So many vendors were shouting about Network Admission Control (NAC) at this year's Interop that they nearly drowned out the "ding-ding" of the slot machines. That means enterprises investigating NAC first have to tune out high levels of marketing B.S., vendor obfuscation and bandwagon-jumping before they hear of anything with actual business value.
To help save your eardrums, I'll point you toward two interesting NAC architectures that emerged from the noise at Interop: peer-based enforcement and SSL VPNs on the LAN.
Peer Pressure
First is Dynamic NAC from InfoExpress. Here's the idea: Take a small number of PCs or servers on a subnet that already have the DNAC client software installed and make them Enforcers. Enforcers monitor broadcast traffic on the segment to detect and intercept endpoints as they connect to the network. Enforcers use a variety of techniques, such as ARP redirects, to shunt new endpoints to a policy server.
The policy server checks for the presence of DNAC software and runs compliance checks. Non-compliant machines can then be quarantined and/or sent to remediation sites. If the endpoint doesn't have the DNAC client software, the enterprise has a variety of policy options: download a full agent, use an on-demand Web-based agent, or restrict the endpoint's network access.
DNAC's clearest benefit is that it doesn't require 802.1x, an upgrade to your switching infrastructure, or the purchase of NAC switches or NAC appliances, all of which can be expensive and complicated. It also helps address the problem of guest workers and contractors outside your administrative domain.
On the downside, Enforcers may be overwhelmed if they have to deal with a large number of non-compliant endpoints. Enforcers themselves may fall out of compliance and lose Enforcer status, which may leave a subnet unmonitored. InfoExpress says administrators can create persistent Enforcers that continue monitoring even if their own compliance status changes.
SSL VPNs on the Inside
The second idea is to invert an SSL VPN and run it inside the LAN. Vendors such as Aventail, Array Networks and Caymas Systems are playing up the similarities between SSL VPNs and NAC. That's because SSL VPNs already perform NAC-like functions for remote users: assess the health of the endpoint and enable policy-based access to applications.