
Teleconference

Demystifying NAC: Going Beyond Basic Admission Control
Robert Whiteley
Senior Analyst
Forrester Research

September 25, 2006. Call in at 12:55 p.m. Eastern Time


Theme

Firms must look beyond current limitations of NAC and build a life cycle with both pre- and post-admission.

2
Entire contents © 2006 Forrester Research, Inc. All rights reserved.
Agenda

• Examining NAC’s momentum
• Detailing today’s NAC architectures
• Going beyond: predicting NAC’s future
• Recommending how to overcome NAC’s pitfalls

Defining network access control (NAC)

► A mix of hardware and software technologies that dynamically control client systems’ access to networks based on their compliance with policy.
► Network quarantine = network access control = Network Admission Control (Cisco’s specific term) = Network Access Protection (Microsoft’s specific term)

NAC solves an IT oxymoron: secure access

NAC provides the technology framework and policy hooks to make security and access tradeoffs.

Access <-> Network access control <-> Security
• Access: The most accessible systems are not secure.
• Security: The most secure systems are not accessible.

NAC is gaining significant momentum in large
enterprises . . .
• Demand side: NAC has jumped to an early mindshare
position within large enterprises.
» Some 40% of enterprises were tackling NAC initiatives in
2006.
» Some 52% of firms indicated the need for access control
across all network mediums: wired, wireless, and remote
access.
• Supply side: Dozens of vendors are jumping on the
bandwagon — RSA’s 2006 “NAC Show.”
» Infrastructure vendors: 3Com, Cisco, Enterasys, Extreme,
Foundry, HP ProCurve, Nortel
» Software vendors: Elemental Security, ENDFORCE, F-
Secure, McAfee, Panda Software, Symantec/Sygate
» Appliance vendors: Caymas, Check Point, ConSentry,
ForeScout, Granite Edge, InfoExpress, Lockdown, Mirage,
Nevis, Vernier
. . . But many companies suffer from stalled
deployments
• . . . Only 4% of firms had completed deployments.
• Why?
» Multiple, confusing architectures
» Lack of interoperability
» Upfront costs exceed benefits
» Lack of identified business drivers

Defined use cases are just now coming into
focus
• The ROI of NAC is a lost cause
• Successful deployments focus on business needs
for:
» Unmanaged or guest systems
» Partner extranet functionality
» Enterprise mobility
» Virus/worm contamination

The result: Enterprises are in the second wave of NAC deployments

• Wave 1: Homogeneous architectures
» Momentum: Early adopters
» Driver: Controlling the “Wild, Wild West”
• Wave 2: Hybrid architectures
» Momentum: Early majority
» Driver: Unmanaged/guest systems
• Wave 3: Interoperable architectures
» Momentum: Late majority
» Driver: Operational efficiency

Timeline: 2004 2005 2006 2007 2008

Today’s NAC deployments focus on three
architectural components
• Endpoint
» PCs — Desktops, laptops, servers
» Devices — IP phones, printers, embedded OS machines
» Primary ownership: desktop or client operations
• Network
» Perimeter devices — Security appliances, VPN concentrators,
firewalls
» Wiring closet devices — routers, switches, wireless APs
» Primary ownership: network operations
• Back-end servers
» AAA, policy, configuration, and remediation servers
» Primary ownership: security operations

But successful enterprises are shifting focus to
two distinct functional components
• Pre-admission — “Keep people out”
» Technologies to perform integrity and compliance
checks before network resources are granted
» Key components: endpoint security scans and
identity via authentication
• Post-admission — “Kick people off”
» Technologies to monitor resource access violations,
anomalous behavior
» Key components: identity management and IPS

Bridging NAC’s architectural and functional views

Architecture
• Endpoint tools: endpoint security tools; client security suites (AV, FW, etc.); compliance agent (optional)
• Intelligent network: switches and routers; VPN gateways; wireless APs; security appliances
• Policy and identity servers: authentication and authorization (RADIUS, LDAP, AD); remediation and configuration management; audit and assessment

Function
• Pre-admission control: endpoint integrity check; enforcement during authentication
• Post-admission control: behavior monitoring; resource and application violations

As NAC evolves functionally, focus on building a user or device-access control life cycle . . .

Life-cycle stages (shown as a loop): Pre-admission, Post-admission, Remediation
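The pre-admission (“keep people out”), post-admission (“kick people off”) and remediation stages described above, modelled as an added example that is not part of the Forrester deck: a constructed policy gates admission on authenticated identity plus endpoint integrity, post-admission monitoring revokes access on resource violations or anomalous behavior, and remediation fixes the flagged checks and feeds the endpoint back into pre-admission. The policy thresholds, role-to-resource map, event shapes and the decision to deny endpoints without an identity are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy and role-to-resource map (assumptions, not from the deck).
POLICY = {"max_signature_age_days": 7, "min_patch_level": 12, "agent_required": True}
ALLOWED = {"employee": {"intranet", "mail"}, "contractor": {"mail"}}

@dataclass
class Endpoint:
    mac: str
    user: Optional[str]   # None: no authenticated identity (device-only view)
    role: str
    av_signature_age_days: int
    patch_level: int
    agent_present: bool

def pre_admission(ep, policy=POLICY):
    """Pre-admission ("keep people out"): identity plus integrity check before any
    network resources are granted. Returns (decision, failed_checks)."""
    if ep.user is None:   # policy choice in this example: no identity, no admission
        return "DENY", ["no_identity"]
    failures = []
    if policy["agent_required"] and not ep.agent_present:
        failures.append("agent_missing")
    if ep.av_signature_age_days > policy["max_signature_age_days"]:
        failures.append("av_signatures_stale")
    if ep.patch_level < policy["min_patch_level"]:
        failures.append("patch_level_low")
    return ("QUARANTINE" if failures else "FULL"), failures

def post_admission(ep, events, allowed=ALLOWED, scan_threshold=3):
    """Post-admission ("kick people off"): judge monitored behavior of an admitted
    session from IPS/identity events. Returns (decision, reasons)."""
    permitted = allowed.get(ep.role, set())
    reasons = ["resource_violation:" + e["target"] for e in events
               if e["type"] == "resource_access" and e["target"] not in permitted]
    if sum(e["type"] == "port_scan" for e in events) >= scan_threshold:
        reasons.append("anomalous_behavior:port_scan")
    return ("REVOKE" if reasons else "OK"), reasons

def remediate(ep, failures, policy=POLICY):
    """Remediation: configuration management fixes what pre-admission flagged, then the
    endpoint re-enters pre-admission, which closes the life-cycle loop."""
    if "agent_missing" in failures:
        ep.agent_present = True
    if "av_signatures_stale" in failures:
        ep.av_signature_age_days = 0
    if "patch_level_low" in failures:
        ep.patch_level = policy["min_patch_level"]
    return pre_admission(ep, policy)
```

A non-compliant endpoint therefore moves QUARANTINE, then FULL after remediation, and can still be sent back by post-admission monitoring; each stage reports the reasons so the policy server can log and act on them.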

. . . But NAC is only a small component in an endpoint security life cycle

[Figure: NAC shown as one small component within the broader endpoint security life cycle]

NAC evolves to encompass a wider risk-based architecture

[Figure: Proactive endpoint risk management spanning Client, Network, Identity, and NAC]
Defining proactive endpoint risk management

► Policy-based hardware and software technologies that proactively manage risk by integrating endpoint security, access control, identity, and configuration management

Firms must overcome the four “dirty little secrets” of the NAC market

• Enterprise-class components
» Why it hurts NAC deployments: Underpinning hardware — DHCP, RADIUS, and DNS — are not reliable enough.
» How to overcome: Budget for high-availability components.
» Key vendors: Infoblox, MetaInfo, and INS
• Automatic remediation
» Why it hurts NAC deployments: NAC doesn’t provide automatic remediation of noncompliant users.
» How to overcome: Integrate configuration management tools.
» Key vendors: Altiris, Shavlik, BigFix, etc.
• Multivendor policy
» Why it hurts NAC deployments: Policy isn’t “plug-and-play” across multiple vendors.
» How to overcome: Select vendors that have proven interoperability.
» Key vendors: Cisco (NAC) and Microsoft (NAP)
• True identity awareness
» Why it hurts NAC deployments: NAC is device-centric, and many solutions don’t support user context.
» How to overcome: Integrate with AD/LDAP, and push for SSO.
» Key vendors: Applied Identity and Identity Engines

Recommendations: vendor selection

• Pick vendors that focus on:
» Identity: Without identity, NAC is device-centric and misses the full-policy-compliance framework.
» Remediation: The ability to remediate or enforce
compliance is key to automating NAC.
• Look for solutions that focus on interoperability:
» Microsoft: NAP
» Cisco: NAC
» TCG: TNC

Recommendations: deployment best practices
Phase in NAC to maximize short-term effectiveness:
• Phase 1 — Create NAC policies: Leave three months to
simply write policies and understand who goes where under
what conditions.
• Phase 2 — Deploy an overlay pre-admission solution: Get
policy-savvy solutions in place that allow you to begin NAC
but may not have a full set of enforcement capabilities.
• Phase 3 — Add more enforcement and post-admission: Once
you have the right policy infrastructure in place, you can scale
out enforcement with 802.1X and behavior monitoring with
IPS.
• Phase 4 — Build remediation capabilities: Finally, you can
enable user-remediation or auto-remediation with
configuration management solutions.
Thank you

Robert Whiteley
+1 617/613-6183
rwhiteley@forrester.com

www.forrester.com

Selected bibliography

• September 8, 2006, Trends “Refreshing Enterprise LAN Infrastructure”
• May 12, 2006, Trends “Getting The NAC Of It: 2006 Network Access Control Adoption”
• November 2, 2005, Best Practices “Securing The Network From The Inside Out”
• June 28, 2005, Tech Choices “Choosing The Right Network Quarantine Solution”
