational complexity, logistical challenges to quarantining, and the ability for attackers to bypass controls, to the process and technology integration demanded. However the biggest problem is that NAC focuses an organization on quarantining hostile devices – poorly – including managed assets, as opposed to implementing mechanisms to prevent the devices from becoming non-compliant or compromised in the first place.

NAC can only effective, if it can be effective at all, when coupled with a program of continuous policy enforcement of managed systems. Quarantining devices should be a last and final line of defense and not the main method to secure an environment, it is small part of an organizations overall security program, not the cornerstone. In addition to the incorrect orientation, targeted threats that are far more sophisticated and stealthy than previous worms like blaster and slammer, coupled with a lack of user orientation, and the demands to actually secure information and not just systems, will obsolete most current NAC approaches before they mature.


3 thoughts on “The Current Failed State of NAC

  1. Hi,

    You make some valid point, but are missing out on the Value NAC adds today. Not all NACs require major Infrastructure upgrades.

    Most people I meet just want to recogise ‘guests’ and either block them or put them on a special vlan.

  2. So this brings up an interesting point, the majority of people who espouse the virtues of NAC use the “guest” or unmanaged asset the issue folks are trying to solve, I would assert that if some joker can walk into your offices, plug a laptop into any port he feels like it and receive a DHCP lease you have issues far greater than network security can solve.

    So if the value of NAC is simply to identify “guests” so they can be routed to a VLAN or block them, there are far less expensive and far more reliable methods than adding NAC gear.

  3. Pingback: StillSecure Insecure about NAC? « Observations of a digitally enlightened mind

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s