Entire contents © 2006 Forrester Research, Inc. All rights reserved.
Agenda
Defining network access control (NAC)
NAC solves an IT oxymoron: secure access
NAC is gaining significant momentum in large enterprises . . .
• Demand side: NAC has jumped to an early mindshare position within large enterprises.
» Some 40% of enterprises were tackling NAC initiatives in 2006.
» Some 52% of firms indicated the need for access control across all network mediums: wired, wireless, and remote access.
• Supply side: Dozens of vendors are jumping on the bandwagon — RSA’s 2006 “NAC Show.”
» Infrastructure vendors: 3Com, Cisco, Enterasys, Extreme, Foundry, HP ProCurve, Nortel
» Software vendors: Elemental Security, ENDFORCE, F-Secure, McAfee, Panda Software, Symantec/Sygate
» Appliance vendors: Caymas, Check Point, ConSentry, ForeScout, Granite Edge, InfoExpress, Lockdown, Mirage, Nevis, Vernier
. . . But many companies suffer from stalled deployments
• . . . Only 4% of firms had completed deployments.
• Why?
» Multiple, confusing architectures
» Lack of interoperability
» Upfront costs exceed benefits
» Lack of identified business drivers
Defined use cases are just now coming into focus
• The ROI of NAC is a lost cause
• Successful deployments focus on business needs for:
» Unmanaged or guest systems
» Partner extranet functionality
» Enterprise mobility
» Virus/worm contamination
The result: Enterprises are in the second wave of NAC deployments
Today’s NAC deployments focus on three architectural components
• Endpoint
» PCs — Desktops, laptops, servers
» Devices — IP phones, printers, embedded OS machines
» Primary ownership: desktop or client operations
• Network
» Perimeter devices — Security appliances, VPN concentrators, firewalls
» Wiring closet devices — routers, switches, wireless APs
» Primary ownership: network operations
• Back-end servers
» AAA, policy, configuration, and remediation servers
» Primary ownership: security operations
But successful enterprises are shifting focus to two distinct functional components
• Pre-admission — “Keep people out”
» Technologies to perform integrity and compliance checks before network resources are granted
» Key components: endpoint security scans and identity via authentication
• Post-admission — “Kick people off”
» Technologies to monitor resource access violations and anomalous behavior
» Key components: identity management and IPS
Bridging NAC’s architectural and functional views
Function:
Pre-admission control:
• Endpoint integrity check
• Enforcement during authentication
Post-admission control:
• Behavior monitoring
• Resource and application violations
As NAC evolves functionally, focus on building a user or device-access control life cycle . . .
(Life-cycle diagram with three stages: pre-admission, post-admission, remediation)
. . . But NAC is only a small component in an endpoint security life cycle
(Diagram: NAC shown as one component within the endpoint security life cycle)
NAC evolves to encompass a wider risk-based architecture
(Diagram: proactive endpoint risk management spanning client and network, with NAC and identity as its components)
Defining proactive endpoint risk management
► Policy-based hardware and software technologies that proactively manage risk by integrating endpoint security, access control, identity, and configuration management
Firms must overcome the four “dirty little secrets” of the NAC market
(Table columns: why it hurts NAC deployments, how to overcome, key vendors)
• Multivendor policy interoperability
» Why it hurts NAC deployments: Policy isn’t “plug-and-play” across multiple vendors.
» How to overcome: Select vendors that have proven interoperability.
» Key vendors: Cisco (NAC) and Microsoft (NAP)
Recommendations: vendor selection
Recommendations: deployment best practices
Phase in NAC to maximize short-term effectiveness:
• Phase 1 — Create NAC policies: Leave three months to simply write policies and understand who goes where under what conditions.
• Phase 2 — Deploy an overlay pre-admission solution: Get policy-savvy solutions in place that allow you to begin NAC but may not have a full set of enforcement capabilities.
• Phase 3 — Add more enforcement and post-admission: Once you have the right policy infrastructure in place, you can scale out enforcement with 802.1X and behavior monitoring with IPS.
• Phase 4 — Build remediation capabilities: Finally, you can enable user-remediation or auto-remediation with configuration management solutions.
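As an added worked example, not part of the Forrester deck and not any vendor's product code, the Python sketch below models the two functional components described earlier (pre-admission checks at authentication, post-admission monitoring that kicks misbehaving endpoints off) together with the four deployment phases above as one policy-driven life cycle: a written policy table (Phase 1), an endpoint integrity check that assigns a network segment (Phase 2), evaluation of IPS and access-violation events against an admitted endpoint (Phase 3), and posture remediation followed by a fresh pre-admission check (Phase 4). The POLICY thresholds, VLAN names, endpoint records, MAC addresses and the event feed are all constructed for illustration; a real deployment would take them from the AAA/policy server, the posture agent and the IPS.

```python
"""Toy NAC policy engine: pre-admission, post-admission, remediation.

Constructed illustration, not Forrester's or any vendor's code. The policy
thresholds, segment names, endpoint records and event feed are invented.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Phase 1: the written policy -- who goes where under what conditions.
POLICY = {
    "max_signature_age_days": 7,   # AV definitions older than this fail posture
    "required_patch_level": 3,     # hypothetical monotonic patch baseline
    "roles": {"employee": "corp", "contractor": "extranet"},  # role -> segment
    "guest_vlan": "guest",
    "quarantine_vlan": "quarantine",
    "max_ips_blocks": 3,           # IPS blocks tolerated before kick-off
}


@dataclass
class Endpoint:
    mac: str
    user: Optional[str]            # None = unauthenticated (guest/unmanaged)
    role: Optional[str]
    managed: bool                  # trusted agent present for the posture scan
    av_signature_date: Optional[date]
    patch_level: int
    vlan: str = "none"
    quarantine_reason: Optional[str] = None
    history: List[Tuple[str, str]] = field(default_factory=list)


def posture_ok(ep: Endpoint, today: date) -> bool:
    """Endpoint integrity check: managed agent, fresh AV signatures, patched."""
    if not ep.managed or ep.av_signature_date is None:
        return False
    age = (today - ep.av_signature_date).days
    return (age <= POLICY["max_signature_age_days"]
            and ep.patch_level >= POLICY["required_patch_level"])


def pre_admission(ep: Endpoint, today: date) -> str:
    """Enforcement during authentication: assign a segment and return it."""
    if ep.user is None or ep.role not in POLICY["roles"]:
        ep.vlan = POLICY["guest_vlan"]          # unmanaged or guest system
    elif posture_ok(ep, today):
        ep.vlan = POLICY["roles"][ep.role]
        ep.quarantine_reason = None
    else:
        ep.vlan = POLICY["quarantine_vlan"]     # authenticated, non-compliant
        ep.quarantine_reason = "posture"
    ep.history.append(("pre-admission", ep.vlan))
    return ep.vlan


def post_admission(ep: Endpoint, events: List[Tuple[str, str]]) -> str:
    """Behavior monitoring: kick off an admitted endpoint that misbehaves.

    events are (mac, kind) pairs from an IPS or access-control log;
    kind is 'ips_block' or 'resource_violation'. Returns the segment after
    evaluation (quarantine if the endpoint was kicked off).
    """
    if ep.vlan in (POLICY["guest_vlan"], POLICY["quarantine_vlan"]):
        return ep.vlan                           # nothing further to revoke
    mine = [kind for mac, kind in events if mac == ep.mac]
    if ("resource_violation" in mine
            or mine.count("ips_block") >= POLICY["max_ips_blocks"]):
        ep.vlan = POLICY["quarantine_vlan"]
        ep.quarantine_reason = "behavior"
        ep.history.append(("post-admission", ep.vlan))
    return ep.vlan


def remediate(ep: Endpoint, today: date) -> str:
    """Auto-remediation fixes posture only; a behavior kick-off needs a human."""
    if ep.quarantine_reason != "posture":
        return ep.vlan                           # stays where it is
    ep.av_signature_date = today                 # e.g. pushed signature update
    ep.patch_level = max(ep.patch_level, POLICY["required_patch_level"])
    ep.history.append(("remediation", "posture updated"))
    return pre_admission(ep, today)              # re-check before re-admitting


def run_demo(today: date = date(2006, 6, 1)) -> Dict[str, Tuple[str, str, str]]:
    """Drive four constructed endpoints through the whole life cycle."""
    fresh = today - timedelta(days=2)
    stale = today - timedelta(days=30)
    eps = {
        "laptop": Endpoint("00:11:22:33:44:01", "alice", "employee", True, fresh, 3),
        "stale": Endpoint("00:11:22:33:44:02", "bob", "employee", True, stale, 3),
        "guest": Endpoint("00:11:22:33:44:03", None, None, False, None, 0),
        "partner": Endpoint("00:11:22:33:44:04", "carol", "contractor", True, fresh, 4),
    }
    # Constructed IPS log: the partner box trips the block threshold, the
    # laptop is blocked once and stays admitted.
    events = ([("00:11:22:33:44:04", "ips_block")] * 3
              + [("00:11:22:33:44:01", "ips_block")])
    out = {}
    for name, ep in eps.items():
        pre = pre_admission(ep, today)
        post = post_admission(ep, events)
        fixed = remediate(ep, today)
        out[name] = (pre, post, fixed)
    return out


if __name__ == "__main__":
    for name, (pre, post, fixed) in run_demo().items():
        print(f"{name:8s} pre={pre:11s} post={post:11s} after_remediation={fixed}")
```

Running the script prints each endpoint's segment after each stage. Two design points are worth keeping from the toy: remediation re-runs the pre-admission check instead of re-admitting directly, so a failed fix cannot leak a non-compliant host into the production segment; and an endpoint quarantined for behavior is deliberately not auto-remediated, because a posture refresh says nothing about why the IPS blocked it.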
Thank you
Robert Whiteley
+1 617/613-6183
rwhiteley@forrester.com
www.forrester.com