“...thou shall not trust the end point to report its state...”
Choosing the right NAC approach

By definition, the topmost and clear-cut objective of the right NAC is the identification and authentication of 100% of the IP devices within the enterprise network. NAC is all about Access Control, and it should first and foremost focus on the main highway into the office network:
the Ethernet port

Fact is that the previous concept of NAC as Admission Control is not achievable. Practice and field experience show that most clients of the ‘old way’ are feverishly back at the drawing board, attempting to resolve the same recurring Access Control problem.

When searching for the right NAC, the first of several important questions to ask concerns the ownership of the system. Who will own that network security system for the enterprise: the networking personnel or the systems personnel? Below you will find realistic pointers and guidelines to help you assess and choose the right NAC for your network. Several models have been put forward in pursuit of the right access control. Provided here is a field-tested analysis of each method, its attributes, its viability and its shortcomings:

The (IEEE) 802.1X Protocol:
This can be titled the academician’s dream and the IT administrator’s nightmare.
It is a ‘brainy’ solution suited to the perfect world of closed, limited-exposure laboratories, but not to real life. 802.1X is complicated and frighteningly cumbersome to install and deploy (the supporting switches, the workstations and the issuing of certificates, to name a few issues). As with any ‘agent solution’, its deployment is limited to those IP devices capable of hosting a certificate. It is extremely difficult to manage, and it focuses on the machine/device level only, not on the user level.

To sum it up, the solution does not provide a satisfactory answer to exceptions (such as telephony).
Its main problem, though, is the ongoing day-to-day operation. If a client cannot access the network, usually the only way to solve the problem is to get to him physically.

The ‘MAC Manager’ based solutions
These solutions manage the ‘inventory list’ of all the stored MAC (Media Access Control) addresses of the enterprise’s devices. The problems that surface with this solution are primarily administrative. It is a daunting, if not impossible, task to manage a gigantic list of thousands of devices by MAC address. Moreover, because MAC addresses are printed all over the packaging of any device, it is easy to counterfeit a MAC address. Yet the main problem remains the administrative one.
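As an added illustration of the administrative problem described above (example code written for this page, not Portnox’s product and not code from the original text): a small Python script that normalises a hand-maintained MAC inventory into one canonical spelling, rejects malformed entries, reports addresses listed twice, and compares the list against what the switches’ address tables actually report, flagging addresses not on the list and inventory addresses that show up on more than one port at the same time. All MAC addresses, owner names and switch/port names below are constructed sample data.

```python
"""Added example: auditing a MAC-address inventory against switch observations.
Every MAC, owner and switch/port value here is constructed sample data."""
import re
from collections import defaultdict

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise the spellings a hand-kept list accumulates
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff) into
    lowercase colon-separated form. Raises ValueError otherwise."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _TWELVE_HEX.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(lines):
    """Parse 'mac,owner' lines. Returns (inventory, rejected_lines).
    A MAC entered more than once keeps every owner, so the administrator
    can see the conflicting entries instead of silently losing one."""
    inventory = defaultdict(list)
    rejected = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            mac, owner = (p.strip() for p in line.split(",", 1))
            inventory[normalize_mac(mac)].append(owner)
        except ValueError:  # bad MAC, or no comma at all
            rejected.append(line)
    return dict(inventory), rejected


def audit(inventory, observations):
    """observations: (switch, port, mac) tuples as read from the switches'
    address tables in one polling interval. Returns:
      unknown    - MACs on the wire that are not in the inventory
      cloned     - inventory MACs seen on more than one port at once; the
                   simplest sign that an address copied from a device label
                   is in use (a device moved between polls can also trigger
                   it, so treat this as a lead to investigate, not proof)
      duplicates - inventory MACs listed more than once (administrative errors)"""
    seen_on = defaultdict(set)
    for switch, port, mac in observations:
        seen_on[normalize_mac(mac)].add((switch, port))
    unknown = sorted(m for m in seen_on if m not in inventory)
    cloned = sorted(m for m, ports in seen_on.items()
                    if m in inventory and len(ports) > 1)
    duplicates = sorted(m for m, owners in inventory.items() if len(owners) > 1)
    return {"unknown": unknown, "cloned": cloned, "duplicates": duplicates}


# Constructed sample inventory, deliberately in the mixed formats and with the
# errors a list maintained by hand tends to contain.
SAMPLE_INVENTORY = [
    "# mac, owner",
    "00:11:22:33:44:55, printer-2nd-floor",
    "00-11-22-33-44-66, timeclock-lobby",
    "0011.2233.4477, workstation-a",
    "00:11:22:33:44:77, workstation-a (re-entered)",  # same MAC entered twice
    "not-a-mac, typo-entry",                           # malformed line
]

# Constructed sample of what the switches report in one poll.
SAMPLE_OBSERVATIONS = [
    ("sw1", "Gi1/0/1", "00:11:22:33:44:55"),
    ("sw1", "Gi1/0/2", "00:11:22:33:44:66"),
    ("sw2", "Gi1/0/7", "00:11:22:33:44:66"),  # same address on a second port
    ("sw2", "Gi1/0/9", "aa:bb:cc:dd:ee:ff"),  # not in the inventory
]


def run_sample():
    """Load the constructed inventory, audit it, and return the full report."""
    inventory, rejected = load_inventory(SAMPLE_INVENTORY)
    report = audit(inventory, SAMPLE_OBSERVATIONS)
    report["rejected"] = rejected
    return report


if __name__ == "__main__":
    for key, value in run_sample().items():
        print("%-10s %s" % (key, value))
```

The point the text makes is visible in the sample output: even a six-line list already carries a malformed entry and a duplicate, and the one signal the list itself cannot give, that a listed address is in use on two ports at once, only appears when the inventory is checked against the switches rather than trusted on its own.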

The IDS/IPS type solutions
Unavoidably, and perhaps by design, this solution leads to the purchase of various dedicated appliances to serve it. In addition to the considerable expense, the appliances make deployment a formidable task, especially in a decentralized organization. Most successful organizations are decentralized businesses; what then? A deployment of a machine in each location? There is also the need to record, or capture a copy of, all the traffic moving through the device.

This brings to mind the absurdity of having spent millions only to have to route communications through an IPS device, which is not considered a networking device. Another method would be to implement a ‘port mirror’ and practically bring the switch to its knees. IPS/IDS devices can inspect only the traffic that passes through them; they cannot analyze encrypted information, high volumes of traffic, and so on. Truth is that many players offer such an approach, all glorifying their many capabilities such as Block User Traffic or Asset Management, yet at the bottom line all they do is distance the client from implementing the basic required access control, and they unavoidably become another ‘white elephant’ and a ‘paperweight’ on the shelves of the security software. To sum it up, at its core the IPS device is not a NAC device.

The ‘agent’ type solutions
Can be simply described as a cumbersome, ineffective and limited-deployment solution! The ‘agent solution’ violates a cardinal security rule: “...thou shall not trust the end point to report its state...”
In principle, the agent solution gives the workstations the mandate for network control, a fact which renders this solution ineffective at the least, if not risky altogether. Any printer, time clock or physical network port becomes an open, uncontrolled access point to the network.

The agent solution is an open invitation for network exploitation by users and hackers alike. For example, the first thing a virus does when it attacks a station is to strike out and disable the antivirus; the same goes for the NAC agent. Moreover, by design the NAC agent solution attempts to solve the problem of another malfunctioning agent: here, the NAC agent inspects an antivirus agent that inspects a patch management agent.

In addition to all of the technical inadequacies described above, the agent solution brings with it serious financial ramifications. First and foremost, the agent solution requires exceptionally broad organizational deployment, which by its nature demands considerable IT resources. The infrastructure-type agent solution is not adaptive. Consequently, it leads to inherently monopolistic and lengthy technical and financial business commitments, plagued by upgrades, implementation issues and purchase difficulties. For those organizations employing VoIP, the deployment of an agent solution is financially unsound (less than 50% liquidity).
Mac in a Sack
...NAC solutions are in some way based on a MAC authentication layer... could it be that your NAC is a ‘mac in a sack’?
Case Studies

The College of Management Academic Studies (COMAS) chose portnox™ for their Network Access Control...

Israel’s leading TV broadcaster selected portnox™ as their NAC solution. Channel 10 is one of the leading...